The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

Post

How to use an SBOM for Software Vulnerability Monitoring

image credit: North American Transmission Forum
Richard Brooks's picture
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,529 items added with 668,409 views
  • Dec 20, 2022
  • 253 views

My recent article requesting that Congress retain the SBOM provision in upcoming legislation has resulted in people asking how an SBOM is used to monitor for software vulnerabilities. Here’s the answer.

BEFORE PROCUREMENT and INSTALLATION OF SOFTWARE PRODUCTS

Step 1, ask your vendor for an SBOM describing the product and version you are interested in using.

Step 2. Use the SBOM to produce a Vulnerability Disclosure Report (VDR). Commercial tools are available for this step.

Step 3. Examine the Vulnerability Disclosure Report for vulnerabilities and request the vendor to provide an updated VDR containing their assessment and fix status for each vulnerability reported in the product. Ask the vendor to make this “living VDR” available online so that a consumer can monitor for vulnerabilities and any vulnerability fixes that may be coming from the vendor. Ask the vendor to put a link to the online, living VDR in a Vendor Response File (VRF), along with links to other attestations required for OMB M-22-18.

AFTER INSTALLATION ONGOING VULNERABILITY MONITORING

Step 1. Load the product SBOM into the OWASP CycloneDX Dependency Track Tool

Step 2. Daily, review the SBOM vulnerability status in the Dependency Track tool looking for new vulnerabilities in your installed software products.

Step 3. When new vulnerabilities are reported, download the online version of the VDR for the product and version from the supplier and check for updates from the vendor on any new vulnerabilities. Commercial tools are available for this step.

Step 4. Repeat steps 2 and 3.

These proactive vulnerability monitoring steps will help your cybersecurity personnel stay ahead of the hackers and reduce the window of susceptibility whenever a new software vulnerability is reported.  

Discussions

No discussions yet. Start a discussion below.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »