A software product’s code-base grows over time with added functionality resulting in the use of potentially numerous new 3rd party libraries. Some of these libraries are well-maintained by commercial organizations and some are maintained by communities of open source developers. Over time, it is easy for a development team to lose track of these software components, resulting in gaps in visibility into component vulnerabilities. This can have an impact on the security of the product and introduce un-needed risk into end-user customer organizations.
The National Telecommunications and Information Administration (NTIA) has launched a new multi-stakeholder process focused on solving this problem through Software Component Transparency. We at VDOO see the NTIA initiative as a leading indicator of the need for new capabilities in the vulnerability management market, demonstrated by our existing commitment to providing automated security analysis, customized secure design recommendations and component visibility for our customers. We plan to participate in making this project a success and we encourage IoT product developers, security vendors, and platform providers to do the same.
At VDOO, we understand the value of software component visibility. The growing complexity of software systems has made vulnerability management a daunting task for both manufacturers and end-user organizations. Today’s software is composed of dozens to hundreds of 3rd party libraries, each potentially exposing their own vulnerabilities. End-user organizations should not have to assign analysts the costly task of manually tracking the libraries used within their deployed software, and manufacturers are often burdened with tracking legacy software components that were never properly documented.
Visibility into the true composition of software products provides integrators and end-user organizations the ability to better track their risk exposure and take actions necessary to secure their environments. The NTIA Software Component Transparency initiative results in a standardized Software Bill of Materials (SBOM) that documents the supply chain and provides end-user organizations with a new tool in the vulnerability management process.
At VDOO, our automated security analysis platform can be used today to automatically investigate a firmware file and generate an associated SBOM. Our security analysis tool can be used by manufacturers within their Continuous Integration (CI) environment to better manage the software libraries used within their product. The platform can also be used by end-user organizations as a useful tool within their enterprise risk management strategy. Alignment of an SBOM report with existing vulnerability tracking services makes the SBOM even more impactful. VDOO’s automated security analysis tool is designed to map outputs with the CVE and NVD, supporting the automated identification of security weaknesses and design flaws based on true visibility of all incorporated software components.
The format of a standardized SBOM is not yet defined. The specific format and data elements are being worked by the NTIA stakeholders. We can envision though that an SBOM will capture software attributes such as component name, major release/minor release versions, patch levels, component IDs, descriptions, and whether the component was modified or used as-is. Attribute flexibility and grouping options would support the growth of the SBOM over time to enable new features as well. VDOO’s binary analysis capabilities line up well with these anticipated data attributes and we will ensure that our products maintain that alignment as the standard matures.
Although the NTIA multi-stakeholder process is focused on the software industry in general, we believe that this initiative is directly applicable to IoT product makers. Although the timing is right to make a difference in the security of connected products, the burden of generating an SBOM falls on these IoT organizations. There can be a significant cost and schedule impact associated with the process of identifying all of the libraries and components used within a legacy product. Our automated security analysis tool minimizes these impacts while helping product manufacturers improve their secure product development lifecycle and supporting end-customer supply chain vulnerability management processes.
Of course, there are both policy and technical questions that must be addressed for the NTIA to be successful in creating a useful software transparency standard. Questions related to whether this applies to both 3rd party libraries and internally-developed libraries as well as intellectual property (IP) considerations are on the table. Also, there are some that question the wisdom of communicating this information to adversaries, although we should assume that those adversaries already know the makeup of software packages.
Even so, we at VDOO believe that software component transparency can be a foundational enabler of new security capabilities in the IoT market. Automation is critical for the IoT as thousands to millions of devices are deployed. A standardized SBOM will lead the way towards comprehensive visibility into the security posture of IoT networks, allowing for automated updates of software and libraries based on the real knowledge of whether a device is vulnerable. We encourage IoT product makers, platform providers and security vendors to participate or at least closely follow the progress of this NTIA multi-stakeholder initiative.
We’d love to share more. Contact us if you’d like to learn more about the SBOM initiative or our automated security analysis capabilities.