web analytics

The Power of Post-Production SBOMs – Source: securityboulevard.com

the-power-of-post-production-sboms-–-source:-securityboulevard.com
Rate this post

Source: securityboulevard.com – Author: Mark Hermeling

The use cases and lifecycle of Software Bills of Materials (SBOM) are starting to coalesce as software organizations begin making them working artifacts. The White House Cybersecurity Executive Order (EO 14028) initiated a push to improve software supply chain security for software vendors and the federal government. However, the impact is being felt across industries, such as medical device software, where improved security and, particularly, software supply chain security, are becoming key requirements.

This post looks at the lifecycle of the SBOM in the context of the SDLC, pre-and post-production SBOMs, how they differ, and how to apply binary versus source code software composition analysis (SCA).

AWS Builder Community Hub

Source code analysis tools analyze the actual source code files of an application. They examine the code’s structure, dependencies, and specific functions or libraries used. The scope of the analysis is limited to the sources made available to the tools. Source SCA tools can detect vulnerabilities, licensing issues, and other code-related problems by directly examining the source code. These tools are typically used during development as new code is developed and new open-source or third-party code is incorporated.

Binary SCA tools (like GrammaTech CodeSentry) analyze compiled binary code or executables. They inspect the compiled artifacts without direct access to the original source code. BCA tools focus on identifying open-source components and their versions within binaries. These tools focus on identifying open-source components and their associated vulnerabilities without access to the source code. They rely on signature-based matching or heuristics to compare binary artifacts against known vulnerabilities in their databases. Binary SCA tools are typically used during application deployment and post-release maintenance.

SBOMs Throughout the SDLC

Software Bill of Materials (SBOM) provides a detailed list of the software’s building blocks, including open-source libraries, third-party components, frameworks, and their associated versions and licenses. The SBOM plays a crucial role throughout the software development lifecycle, both in the pre-production and post-production stages.

Pre-Production SBOMs

As the name implies, pre-production SBOMs are used during the design and development phases of software development when new sources are created or added from outside the organization.

Planning and Design: During the planning and design phase, an SBOM helps teams assess the feasibility and security of incorporating specific components into the software. It enables them to evaluate potential risks, licensing requirements, and dependencies that might impact the software’s development.

Development and Coding: Developers use the SBOM to track and manage the open-source components and libraries they incorporate into the software. It helps ensure compliance with licensing obligations, identify potential security vulnerabilities, and monitor component versions and updates. The SBOM assists in maintaining a clean and secure codebase from the early stages of development.

Quality Assurance: The SBOM plays a role in testing and QA activities. It helps development teams identify potential vulnerabilities or outdated components in the software. By referencing the SBOM, they can verify that the software aligns with security standards, legal requirements, and best practices.

Pre-production and post-production SBOMs within the SDLC.

Post Production SBOM

Post-production, in the context of software development, is the deployment stage where software application components are integrated and shippable to a customer. In most CI/CD pipelines, a deployable application is the end goal of each cycle, and it’s important that SBOM artifacts are created with each. These post-production SBOMs are generated by binary SCA tools because of the larger scope of analysis that includes the application, open source, and third-party libraries.

Deployment and Distribution: Once the software is ready for deployment, the SBOM serves as a reference for the distribution process. It provides insights into the licenses and legal obligations associated with the software’s components. This information ensures compliance with open-source licenses and facilitates proper attribution and distribution.

Vulnerability Management: The SBOM plays a critical role in post-production vulnerability management. By cross-referencing the SBOM with vulnerability databases, organizations can quickly identify and address any security vulnerabilities or patches related to the software’s components. This enables timely updates and reduces the risk of exploitation by potential threats.

Incident Response and Patch Management: In the event of a security incident or the discovery of a vulnerability in a component, the SBOM helps organizations assess the impact on their software. They can identify the affected versions and components, analyze the potential risks, and apply appropriate patches or updates to mitigate vulnerabilities.

Compliance and Auditing: The SBOM is valuable for compliance and auditing purposes. It provides a transparent record of the software’s components, licenses, and dependencies. Organizations can demonstrate adherence to licensing obligations, compliance frameworks, and regulatory requirements, ensuring transparency and accountability in their software supply chain.

The Power of Post-Production Binary SCA SBOMs

There is a role for both source-based, pre-production SBOMs and post-production SBOMs generated by binary SCA tools. In fact, both should be used together for a complete solution. However, there are some advantages to as-built, post-production SBOMs.

Verify pre-production SBOMs: It’s critical that open-source licensing and vulnerabilities from pre-production sources match up with the same binary findings. Discrepancies should be documented and assessed. It’s possible that binary SCA tools may detect new dependencies and open source vulnerabilities from source-based analysis due to the increased scope of libraries and other executables.

Detect vulnerabilities in non-source artifacts: Binary SCA tools analyze binary code, libraries, and executables, and it’s possible that more vulnerabilities are found. The increased scope of the analysis provides a more complete picture of the open source dependencies and security risks of the application.

Produce an “as-built” SBOM for customers in the desired format: The post-production SBOM is the complete list of all components in their final form for shipment to a customer. Tools like CodeSentry support standard SBOM formats for easy integration into vulnerability and SBOM management tools.

Complete SBOM for integration into vulnerability, portfolio, and SBOM management systems: Post-production SBOMs provide a complete picture of dependencies and vulnerabilities in the software supply chain. It is this stage of the lifecycle and the type of SBOM that makes the most sense to feed into management systems.

SBOM generation for deployed or legacy applications: Since binary SBOMs work on any executable or library, it’s possible to analyze applications already deployed, including legacy applications. It’s also possible to analyze third-party applications used in conjunction with your application ecosystem. This is an important capability when new vulnerabilities, like Log4J, pop up and exposure to them is unknown.

Summary

Overall, SBOMs are crucial for improving software security, ensuring compliance, and managing vulnerabilities throughout the software development lifecycle. Both pre-production and post-production SBOMs, utilizing source code and binary SCA tools, respectively, contribute to a comprehensive solution.

Pre-production SBOMs are used during the planning, design, development, and coding stages to assess feasibility, manage open-source components, ensure compliance, and perform quality assurance. Post-production SBOMs, generated by binary SCA tools, come into play during deployment and distribution, vulnerability management, incident response, patch management, compliance, and auditing.

The advantages of post-production SBOMs are that they verify pre-production SBOMs, detect vulnerabilities in non-source artifacts, produce a complete as-built SBOM for customers, and facilitate integration into vulnerability, portfolio, and SBOM management systems. Additionally, post-production SBOMs can be generated for deployed or legacy applications, allowing analysis of the entire software supply chain.

The post The Power of Post-Production SBOMs appeared first on Grammatech.

*** This is a Security Bloggers Network syndicated blog from GrammaTalk | Grammatech authored by Mark Hermeling. Read the original post at: https://www.grammatech.com/learn/the-power-of-post-production-sboms/

Original Post URL: https://securityboulevard.com/2023/08/the-power-of-post-production-sboms/

Category & Tags: Security Bloggers Network,GrammaTalk – Security Bloggers Network,GrammaTalk

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST...
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of...
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity...
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat...
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief...
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES

More Latest Published Posts

SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence
Australian Goverment
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
CISC (Comité Internacional Sobre Ciberseguridad)
Política Nacional de Ciberseguridad 2023-2028
Política Nacional de Ciberseguridad 2023-2028
Google
Perspectiveson Securityfor the Board
Perspectiveson Securityfor the Board
HADESS
OSINT Method for Map Investigations
OSINT Method for Map Investigations
CCN-CERT
Observatorio Riesgos Ciberseguridad 2024
Observatorio Riesgos Ciberseguridad 2024
CYBERTHEORY
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
FORTINET
Bloking Malware Through Antivirus Security Profile in FortiGate
Bloking Malware Through Antivirus Security Profile in FortiGate