Software supply chain: Difference between revisions

Edit summary (minor edit by Martin.monperrus): moved page "Software bill of materials" to "Software supply chain": move to the key umbrella concept "Software supply chain"; def acro per MOS
(27 intermediate revisions by 19 users not shown)
Short description of the current revision: Components, libraries, tools, and processes used to develop, build, and publish a software artifact

Text of the previous revision (then titled "Software bill of materials") that this edit replaced or removed; the current revision is rendered in full below under "Latest revision":

A '''software bill of materials'''<ref>{{cite web |url=https://www.ntia.gov/sbom |title=Software Bill of Materials |publisher=ntia.gov |access-date=2021-01-25}}</ref> (SBOM) is a list of components in a piece of [[software]]. Software vendors often create products by assembling [[Open-source software|open source]] and [[commercial software]] components. The SBOM describes the components in a product.<ref>{{cite web |url=http://www.crosstalkonline.org/storage/issue-archives/2012/201203/201203-Croll.pdf |title=Securing A Mobile World |publisher=Crosstalkonline.org |access-date=2015-06-12}}</ref><ref>{{cite web |url=http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part2/ |title=[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management |access-date=2015-06-12}}</ref> It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause [[allergic reaction|an allergic reaction]], SBOMs can help organizations or persons avoid consumption of software that could harm them.

The concept of a [[bill of materials|BOM]] is well-established in traditional manufacturing as part of [[supply chain management]].<ref>{{cite web |url=http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part1/ |title=Code, Cars, and Congress: A Time for Cyber Supply Chain Management |access-date=2015-06-12}}</ref> A manufacturer uses a [[bill of materials|BOM]] to track the parts it uses to create a product. If defects are later found in a specific part, the [[bill of materials|BOM]] makes it easy to locate affected products.

Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in [[Risk management|managing risk]].<ref>{{cite web |url=http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf |title=Appropriate Software Security Control Types for Third Party Service and Product Providers |publisher=Docs.ismgcorp.com |access-date=2015-06-12}}</ref><ref>{{cite web |url=https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities |title=Top 10 2013-A9-Using Components with Known Vulnerabilities |access-date=2015-06-12}}</ref><ref>{{cite web |url=https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security |format=PDF |title=Cyber-security risks in the supply chain |publisher=Cert.gov.uk |access-date=2020-07-28}}</ref>

The NTIA minimum elements were published on July 12, 2021,<ref name="ntia-minimum">{{Cite web|date=2021-07-12|title=The Minimum Elements For a Software Bill of Materials (SBOM)|url=https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom|access-date=2021-12-12|website=NTIA.gov|language=en-US}}</ref> and also "describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution." The minimum elements consist of three broad categories: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs). The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of software composition analysis (SCA) solutions.<ref name="ntia-minimum-blog">{{Cite web|date=2021-07-12|title=NTIA Releases Minimum Elements for a Software Bill of Materials|url=https://www.ntia.doc.gov/blog/2021/ntia-releases-minimum-elements-software-bill-materials|access-date=2022-03-22|website=NTIA.gov|language=en-US}}</ref>
Latest revision as of 09:44, 12 November 2024
A software supply chain is the components, libraries, tools, and processes used to develop, build, and publish a software artifact.[1]
A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components.[2][3] It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.[4]
Usage

An SBOM allows builders to make sure open-source and third-party software components are up to date and respond quickly to new vulnerabilities.[5] Buyers and other stakeholders can use an SBOM to perform vulnerability or license analysis, which can be used to evaluate and manage risk in a product.[6][7][8]
While many companies use a spreadsheet for general BOM management, keeping an SBOM in a spreadsheet introduces additional risks and issues. It is best practice for SBOMs to be collectively stored in a repository that can be part of other automation systems and easily queried by other applications.[citation needed]
Legislation

The Cyber Supply Chain Management and Transparency Act of 2014[9] was a failed piece of US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase and to obtain SBOMs for "any software, firmware, or product in use by the United States Government". The act spurred later legislation such as the "Internet of Things Cybersecurity Improvement Act of 2017".[10][11]
The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021 ordered NIST and NTIA to lay down guidelines for software supply chain management, including for SBOMs.[12] The NTIA outlines three broad categories of minimum elements of SBOMs: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs).[13] The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions.[14]
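The vulnerability and license analysis described under Usage, and the NTIA "data fields" (including dependency relationships) mentioned above, as an added example that is not part of the article or of any NTIA tooling. The SBOM, advisory feed and license policy are constructed sample data, and the JSON shape is a simplified assumption rather than a conforming SPDX or CycloneDX document.

```python
"""Vulnerability, license and recall analysis over a software bill of materials.
The SBOM, advisory feed and license policy are constructed sample data; the JSON
shape is simplified and is NOT a conforming SPDX or CycloneDX document."""
import json
NTIA_FIELDS = ("supplier", "name", "version", "identifier", "dependencies")  # per-component minimum data fields
SBOM_JSON = """{"author": "example-build-system", "timestamp": "2024-11-12T09:44:00Z",
 "components": [
  {"supplier": "Example Corp", "name": "app", "version": "2.1.0", "license": "Proprietary",
   "identifier": "pkg:generic/app@2.1.0", "dependencies": ["pkg:pypi/requests@2.25.0", "pkg:pypi/jsonlib@1.4.2"]},
  {"supplier": "PyPI", "name": "requests", "version": "2.25.0", "license": "Apache-2.0",
   "identifier": "pkg:pypi/requests@2.25.0", "dependencies": ["pkg:pypi/urllib3@1.26.4"]},
  {"supplier": "PyPI", "name": "urllib3", "version": "1.26.4", "license": "MIT",
   "identifier": "pkg:pypi/urllib3@1.26.4"},
  {"supplier": "PyPI", "name": "jsonlib", "version": "1.4.2", "license": "GPL-3.0-only",
   "identifier": "pkg:pypi/jsonlib@1.4.2", "dependencies": []}]}"""
ADVISORIES = {"urllib3": "1.26.5", "jsonlib": "2.0.0"}  # constructed feed: package -> first fixed version
DENIED_LICENSES = {"GPL-3.0-only"}                       # constructed license policy for this product

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def missing_fields(sbom):
    """Components lacking an NTIA minimum field, reported as 'identifier:field'."""
    return [f"{c.get('identifier', '?')}:{f}" for c in sbom["components"]
            for f in NTIA_FIELDS if f not in c]

def vulnerable_components(sbom):
    """Identifiers of components older than the advisory's first fixed version."""
    return sorted(c["identifier"] for c in sbom["components"] if c["name"] in ADVISORIES
                  and version_tuple(c["version"]) < version_tuple(ADVISORIES[c["name"]]))

def license_violations(sbom):
    return sorted(c["identifier"] for c in sbom["components"]
                  if c.get("license") in DENIED_LICENSES)

def dependents_of(sbom, identifier):
    """Walk dependency relationships upward to every component that pulls in
    `identifier`, directly or transitively: the BOM 'which products are affected?' question."""
    parents = {}
    for c in sbom["components"]:
        for dep in c.get("dependencies", []):
            parents.setdefault(dep, set()).add(c["identifier"])
    found, todo = set(), [identifier]
    while todo:
        new = parents.get(todo.pop(), set()) - found
        found |= new
        todo += new
    return sorted(found)

def analyse(sbom_json=SBOM_JSON):
    sbom = json.loads(sbom_json)
    vuln = vulnerable_components(sbom)
    return {"missing": missing_fields(sbom), "vulnerable": vuln, "license": license_violations(sbom),
            "affected": sorted({d for v in vuln for d in dependents_of(sbom, v)})}
```

Running analyse() flags the outdated urllib3 and jsonlib entries, the GPL-licensed jsonlib, and, by following the dependency relationships upward, the two products (requests and app) that ship them; it also reports that the urllib3 entry omits its dependency field.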
See also

- Reproducible builds
- Software Package Data Exchange
- Software toolchain
- Supply chain attack
- Manifest file
- Dependency hell
References

1. "For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf. Archived (PDF) from the original on 2022-12-17. Retrieved 2022-07-04.
2. "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part2/. Archived from the original on 2015-06-14. Retrieved 2015-06-12.
3. "Software Bill of Materials". ntia.gov. https://www.ntia.gov/sbom. Archived from the original on 2022-11-30. Retrieved 2021-01-25.
4. "Code, Cars, and Congress: A Time for Cyber Supply Chain Management". http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part1/. Archived from the original on 2014-12-30. Retrieved 2015-06-12.
5. "Software Bill of Materials improves Intellectual Property management". Embedded Computing Design. http://embedded-computing.com/article-id/?3826=. Archived from the original on 2018-08-25. Retrieved 2015-06-12.
6. "Appropriate Software Security Control Types for Third Party Service and Product Providers" (PDF). Docs.ismgcorp.com. http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf. Archived (PDF) from the original on 2023-01-19. Retrieved 2015-06-12.
7. "Top 10 2013-A9-Using Components with Known Vulnerabilities". https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities. Archived from the original on 2019-10-06. Retrieved 2015-06-12.
8. "Cyber-security risks in the supply chain" (PDF). Cert.gov.uk. https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security. Archived from the original on 2023-06-06. Retrieved 2020-07-28.
9. "H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014 - Congress.gov - Library of Congress". 4 December 2014. https://www.congress.gov/bill/113th-congress/house-bill/5793. Archived from the original on 2022-12-16. Retrieved 2015-06-12.
10. "Internet of Things Cybersecurity Improvement Act of 2017" (PDF). https://www.warner.senate.gov/public/_cache/files/8/6/861d66b8-93bf-4c93-84d0-6bea67235047/8061BCEEBF4300EC702B4E894247D0E0.iot-cybesecurity-improvement-act---fact-sheet.pdf. Archived (PDF) from the original on 2023-01-19. Retrieved 2020-02-26.
11. "Cybersecurity Improvement Act of 2017: The Ghost of Congress Past". 17 August 2017. https://devops.com/cybersecurity-improvement-act-2017-ghost-congress-past/. Archived from the original on 2022-12-16. Retrieved 2020-02-26.
12. "Executive Order on Improving the Nation's Cybersecurity". The White House. 2021-05-12. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. Archived from the original on 2021-05-15. Retrieved 2021-06-12.
13. "The Minimum Elements For a Software Bill of Materials (SBOM)". NTIA.gov. 2021-07-12. https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom. Archived from the original on 2023-06-05. Retrieved 2021-12-12.
14. "NTIA Releases Minimum Elements for a Software Bill of Materials". NTIA.gov. 2021-07-12. https://www.ntia.doc.gov/blog/2021/ntia-releases-minimum-elements-software-bill-materials. Archived from the original on 2022-11-22. Retrieved 2022-03-22.