US calls for a more comprehensive software bill of materials (SBOM) framework may do more harm than good, experts have warned.
Industry experts have suggested that proposed rules could provide threat actors with more information on how to wage targeted attacks against software providers.
The claims come in the wake of a hearing held by the US House Subcommittee on Cybersecurity on 30 November which discussed introducing a “clearer and more comprehensive” framework for SBOMs in light of recent attacks leveraging software supply chain vulnerabilities.
An SBOM is an inventory listing the constituent elements that make up a specific piece of software, including license versions and type of components involved.
Although industry experts are generally in favor of their use to bolster supply chain protections, they have warned against going too far with the scope of the regulations.
Jamil Jaffer, founder and executive director of the National Security Institute at George Mason’s University law school, specifically raised concerns about playing into the hands of threat actors by expanding SBOM requirements in his testimony.
“By exposing everything that's in a bill of materials right in the software — it also gives our adversaries information about what to go after. So there are upsides and downsides."
Chris Hughes, chief security advisor at Endor and cyber innovation fellow at CISA, noted, however, the extended success threat actors are enjoying when trying to infiltrate software supply chains within the current security environment.
“While there is truth that SBOMs can be a “blueprint or roadmap for the attacker” (an argument NTIA/CISA even address in their publications), attackers seem to be doing just fine exploiting systems and wreaking havoc already.”
The case for SBOMs
SBOM's were introduced in 2010 to help secure software development and specifically supply chain risk management.
Using SBOMs, organizations are able to get a clear picture of the security dependencies and components of a particular software application, and can then adjust their security posture accordingly.
The NTIA and CISA have previously released documents on the importance of SBOMs and there are a number of tools available to help organizations generate the inventories.
In August 2023, an executive order by the Biden administration required companies to implement an SBOM as an attempt to improve cyber security hygiene across the country.
Supply chain attacks pose significant threat to government bodies
Last week’s hearing centered specifically on safeguarding the federal software supply chain, which has become a serious concern for business leaders and security experts over recent years.
Block known threats at scale for all users and devices
DOWNLOAD NOW
Supply chain attacks involve hackers using exploits in popular software distribution systems as attack vectors through which they can infiltrate the networks of a wide range of private and public organizations.
Exploits of this nature have wrought havoc on organizations’ IT estates recently with attacks such as the Log4j, MOVEit, or the SolarWinds breaches all causing grave concern among IT leaders.
Although advocating caution before adjusting the SBOM framework, Jaffer did concede the particular threat supply chain attacks pose to national security at the moment.
“When it comes to the threat scenarios, it is worth noting that the exploitation or compromise of our software supply chain not only has national security implications because of its use for potential espionage or the delivery of destructive malware, but also because of it continued use to expand the massive economic impact of nation-state-enabled IP theft.”
