US addresses securing software supply chain for managing open-source software, SBOM – Industrial…
Industry Cyber – Anna Ribeiro
A recent cybersecurity technical report by U.S. security agencies, expanding on a June 2023 memo from the Office of Management and Budget (OMB), focuses on enhancing the security of the software supply chain, especially for open-source software (OSS) and software bills of materials (SBOM).
The guidance, titled ‘Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials,’ was developed by the Enduring Security Framework (ESF) Software Supply Chain Working Group involving the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and the Cybersecurity and Infrastructure Security Agency (CISA).
The report provides comprehensive guidance for managing open-source software and SBOMs, recommending activities that developers and software suppliers can use to maintain and share awareness of the security of their software.
It highlights the importance of secure-by-design management practices for open source software and SBOMs to prevent vulnerabilities.
Additionally, the report outlines processes for maintaining, monitoring, and updating approved OSS integrated into product delivery, as well as creating SBOMs and their relation to vulnerability management.
Moreover, it details the EO 14028 directive issued by U.S. President Joe Biden, emphasizing the need for an SBOM, software security, and the publication of the ‘Minimum Elements For a Software Bill of Materials (SBOM)’.
The guidance lays out best practices and principles for managing OSS and SBOM across the software lifecycle, including practices for risk evaluation, crisis management, and vulnerability and threat report handling.
The report also emphasizes the importance of VEX (Vulnerability Exploitability eXchange) documents, which provide additional context and reduce false-positive vulnerability findings for a specific package instance listed in an SBOM.
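As an added illustration of that point (example code, not from the report or the agencies behind it), the Python triage step below walks scanner findings for components listed in an SBOM and uses VEX statements to decide which findings remain actionable. The SBOM layout, finding fields and statement fields are simplified assumptions, and the rule that a `not_affected` statement without a justification does not suppress a finding is a policy assumed here.

```python
import json

# Constructed sample data (not from the report or any real product): an SBOM
# component list, scanner findings matched against it, and VEX statements.
SBOM_JSON = json.dumps({
    "components": [
        {"name": "libalpha", "version": "1.4.0", "purl": "pkg:generic/libalpha@1.4.0"},
        {"name": "libbeta", "version": "2.0.1", "purl": "pkg:generic/libbeta@2.0.1"},
    ]
})
# Placeholder vulnerability ids; they are not real CVE numbers.
FINDINGS = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/libalpha@1.4.0"},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/libalpha@1.4.0"},
    {"id": "CVE-0000-0003", "purl": "pkg:generic/libbeta@2.0.1"},
    {"id": "CVE-0000-0004", "purl": "pkg:generic/libbeta@2.0.1"},
    {"id": "CVE-0000-0005", "purl": "pkg:generic/notinsbom@9.9.9"},
]
VEX_STATEMENTS = [
    {"vulnerability": "CVE-0000-0001", "product": "pkg:generic/libalpha@1.4.0",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": "CVE-0000-0002", "product": "pkg:generic/libalpha@1.4.0",
     "status": "not_affected"},  # no justification: assumed policy keeps it visible
    {"vulnerability": "CVE-0000-0003", "product": "pkg:generic/libbeta@2.0.1",
     "status": "fixed"},
    # CVE-0000-0004 has no statement at all and so stays under investigation.
]

# The four status values defined by VEX.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


def triage(sbom_json, findings, vex_statements):
    """Return (actionable, suppressed) finding lists after applying VEX context."""
    components = {c["purl"] for c in json.loads(sbom_json)["components"]}
    by_key = {(s["vulnerability"], s["product"]): s for s in vex_statements}
    actionable, suppressed = [], []
    for f in findings:
        if f["purl"] not in components:
            continue  # the SBOM is the inventory; findings outside it are out of scope here
        stmt = by_key.get((f["id"], f["purl"]))
        status = stmt["status"] if stmt else "under_investigation"
        if status not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status {status!r} for {f['id']}")
        if status == "not_affected" and stmt.get("justification"):
            suppressed.append({**f, "reason": stmt["justification"]})
        elif status == "fixed":
            suppressed.append({**f, "reason": "fixed"})
        else:
            actionable.append({**f, "status": status})
    return actionable, suppressed
```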
Furthermore, it suggests that organizations use the guide to assess and measure their security practices across the software supply chain’s acquisition, deployment, and operational phases.
The guidance aligns with industry best practices and principles, providing critical insights for software development and supply chain security.
Link: https://industrialcyber.co/supply-chain-security/us-addresses-securing-software-supply-chain-for-managing-open-source-software-sbom/