While the Software Bill of Materials (SBOM) has been a part of the cybersecurity vocabulary for some time, its importance has grown, especially in terms of its significance as part of routine cybersecurity workflows. CISA has thrown its weight behind the SBOM’s usage, declaring last year that “SBOMs have emerged as a key building block in software security and software supply chain risk management.”
As such, MSPs should make obtaining SBOMs a regular part of their repertoire because you never know when they’ll be needed.
“SBOM has been compared to a list of ingredients. Say someone has an allergic reaction to a cake, but you have no idea what ingredients are in the cake. Treating the reaction will be more complicated and take longer. But if you know exactly what is in it, you might be able to isolate the allergen. It’s an imperfect analogy, computer systems aren’t human systems, but if you have an SBOM, then you’ll have a head start on solving potential breaches and possibly containing them,” explains Alan Hannigan, a cybersecurity expert in Chicago.
Hannigan encourages MSPs to use SBOMs in their software development and management processes. “Since most MSPs are responsible for managing software systems on behalf of their clients, they need to ensure that the software they are using is secure, up-to-date, and compliant with relevant regulations. By using SBOMs, MSPs gain greater visibility into the software supply chain and can identify any potential vulnerabilities or compliance issues that may arise,” Hannigan describes.
SBOMs should be an integral part of cybersecurity services offerings
SBOMs, though, aren’t just a “good idea”; in many situations they are a requirement. And if they aren’t a requirement now, they likely will be soon.
Cybersecurity teams need to work toward making SBOMs part of every client service package. “We are seeing various bills in different stages being debated and legislated in the United States and Europe, so their requirement is only a matter of time and MSPs should act as if they are now required across the board,” Hannigan advises.
“Many government agencies and industry groups are increasingly requiring the use of SBOMs as part of their compliance and security initiatives,” Hannigan continues. But he says regulation must not stifle innovation and should remain flexible to the changing needs of software makers.
“The government is increasingly being vocal about SBOMs,” Hannigan points out. For example, the US National Institute of Standards and Technology (NIST) recently published guidelines on SBOMs, and the Cybersecurity and Infrastructure Security Agency (CISA) has encouraged organizations to use them. He says, “Use of SBOMs can help MSPs better manage and secure the software they are responsible for and meet compliance requirements.”
Hannigan says having an SBOM can help with cybersecurity in the following ways:
- Vulnerability management: By providing information on the software components used in a product, an SBOM can help identify vulnerabilities and potential attack vectors. This information allows organizations to prioritize patches and other security measures to mitigate risks. “We all know IT talent is stretched thin both in-house and at MSPs, so being able to target patches and other mitigatory measures helps efficiency and security,” he says.
- Risk assessment: An SBOM can help assess the risk associated with a software product. This information can be used to evaluate whether the software is suitable for use in critical environments or whether additional security controls are needed. “More and more places, especially in critical verticals, require SBOMs,” he explains.
- Supply chain security: With an SBOM, organizations can better manage their software supply chain. They can assess the security posture of their vendors and ensure that they are not using vulnerable or compromised software components.
- Incident response: In a security incident, an SBOM can help identify the affected software components and provide information on how to remediate the issue.
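The vulnerability-management and incident-response uses above come down to one mechanical step: matching the components listed in an SBOM against what is known to be affected. As an added example (not code from the article or from Hannigan), the Python below parses a constructed CycloneDX JSON SBOM and flags any component whose version is below the fixed version in a constructed advisory table; the component names and advisory ids are placeholders, not real packages or CVEs.

```python
"""Cross-check a CycloneDX SBOM against a list of known-affected components.

Constructed example: the SBOM document and the advisory table are made up
for illustration; the advisory ids are placeholders, not real CVE numbers.
"""
import json

# Constructed CycloneDX 1.4 JSON SBOM (not a real product's bill of materials).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-helper@2.14.1"},
    {"type": "library", "name": "json-tools", "version": "1.9.0",
     "purl": "pkg:npm/json-tools@1.9.0"},
    {"type": "library", "name": "crypto-shim", "version": "0.3.2",
     "purl": "pkg:pypi/crypto-shim@0.3.2"}
  ]
}
"""

# Constructed advisory table: component name -> (placeholder id, first fixed version).
# Any installed version below the fixed version is treated as affected.
ADVISORIES = {
    "log-helper": ("ADV-EXAMPLE-0001", "2.15.0"),
    "json-tools": ("ADV-EXAMPLE-0002", "1.8.0"),
}


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def affected_components(sbom_text, advisories=ADVISORIES):
    """Return [(name, version, advisory_id)] for components below their fixed version."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    hits = []
    for comp in bom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if name in advisories and version:
            adv_id, fixed = advisories[name]
            if parse_version(version) < parse_version(fixed):
                hits.append((name, version, adv_id))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in affected_components(SBOM_JSON):
        print(f"{name} {version}: affected by {adv_id}")
```

Only log-helper is reported: json-tools is already at or above its fixed version, and crypto-shim has no advisory, which is exactly the triage an SBOM makes possible without inspecting the deployed software by hand.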
Overall, an SBOM provides greater visibility and transparency into the software supply chain, which can help organizations better manage cybersecurity risks. By understanding what components are used in a product and their associated risks, organizations can make informed decisions and take proactive steps to protect their systems and data. “Still, SBOMs are not a silver bullet by any means; the guidelines for them are often voluntary, and enforcement mechanisms are lacking, so SBOMs are just one more tool for MSPs to wield,” Hannigan says.