Security and automation with SBOMs
Unboxing
In recent years, the software supply chains at SolarWinds and Kaseya, among others, have been targeted, and serious vulnerabilities have been identified in widely used open source libraries, including Heartbleed in OpenSSL in 2014 and Log4j in 2021. In both cases, innumerable systems were affected.
Back in May 2021, the United States introduced an obligation to provide a software bill of materials (SBOM) in a Presidential Executive Order on Improving the Nation's Cybersecurity [1]. The European Parliament recently adopted (March 2024) the Cyber Resilience Act (CRA), which also calls for an SBOM [2].
The need for action by all companies that produce and distribute software as a standalone product or as part of products such as electrical appliances or machines is real. At the same time, the SBOM offers every company the opportunity to better understand and manage the attack surface and respond more quickly to threats.
Software Bill of Materials
The vast majority of modern software is no longer coded from scratch and then compiled; rather, it makes extensive use of standard libraries and frameworks such as the OpenSSL and Log4j already mentioned, which provide functions such as SSL/TLS encryption or logging. A very large proportion of these libraries are open source and freely available. In addition to the basic libraries, other services are also used in software, whether in technical goods, as standalone applications, or in the form of cloud services. For cloud applications in particular, these are typically platforms as a service (PaaS), from databases to artificial intelligence (AI).
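To make concrete what an SBOM lets a defender do with this layered dependency picture, the following added example (not code from the article) parses a small CycloneDX JSON document, walks nested components, and matches each package URL (purl) against an advisory list. The SBOM contents, the advisory identifiers (ADVISORY-PLACEHOLDER-1 and -2) and the affected version ranges are all constructed for illustration and are not real advisories.

```python
import json

# Constructed sample SBOM in CycloneDX JSON form (illustrative, not a real product's SBOM).
# The "billing-service" entry carries its own nested component list, which is how
# CycloneDX expresses bundled or transitive dependencies.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "1.0.1f",
         "purl": "pkg:generic/openssl@1.0.1f"},
        {"type": "application", "name": "billing-service", "version": "3.2.0",
         "components": [
             {"type": "library", "name": "openssl", "version": "3.0.13",
              "purl": "pkg:generic/openssl@3.0.13"},
         ]},
    ],
})

# Constructed advisory list with placeholder identifiers. A real feed (e.g. a vendor
# or OSV-style export) would be loaded here instead; the ranges below are illustrative only.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "min": "2.0", "max_exclusive": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-2",
     "purl_prefix": "pkg:generic/openssl",
     "min": "1.0.1", "max_exclusive": "1.0.2"},
]


def parse_version(version):
    """Turn a dotted version into a comparable tuple of integers.

    Letter suffixes such as the "f" in "1.0.1f" are dropped per segment, so
    "1.0.1f" compares as (1, 0, 1). This is a simplification: real ecosystems
    have their own ordering rules (semver pre-releases, Debian epochs, ...).
    """
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def iter_components(components):
    """Yield every component, descending into nested component lists."""
    for component in components:
        yield component
        yield from iter_components(component.get("components", []))


def purl_base(purl):
    """Strip the "@version" part of a purl so it can be compared to an advisory prefix."""
    return purl.split("@", 1)[0]


def find_affected(sbom_json, advisories):
    """Return (advisory id, purl) pairs for every component inside an affected range."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    hits = []
    for component in iter_components(sbom.get("components", [])):
        purl = component.get("purl")
        version = component.get("version")
        if not purl or not version:
            # Components without a purl or version cannot be matched reliably;
            # in practice these should be reported as SBOM quality gaps.
            continue
        found = parse_version(version)
        for advisory in advisories:
            if purl_base(purl) != advisory["purl_prefix"]:
                continue
            low = parse_version(advisory["min"])
            high = parse_version(advisory["max_exclusive"])
            if low <= found < high:
                hits.append((advisory["id"], purl))
    return hits


if __name__ == "__main__":
    for advisory_id, purl in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{advisory_id}: {purl}")
```

Running the script reports the top-level log4j-core and openssl 1.0.1f entries and correctly leaves the nested openssl 3.0.13 alone, which is exactly the question an SBOM is meant to answer quickly when a new advisory appears: which of our shipped products embed an affected component, at any depth.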
Today's reality is characterized by complex, multilayered software from a variety of sources, which creates the challenge, thus far difficult to understand, as to what