Cyberattacks on software are increasing, and the best chance organizations have of protecting themselves is to know about potential vulnerabilities through a software bill of materials (SBOM), according to a senior adviser and strategist at the Cybersecurity and Infrastructure Security Agency.

Computer software is in everything from cars to manufacturing equipment, but unlike metal parts, barrels of liquids, or other items used in production, we often know nothing about who created the software and its history. This has created huge risk for organizations, said Allan Friedman during his keynote address at Day 1 of Compliance Week’s virtual Cyber Risk & Data Privacy Summit on Wednesday.

“The security of software has gotten better” over time, but software is created by humans and humans make mistakes, Friedman said. “The starting point is transparency.”

An SBOM is like a list of ingredients for a Twinkie, Friedman said. With that information a family can ensure none of the components of the Twinkie trigger an allergy.

“But the list by itself won’t protect them,” Friedman said. It’s a first step in the process, he noted.

In manufacturing, every barrel of raw material comes with a bill of material, which lists the ingredients and where they came from.

“The vision is: Let’s have that same level of transparency for software,” Friedman said.

Recent high-profile cyber events like the SolarWinds hack and Log4j exploits hammer home the point for organizations and the government. They must know more about the software they use, especially its vulnerabilities, Friedman said.

“Today we have very little visibility,” he said. “It’s pretty embarrassing.”

Allan Friedman 2 Cyber Risk 2023

“An SBOM won’t solve all of our problems for security, but it will be a very good starting point—a data point on which to do risk assessments,” said Allan Friedman, senior adviser and strategist at CISA, during his keynote at CW’s Cyber Risk & Data Privacy Summit.

Approaching software like any other product in manufacturing and pairing it with an SBOM is an essential step toward strengthening cybersecurity, according to Friedman.

President Joe Biden issued an executive order in May 2021 on improving the nation’s cybersecurity. The order included a new requirement that software sold to government agencies must include an SBOM. The Commerce Department’s National Telecommunications and Information Administration issued detailed guidance about the requirement in July 2021.

Leveraging the purchasing power of the federal government to influence the market and build security into software used throughout the nation is the order’s goal, according to the guidance.

The interest in SBOM has continued to grow, moving from a niche topic discussed only by information technology departments to a practice adopted by large businesses and compliance departments tracking SBOM data.

“Software is not written—it’s assembled out of building blocks,” Friedman said. And those blocks have origins, histories, and vulnerabilities that, if disclosed, allow organizations to better defend themselves against cyberattacks, he said.

Ideally, an SBOM should provide details on suppliers, components, components versions, identifiers, and authors, Friedman said.

About 90 percent of software used in large, commercial projects is “open source,” meaning anyone can use it and the code is freely available online. Open source is cheaper compared to commercial software.

“But it is provided ‘as is,’ with no warranties or protections” about its vulnerabilities, Friedman explained.

During the height of the Log4j exploits in December 2021, Friedman was holed up in his in-laws’ guest room trying to find out where the software was being used.

“The lack of visibility into the software meant we spent a lot of time and effort,” Friedman said. “An SBOM won’t solve all of our problems for security, but it will be a very good starting point—a data point on which to do risk assessments.”