Over recent years, the number of cyber attacks to software supply chains has exponentially increased (Statista). To help proactively mitigate this growing risk, the National Security Agency (NSA) has released the Cybersecurity Information Sheet (CSI) Recommendations for Software Bill of Materials (SBOM) Management.
In the words of the NSA Press Room, “This CSI provides network owners and operators with guidance for incorporating SBOM use to help protect the cybersecurity supply chain, with a focus on and some additional guidance for National Security Systems (NSS)” (NSA Releases Recommendations to Mitigate Software Supply Chain Risks).
The recommendations (which can be read in full here) define the how SBOMs, their visualisation and management of information they surface can help to mitigate supply chain risk. The NSA explicitly calls out “SBOMs and SBOM management tools bridge this gap to support an improved cybersecurity posture. Specifically, users should leverage SBOMs, as part of a cybersecurity tool suite, to make:
- Risk Management decisions about acquiring and deploying software,
- Vulnerability Management decisions about software deployment and ongoing operations, and
- Incident Management decisions to detect and respond to new software vulnerabilities during vital operations.”
These recommendations are a guidance cornerstone, that moving the US government (and vendors who sell to them!) will need to meet.
How does Vulnerabilities.io make this easy?
- Real-time (schema compliant) SBOMs available at any time: Be able to see your ensure software supply chain at any time, across all of your source control systems. Forget about needing to manually produce such complex artefacts or needing to keep them up to date.
- Full risk life cycle management: Take pro-active ownership of risks inline with your risk appetite and focus on what’s important to you.
- Package vulnerability identification: Whether you’re reliant on a component or something downstream is. Covering the whole software supply chain.
- End of life package identification: Understand where you’re being ‘held over a barrel’ and depend on packages that are beyond end of life or out of support. Knowing this is critical to pre-actively ensuring you’re in the best position to respond to zero-days or other new vulnerabilities.