As part of cyber guidelines for engineering teams, including a Software Bill of Materials (SBoM) can be a good idea. In many areas, such as with medical devices, it is a mandatory aspect of the development process. Generating a complete SBoM requires multiple techniques and tools that can vary widely based on the product being cataloged. Different languages and technologies can be processed differently and may require some specialized knowledge. This will serve as a general framework for how SBoMs get generated and what some holdups may be.
Automated tooling is extremely helpful for SBoM generation and can save massive amounts of time and energy. Many different open-source and commercial tools are available, each with advantages and disadvantages. These tools tend to provide different outputs on the same project due to the different techniques that each one uses. When selecting a tool, it can be worth comparing the output of several different ones to see what provides the best results.
These automated tools work through a codebase and look for any dependencies mentioned. This can then provide a good report of all of the external components included in your codebase and allow for a clear picture of everything that is being pulled in externally. Codebases can get complex quickly depending on the project, so having a solution for combing through files as opposed to manual searching can save a lot of time.
Components must be checked for vulnerabilities as a major part of SBoM generation. A component having a vulnerability does not necessarily mean that your product will be vulnerable, but it should set off alarm bells that the problem should be addressed. Vulnerabilities in 3rd party components can have massive consequences if left unchecked, so it is important to evaluate the risk in all aspects of your device carefully.
Often, it may simply be a certain aspect of the component that is vulnerable. In such cases, that aspect can be avoided or circumvented while keeping the 3rd party component in the system. Doing this should be carefully documented, with a skilled security professional reviewing solutions for effectiveness. This type of compensating control is good when a 3rd party library or software is necessary for the system, and even changing versions will cause major problems. It should be noted that this can not be possible when the entire component is vulnerable.
In cases where every aspect of the component is vulnerable or a critical function used in the system, looking for an alternative solution may be a better idea. Often this can be as easy as simply upgrading to a newer version that does not hold the same problems. Other times, this can be a more complicated problem. If there are no patches to mitigate the problem, the next best solution is likely finding an alternative product and modifying the custom software to accommodate the new aspect.
While automated tooling can take care of a large portion of the work, it can still be a good idea to go in deeper with some manual enumeration. This can often catch areas that tooling missed or research certain areas that were not in the main codebase. A good example of this would be a product that includes OS images. Scanning these with automated techniques can be hard, so going through them manually may provide better results.
Manual analysis can also involve more collaboration between the security and development teams. Engineers should carefully document any software utilized in their end product. Even with diligence when documenting this, certain things can slip through the cracks. That is where the security team comes in to validate that documentation is correct and everything is kept fully secure.
Remediating vulnerabilities identified in components through manual analysis will largely be the same as automated tooling. One difference that may come up is the type of component identified. Software found in harder-to-reach areas accessed through manual testing may involve some more complicated solutions to ensure security. Again, this is where the services of a skilled security professional can be helpful.
Blue Goat Cyber Can Help
Let our team help you with the SBoM process and ensure your device is properly documented and secured. We are familiar with regulatory requirements for a wide range of industries and can help reduce the time you spend dealing with security headaches. Contact us to find the right solution for your team.