In a global economy, a healthy cybersecurity position is essential, especially when working towards or maintaining FedRAMP certification. Key to the overall protection of your business is a Software Bill of Materials (SBOM). MindPoint Group and other cybersecurity defenders utilize SBOMs as a reference to detect and end threats that may be embedded in widely spread code, even from trusted sources.
“Software today is built from components like Legos,” says Mike McPherson of Earthling Security. “There are so many different pieces (of code), libraries, and plugins that come together. Despite the final software coming from a trusted source, there may be things from outside that are in those libraries, and plugins that may not be.” Remember SolarWinds? It was a part of the software hacked long before the final code was rendered.
A well-maintained SBOM can protect against known and unknown problems by recording the place of origin of each piece of software, from the largest scale of programs used all the way to individual code repositories. The information contained in a SBOM can aid cybersecurity teams in finding and solving vulnerabilities. Other companies who may use the same code or software may reference their own SBOMs to protect against the same vulnerability.
It’s important to “make sure there’s not a chunk of code in there that, through an obfuscation, is also reporting back everything it does,”says Joshua Marpet of Earthling Security.
An SBOM is just one element of FedRAMP certified protection, but it is essential to the maintenance of your security. “(The SBOM) generates a conversation,” says Edna McCalla of MindPoint Group. “Do you know that these particular codes belong to so and so, and does that present a vulnerability or a threat?” When it comes to third party risk management, the SBOM is a crucial tool, and mandatory under FedRAMP.
“The cloud service providers that are going to perform and conduct business within the federal government must meet the minimum standards,”says Gabriela Smith-Sherman of MindPoint Group. “It's important to hold us accountable in a way that includes private sector, because this is all also going to touch many lives outside of just the federal government.”
Ultimately, the SBOM also serves the purpose of protecting others, not just ourselves. Tracing invasive code can be difficult and tedious, as discovered by SolarWinds over the last few years. When cybersecurity partners like Earthling Security and MindPoint Group detect and solve problems in distributed code, other businesses can reference their own SBOMs to ensure they’re not affected. If they are at risk, it’s an easier task to find and implement the necessary solution.
Contributors:
Gabriela Smith-Sherman
Joshua Marpet
Mike McPherson
Edna McCalla
Resources:
https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/