Wikipedia

Software supply chain

A software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact.[1]

Software vendors often create products by assembling open-source and commercial software components. A software bill of materials[2] (SBOM) declares the inventory of components used to build a software artifact such as a software application.[3] It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help organizations or persons avoid consumption of software that could harm them.

The concept of a BOM is well-established in traditional manufacturing as part of supply chain management.[4] A manufacturer uses a BOM to track the parts it uses to create a product. If defects are later found in a specific part, the BOM makes it easy to locate affected products.

Usage

An SBOM is useful both to the builder (manufacturer) and the buyer (customer) of a software product. Builders often leverage available open-source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.[5] Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.

While many companies just use a spreadsheet for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. SBOMs gain greater value when collectively stored in a repository that can be a part of other automation systems, easily queried by other applications. This need for automated SBOM processing is addressed by CycloneDX and Software Package Data Exchange (SPDX), both being open document standards.

Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.[6][7][8]
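The Usage section above describes two things a stored, machine-readable SBOM makes possible: a builder checking whether a component falls inside an advisory's affected version range, and a buyer running a license policy over the same inventory. The script below is an added example, not code from the article or from the CycloneDX or SPDX projects. The SBOM, the advisory feed (placeholder identifiers), the version-range convention (introduced inclusive, fixed exclusive) and the denied-license policy are all constructed here for illustration; only the CycloneDX JSON field names (`components`, `purl`, `version`, `licenses[].license.id`) are taken from that format.

```python
"""Query a CycloneDX-style SBOM for known-vulnerable and license-policy-violating
components. Added example: SBOM, advisories and policy are constructed, not real."""
import json

# Constructed CycloneDX 1.5-style SBOM, as an SCA tool might emit it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/org.example/example-logging@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-json", "version": "1.9.0",
     "purl": "pkg:maven/org.example/example-json@1.9.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-db", "version": "5.0.2",
     "purl": "pkg:npm/example-db@5.0.2",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
  ]
}
"""

# Constructed advisory feed: package purl without version, affected range
# [introduced, fixed). The advisory ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-0001", "purl": "pkg:maven/org.example/example-logging",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADVISORY-PLACEHOLDER-0002", "purl": "pkg:maven/org.example/example-json",
     "introduced": "1.0.0", "fixed": "1.8.2"},
]

# Constructed license policy: licenses the buyer will not accept in this product.
DENIED_LICENSES = {"AGPL-3.0-only"}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def strip_version(purl):
    """'pkg:maven/org.example/x@1.2' -> 'pkg:maven/org.example/x'."""
    return purl.split("@", 1)[0]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(sbom, advisories):
    """Return (name, version, advisory id, fixed version) for each matching component."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no unique identifier: cannot be matched against the feed
        base = strip_version(purl)
        for adv in advisories:
            if adv["purl"] == base and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return hits


def find_license_violations(sbom, denied):
    """Return (name, license id) for each component declaring a denied license."""
    out = []
    for comp in sbom.get("components", []):
        for entry in comp.get("licenses", []):
            lic_id = entry.get("license", {}).get("id")
            if lic_id in denied:
                out.append((comp["name"], lic_id))
    return out


def analyze(sbom_text=SBOM_JSON):
    """Run both analyses over one SBOM document."""
    sbom = json.loads(sbom_text)
    return {"vulnerable": find_vulnerable(sbom, ADVISORIES),
            "license_violations": find_license_violations(sbom, DENIED_LICENSES)}


if __name__ == "__main__":
    for kind, findings in analyze().items():
        print(kind, findings)
```

Matching is done on the purl without its version, which is why the article stresses a unique identifier per component: a name alone is ambiguous across ecosystems, and a component with no identifier silently drops out of the check. Real feeds use richer range notations than a single introduced/fixed pair, and the same loop would run over every advisory, so an SBOM kept in a queryable store rather than a spreadsheet is what makes re-running this on each new advisory practical.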

Legislation

The Cyber Supply Chain Management and Transparency Act of 2014[9] was US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase. It also would have required obtaining SBOMs for "any software, firmware, or product in use by the United States Government". Though it ultimately didn't pass, this act did bring awareness to government and spurred later legislation such as "Internet of Things Cybersecurity Improvement Act of 2017."[10][11]

The US Executive Order on Improving the Nation's Cybersecurity of May 12, 2021[12] ordered NIST to issue guidance within 90 days to "include standards, procedures, or criteria regarding" several topics in order to "enhance the security of the software supply chain," including "providing a purchaser a Software Bill of Materials (SBOM) for each product." The order also required NTIA, within 60 days, to "publish minimum elements for an SBOM."

The NTIA minimum elements were published on July 12, 2021,[13] and the publication also "describes SBOM use cases for greater transparency in the software supply chain, and lays out options for future evolution." The minimum elements consist of three broad categories: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs). The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions.[14]
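The "data fields" category above lists baseline information each component record must carry; the NTIA document enumerates these as supplier name, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, and a timestamp. The script below is an added example, not code from the article or from NTIA, that checks a CycloneDX-style document for those fields. The sample SBOM is constructed, and the mapping from each NTIA field to a CycloneDX JSON key (`supplier.name`, `purl`/`cpe`/`swid`, `metadata.authors`, `metadata.timestamp`, `dependencies[].ref`/`dependsOn`) is this example's own assumption about how a tool would populate the format.

```python
"""Check a CycloneDX-style SBOM for the NTIA minimum data fields.
Added example; the SBOM below is constructed and deliberately incomplete."""
import json

# Constructed SBOM: 'example-core' is complete, 'example-parser' lacks a supplier
# and any unique identifier, 'example-orphan' is absent from the dependency graph,
# and the metadata carries a timestamp but no author.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2021-07-12T00:00:00Z",
    "component": {"type": "application", "bom-ref": "app", "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "core", "name": "example-core", "version": "4.1.0",
     "supplier": {"name": "Example Vendor"}, "purl": "pkg:maven/org.example/example-core@4.1.0"},
    {"type": "library", "bom-ref": "parser", "name": "example-parser", "version": "0.9.3"},
    {"type": "library", "bom-ref": "orphan", "name": "example-orphan", "version": "2.2.0",
     "supplier": {"name": "Example Vendor"}, "purl": "pkg:npm/example-orphan@2.2.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["core", "parser"]},
    {"ref": "core", "dependsOn": []}
  ]
}
"""


def check_metadata(sbom):
    """Author of SBOM data and timestamp: assumed to live in metadata.authors / metadata.timestamp."""
    meta = sbom.get("metadata", {})
    missing = []
    if not meta.get("authors"):
        missing.append("authors")
    if not meta.get("timestamp"):
        missing.append("timestamp")
    return missing


def check_component(comp):
    """Per-component fields: supplier name, component name, version, unique identifier."""
    missing = []
    if not comp.get("supplier", {}).get("name"):
        missing.append("supplier")
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    # Any one of the CycloneDX identifier fields satisfies 'other unique identifiers'.
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        missing.append("unique_id")
    return missing


def check_dependencies(sbom):
    """Dependency relationship: every component's bom-ref must appear somewhere in the graph."""
    referenced = set()
    for dep in sbom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    return [c["name"] for c in sbom.get("components", []) if c.get("bom-ref") not in referenced]


def run_checks(sbom_text=SBOM_JSON):
    """Aggregate all findings for one document."""
    sbom = json.loads(sbom_text)
    return {
        "metadata_missing": check_metadata(sbom),
        "component_missing": {c["name"]: check_component(c) for c in sbom.get("components", [])},
        "unreferenced_components": check_dependencies(sbom),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

A check like this belongs at the point where an SBOM is ingested into the repository the Usage section describes: a document that passes schema validation can still be useless for vulnerability matching if components have no identifier, and useless for provenance questions if nobody recorded who produced the SBOM or when.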

See also

Reproducible builds
Software Package Data Exchange
Software toolchain
Supply chain attack
Manifest file
Dependency hell

References

  1. "For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security" (PDF). USENIX ;login. Retrieved 2022-07-04.
  2. "Software Bill of Materials". ntia.gov. Retrieved 2021-01-25.
  3. "[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Retrieved 2015-06-12.
  4. "Code, Cars, and Congress: A Time for Cyber Supply Chain Management". Retrieved 2015-06-12.
  5. "Software Bill of Materials improves Intellectual Property management". Embedded Computing Design. Retrieved 2015-06-12.
  6. "Appropriate Software Security Control Types for Third Party Service and Product Providers" (PDF). Docs.ismgcorp.com. Retrieved 2015-06-12.
  7. "Top 10 2013-A9-Using Components with Known Vulnerabilities". Retrieved 2015-06-12.
  8. "Cyber-security risks in the supply chain" (PDF). Cert.gov.uk. Retrieved 2020-07-28.
  9. "H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014 - Congress.gov - Library of Congress". 4 December 2014. Retrieved 2015-06-12.
  10. "Internet of Things Cybersecurity Improvement Act of 2017" (PDF). Retrieved 2020-02-26.
  11. "Cybersecurity Improvement Act of 2017: The Ghost of Congress Past". 17 August 2017. Retrieved 2020-02-26.
  12. "Executive Order on Improving the Nation's Cybersecurity". The White House. 2021-05-12. Retrieved 2021-06-12.
  13. "The Minimum Elements For a Software Bill of Materials (SBOM)". NTIA.gov. 2021-07-12. Retrieved 2021-12-12.
  14. "NTIA Releases Minimum Elements for a Software Bill of Materials". NTIA.gov. 2021-07-12. Retrieved 2022-03-22.
