Software supply chain
{{Short description|Components, libraries, tools, and processes used to develop, build, and publish a software artifact}}
A software supply chain is the components, libraries, tools, and processes used to develop, build, and publish a software artifact.{{cite web |url=https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf |title=For Good Measure Counting Broken Links: A Quant's View of Software Supply Chain Security |publisher=USENIX ;login |access-date=2022-07-04 |archive-date=2022-12-17 |archive-url=https://web.archive.org/web/20221217223413/https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf |url-status=live }}
A software bill of materials (SBOM) declares the inventory of components used to build a software artifact, including any open source and proprietary software components.{{cite web |url=http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part2/ |title=[Part 2] Code, Cars, and Congress: A Time for Cyber Supply Chain Management |access-date=2015-06-12 |archive-date=2015-06-14 |archive-url=https://web.archive.org/web/20150614155320/http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part2/ |url-status=dead }}{{cite web |title=Software Bill of Materials |url=https://www.ntia.gov/sbom |url-status=live |archive-url=https://web.archive.org/web/20221130122348/https://www.ntia.gov/SBOM |archive-date=2022-11-30 |access-date=2021-01-25 |publisher=ntia.gov}} It is the software analogue to the traditional manufacturing BOM, which is used as part of supply chain management.{{cite web |url=http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part1/ |title=Code, Cars, and Congress: A Time for Cyber Supply Chain Management |access-date=2015-06-12 |archive-date=2014-12-30 |archive-url=https://web.archive.org/web/20141230024245/http://blog.sonatype.com/2014/12/cyber-supply-chain-management-part1/ |url-status=dead }}
Usage
An SBOM allows builders to make sure open-source and third-party software components are up to date and respond quickly to new vulnerabilities.{{cite web |url=http://embedded-computing.com/article-id/?3826= |title=Software Bill of Materials improves Intellectual Property management |work=Embedded Computing Design |access-date=2015-06-12 |archive-date=2018-08-25 |archive-url=https://web.archive.org/web/20180825115542/http://embedded-computing.com/article-id/?3826= |url-status=live }} Buyers and other stakeholders can use an SBOM to perform vulnerability or license analysis, which can be used to evaluate and manage risk in a product.{{cite web |title=Appropriate Software Security Control Types for Third Party Service and Product Providers |url=http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf |url-status=live |archive-url=https://web.archive.org/web/20230119154913/http://docs.ismgcorp.com/files/external/WP_FSISAC_Third_Party_Software_Security_Working_Group.pdf |archive-date=2023-01-19 |access-date=2015-06-12 |publisher=Docs.ismgcorp.com}}{{cite web |title=Top 10 2013-A9-Using Components with Known Vulnerabilities |url=https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities |url-status=live |archive-url=https://web.archive.org/web/20191006034721/https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities |archive-date=2019-10-06 |access-date=2015-06-12}}{{cite web |title=Cyber-security risks in the supply chain |url=https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security |url-status=live |archive-url=https://web.archive.org/web/20230606054804/https://www.ncsc.gov.uk/collection/supply-chain-security/principles-supply-chain-security |archive-date=2023-06-06 |access-date=2020-07-28 |publisher=Cert.gov.uk |format=PDF}}
While many companies use a spreadsheet for general BOM management, there are additional risks and issues in an SBOM written to a spreadsheet. It is best practice for SBOMs to be collectively stored in a repository that can be part of other automation systems and easily queried by other applications.{{Cn|date=September 2024}}
Legislation
The Cyber Supply Chain Management and Transparency Act of 2014{{cite web|url=https://www.congress.gov/bill/113th-congress/house-bill/5793|title=H.R.5793 - 113th Congress (2013-2014): Cyber Supply Chain Management and Transparency Act of 2014 - Congress.gov - Library of Congress|date=4 December 2014|access-date=2015-06-12|archive-date=2022-12-16|archive-url=https://web.archive.org/web/20221216085631/https://www.congress.gov/bill/113th-congress/house-bill/5793|url-status=live}} was a failed piece of US legislation that proposed to require government agencies to obtain SBOMs for any new products they purchase and to obtain SBOMs for "any software, firmware, or product in use by the United States Government". The act spurred later legislation such as "Internet of Things Cybersecurity Improvement Act of 2017."{{cite web | url=https://www.warner.senate.gov/public/_cache/files/8/6/861d66b8-93bf-4c93-84d0-6bea67235047/8061BCEEBF4300EC702B4E894247D0E0.iot-cybesecurity-improvement-act---fact-sheet.pdf | title=Internet of Things Cybersecurity Improvement Act of 2017 | access-date=2020-02-26 | archive-date=2023-01-19 | archive-url=https://web.archive.org/web/20230119154917/https://www.warner.senate.gov/public/_cache/files/8/6/861d66b8-93bf-4c93-84d0-6bea67235047/8061BCEEBF4300EC702B4E894247D0E0.iot-cybesecurity-improvement-act---fact-sheet.pdf | url-status=live }}{{cite web | url=https://devops.com/cybersecurity-improvement-act-2017-ghost-congress-past/ | title=Cybersecurity Improvement Act of 2017: The Ghost of Congress Past | date=17 August 2017 | access-date=2020-02-26 | archive-date=2022-12-16 | archive-url=https://web.archive.org/web/20221216085645/https://devops.com/cybersecurity-improvement-act-2017-ghost-congress-past/ | url-status=live }}
The US Executive Order on Improving the Nation’s Cybersecurity of May 12, 2021 ordered NIST and NTIA to lay down guidelines for software supply chain management, including for SBOMs.{{Cite web |date=2021-05-12 |title=Executive Order on Improving the Nation's Cybersecurity |url=https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ |url-status=live |archive-url=https://web.archive.org/web/20210515153804/https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ |archive-date=2021-05-15 |access-date=2021-06-12 |website=The White House |language=en-US}} The NTIA outlines three broad categories of minimum elements of SBOMs: data fields (baseline information about each software component), automation support (the ability to generate SBOMs in machine- and human-readable formats), and practices and processes (how and when organizations should generate SBOMs).{{Cite web |date=2021-07-12 |title=The Minimum Elements For a Software Bill of Materials (SBOM) |url=https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom |url-status=live |archive-url=https://web.archive.org/web/20230605180225/https://www.ntia.doc.gov/report/2021/minimum-elements-software-bill-materials-sbom |archive-date=2023-06-05 |access-date=2021-12-12 |website=NTIA.gov |language=en-US}} The "automation support" requirement specifies the need for "automatic generation," which is possible with the use of Software Composition Analysis (SCA) solutions.{{Cite web|date=2021-07-12|title=NTIA Releases Minimum Elements for a Software Bill of Materials|url=https://www.ntia.doc.gov/blog/2021/ntia-releases-minimum-elements-software-bill-materials|access-date=2022-03-22|website=NTIA.gov|language=en-US|archive-date=2022-11-22|archive-url=https://web.archive.org/web/20221122233746/https://www.ntia.doc.gov/blog/2021/ntia-releases-minimum-elements-software-bill-materials|url-status=live}}