Cloud Controls Matrix


Linux Foundation Software Bill of Materials (SBOM) and Cybersecurity Readiness

  • 1.  Linux Foundation Software Bill of Materials (SBOM) and Cybersecurity Readiness

    Posted Feb 08, 2022 02:29:00 AM
    Hi All,

    The Linux Foundation recently published a Software Bill of Materials (SBOM) and Cybersecurity Readiness Report.

    This report talks extensively about SBOM readiness as well as the level of SBOM production and consumption. These questions were designed to identify where organizations are in their SBOM journey, ranging from no interest to planning to various stages of adoption. Because SBOM readiness was the best overall identification of SBOM adoption, we consolidated responses to this question into three categories: SBOM procrastinators, SBOM early adopters, and SBOM innovators. Respondents self-selected the category they were reported under. For details on how these categories mapped to SBOM readiness responses, see the Methodology section of this report.

    Michael Roza CPA, CISA, CIA, MBA, Exec MBA

  • 2.  RE: Linux Foundation Software Bill of Materials (SBOM) and Cybersecurity Readiness

    Posted Feb 09, 2022 09:08:00 AM
    In the context of 'cloud security' and SBOM:

    This paper indicates "The most pressing issue [is] the need for industry consensus on best practices to integrate the production and consumption of SBOMs into software development". I think this holds doubly true in a cloud environment. Do we even agree that a "bill of materials" is the key factor when trusting a SaaS? How does an SBOM inform the development and trust of pure cloud offers composed of other cloud offers? My sense is that the basic SBOM components discussion, although interesting in its own right, isn't particularly informative to the more cloud-specific hurdles facing cloud assurance frameworks.

    At another point the paper indicates, "The primary purpose of SBOMs is to uniquely and unambiguously identify components and their relationships to one another" (emphasis mine). 

    I think these relationships are the area with the most potential in SBOM4cloud. A structured format for articulating and evaluating the relationships and data flows between cloud and internal components is a prerequisite for risk management, threat modeling, or vendor security assessments. Structured solutions in this space will enhance automated assessment frameworks and also inform human assessments. I think this is an under-defined space with large opportunities for a cloud-focused organization to lead in.

    Max Pritikin
    Principal Engineer
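
The point raised in the reply above is that the relationship section of an SBOM, not the component list, is what lets an assessor reason about a SaaS built from other cloud offers. The following is an added example, written for this page and not part of the thread, the Linux Foundation report, or any CycloneDX tooling: it parses a constructed SBOM whose `dependencies` entries follow the CycloneDX `ref`/`dependsOn` convention, and answers the three questions a cloud assurance review would ask of it: which external services a SaaS transitively relies on, which components are exposed if one underlying service is compromised, and whether the relationship graph references anything the SBOM never declares. Every component name in the sample is invented.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for a hypothetical SaaS ("billing-portal")
# assembled from other cloud services. All refs and names are invented; only the
# document shape (components with bom-ref, dependencies with ref/dependsOn) follows
# the CycloneDX convention.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "saas:billing-portal",   "type": "application", "name": "billing-portal"},
    {"bom-ref": "svc:payments-api",      "type": "service",     "name": "payments-api"},
    {"bom-ref": "svc:identity-provider", "type": "service",     "name": "identity-provider"},
    {"bom-ref": "svc:object-storage",    "type": "service",     "name": "object-storage"},
    {"bom-ref": "svc:queue",             "type": "service",     "name": "queue"},
    {"bom-ref": "lib:json-parser@2.1",   "type": "library",     "name": "json-parser", "version": "2.1"}
  ],
  "dependencies": [
    {"ref": "saas:billing-portal",   "dependsOn": ["svc:payments-api", "svc:identity-provider", "lib:json-parser@2.1"]},
    {"ref": "svc:payments-api",      "dependsOn": ["svc:queue", "svc:identity-provider"]},
    {"ref": "svc:queue",             "dependsOn": ["svc:object-storage"]},
    {"ref": "svc:identity-provider", "dependsOn": []},
    {"ref": "svc:object-storage",    "dependsOn": []},
    {"ref": "lib:json-parser@2.1",   "dependsOn": []}
  ]
}
""")


def build_graph(sbom):
    """Map each ref to the refs it directly depends on, from the dependencies section."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_dependencies(graph, root):
    """Breadth-first walk: every ref reachable from root, directly or indirectly.
    The seen-set makes this safe on cyclic graphs."""
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return seen


def dependents_of(graph, target):
    """Reverse question for incident scoping: which refs are transitively exposed
    if target is compromised or unavailable."""
    reverse = {}
    for ref, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(ref)
    return transitive_dependencies(reverse, target)


def unresolved_refs(sbom):
    """Refs used in relationships but never declared as components: a sign the
    SBOM is incomplete and cannot be trusted for the assessment."""
    known = {c["bom-ref"] for c in sbom.get("components", [])}
    graph = build_graph(sbom)
    dangling = {dep for deps in graph.values() for dep in deps if dep not in known}
    dangling |= {ref for ref in graph if ref not in known}
    return sorted(dangling)


def third_party_services(sbom, root):
    """Transitive dependencies typed 'service': the other cloud offers the root
    relies on, which is what a vendor assessment of a composed SaaS must cover."""
    types = {c["bom-ref"]: c.get("type") for c in sbom.get("components", [])}
    reached = transitive_dependencies(build_graph(sbom), root)
    return sorted(ref for ref in reached if types.get(ref) == "service")


if __name__ == "__main__":
    graph = build_graph(SAMPLE_SBOM)
    print("services behind billing-portal:", third_party_services(SAMPLE_SBOM, "saas:billing-portal"))
    print("exposed if object-storage fails:", sorted(dependents_of(graph, "svc:object-storage")))
    print("unresolved refs:", unresolved_refs(SAMPLE_SBOM))
```

Note that `billing-portal` never lists `object-storage` as a direct dependency; it only reaches it through `payments-api` and `queue`. That is exactly the relationship information the reply argues for: a flat component list would show both names but would not tell the assessor that an outage or breach of the storage service propagates up to the customer-facing application.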