In today's digital landscape, software development often relies on a vast ecosystem of third-party components and libraries to both ease development and enhance functionality. But while leveraging third-party software can streamline processes and promote innovation, it also introduces a variety of risks that organizations must be aware of and monitor closely.
As any other software, open-source third-party software can be vulnerable to cyberattacks, and although these projects benefit from community collaboration and transparency, they may also lack dedicated resources for security oversight and maintenance, and vulnerabilities in open-source code can be exploited by attackers to infiltrate systems, execute malicious code, or compromise sensitive data. Also, the complex, interconnected nature of software dependencies can amplify the impact of security flaws, allowing attackers to exploit weaknesses in upstream components to compromise downstream systems.
What is a Software Bill of Materials (SBOM)?
A Software Bill of Materials (SBOM) is a critical document or data structure that serves as a comprehensive inventory of all the components, libraries, modules, and dependencies that constitute a software application, comparable to the list of ingredients but for software solutions, providing detailed insights into the composition of said software, enabling stakeholders to understand the underlying building blocks of an application and its associated supply chain, typically including information like the names and versions of software components, their sources (e.g., open-source repositories, third-party vendors), licensing information, and any known vulnerabilities or security issues. This level of granularity allows organizations to gain visibility into the software stack, track the origins of each component, and assess potential risks associated with third-party dependencies.
SBOMs play a crucial role in vulnerability management and risk mitigation, helping organizations to quickly identify and address potential threats within their software infrastructure, and allowing security teams to promptly assess the impact of vulnerabilities, prioritize remediation efforts, and implement appropriate security measures to safeguard their systems and data. It also contributes to a more effective supply chain management by enabling organizations to evaluate the security posture of third-party vendors and assess the trustworthiness of software components sourced from external providers. By integrating it in their procurement processes and vendor assessments, organizations can make better informed decisions about software acquisitions, mitigate supply chain risks, and uphold security standards across their ecosystem.
Illustrative Example of Software Life Cycle and Bill of Materials Assembly Line
Existing Laws and Regulations
Given the significant risks associated with unidentified vulnerabilities within expansive IT ecosystems, there have been advancements over the last years with various cyber resilience initiatives, all stressing the use of SBOMs. The Presidential Executive Order (EO) 14028 in the United States, and the European Commission (EU) Cyber Resilience Act in the European Union, will both require software developers to produce an SBOM for their products. Although the US initiative initially targets Independent Software Vendors (ISVs) supplying software to the government, it is highly probable that this requirement will eventually expand to encompass critical infrastructure sectors such as energy and transportation.
The Log4j Vulnerability and Why SBOM Matters
The Log4j vulnerability, officially designated as CVE-2021-44228, refers to a critical security flaw discovered in the Apache Log4j library, a very popular Java-based logging utility used by numerous software applications and services. This flaw allowed attackers to remotely execute arbitrary code on systems that used the affected versions of Log4j, and thus posed a significant security risk as it could be exploited by cybercriminals to compromise servers, applications, and other software systems that relied on that library for logging functionality.
Disclosed in December 2021, it gained widespread attention due to its severity and the potential impact on many systems across various industries; many organizations struggled to patch their systems and update their software dependencies, to mitigate the risk of exploitation. The widespread use of Log4j across a broad range of software applications and services meant that the vulnerability had far-reaching implications, prompting swift action from security researchers, software vendors, and IT professionals to address the issue and protect vulnerable systems.
Another example are the different vulnerabilities (CVE-2023-46805, CVE-2024-21887, CVE-2024-21893 and CVE-2024-22024) recently discovered to affect the VPN solution/appliance offered by a renowned UEM vendor. Close forensics examination of the firmware operating on the appliances through reverse engineering uncovered several vulnerabilities, highlighting once more the difficulty in securing software supply chains. One of them was the fact that said appliance was still relying on an 11-year-old version of CentOS Linux operating system (OS), unsupported since November 2020, not to mention the numerous outdated libraries it contained.
Both examples underscore the critical importance of having Software Bills of Materials (SBOMs), highlighting the necessity of transparency and accountability in software supply chains, providing comprehensive documentation of software components and dependencies, so organizations could quickly identify vulnerable elements like Log4j within their own systems.
What To Do Next?
Implement a solution to monitor your whole infrastructure, including back-end messaging servers, EMM/UEM solutions, IoT devices and all employees’ endpoints, from desktop computers to mobile devices. ISEC7 SPHERE, our technology-agnostic platform, provides management, insight, and monitoring capability in a singular console across all your digital workplace solution. It can monitor over 750 parameters and flag potential issues before they impact end-users. Proactive alerts are sent to assigned IT staff who can resolve issues before they turn into outages. With only one system to manage, issues are identified and resolved faster, requiring less IT staff with a significant impact on the operational cost.
Vulnerability Management
ISEC7 SPHERE collects Common Vulnerability and Exploit (CVE) for all your monitored systems from the National Vulnerability Database (NVD), a public vulnerability repository maintained by the Cybersecurity & Infrastructure Security Agency (CISA), that provides information about known vulnerabilities, as published by the corresponding software vendors. Once found, ISEC7 SPHERE displays them under the affected system and can consider that information to calculate the server status; administrators can easily click on said CVEs to review them, then acknowledge them once installed on the corresponding systems.
Example of CVE monitoring results for an affected Ivanti EPMM server under ISEC7 SPHERE
Note that publishing Common Vulnerabilities and Exposures (CVE) information in the National Vulnerability Database (NVD) is voluntary, collaborative effort between software vendors, security researchers, and the CVE Program; it is not mandatory for software vendors to publish CVE details there.
Security Patch Revisions
ISEC7 SPHERE can also display a chart with the number of mobile devices that are operating using security patch levels of the given timeframes in months, helping quickly identify which devices need to be updated, to not only improve the device’s overall performance, but most importantly, ensure said devices remain safe and protected from potential security threats.
Example: Security Patch Levels
Benefits and Limitations
SBOM presents several advantages for enhancing cybersecurity posture. Primarily, it offers transparency into the software supply chain, enabling organizations to identify and assess potential security risks associated with third-party components and dependencies. This transparency facilitates proactive vulnerability management, as organizations can quickly pinpoint and address vulnerabilities within their software ecosystem. Furthermore, SBOM aids in regulatory compliance by providing documentation of software components and their associated security vulnerabilities, helping organizations meet compliance requirements more effectively.
However, its implementation also comes with its share of challenges and drawbacks. Maintaining an accurate and up to date SBOM can be resource-intensive, particularly for complex software systems with numerous dependencies. Additionally, sharing detailed information about software components through SBOM may raise security concerns, as sensitive data could be exposed to unauthorized access or misuse. Furthermore, attackers may exploit SBOM information to identify potential targets and launch targeted attacks against vulnerable components, highlighting the need for robust security measures to protect SBOM data from malicious exploitation.
Finally, organizations must establish robust patch management processes, as part of good cybersecurity practices, that prioritize critical vulnerabilities, automate patch deployment where possible, regularly assess their infrastructure for weaknesses, and maintain clear communication channels to ensure timely response to emerging threats. Having SBOM and Software Self-Attestation information for the different solutions present in an organization is only good if said organization is ready to take remedy actions in a coordinated, timely manner whenever they are published by the vendor.
Maintaining up-to-date software is a critical part of cybersecurity as it fixes bugs and vulnerabilities that attackers will exploit to gain access to information systems. No matter the size or how widely deployed your ecosystem is, understanding your business and the operational needs of your cybersecurity solution is paramount in providing the right solution to address your specific vulnerabilities.
The team of experts at ISEC7 can not only provide an objective assessment of your organization’s infrastructure, but also a demo of ISEC7 SPHERE and show you how to monitor your entire mobile infrastructure, find and address vulnerabilities, and ultimately secure your environment through this one essential solution.
Please feel free to contact the team at ISEC7 and we can help you take steps to secure your infrastructure.