We got Shiny SBoM; What Next?

A presentation at C0c0n 2024 in November 2024 in Gandhinagar, Gujarat, India by Anant Shrivastava

We got the Shiny SBoM; what next? Anant Shrivastava

Anant Shrivastava ● Chief researcher @ Cyfinoid Research ● 15+ yrs of corporate exposure ● Speaker / Trainer: BlackHat, c0c0n, nullcon, RootConf, RuxCon ● Project Lead: ● ○ Code Vigilant (Code Review Project) ○ Hacking Archives of India, ○ TamerPlatform (Android Security) (@anantshri on social platforms) https://anantshri.info (C) Cyfinoid Research 2

What is Software Bill of Material • Itemized list of all the ingredients in the software • Ingredients means mostly third-party components • • • • • Software name Version Checksum License information Dependencies list if possible • SBoM’s are mostly for one level depth only with other levels plugged in each other. https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom (C) Cyfinoid Research 3

Events Incidences • SolarWind • CodeCov • Colonial Pipeline Resultant • EO by US President • NIST SSDF Framework • SLSA by google • 2024 : Cert-in issued guidelines (C) Cyfinoid Research 4

Every standard starts with competition • SPDX • ISO Standard • Github provides default export in this format • CycloneDX • OWASP Supported • Now an ISO Standard • SWID • Alternative ISO specification https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf (C) Cyfinoid Research 5

Where are we in the SBoM Journey Generation Distribution (C) Cyfinoid Research Verification Consumption 6

Users of SBoM Producer Consumer End User • Library Authors • Base functionality • Creating Product using 3rd party • Need to consume and produce SBoM • Only Leverages product • Cant do anything besides upgrade or hold (C) Cyfinoid Research 7

How to create SBoM • Github provides dependency Graph in “Insights” • SBoM generation tools • Cdxgen • https://github.com/CycloneDX/cdxgen • SPDX Generator • https://github.com/spdx/tools • /dev/hand if all else fails (Its XML) (C) Cyfinoid Research 8

GitHub Export SBOM Option (C) Cyfinoid Research 9

Github API automation (C) Cyfinoid Research 10

Extract SBoM from Github (C) Cyfinoid Research 11

SBoM can help security • Identifying incorrect use of software • Identify what to fix in scenarios like log4shell • Identify impact in sec bug release in a core component • Basically, Inventory problems Ref: XKCD.com/2347 (C) Cyfinoid Research 12

Security efforts already in progress • VDR : Vulnerability Disclosure Report • VEX : Vulnerability Exploitability eXchange • xBoM’s • • • • • • Software-as-a-Service Bill of Materials (SaaSBOM) Hardware Bill of Materials (HBOM) Machine Learning Bill of Materials (ML-BOM) Cryptography Bill of Materials (CBOM) Manufacturing Bill of Materials (MBOM) Operations Bill of Materials (OBOM) • Attestations (C) Cyfinoid Research 13

Funny thought Most of the times software industry is fixing problems, that are created by software industry (C) Cyfinoid Research 14

What problems have we created • Software build automation == quicker release cycle • Automated release cycle == less wait for features • Faster feature release == less inclination to upgrade dependencies • Too much focus on OSS Codebase without helping the maintainers • Impossible segregation of features and bug fixes • Automated notification of vulnerability (hedonic hamster wheel) (C) Cyfinoid Research 15

Is SBoM really useful • SBoM rose to prominence coz of exec order by US President. • Requirement is to create SBoM • No directions around usage, consumption etc • SBoM Tells you software composition nothing else • Industry representatives have started asking Questions? • Should we focus on building SBOM or fix issues in that time? (C) Cyfinoid Research 16

Thoughts from Industry around SBoM • Why should I disclose my composition to the world • I will only share the SBoM to NDA covered entities • I don’t need SBoM coz I don’t sell to USA • Better to spend time in fixing bugs then making SBoM (C) Cyfinoid Research 17

Another thought • Infosec has never had the luxury of well-maintained inventory • SBoM can help with it • we never had inventory; we don’t even know what to do with it when its created (C) Cyfinoid Research 18

Consequences for Infosec For Practitioners both infosec and Devops • We have been asking for better visibility, this is it For Industry entities • This is like “opening the kimono” moment (C) Cyfinoid Research 19

If security practitioners want to preserve this facility they need to act now (C) Cyfinoid Research 20

(C) Cyfinoid Research 21

Security efforts already in progress • VDR : Vulnerability Disclosure Report • VEX : Vulnerability Exploitability eXchange • xBoM’s • • • • • • Software-as-a-Service Bill of Materials (SaaSBOM) Hardware Bill of Materials (HBOM) Machine Learning Bill of Materials (ML-BOM) Cryptography Bill of Materials (CBOM) Manufacturing Bill of Materials (MBOM) Operations Bill of Materials (OBOM) • Attestations (C) Cyfinoid Research 22

What can we do • Security is largely considered a cost center and any incentive that is solely useful for security is a cost. • Inventory allows organization to make data driven decisions • Make SBoM’s usefulness visible for other departments • If more people especially profit centers and business requirements (HR, Finance) need it, its hard to kill (C) Cyfinoid Research 23

SBoM Usage beyond security teams Use each SBoM as part of inventory, Consolidate then and then draw inferences from it • Development • Acquisitions and mergers • Compliance (adjunct security) • Risk Management (C) Cyfinoid Research 24

Consolidated SBoM Tooling • Format agonistic bom tools • Bomctl : https://github.com/bomctl/bomctl • Policy driven security tooling • Vet : https://github.com/safedep/vet • SBoM Quality check • sbomqs: https://github.com/interlynk-io/sbomqs • https://github.com/ServiceNow/sbom-status • SBoM merging utility • https://github.com/interlynk-io/sbomasm • End of Life Focused • https://github.com/xeol-io/xeol • ScoreCard • https://github.com/eBay/sbom-scorecard • And a lot more (C) Cyfinoid Research 25

Interesting terms and thoughts • EOL Code • Drift in packages • License Volitation • OSSF ScoreCard (C) Cyfinoid Research 26

SBoM usage for Developers • Manage technical Debt • Reduce dependency scatter • Consolidate efforts for usage • Simplified package selection in case of newer project (C) Cyfinoid Research 27

SBoM usage for Acquisitions & Mergers Use SBoM as an indicator for future cost and decision • Too many outdated / EOL / unmaintained software in use leads to high cost of ownership after acquisitions • If the toolset / techstack is vastly different than existing, then extra talent cost • If too many techstacks in picture, shows non cohesive teams (C) Cyfinoid Research 28

SBoM usage for Compliance • Licensing policy spread not just at product but at input component level • Possible cost of rework due to non-compliance with company policy • Possible repercussions if my code touches this code (GPL restrictions to name as one) (C) Cyfinoid Research 29

SBoM usage for Risk Management Interesting questions that can be answered • Do I want to include X amount of risk by purchasing this vendor’s software? • If risk is low but product will be highly visible, can I still afford it. • Even with high risk, in a self-contained environment is it okey • Do I really want my SSO auth token going into this software (C) Cyfinoid Research 30

What is needed • Working with other teams to identify ($ / ₹ value to the scenario) • Changing a library • Upgrading a package • Distributing the software • Rewriting code • GUI / Output in PDF / HTML / EXCEL format not pipeline / cli / cmd (C) Cyfinoid Research 31

What is needed : Overall • Better tooling (tech and UX) • Current tools are not easy to use even for practitioners • Collaboration and seeking feedback from other parties • Don’t make tooling for yourself make it for others • Focus on usage not on glamorizing tech • We technologists focus too much of technical side. (C) Cyfinoid Research 32

Is it really hard? • To be honest it is about intention and ideas at this point • It is simple to play with SboM’s • Hard bit is quantifying and placing the $ / ₹ value to it • https://github.com/cyfinoid/sbomplay • Download Org Level SBoM’s • Store in Sqlite • Create reports from SQLite (C) Cyfinoid Research 33

To Conclude • I believe SBoM is a Boon for overall IT Industry to move in better directions. • Newton’s first law of motion stands : Inertia can only be countered by greater force • There is a bright future ahead if we can muster the courage for it (C) Cyfinoid Research 34

Thanks for listening & open to Questions? (C) Cyfinoid Research 35

Anant Shrivastava
@anantshri

1 / 35

We are reaching a scenario where SBoM generation, verification and distribution is being actively looked at. the need of the hour is to look at SBoM consumption and to look beyond security what else SBoM can be used for.

Resources

The following resources were mentioned during the presentation or are useful additional information.

Github Repo

Github repo with code base sample to play with bom’s