在 最后发表 我们讨论了知识的重要性 软件包中包含哪些组件. 了解这一点有助于测试, 维护, 以及代码的安全性, and will reduce the risk to your business of a software supply chain security problem.
In this post we are going to look at SBOMs—software bills of material—and how they can help by identifying software components.
什么是an ? SBOM?
An SBOM is essentially a machine-readable list or catalogue of the details and relationships of components used in building software. sbm现在是美国政府采购的要求, 因此很有可能在各个行业蔓延开来. 虽然在英国还没有规定, the National Cyber Security Centre is recommending the use of SBOMs, 世界各地的同等机构也是如此.
什么是物料清单?
The US National Telecommunications and Information Administration (NTIA) has specified the minimum elements for an SBOM.
所以你, SBOM的使用者, 能有效地利用它们, 预计soms将至少包括:
供应商名称
组件名称和版本
Any other unique identifier to help the SBOM consumer (you) find components in key databases
Dependency relationship (usually ‘includes’, for example, X includes component Y)
Author name (author of SBOM data, usually but not always the software supplier)
时间戳(SBOM创建日期和时间)
How the SBOM was created (typically which tool; manual creation is possible, but time-consuming).
此外:
The SBOM must be in one of three formats, so it can be machine readable
必须生成新的SBOM
随着每一个新的软件版本,所以它是最新的
如果原始版本包含错误
or if the creators learn more information about the components
The SBOM should include all top-level components and all transitive dependencies; and the SBOM must also explain where dependency relationships probably exist but are not yet known.
Other useful information that could be included might be, for example, the licensing status.
什么 an的好处是什么 SBOM -作为制作人?
Using SBOMs as a producer means that the software company will be able to:
Improve development and testing by understanding the dependencies and identifying potential vulnerabilities in the product
可能会减少调用库的数量, 以及潜在漏洞的程度
展示对代码内容和质量的了解, 可能获得作为供应商的优惠待遇
什么 an的好处是什么 SBOM -作为消费者?
使用soms作为消费者意味着您将能够:
知道你得到了什么, and improve development and testing with a common understanding of software content and dependencies
Track vulnerable components and plan remediation to improve security
Understand your legal position regarding licensing and use of external code components.
什么 其他的 do I 需要知道?
Whether consumer or producer of SBOMs, there are things you’ll need to bear in mind.
每当代码库发生变化时,都需要一个新的SBOM
An SBOM contains sensitive information, so storage and access should be controlled and secure
They may not capture all the dependencies so may not include enough information to capture all the vulnerabilities in the codebase
They are not yet always produced to the same standard: they may not always be compliant with the NTIA requirements, or they may have been produced in inconsistent ways (NTIA is the US National Telecoms and Information Administration agency)
对于小型企业来说,它们不容易管理, 而且目前还没有一个成熟的生态系统, 尽管这种情况正在改变.
有什么建议吗?
SBOMs available in your business could quickly get out of control, as new ones should be issued along with every new version of software. 控制文档泛滥的技巧包括:
创建中央存储库
Automate the generation and management of SBOMs if possible; there are an increasing range of tools available to help with this
Consider the security of the SBOM (for both storage and transmission) because it contains sensitive information that could be used in an attack
作为企业的消费者
ask for an SBOM for all incoming software and software components (including software-as-a-service applications), to maximise the value of the knowledge base you are creating in your repository
actively analyse the information provided as part of your risk management process, 评估并降低软件供应链中的风险
作为sbm的创造者:
choose one of the three standard formats, and be consistent about which one you use
schedule regular updates to make sure that they are accurate and up to date; you should revise the relevant SBOM every time you create an update to the software
add as much metadata as possible to your SBOM, to make it easier for the consumer of your SBOM
use the SBOM to reduce the redundancies in your codebase; create a standard list of components
use the SBOM to validate your compliance with any licensing requirements for the components you are using
Remember that an SBOM is primarily a catalogue of components; what you do with that catalogue will be the topic of our next blog post: how to make use of SBOMs.
如果你想了解更多信息, or to discuss how CSP could help you with the security of your supply chain—or any other cyber security issues that are worrying you—contact us on 0113 5323763.
