The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, Office of the Director of National Intelligence, and partners have released guidance on software bill of materials (SBOM) generation and consumption, as part of ongoing efforts to better secure the software supply chain.
The guidance was developed by the Software Supply Chain Working Panel, which was established by the Enduring Security Framework (ESF) and is a collaborative partnership across private industry, academia, and government. The Working Panel has developed a three-part Recommended Practices Guide series, that covers best practices to help ensure a more secure software supply chain for developers, suppliers, and customer stakeholders.
The latest guidance is aimed at software developers and suppliers, and includes industry best practices and principles, including managing open source software and SBOM to maintain and provide awareness about the security of software.
Cyber actors are increasingly targeting the software supply chain and are searching for software vulnerabilities that can be exploited to allow them to attack all users of the software, such as the 2020 cyberattack on the SaaS provider SolarWinds. The attack is believed to have been conducted by the Russian state-sponsored hacking group Cozy Bear, which compromised the SolarWinds Orion IT performance and monitoring solution and added a backdoor. When a software update was rolled out to customers, so was the backdoor, resulting in the compromising of an estimated 18,000 systems. The hackers then conducted follow on activities on selected high value targets.