Skip Navigation
BlackBerry ThreatVector Blog

U.S. Cybersecurity Order Requires Software Bill of Materials for Supply Chain Security

BLACKBERRY QNX / 05.28.21 / Yi Zheng

Cybersecurity is becoming top of mind for organizations worldwide. In the past month alone, two major cyberattacks have wreaked havoc: the SolarWinds attack that infiltrated numerous organizations spreading malware, and the Colonial Pipeline ransomware attack that forced the shutdown of a major U.S. fuel distribution pipeline. These two examples painfully demonstrate the vulnerability of key infrastructure to cyber exploits. This isn’t news: the red light has been flashing for years. Now, the U.S. has taken action that affects any vendor, supplier, or provider of technology solutions to the U.S. government, particularly in areas such as defense and critical infrastructure.

As part of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, the U.S. requires U.S. government vendors to provide a software bill of materials (SBOM) and demonstrate other cybersecurity management measures. This action takes a necessary step toward addressing what the Cybersecurity and Infrastructure Security Agency (CISA) called “concentrated sources of cyber risk” to the nation’s critical infrastructure, specifically security vulnerabilities in the software supply chain.

What is an SBOM?
A software bill of materials or SBOM is a complete list of all software within a product. The executive order describes an SBOM as “a formal record containing the details and supply chain relationships of various components used in building software.” Software developers often create technology products that bring together open source software, commercial software, and proprietary code within a single application or set of libraries. An SBOM details all the software components used to create the technology product and provides an essential step in mapping out security vulnerabilities.

What’s in a Software Bill of Materials?
Both the vendor creating the application and the purchaser are challenged to fully understand what vulnerabilities exist in the software, which makes a software bill of materials indispensable. You can think of an SBOM as a list of ingredients for a software application. Just as it is standard practice in the food, chemical, and manufacturing industries to label products and provide a list of key ingredients to ensure safety and quality standards, software products will be required to do the same. But a tool that maps a software bill of materials to software issues goes a step further. While ingredient lists for food lets you know the composition of a product, a software composition analysis tool can identify the deficiencies in the composition of the product, specifically, what vulnerabilities are introduced by the product’s components. By identifying these software ingredients and the issues associated with those ingredients, “a determination can be made about the potential vulnerability exposure for a given application,” explains IIoT World in the white paper, Protecting the Embedded and IoT Software Build Environment with Software Composition Analysis.

The increasing pervasiveness of open source software adds to the complex web of dependencies in the software supply chain. The average software application depends on more than 500 open source libraries and components. More than 90 percent of commercial software applications contain outdated or abandoned open source components. By requiring an SBOM, the executive order ensures federal agencies and critical infrastructure owners and operators can make informed procurement decisions—including replacing software with a history of security, performance or reliability issues. The identified software components can be compared against known security databases, such as the NIST National Vulnerability Database.

How Can an SBOM Improve Cybersecurity?
As the executive order states, “too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit.” The SolarWinds hack was due in part to the inability of the software purchaser — government entities and businesses — to adequately assess the security of software products. This lack of information about software vulnerabilities opened a dangerous door for bad actors to exploit in the digital infrastructure of the U.S. Federal Government, technology firms, and utility companies.

Biden’s executive order ensures that software companies that sell to the federal government will “provide a [federal] purchaser an SBOM for each [software] product directly or by publishing it on a public website.” This SBOM requirement will be an invaluable tool for procurement officers managing cybersecurity and software supply chain risk and will help developers and operators uncover vulnerabilities that hackers are targeting.

Software Composition Analysis Technology Creates SBOMs Automatically
In many cases, it is a massive time-consuming and costly undertaking to manually inspect all third-party software to create a software bill of materials and ensure the quality of a multi-tier software supply chain. Applications built using previously compiled libraries can be evaluated through a type of analysis called software composition analysis (SCA). “This type of analysis examines the compiled application and identifies the component libraries that were used to create it. It is especially useful because it does not require access to any source code,” explains the security white paper, Protecting the Embedded and IoT Software Build Environment with Software Composition Analysis. BlackBerry® Jarvis™ is unique in the world of SCA tools as it is tailored for embedded and safety critical systems such as those in the automotive, medical, critical infrastructure, and aerospace and defense sectors.

How BlackBerry Jarvis Can Support Compliance with Biden’s Executive Order
BlackBerry Jarvis automates the enumeration of software bills of materials, and can scan a software product for vulnerabilities and software craftsmanship. Since BlackBerry Jarvis extracts the characteristics and attributes from compiled binaries, access to source code is not required to gain insights into the final product. BlackBerry Jarvis prevents the loss of effort and time associated with false positives with its accuracy in detecting CVEs (common vulnerability exposures).

BlackBerry Jarvis is tailored for embedded and safety critical systems such as those in the automotive, medical, critical infrastructure, and aerospace and defense sectors. An analysis conducted on behalf of the United States Department of Defense (DoD) by The Aerospace Corporation recommended the most proficient binary analysis solutions on the market for embedded software and cited BlackBerry Jarvis as the most promising and robust after a rigorous assessment of key players. Brandon Bailey, Cybersecurity Senior Project Leader at Aerospace commented, “As a result of its extensive vulnerability coverage and superior test performance, BlackBerry Jarvis appears to be the ideal single-tool solution for embedded platforms,” in a recent press release.

To ensure the full benefit of a powerful tool like BlackBerry Jarvis, it’s a good idea to engage an expert. By working with security experts like the ones from BlackBerry, development and integration teams can dive deeper into the results of their software analysis, and identify areas that need hardening and remediation actions. Experts with deep security expertise can also help organizations meet cybersecurity regulations from both the process and product perspectives.

BlackBerry QNX Can Help
BlackBerry QNX Security Services experts help organizations assess the security of code, both in development and in the field. Contact us to discuss how to get started in complying with this executive order or learn more about software composition analysis, in the Protecting the Embedded and IoT Software Build Environment with Software Composition Analysis white paper.

Yi Zheng

About Yi Zheng

Yi Zheng is Product Manager, BlackBerry QNX.