Google: SBOMs Effective Only if They Map to Known VulnsGoogle: SBOMs Effective Only if They Map to Known Vulns
SBOMs should be connected with vulnerability databases to fulfill their promise of reducing risk, Google security team says.
June 14, 2022
Software bills of materials (SBOMs) — a detailed list of components, modules, and libraries used to build products — are being endorsed by the National Institute of Standards and Technology (NIST) and US regulators as a way to drive down supply chain cybersecurity risks for consumers.
But Google's Open Source Security Team points out in a blog post today that SBOM use alone isn't an effective tool for assessing exposure. Rather, the documentation should be compared with a database of known vulnerabilities to identify any known software flaws.
"By connecting these two sources of information, consumers will know not just what's in ... their software, but also its risks and whether they need to remediate any issues," the team explains.
The Google analysts detail how they were able to map a Kubernetes SBOM document using the Open Source Vulnerabilities (OSV) database. The OSV database offers both a standardized format for comparison across several databases, including the Github Advisory Database (GHSA) and Global Security Database (GSD), as well as aggregated data across multiple ecosystems, ranging from Python and Golang to Rust, according to the post.
"Our example queried the OSV database, but we will soon see the same success in mapping SBOM data to other vulnerability databases and even using them with new standards like VEX (Vulnerability-Exploitability eXchange), which provides additional context around whether vulnerabilities in software have been mitigated," the blog states.
To make it easier for security teams to assess the full risk picture, the Google researchers recommend that SBOM creators begin to include a reference using a naming convention like a Purl URL for all packages in the software supply chain.
"This type of identification scheme both specifies the ecosystem and also makes package identification easier, since the scheme is more resilient to small deviations in package descriptors like the suffix example above," they say.
Steps toward marrying the software components with known flaws will help SBOMs fulfill their intended purpose: to help manage the prospect of cyberattack, the Google security blog states.
"Continuing on this path of widespread SBOM adoption and tooling refinement, we will hopefully soon be able to not only request and download SBOMs for every piece of software, but also use them to understand the vulnerabilities affecting any software we consume," they said.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
How to Deploy Zero Trust for Remote Workforce Security
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware