What is an SBOM? The Importance of Software Bill of Materials

On August 17, the US House of Representatives passed HR 7900 – National Defense Authorization Act for Fiscal Year 2023. Section 6722 states that all organizations seeking to conduct business with the Department of Defense (DoD) or Department of Energy (DoE) are now required to provide a Software Bill of Materials (SBOM) for each new and existing software contract.

What is Software Bill of Materials (SBOM)?

A Software Bill of Materials (SBOM) is technical documentation that lists the components that make up a particular piece of software. Much like a parts list for a physical product, an SBOM enumerates the third-party libraries, Open Source Software, and commercial libraries the software depends on.

While the concept seems simple, organizations often don’t know every component contained in deployed software, and this creates serious security concerns—because a vulnerable component can give threat actors an opening for exploitation. Situations like this have been observed in recent supply chain attacks, but their full force was felt when Log4Shell was discovered. Hundreds of vendors were caught off guard because they were unsure whether their own products contained vulnerable versions of the widely used log4j library. Months after the initial disclosure, vendors are still publishing advisories and fixes for their own software.

How Flashpoint helps SBOM use cases

SBOM, CycloneDX, and Dependency-Track

Organizations will face incredible pressure from their own leadership, as well as from the federal government, to create and maintain SBOMs. To help organizations, Flashpoint’s VulnDB® offering integrates with SBOM standards such as CycloneDX. CycloneDX was designed in 2017 by Steve Springett, Senior Architect at ServiceNow, for use with the open source OWASP Dependency-Track project.

Early last year, Steve spoke with Jake Kouns, General Manager at Risk Based Security to define SAST, DAST, IAST, SCA, and SBOM—in addition to the PURL standard. Check out the video below to learn more about SBOMs, and how CycloneDX generates them (including timestamps):

Fixing vulnerabilities affecting listed items

While having the ability to create SBOMs is important, the ability to identify and fix vulnerabilities that affect listed items is equally important. However, organizations may find that testing and remediating vulnerabilities affecting listed items, especially those involving third-party libraries and open source software, can be difficult.

It is likely that once a bill of materials is generated, security teams will have to conduct lengthy research testing the discovered components. However, even after several hours of research, teams may have little or no results if they rely on CVE / NVD. This is because CVE / NVD does not cover a significant share of the vulnerabilities affecting third-party libraries, open source software, and legacy software. And for the vulnerabilities it does cover, entries often lack the actionable details needed for remediation.

Therefore, to maintain a quality SBOM, organizations need comprehensive and detailed vulnerability intelligence. Using VulnDB®, security teams have access to over 297,000 vulnerabilities, including over 94,000 that were missed by CVE / NVD.
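The matching step described above, as an added illustration that is not part of the original post: a small Python script (all of it hypothetical) that parses a constructed CycloneDX JSON SBOM, resolves each component's PURL against a version-less vulnerability feed with version ranges, and separately reports components that carry no PURL and therefore cannot be matched at all. The feed entries and their IDs are constructed placeholders, not real advisories.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (illustrative, not from the original post).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "Acme Widget SDK", "version": "3.2"}
  ]
}"""

# Constructed vulnerability feed keyed by version-less PURL. IDs are placeholders;
# each range is half-open: affected if introduced <= version < fixed.
VULN_FEED = [
    {"id": "VULN-PLACEHOLDER-1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "ranges": [{"introduced": "2.0-beta9", "fixed": "2.15.0"}]},
    {"id": "VULN-PLACEHOLDER-2", "purl": "pkg:npm/lodash",
     "ranges": [{"introduced": "0", "fixed": "4.17.21"}]},
]

def version_key(v):
    """Sortable key: numeric dotted part, then a pre-release flag (2.0-beta9 < 2.0)."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split(".") if x.isdigit())
    return (nums, 0 if pre else 1, pre)

def is_affected(version, ranges):
    key = version_key(version)
    for r in ranges:
        lower_ok = version_key(r["introduced"]) <= key
        upper_ok = "fixed" not in r or key < version_key(r["fixed"])
        if lower_ok and upper_ok:
            return True
    return False

def match_sbom(sbom_json, feed):
    """Return (findings, unmatched). Components without a PURL cannot be looked up."""
    findings, unmatched = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatched.append(comp["name"])
            continue
        base, _, version = purl.partition("@")
        version = version.split("?")[0]  # drop PURL qualifiers such as ?type=jar
        for vuln in feed:
            if vuln["purl"].lower() == base.lower() and is_affected(version, vuln["ranges"]):
                fixed = [r["fixed"] for r in vuln["ranges"] if "fixed" in r]
                findings.append((comp["name"], version, vuln["id"], fixed[0] if fixed else None))
    return findings, unmatched
```

A component that reaches the unmatched list is an SBOM quality problem, not a clean result: it needs a PURL (or other identifier) before any feed can say whether it is vulnerable.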

Each vulnerability entry found in VulnDB® has actionable metadata and all known details. VulnDB® captures the following and more:

Captured field                          VulnDB®   CVE / NVD
Use the details                         Yes       Limited
Details of the location of the attack   Yes       Limited
Solution details                        Yes       Limited
Technical notes                         Yes       No
Affected product                        Yes       Limited
Affected versions                       Yes       Limited
Vendor and Product Risk Ratings         Yes       No

Maintain quality SBOMs with Flashpoint

Organizations that can provide quality SBOMs to their supply chain, as well as to regulatory agencies, can demonstrate a strong security posture. Using VulnDB®, organizations can discover critical vulnerabilities affecting listed items on their bill of materials—and use Flashpoint data to address them in a timely manner. Sign up for a free trial of VulnDB® to take advantage of quality vulnerability intelligence, as well as its integration with CycloneDX.

Do you have third-party libraries or OSS components that you need to research? Contact us to add specific coverage to your vulnerability intelligence needs.
