May 9, 2023 - Technology

Biden administration's push for a software ingredient list, explained


One of the most straightforward cybersecurity solutions has become unnecessarily confusing and overhyped as the government pushes to see it implemented, security experts warn.

The big picture: Ever since 2020's SolarWinds cyber espionage campaign, the Biden administration and security vendors have been encouraging companies — especially tech vendors for the federal government — to create what's known as a software bill of materials (SBOM).

  • An SBOM is a nested ingredient list of what components make up a piece of software, including what open-source programs and other tech stacks it pulls from.
  • Security defenders can use the list to see if their own networks are vulnerable when another vendor faces a cyberattack — or executives can use it to decide if they want to purchase a company's possibly vulnerable software.
  • For example, when researchers detected a critical security flaw in the Log4j logging tool in late 2021, organizations could've turned to SBOMs to see if their own products included the vulnerable version of the tool.

How it works: Putting together an SBOM requires time to pull all relevant data and format the list in a usable way, Nurit Bielorai, go-to-market manager at Israel-based Aqua Security, told Axios.

  • "You can always export data and get the version that you need to meet all the requirements," Bielorai said of the SBOM creation process.
  • Organizations mostly need help figuring out how to make their SBOMs readable so they can figure out where they're vulnerable.

Yes, but: Many software vendors aren't ready to invest the needed time and money into fixing the security flaws that SBOMs will highlight, Alex Santos, CEO at Fortress Information Security, told Axios.

  • A lot of software is built quickly to ensure developers and their employers can push high-demand products out the door.
  • But prioritizing speed often leads to insecure products, and many times developers have to completely rebuild their products to patch security holes, Santos said.

What they're saying: "I think people are acting confused about SBOMs because when they start thinking about where the puck is going, they're like, 'I'm going to have to replace these pieces,'" Santos said.

Zoom in: President Joe Biden's 2021 cybersecurity executive order started the process of requiring federal contractors to provide government customers with an SBOM for their products.

  • Shortly after, the Commerce Department's National Telecommunications and Information Administration released "minimum elements" for what those SBOMs should look like.
  • Now, the Biden administration's first cybersecurity strategy, released earlier this year, takes the effort a step further by attempting to make software makers liable for the unpatched vulnerabilities in their software. An SBOM would help reveal those known but unpatched flaws.

The intrigue: SBOMs' capabilities tend to get overinflated. In reality, all a list does is provide much-needed transparency into the security of a company's tech stack.

  • "We're calling these things 'SBOM' when we should be calling them 'software quality' or 'software security,'" Santos said. "SBOMs are the tool that you use in order to get transparency."

Between the lines: Major tech vendors have been pushing back against the administration's SBOM mandates, arguing the tool is too early-stage for agencies to find useful or readable.

  • Corporate lawyers are also skittish about vendors publishing their SBOMs online or sharing them with potential customers because it could make them liable in any future attacks that exploit their products, Santos said.

What's next: Security experts are eyeing the Biden administration's soon-to-be-released implementation plan for its national cyber strategy, expecting it to help answer questions about how publishing an SBOM will fold into liability plans.
