ITASCA, Ill., May 20, 2021 (GLOBE NEWSWIRE) -- Revenera, producer of leading solutions that help technology companies build better products, accelerate time to value and monetize what matters, is offering software suppliers and software vendors the resources and tools to help develop the Software Bill of Materials (SBOM) required through the White House’s executive order on improving the nation’s cybersecurity.
The Growth of SCA and SBOM
In the last few years, the software industry saw increased demand for software composition analysis (SCA) vendors to provide guidance not just on how to manage open source and its risk, but on how to disclose the full list of components in a product, including those contributed by software supply chain partners. New regulations and guidance from organizations like the PCI Security Standards Council, MITRE, the National Telecommunications and Information Administration (NTIA), the U.S. Food and Drug Administration (FDA), and the Open Web Application Security Project (OWASP) put increased ownership on organizations to:
- Maintain an up-to-date SBOM of all open source software components used in their applications,
- Follow a process to identify security vulnerabilities within all open source software components,
- Monitor existing open source components used in their applications for new security vulnerabilities, and
- Implement a policy and patching process to remediate impacted open source software components.
Impact of May 12, 2021, White House Executive Order
On May 12, 2021, the White House issued an executive order on improving the nation’s cybersecurity that recognized that incremental cybersecurity improvements “will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
As a part of this Executive Order, the White House emphasizes the importance of enhancing software supply chain security through the SBOM. The SBOM is defined as “a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components.” The Federal Government’s mandate for SBOMs highlights the critical need to protect the software supply chain from cyberattacks and malicious actors.
There are many ways to manage open source compliance, and OpenChain 2.1 (ISO/IEC 5230) provides a set of requirements against which you can evaluate whether your compliance program is sufficient. Software Package Data Exchange (SPDX), CycloneDX, and Software Identification (SWID) tags are three key industry-accepted formats in which organizations throughout the supply chain can exchange SBOM data.
“The software industry’s reliance on open source, along with a sharp increase in open source dependencies and the frequency of newly reported security exploits, has set up a perfect storm for supply chain security,” said Alex Rybak, Director of Product Management at Revenera. “Realizing this, the Biden administration has put forth a mandate for the software bill of materials (SBOM) as the means for increased visibility into the software supply chain via a comprehensive executive order. Vendors need visibility into the chain of custody of their software applications to understand both which components are used by an application, as well as which organization is responsible for fixing security issues if they arise. This information is critical to assess impact and act quickly when a new security vulnerability is reported.”
Best Practices for Meeting National Security Guidelines for Open Source Software Usage:
- Maintain an up-to-date software bill of materials (SBOM) for each application that you develop, including ones that are hosted and not distributed to customers. Ensure that the list of open source components is updated frequently.
- Follow a process to identify known security vulnerabilities within open source components used by your applications.
- Monitor existing open source components used by your applications for newly reported security vulnerabilities.
- Maintain a security policy and patching process to fix security issues in your applications.
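The formats named above and the practices in this list come together in one routine task: read the SBOM for a release, match every component against a vulnerability feed, and flag what needs patching. The following is an added example, not code from Revenera or from this press release. It parses a small CycloneDX 1.4 JSON document and matches components by package URL (purl) against an advisory list; the SBOM, the package names (acme-parser, acme-crypto, acme-log), and the advisory identifiers (ADV-EXAMPLE-...) are all constructed for illustration and do not refer to real projects or real vulnerabilities. A production check would pull the feed from a real source such as the NVD or OSV and use a proper semantic-version library instead of the simple dotted-integer comparison used here.

```python
"""Match the components of a CycloneDX SBOM against a vulnerability feed.

Added example. The SBOM, the package names and the advisory identifiers
are constructed for illustration; they are not real projects or advisories.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.4 JSON SBOM. Each component carries a purl, which
# is the key used to match it against advisories.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application",
                             "name": "acme-portal", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "acme-parser", "version": "1.2.0",
     "purl": "pkg:pypi/acme-parser@1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "acme-crypto", "version": "2.0.5",
     "purl": "pkg:pypi/acme-crypto@2.0.5"},
    {"type": "library", "name": "acme-log", "version": "0.9.3",
     "purl": "pkg:npm/acme-log@0.9.3"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers. Each entry names
# the package by purl (without version) and the affected version range:
# [introduced, fixed), with fixed=None meaning no fix is available yet.
ADVISORIES: List[Dict] = [
    {"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:pypi/acme-parser",
     "introduced": "1.0.0", "fixed": "1.2.4", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-0002", "purl_base": "pkg:pypi/acme-crypto",
     "introduced": "2.0.0", "fixed": "2.0.5", "severity": "CRITICAL"},
    {"id": "ADV-EXAMPLE-0003", "purl_base": "pkg:npm/acme-log",
     "introduced": "0.9.0", "fixed": None, "severity": "MEDIUM"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted-integer version to a comparable tuple (simplified semver)."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version).

    Qualifiers and subpath are dropped; a purl without '@' yields version ''.
    """
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def load_components(sbom_json: str) -> List[Dict]:
    """Return the components of a CycloneDX JSON SBOM that carry a purl."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c for c in doc.get("components", []) if c.get("purl")]


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed); open-ended when fixed is None."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def find_vulnerable(sbom_json: str, advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (purl, advisory id, severity) for every affected component."""
    hits = []
    for comp in load_components(sbom_json):
        base, version = split_purl(comp["purl"])
        version = version or comp.get("version", "")
        for adv in advisories:
            if adv["purl_base"] == base and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                hits.append((comp["purl"], adv["id"], adv["severity"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id, severity in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{severity:8} {adv_id}  {purl}")
```

Run against the constructed data, acme-parser 1.2.0 is flagged (the fix is 1.2.4) and acme-log 0.9.3 is flagged with no fix available, which is the case a patching policy must cover; acme-crypto 2.0.5 is not flagged because it is exactly the fixed version. Re-running this check whenever the feed changes, not only at release time, is the monitoring practice the list above calls for.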
Additional Resources:
- Information about the growing demand for SBOM, including the White House Executive Order:
- The New Cybersecurity Executive Order: 2021 is the Year of the SBoM (May 13, 2021)
- 2021 will be the year of the automated Software Bill of Materials (February 26, 2021)
- Software Composition Analysis explained:
- Revenera’s Expanded SCA Functionality Delivers a Complete Software Bill of Materials (SBoM) for Open Source Compliance (December 2, 2020, press release)
- The Software Bill of Materials
- Scan Analysis Techniques
- The Import Process
- Code Insight Reports: SPDX
- Document Your Evidence of Open Source
- Global Inventory/SBOM Demo with Advanced Search
- Open source trends:
- Open source trend report: Revenera 2021 State of Open Source License Compliance
- Analyst brief: Addressing the Hidden Cost of Embedding Open Source Software
- Analyst brief: Open Source Software, With Your Eyes Wide Open
About Revenera
Revenera helps product executives build better products, accelerate time to value and monetize what matters. Revenera’s leading solutions help software and technology companies drive top line revenue with modern software monetization, understand usage and compliance with software usage analytics, empower the use of open source with software composition analysis and deliver an excellent user experience—for embedded, on-premises, cloud and SaaS products. To learn more, visit www.revenera.com.