Interview with Curtis Yanko principal solutions architect at GrammaTech, who’s active in a group called the SBOM Forum, and on developing solutions for operationalizing Software Bills of Materials
The SBOM Forum has been busy identifying a universal naming convention so that developer tools can feed software vulnerabilities into the national vulnerability database—and lookup vulnerabilities just as easily. Now the SBOM Forum is working on another core problem, how to efficiently publish vulnerability information across ecosystems and platforms so people know how to look for them and remediate vulnerabilities as far left as possible in the development cycle.
A common software vulnerability naming and identification system will also serve buyers from federal agencies who have been given until September 2023 to collect attestations from all software vendors they use. The OMB memo represents the latest actions being mandated since the May 2021 Presidential Order to enhance the security of the software supply chain.
The OMB gives agencies 270 days to collect attestations from their critical software vendors and 365 days to collect attestations from all software vendors. After that, they can only buy or renew software from vendors that attest to meeting NIST guidance on software supply chain security. This guidance stems from NIST’s Secure Software Development Framework (SSDF), SP 800-218, and its Software Supply Chain Security Guidance.
While disappointed that the memo focused mostly on attestation, Curtis is glad that OMB put a stake in the sand because it urges agencies who aren’t already assessing their software-related vulnerabilities to make shifting left a priority.
Learn more in this engaging video interview and follow the links below to the resources we discussed.
Links and resources:
- HR 7900 – https://www.congress.gov/bill/117th-congress/house-bill/7900/text
- NIST SP 880-161 (Rev 1) – https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
- OWASP Blog post about the SBOM Forum paper with a link to the paper in it.
- https://owasp.org/blog/2022/09/13/sbom-forum-recommends-improvements-to-nvd.html