Why Regulations Require a Bill of Materials

Author: Shailesh Y. Rangari
Published: 6 March 2023

In a world where software has become an indispensable part of daily life, ensuring the security and transparency of these products has become a priority. With the rise of software-based products, regulators have quickly implemented new standards to help manage the complexities of the software supply chain. One tool that has gained traction in this effort is the software bill of materials (SBOM).

An SBOM is a comprehensive list of all the components that make up a software product. The list includes information about the version and origin of each component, providing a clear understanding of how the product is composed. SBOMs are essential for ensuring software security and transparency because they enable organizations to easily track and manage their software supply chain and identify potential vulnerabilities or malicious code. SBOMs are becoming increasingly mandatory in various industries and are considered a critical component of any organization's regulatory compliance strategy. Regulations and standards that require or recommend the use of SBOMs include:

  • The US Cybersecurity and Infrastructure Security Agency (CISA) recommends using SBOMs as part of its guidelines for secure software development.1 Executive Order 14028 directs the US National Institute of Standards and Technology (NIST) to develop guidelines for creating and publishing SBOMs and establish criteria for using SBOMs in federal procurement processes.2, 3 The US National Telecommunications and Information Administration (NTIA) defines a set of minimum elements that should be included in an SBOM. These minimum elements are package name, version, unique identifier, license information, dependency relationships, known security vulnerabilities and software hashes.4
  • The European Union Agency for Cybersecurity (ENISA) Guidelines for Securing the Internet of Things provides a valuable resource for organizations seeking to enhance their cybersecurity posture and manage supply chain risk associated with software.5
  • The UK National Cyber Security Centre (NCSC) recommends that organizations use SBOMs to understand the risk associated with the software components they use and to identify and manage vulnerabilities in those components.6
  • The Australian Cyber Security Centre (ACSC) Information Security Manual: Guidelines for Software Development recommends the use of SBOM as it “can assist in providing greater cyber supply chain transparency for consumers by allowing for easier identification and management of security risks associated with individual software components used by applications.”7
  • The Communications Security Establishment (CSE) of Canada's Recommendations to Improve the Resilience of Canada's Digital Supply Chain recommends the use of SBOMs to improve transparency and the ability to address software supply chain attacks.8
  • International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 29147:2018 Information technology - Security techniques - Vulnerability disclosure is an international standard that provides guidance on vulnerability disclosure.9 The standard offers guidance for all stakeholders involved in the vulnerability disclosure process, including vendors, vulnerability researchers and users. It outlines best practices for identifying and reporting vulnerabilities and responding to vulnerability reports in a timely and effective manner. The standard does not specifically address SBOMs, but it does provide guidance on vulnerability disclosure that can be used in conjunction with SBOMs to improve the security of software products. By following the best practices and principles outlined and using an SBOM to manage software supply chain risk, organizations can improve the security and resilience of their software products and better protect against cyberthreats.
  • NIST Special Publication (SP) 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities provides guidelines for using SBOMs as part of secure software development.10

It is worth noting that these regulations and standards are subject to change and may vary by jurisdiction. Security auditors should stay up to date on the latest developments in their region to ensure that they are aware of the most current requirements and best practices.

The need for SBOM regulations arises from the increasing reliance on software in critical systems and the increasing number of security incidents involving software. As software evolves, managing the security and integrity of these products becomes increasingly challenging. Software products often rely on a complex web of components and libraries, many of which are developed and maintained by third-party organizations. A vulnerability in one of these components can quickly spread to other products that use the same component, potentially affecting millions of systems.

For example, in December 2021, a critical security vulnerability called Log4Shell was discovered in a popular software library, Apache Log4j.11 The vulnerability put millions of systems using vulnerable versions of the Log4j library at risk. To make matters worse, fixing the vulnerability required updating the Log4j library, which was complex and time-consuming, especially for large and complex systems. In the case of the Log4Shell vulnerability, the lack of an SBOM for the affected versions of the library made it difficult for organizations to quickly determine whether the vulnerability impacted them and which specific components needed to be updated.

Another example is the SolarWinds hack, a major cyberattack discovered in December 2020 that affected many US government agencies and private enterprises. A group of hackers, believed to be Russian, infiltrated SolarWinds, a software company that provides network management tools, to carry out the attack. They inserted malware into an update to the company's Orion software, which was then downloaded and installed by many users. The malware allowed the hackers to access sensitive information and conduct espionage. The incident highlighted the vulnerability of software supply chains and the need for improved cybersecurity measures.12 In the SolarWinds hack, one of the key issues was the lack of an SBOM for the affected versions of the Orion software. The lack of an SBOM made it difficult for organizations to quickly determine which specific components needed to be updated or removed to mitigate the hack's impact.

Regulators have called for SBOM regulations that require software vendors to furnish complete and accurate information about the components and libraries used in their products. Organizations then use this information to assess the security of and risk posed by the software they use and make informed decisions about which products to use and how to secure them. In short, the need for SBOM regulations stems from the need to ensure software security and integrity and to help organizations make informed decisions about the software they use.

Incorporating an SBOM into an information system audit allows auditors to understand the software used within the organization and identify any security risk that needs addressing. Such risk includes:

  • Outdated components—The SBOM can highlight any components that are no longer supported or have known security vulnerabilities.
  • Unauthorized components—The SBOM reveals any components not approved by the organization that may pose a security risk.
  • Noncompliance—The SBOM helps ensure that the software complies with relevant security regulations and standards.
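As an added illustration (not code from the article or from any of the agencies it cites), the following script runs the three audit checks above against an SBOM: it flags components with a known vulnerability (the advisory entry mirrors Log4Shell, which affected log4j-core releases before 2.15.0), components outside the organization's approved list, and entries missing the minimum elements the article lists, and it uses the recorded dependency relationships to answer the Log4Shell question of what else must be rebuilt. The SBOM, the advisory feed and the approved list are all constructed for this example.

```python
import json
import re

# Constructed minimal SBOM for a fictional product (not a real inventory). Each
# entry carries the elements the article lists: name, version, unique
# identifier, license information and dependency relationships.
SBOM_JSON = """{
  "product": "example-service",
  "components": [
    {"name": "log4j-core", "version": "2.14.1", "license": "Apache-2.0",
     "id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "dependsOn": []},
    {"name": "jackson-databind", "version": "2.13.4", "license": "Apache-2.0",
     "id": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4", "dependsOn": []},
    {"name": "internal-metrics", "version": "0.9.2", "dependsOn": ["log4j-core"]}
  ]
}"""

# Constructed advisory feed: component -> (advisory label, first fixed version).
# The log4j-core entry mirrors Log4Shell, which affected releases before 2.15.0.
ADVISORIES = {"log4j-core": ("Log4Shell", "2.15.0")}
# Constructed allow-list of components the organization has approved for use.
APPROVED = {"log4j-core", "jackson-databind"}
REQUIRED_ELEMENTS = ("name", "version", "id", "license", "dependsOn")


def parse_version(v):
    """Numeric-only version tuple; pre-release tags are ignored (simplification)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_sbom(sbom_json, advisories=ADVISORIES, approved=APPROVED):
    """Group components into the three finding classes the audit checklist names."""
    findings = {"vulnerable": [], "unauthorized": [], "incomplete": []}
    for c in json.loads(sbom_json)["components"]:
        name = c.get("name", "<unnamed>")
        missing = [k for k in REQUIRED_ELEMENTS if k not in c]
        if missing:  # the SBOM entry itself fails the minimum-elements requirement
            findings["incomplete"].append((name, missing))
        if name not in approved:  # not on the organization's approved list
            findings["unauthorized"].append(name)
        if name in advisories and "version" in c:
            label, fixed = advisories[name]
            if parse_version(c["version"]) < parse_version(fixed):
                findings["vulnerable"].append((name, c["version"], label))
    return findings


def dependents_of(sbom_json, component):
    """Components that depend on `component`: what else must be rebuilt after a fix."""
    comps = json.loads(sbom_json)["components"]
    return sorted(c["name"] for c in comps if component in c.get("dependsOn", []))
```

Run against the constructed SBOM, `audit_sbom` reports log4j-core 2.14.1 as vulnerable and internal-metrics as both unapproved and incomplete, and `dependents_of` shows that internal-metrics must be rebuilt once log4j-core is updated.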

By combining an SBOM with an information system audit, organizations can ensure the security of their software and protect their data from cyberthreats. Thus, using SBOMs builds trust in the security of the organization's systems and helps reduce the risk of a security breach.

SBOMs are an important tool for ensuring the security and transparency of software products. As regulators continue to mandate SBOMs, organizations must invest in the tools and processes needed to create and maintain them accurately. The future of software development and supply chain management will surely be shaped by SBOMs, making them a critical component of any organization's regulatory compliance strategy.

Endnotes

1 Cybersecurity and Infrastructure Security Agency, "Software Bill of Materials," USA
2 Biden, J. R.; "Executive Order on Improving the Nation's Cybersecurity," The White House, USA, 12 May 2021
3 National Institute of Standards and Technology (NIST), "Improving the Nation's Cybersecurity: NIST's Responsibilities Under the May 2021 Executive Order," USA, 12 May 2021
4 US Department of Commerce and National Telecommunications and Information Administration, The Minimum Elements for a Software Bill of Materials (SBOM), USA, 12 July 2021
5 Skouloudi, C.; A. Malatras; R. Naydenov; G. Dede; Guidelines for Securing the Internet of Things, European Union Agency for Cybersecurity, Greece, 2020
6 National Cyber Security Centre, "NCSC Publishes New Guidance Following Recent Rise in Supply Chain Cyber Attacks," UK, 12 October 2022
7 Australian Cyber Security Centre, Information Security Manual: Guidelines for Software Development, Australia, 2022
8 Canadian Forum for Digital Infrastructure Resilience, Supply Chain Assurance Working Group, Recommendations to Improve the Resilience of Canada's Digital Supply Chain, Canada, 2022
9 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 29147:2018 Information technology - Security techniques - Vulnerability disclosure, Switzerland, 2018
10 Souppaya, M.; K. Scarfone; D. Dodson; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities, USA, 2022
11 Log4j, "Apache Log4j Security Vulnerabilities," 13 September 2022
12 Temple-Raston, D.; "A 'Worst Nightmare' Cyberattack: The Untold Story of the SolarWinds Hack," NPR, USA, 16 April 2021

Shailesh Y. Rangari

Is a security engineering lead at Cisco. He has more than 14 years of experience in offensive security, secure development practices and software security. He previously led the offensive security practice at NVIDIA Corporation and was a manager in Ernst & Young's security consulting practice.