Why banks should incorporate software bill of materials (SBOM) into their third-party risk programs

In the face of rising cybersecurity threats, the Biden administration issued an executive order in May 2021 calling for improvements in the supply chain. Among the recommended requirements is a software bill of materials (SBOM) for software vendors contracting with the government.

SBOM adoption

The order mandates the adoption of SBOM by large government supply chains and will change how software is supplied to U.S. federal agencies in the years ahead. It is expected that these new regulations will also spur commercial and international markets to adopt SBOM standards set by the U.S.

What is an SBOM?

An SBOM is a written record of all third-party code and dependencies within an application or device. Though their content and form are still being defined, SBOMs could include component names, license information, version numbers, the author of the SBOM, and the manufacturer of the component(s) listed within the SBOM.

Since most of the software developed today is composed of open-source software or third-party code, SBOMs could provide visibility across the supply chain for anyone building software, buying software, or operating software.

Potential components of SBOMs include the following:

  • Data fields – this would include baseline component information such as unique identifiers, dependency relationships and cryptographic hashes of components, in addition to those discussed above.
  • Operational considerations – this would include (i) frequency, or when and where the SBOM data is generated, tracked, and stored in the source repository, (ii) depth, or the tracking of dependencies and their derivative (transitive) dependencies so that an SBOM consumer can distinguish between components with varying dependencies, and (iii) delivery, or operationalizing the availability of an SBOM and the permissions necessary for viewing it.
  • Automation support – this would include automatic generation capabilities as well as machine-readability. Multiple data formats could be utilized to allow for broad consumption of SBOMs across varying ecosystems and possibly include translation abilities.

The increasing interconnectedness of the financial services industry makes it vulnerable

For financial institutions, the move by the Biden administration to require SBOMs should be embraced. The financial services industry, like many others, is vulnerable to operational and other risks since both physical hardware and software they rely on are made from many components from many suppliers. Moreover, like many other organizations, financial institutions are increasingly connecting operational technologies to networks and deploying connected assets, which heightens their vulnerability to security breaches and other threats.

With the interconnectedness of the industry ever increasing, and global in scale, the risks are growing exponentially. An example of this can be found in the recent Kaseya ransomware attack, in which malicious actors carried out a supply chain attack by leveraging a vulnerability in Kaseya’s VSA software against multiple IT service providers, which in turn affected their customers.

A more recent example is the critical vulnerability in Log4j, an open-source software library used in millions of websites and applications worldwide. That vulnerability in the Log4j software package was discovered and exploited to launch attacks, allowing malicious users to take control of systems and cause widespread damage.

Transparency leads to greater trust

The response to the rising volume and complexity of threats like these must be to strengthen and expand third-party risk management (TPRM) efforts to ensure the security of information and computer technology supply chains. SBOMs are critical to this effort, as they can serve as a mechanism to achieve greater transparency about the software and hardware banks are buying and using.

SBOMs can be particularly valuable in the procurement process – such as when an outdated library or software component would be detected early – before it becomes an issue. The SBOM could also help streamline software licensing processes among buyers and sellers.
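As an added example, not part of the original article, the Python script below shows what "consuming and acting upon" SBOM data can look like in a TPRM review: it parses a constructed CycloneDX-style SBOM for a hypothetical banking application, walks the dependency graph to compute each component's depth (the "depth" consideration listed above), and flags components that are missing cryptographic hashes or that fall below a procurement minimum version, the outdated-library case this paragraph describes. All component names, versions, hash values and the minimum-version policy are constructed for illustration and do not describe any real vendor artifact.

```python
import json
import re
from collections import deque

# Constructed, minimal CycloneDX-style SBOM for a hypothetical application.
# Component names, versions and the hash value are illustrative placeholders.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"bom-ref": "app", "name": "online-banking-portal", "version": "3.1.0"}
  },
  "components": [
    {"bom-ref": "pkg:maven/example/acme-logging@2.14.1", "name": "acme-logging",
     "version": "2.14.1",
     "hashes": [{"alg": "SHA-256", "content": "0000000000000000000000000000000000000000000000000000000000000001"}]},
    {"bom-ref": "pkg:maven/example/acme-json@1.9.0", "name": "acme-json",
     "version": "1.9.0"},
    {"bom-ref": "pkg:maven/example/acme-http@4.5.13", "name": "acme-http",
     "version": "4.5.13",
     "hashes": [{"alg": "SHA-256", "content": "0000000000000000000000000000000000000000000000000000000000000002"}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/example/acme-http@4.5.13",
                                 "pkg:maven/example/acme-json@1.9.0"]},
    {"ref": "pkg:maven/example/acme-http@4.5.13",
     "dependsOn": ["pkg:maven/example/acme-logging@2.14.1"]}
  ]
}
"""

# Constructed procurement policy: the minimum version the bank is willing to
# accept for a named component. In practice this comes from the TPRM team's
# advisory tracking, not from the SBOM itself.
MIN_VERSIONS = {"acme-logging": "2.17.0", "acme-json": "1.9.0"}


def parse_version(version):
    """Turn '2.14.1' (or '2.14.1-beta') into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_sbom(text):
    """Parse SBOM JSON and reject anything that is not CycloneDX-shaped."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % sbom.get("bomFormat"))
    return sbom


def dependency_depths(sbom):
    """Breadth-first walk from the root component; depth 1 is a direct
    dependency, depth 2 a dependency of a dependency, and so on."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depths:          # guards against cycles
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def review_sbom(sbom, min_versions):
    """Return (finding, component, version, depth) tuples for a reviewer."""
    findings = []
    depths = dependency_depths(sbom)
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        depth = depths.get(comp.get("bom-ref"))
        if depth is None:
            # Listed but not reachable from the root: the dependency graph is incomplete.
            findings.append(("unreachable", name, version, None))
        if not comp.get("hashes"):
            # Without a hash the delivered artifact cannot be tied to the SBOM entry.
            findings.append(("missing-hash", name, version, depth))
        floor = min_versions.get(name)
        if floor and parse_version(version) < parse_version(floor):
            findings.append(("outdated", name, version, depth))
    return findings


if __name__ == "__main__":
    for finding in review_sbom(load_sbom(SAMPLE_SBOM_JSON), MIN_VERSIONS):
        print("%-13s %-13s %-8s depth=%s" % finding)
```

On the constructed input the review flags acme-logging as outdated at depth 2, which is the point of the depth field: the offending library is not something the application declares directly but arrives through acme-http, so a supplier questionnaire that only asks about direct dependencies would miss it. acme-json is flagged only for lacking a hash, since its version meets the policy floor.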

Standardization is key to adoption

The key is to drive greater SBOM adoption and regulations. For SBOMs to be widely embraced, there must be standardization of the SBOM format and more demand by commercial consumers – something that is already underway in industries such as healthcare and critical infrastructure. Bank CISOs should commit to participating in the development of initiatives like SBOM, and actively engaging in industry dialogue about supply chain security issues.

The financial industry has an opportunity to lead the effort on SBOM adoption and define how TPRM practitioners can benefit from SBOMs. To do so, they must show the value of SBOMs and model ways to consume and act upon the data to reduce risk.
