Software bills of materials in production environments
Herman, Michael (2024)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202402122809
Abstract
The practice of reusing open-source components across different software ecosystems is widespread. This makes it easier for attackers to exploit vulnerabilities: a flaw in one widely used component can be exploited in every application that embeds it, without crafting attacks specific to any single target. A question then emerges about how to identify and manage hidden (transitive) dependencies embedded in larger applications. Legacy systems further complicate these issues. One proposed solution is known as a Software Bill of Materials (SBOM). SBOMs are nested inventories of software packages and their dependencies. Advocates argue that SBOMs promote greater transparency in the software supply chain.
This is desirable because transparency is expected to make vulnerability monitoring and management more efficient. The implication of this claim is that SBOM-based platforms identify and remediate vulnerabilities more accurately and efficiently than methods such as active scanning. The study was commissioned by JYVSECTEC to test the feasibility of using SBOM-based infrastructure management in their internal networks. Most of the literature on the subject focuses on the development side. There is surprisingly little literature that examines the relevance of SBOMs from the DevSecOps perspective. This contribution fills that gap.
Three questions organized around the themes of transparency, accuracy and efficiency were formulated to examine the claims above. An additional question concerning the potential use of SBOM-based infrastructure management platforms in offensive contexts such as red team exercises was also asked because of its relevance for JYVSECTEC. The core aim was to test the hypothesis that SBOM-based platforms enhance vulnerability management and security across DevSecOps workflows. An environment was required in which the hypothesis could be tested. Dependency-Track is a popular SBOM-based infrastructure management tool. It was selected due to its maturity relative to the alternatives. Testing occurred in two phases. The first involved setting up a test environment which established Dependency-Track’s baseline capabilities. The second phase involved testing these capabilities in a production environment.
The analysis of the production environment identified a range of problems associated with SBOM-based infrastructure management. The accuracy and depth of the information were found to be inconsistent, which calls into question claims that SBOMs enhance supply chain transparency. Accuracy problems required manual intervention because automated remediation was in many cases not possible. It is unclear whether the platform provides any efficiency gains over existing methods of infrastructure management. The findings suggest SBOMs exhibit limited applicability for DevSecOps.
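The two findings above, that SBOMs are nested inventories whose value lies in exposing transitive dependencies, and that gaps in accuracy and depth force manual intervention, can be made concrete by walking an SBOM's dependency graph. The following is an added example written for this page, not code from the thesis or from Dependency-Track. It parses a small CycloneDX JSON SBOM constructed inline for illustration (the component names, versions and the deliberately broken entries are all made up), reports each dependency's depth below the root component, and flags the completeness gaps that a platform could not resolve on its own: a component with no package URL (purl), a dependency reference that points at no listed component, and a component with no dependency entry at all.

```python
"""Walk a CycloneDX SBOM dependency graph: surface transitive ("hidden")
dependencies and flag completeness gaps that would need manual follow-up."""
import json
from collections import deque

# Constructed sample SBOM for this example (CycloneDX 1.5 JSON layout).
# It is not a real application's SBOM; the defects below are intentional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app",
                               "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.0.7", "name": "urllib3",
         "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        {"bom-ref": "pkg:pypi/certifi@2023.7.22", "name": "certifi",
         "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
        # No purl: a vulnerability database cannot match this component automatically.
        {"bom-ref": "vendored-lib", "name": "vendored-lib", "version": "0.3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "vendored-lib"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@2.0.7", "pkg:pypi/certifi@2023.7.22"]},
        {"ref": "pkg:pypi/urllib3@2.0.7", "dependsOn": []},
        # certifi has no dependency entry at all, and vendored-lib depends on a
        # ref that appears nowhere under "components" (a dangling reference).
        {"ref": "vendored-lib", "dependsOn": ["pkg:generic/mystery@1.0"]},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything else."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def dependency_graph(doc):
    """Map each bom-ref to the list of refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}


def transitive_depths(doc):
    """Breadth-first walk from the root component.
    Returns {ref: depth}; depth 1 is a direct dependency, 2 and above are transitive."""
    root = doc["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(doc)
    depths, queue, seen = {}, deque([(root, 0)]), {root}
    while queue:
        ref, depth = queue.popleft()
        for child in graph.get(ref, []):
            if child not in seen:          # cycles and diamonds are visited once
                seen.add(child)
                depths[child] = depth + 1
                queue.append((child, depth + 1))
    return depths


def hidden_dependencies(doc):
    """Refs that are reachable only through another dependency (depth >= 2)."""
    return sorted(ref for ref, depth in transitive_depths(doc).items() if depth >= 2)


def completeness_issues(doc):
    """Gaps that automated matching cannot close and a reviewer must fix by hand."""
    root = doc["metadata"]["component"]["bom-ref"]
    known = {c["bom-ref"] for c in doc.get("components", [])}
    graph = dependency_graph(doc)
    referenced = {child for deps in graph.values() for child in deps}
    return {
        "missing_purl": sorted(c["bom-ref"] for c in doc.get("components", [])
                               if not c.get("purl")),
        "dangling_refs": sorted(referenced - known - {root}),
        "no_dependency_entry": sorted(known - set(graph)),
    }


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for ref, depth in sorted(transitive_depths(sbom).items(), key=lambda kv: kv[1]):
        print(f"depth {depth}: {ref}")
    print("hidden:", hidden_dependencies(sbom))
    print("issues:", completeness_issues(sbom))
```

Run against a real SBOM, the three issue lists are a quick measure of how much of the inventory a platform can actually act on: every entry under `missing_purl` or `dangling_refs` is a component that will be silently absent from vulnerability matching unless someone corrects the document.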