By Byron V. Acohido
President Biden’s call for the mainstreaming of Software Bills of Materials (SBOMs), issued in Executive Order 14028 in May 2021, is a major step forward.
Requiring a formal inventory of every component, library and module in a business application can help lock down software supply chains, especially in light of the SolarWinds supply-chain compromise (disclosed December 2020) and the Colonial Pipeline ransomware attack (May 2021).
Yet SBOMs will take us only so far. I had a deep discussion about this at Black Hat USA 2024 with Saša Zdjelar, Chief Trust Officer at ReversingLabs (RL). He drew a vivid parallel between food safety and software security. For a full drill down, please give the accompanying podcast a listen.
An SBOM is like an ingredients list, not a recipe for a gourmet dish, Zdjelar argues. Similarly, SBOMs in and of themselves do little to flush out anomalies arising in the wild. In short, SBOMs do not take context into account, he noted.
Context is fast becoming king in cybersecurity. Contextual solutions are more like recipes for securing business networks in a cloud-centric, hyper-interconnected operating environment – without unduly taxing efficiency or user experience.
RL Spectra Assure, for instance, provides context by performing deep analysis of binary code. This technology doesn’t just identify the ingredients in software; it also analyzes how those ingredients, such as third-party components, open-source libraries and other dependencies, interact. In doing so, Spectra Assure does what SBOMs cannot: identify malware or tampering before an application is released or deployed.
For software producers, it does this continuously by integrating into continuous integration/continuous deployment (CI/CD) workflows. For enterprise buyers, on-demand scanning of commercial software provides a consistently up-to-date view of application risk before deployment and as new updates arrive. This is a prime example of contextual security gaining ground in a massively complex, highly dynamic operating environment.
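To make the ingredients-list limitation concrete, here is an added example (written for this page, not code from the original post or from ReversingLabs) of the most an SBOM alone can give a CI/CD gate: it checks each deployed artifact against the SHA-256 the SBOM recorded at build time. It catches artifacts altered after the SBOM was generated, artifacts the SBOM never listed, and entries with no hash to compare, but a matching hash says nothing about what the component does. The SBOM is a constructed CycloneDX-style JSON document; the component names, byte contents and the one-artifact-per-component layout are assumptions for illustration.

```python
"""Added example: the verification ceiling of an SBOM-only CI gate.

Assumptions (illustrative, not from the article): the SBOM is CycloneDX-style
JSON with one "components" entry per shipped artifact, matched by name, and
each entry may carry a SHA-256 in its "hashes" list.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample build output: component name -> bytes as built.
# The contents are placeholders, not real library code.
ORIGINAL_BUILD = {
    "libfoo": b"libfoo v1.4.2 release build\n",
    "bar-utils": b"bar-utils v0.9.0 release build\n",
    "baz-net": b"baz-net v2.1.0 release build\n",
}


def make_sbom(build: dict, omit_hash_for: set = frozenset()) -> str:
    """Emit a minimal CycloneDX-style SBOM (JSON text) for a build.

    This is the "ingredients list": names plus, where available, the digest
    of the bytes that were built. Entries in omit_hash_for get no digest,
    mirroring real-world SBOMs that list a component without a hash.
    """
    components = []
    for name, data in build.items():
        comp = {"type": "library", "name": name}
        if name not in omit_hash_for:
            comp["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(data)}]
        components.append(comp)
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": components})


def verify_against_sbom(sbom_json: str, deployed: dict) -> dict:
    """Compare deployed artifacts with the digests recorded in the SBOM.

    Returns four lists:
      verified     - SHA-256 matches the SBOM entry
      mismatch     - SHA-256 differs: bytes changed after the SBOM was made
      unverifiable - listed in the SBOM but without a SHA-256 to compare
      unlisted     - deployed but absent from the SBOM entirely
    A "verified" artifact is only known to be the same bytes the build
    recorded; nothing here inspects what those bytes do.
    """
    recorded = {}
    for comp in json.loads(sbom_json).get("components", []):
        digests = {h["alg"]: h["content"] for h in comp.get("hashes", [])}
        recorded[comp["name"]] = digests.get("SHA-256")

    result = {"verified": [], "mismatch": [], "unverifiable": [], "unlisted": []}
    for name, data in deployed.items():
        if name not in recorded:
            result["unlisted"].append(name)
        elif recorded[name] is None:
            result["unverifiable"].append(name)
        elif recorded[name] == sha256_hex(data):
            result["verified"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def ci_gate(sbom_json: str, deployed: dict) -> bool:
    """Pass only if every deployed artifact is listed and hash-verified."""
    r = verify_against_sbom(sbom_json, deployed)
    return not (r["mismatch"] or r["unverifiable"] or r["unlisted"])


# Constructed scenario: the SBOM was generated from the clean build but
# carries no hash for baz-net; what actually ships has one artifact altered
# after the fact and one extra artifact the SBOM never saw.
SBOM = make_sbom(ORIGINAL_BUILD, omit_hash_for={"baz-net"})
DEPLOYED = dict(ORIGINAL_BUILD)
DEPLOYED["bar-utils"] = ORIGINAL_BUILD["bar-utils"] + b"# injected after build\n"
DEPLOYED["qux-extra"] = b"qux-extra: not in the SBOM at all\n"

if __name__ == "__main__":
    for category, names in verify_against_sbom(SBOM, DEPLOYED).items():
        print(f"{category:13s}: {names}")
    print("gate passes:", ci_gate(SBOM, DEPLOYED))
```

The gate fails here for three different reasons, and that is the useful part: the SBOM lets you detect that bar-utils changed and that qux-extra was never declared, but it cannot check baz-net at all, and it would pass libfoo unchanged even if libfoo's upstream release had been trojaned before the build, because the recorded digest would match the trojaned bytes. Catching that last case requires looking inside the binary, which is the context the article is describing.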
We need a lot more of it. I’ll keep watch and keep reporting.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
August 19th, 2024
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/black-hat-fireside-chat-why-grasping-the-context-of-code-is-a-recipe-for-keeping-software-secure/