The Linux Foundation, the Joint Development Foundation, and the open-source SPDX community jointly announced this week that the Software Package Data Exchange (SPDX) specification for creating software bills of materials (SBOMs) is now recognized as the ISO/IEC 5962:2021 international standard.
The ISO recognition provides a shorthand mechanism for setting expectations for what should be at a minimum included in an SBOM that can be easily referenced by not just developers but also purchasing agents and legal firms, says Kate Stewart, SPDX tech team co-lead at the Linux Foundation. “It’s easier to just cite an ISO number,” she says. “It sets an expectation for what should be included.”
Intel, Microsoft, Siemens, Sony, Synopsys, VMware, and WindRiver are among the organizations that already employ the SPDX specification to standardize the metadata that describes the contents of a software package.
The need for that specification has become critical as software becomes more complex, says Phil Odence, general manager for Black Duck Audits at Synopsys, a provider of tools for securing applications. “There are a lot more hidden dependencies,” says Odence.
The challenge is that even when an SBOM exists, each development team constructs it very differently. The Linux Foundation makes available a set of tools for building SBOMs based on the SPDX file format, which standardizes how the fields used to describe an SBOM are defined.
SBOMs can also play a critical role in maintaining the security of a software supply chain. Today’s major challenge is that an SBOM often isn’t created at all, which makes it hard to discover what software components have been included in a package. That in turn makes it difficult for organizations to determine whether they are employing a version of a software component that has a recently discovered critical vulnerability.
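As an added example (not code from the article or from the SPDX project), the following Python parses a constructed SPDX 2.2 tag-value SBOM and checks each package's name and version against a constructed advisory list, which is the lookup an organization would run when a new vulnerability is disclosed. The tag names are real SPDX fields; the package names, versions and the advisory id are placeholders.

```python
import re

# Constructed SBOM fragment in SPDX 2.2 tag-value syntax. Field names are the
# real SPDX ones; package names, versions and IDs are made up for this example.
SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom

PackageName: example-app
SPDXID: SPDXRef-Package-app
PackageVersion: 1.0.0
PackageLicenseConcluded: MIT

PackageName: libparse
SPDXID: SPDXRef-Package-libparse
PackageVersion: 2.3.1
PackageLicenseConcluded: Apache-2.0
"""

# Constructed advisory feed: (package, affected version) -> placeholder id.
# A real check would consult a vulnerability database keyed the same way.
ADVISORIES = {("libparse", "2.3.1"): "EXAMPLE-ADVISORY-0001"}

TAG_LINE = re.compile(r"^(\w+):\s*(.*)$")


def parse_packages(text):
    """One dict per package; header tags before the first PackageName are skipped."""
    packages, current = [], None
    for line in text.splitlines():
        m = TAG_LINE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            current[tag] = value
    return packages


def vulnerable_packages(text):
    """Match each (name, version) pair in the SBOM against the advisory list."""
    hits = []
    for pkg in parse_packages(text):
        key = (pkg.get("PackageName"), pkg.get("PackageVersion"))
        if key in ADVISORIES:
            hits.append(f"{key[0]}@{key[1]}: {ADVISORIES[key]}")
    return hits
```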
The SBOM tools also enable organizations to respond to President Biden’s executive order pertaining to the security of software supply chains. The National Telecommunications and Information Administration (NTIA) is currently asking for feedback to define the minimum requirements for an SBOM to comply with that executive order.
It may take a while before there is an agreed-upon SBOM standard. Still, the more software that lacks any kind of manifest describing what’s in it is deployed, the more challenging application security becomes. In the wake of a series of high-profile security breaches, it’s now only a matter of time before reviews of software supply chains result in mandates requiring an SBOM for every module of code being created.
Developers, unfortunately, are not always sure themselves what’s inside, for example, a container image that they have downloaded from a repository. The trouble is that cybercriminals are getting a lot more adept at inserting malware into the code they know will be employed in myriad downstream applications that they can later compromise. In effect, for the want of an SBOM, the application security war is being lost.