By Ling Cheng (Senior Product Marketing Manager)
In today’s interconnected world, the security of software supply chains has become a paramount concern. As the software-defined vehicle (SDV) ecosystem continues to advance, the extensive use of open-source components highlights the need for robust security measures more than ever before. While third-party code streamlines the development process and accelerates time to market, it also introduces vulnerabilities whether the components are acquired or open-sourced.
According to NIST NVD statistics, there was a 25% increase in the number of vulnerabilities from 2021 to 2022. This brings the significance of software security to the fore as these often hidden risks not only pose threats to the connected car supply chain but also engender financial risks to OEMs — in light of the growing percentage of software-related recalls, which went up to 14% from 10% within a three-year span, according to a Sibros report.
When a newsworthy cyberattack occurs, stakeholders would like to know the following:
- Impact assessment: How can they determine whether their vehicle or device is affected?
- Component usage: Which areas of their business use the affected component?
- Vulnerability exploitation: What is the impact if attackers exploit the vulnerability?
- Mitigation: What steps should they take to mitigate the risks?
This kind of situation is where the importance of the software bill of materials (SBOM) comes into play.
SBOM: Enhancing software supply chain visibility
To address this growing concern about software supply chain risks, the concept of the SBOM emerged as a critical component in this evolving threat landscape. An SBOM is a comprehensive inventory of all software components and dependencies used in building a particular piece of software. It provides a detailed record of the components, their versions, and the relationships between them, essentially functioning as a list of parts for software. (Software Package Data Exchange or SPDX 2.3 provides essential information on SBOM formats.)
The three most important pieces of information in an SBOM are:
- Component identification: This refers to the details about each software component, including its name, version, and unique identifiers.
- Licensing information: This refers to the license details of the software components to ensure compliance with relevant licensing obligations.
- Dependencies: This refers to information on the dependencies between components, including any open-source libraries or third-party software used.
When an incident occurs, the product security team can swiftly determine whether the product’s software has used any affected components or whether their versions match by using the aforementioned information. Moreover, such valuable information enables the security team to seamlessly trace and probe the entire supply chain. The team can promptly identify which products incorporate a specific open-source component and subsequently identify customers who have made purchases, thus enabling the team to immediately notify affected customers.
Benefits of using an SBOM
The increasing complexity and interdependence of software systems have made it difficult to track and manage the components that make up a software product. The use of an SBOM provides a structured approach to understanding the software supply chain by documenting its building blocks. It facilitates transparency and accountability in the development process, which are vital for security.
Stakeholders of the SDV ecosystem can take advantage of the benefits that the implementation of an SBOM brings, including:
- Identifying vulnerabilities: Integrating an SBOM into the vulnerability management platform allows for automated checks against known, zero-day, and undisclosed vulnerabilities. This automated approach accelerates the identification of potential threats.
- Licensing compliance: An SBOM offers a comprehensive inventory of software components, along with their corresponding licenses. This visibility enables organizations to easily verify their compliance with the licensing terms for each component integrated into their products or services.
- Efficient risk management: With an SBOM, organizations can proactively identify and mitigate risks within their software supply chains, reducing the likelihood of disruptions or security breaches.
- Streamlined software updates: An SBOM facilitates better tracking of software versions and dependencies, leading to more efficient and accurate software updates and patch management.
- Dependency analysis: An SBOM reveals the interdependencies among different software components. By understanding these relationships, security professionals can pinpoint vulnerable components and assess the overall risk posture.
It is therefore not surprising that over the past few years, more standards and regulations have adopted the implementation of SBOMs. The significance of SBOMs has been acknowledged not only by the US federal government but also by the automotive industry. US President Joe Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity, issued in May 2021, emphasizes the requirement for companies selling software to the federal government to furnish a comprehensive SBOM. Also, certain countries are actively considering incorporating an SBOM as a regulatory requirement, making it an essential prerequisite for vulnerability analysis in the automotive industry.
How to start your SBOM implementation
Traditionally, creating an SBOM involved the laborious process of manually writing software details on paper or spreadsheets. In the case of a modern car running over a hundred million lines of code, as the software scales and more components are added, the task of manually entering and updating data becomes increasingly time-consuming and inefficient, sometimes even requiring daily updates. This places a heavy burden on employees and is an unwise use of their time. In addition, relying on manual processes renders it susceptible to errors, which not only lead to legal implications but also hinder the early identification of vulnerabilities. This consequently erodes trust in the automotive supply chain.
To alleviate the burden of manual management, there are available software composition analysis (SCA) tools that are tailored to the needs of the automotive industry. These specialized products enable the automatic generation and efficient management of SBOMs, streamlining processes and enhancing cybersecurity practices in the automotive industry.
In the second installment of this two-part series of articles, we discuss how organizations can optimize the benefits of using SBOMs to make connected cars more secure.