In Biden’s Executive Order on Improving the Nation’s Cybersecurity, mandates for the security of the software supply chain were explicitly laid out. It starts with requirements for the National Institute of Standards and Technology (NIST) to “issue guidance identifying practices” for identifying and tracking the third-party software packages in applications used by the government.

This shift raises the question: What will government IT departments do with this new information?

On the one hand, it seems incredible that enterprises and governments are using software without understanding what is in it. Historically, however, this is just how it goes with software—users have never quite known what is in the software they use, because they never get to see how it is made.

Big software applications typically consist of millions of lines of code and hundreds or thousands of third-party code packages. For most, the details of the process are out of sight, out of mind.

To ensure more reliable and secure applications, two new capabilities need to be applied to software:

1. An ability to identify and present in a manifest the source and version of all software contained in an application, and

2. A system to continuously identify and report vulnerabilities in all software packages such that their presence and potential security impact on a finished software application can be known at any time.

Even this approach does not solve all the problems—there are still issues of undiscovered vulnerabilities and unexpected code interactions across packages that can lead to weaknesses and breaches.

Software Bills of Materials (SBOMs) seek to address these requirements, but they only work if the user can trust the statements in the manifest. SecureG is working on the solution–digital certificates for your software inventories that let software vendors trust and trace the origin of all their components and prove to their customers they are in control.

Talk to SecureG for more information.