How SBOM Tools Can Help Mitigate Software Supply Chain Risk
A recent article on The Hill highlights the growing concern over software supply chain risk and the potential solutions available.
One of the main issues is the sheer number of software packages available, with over 200 million software repositories hosted on GitHub alone. It’s impossible to know which software packages are deployed inside other solutions, which is where Software Bill of Materials (SBOM) tools come in.
However, it’s important to note that SBOM tools alone are not sufficient to solve the security problem for government agencies.
As the article states, this is like thinking your house is safe because you have a new door lock sitting on the kitchen counter. SBOM tools can be easily fooled by even slightly motivated attackers, such as those who modify a software package to include a vulnerability and then publish it with the same labeling as the original package.
An even more insidious attack involves adversaries who change a package header to say that it is up-to-date when, in fact, it is an older version that contains known vulnerabilities they can later exploit. This is why we need continuous monitoring of the actual contents of any packages included in sensitive software and a measurement of the reliability of that package. SBOM solutions need to be more than just naive “software ingredients lists” to be effective.
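The difference between an ingredients list and a content check, as an added example that is not part of the original article and not SecureG's code: a naive check trusts the name and version in a package header, while a content check hashes what actually ships and compares it against the SBOM's declared hash and a list of hashes for releases with known weaknesses. The package format, the library name `examplelib`, the payloads, and the hash lists are all constructed for the example.

```python
import hashlib

# --- Constructed sample data (no real packages are involved) ---------------
GOOD_PAYLOAD = b"def connect(host):\n    return tls_connect(host, verify=True)\n"
VULN_PAYLOAD = b"def connect(host):\n    return tls_connect(host, verify=False)\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The SBOM as the operator received it: component name, version, and the
# content hash that version is supposed to ship. Real SBOM formats (SPDX,
# CycloneDX) carry such hashes per component; this dict stands in for one.
SBOM = {
    "examplelib": {"version": "2.1.0", "sha256": sha256(GOOD_PAYLOAD)},
}

# Reliability data gathered independently of the package's own labels:
# content hashes of releases with known weaknesses (constructed).
KNOWN_BAD_HASHES = {
    sha256(VULN_PAYLOAD): "examplelib 1.4.0 (disables certificate verification)",
}


def build_package(name: str, version: str, payload: bytes) -> bytes:
    # Constructed package format: one "name==version" header line, then payload.
    return f"{name}=={version}\n".encode() + payload


def parse_package(blob: bytes):
    header, payload = blob.split(b"\n", 1)
    name, version = header.decode().split("==")
    return name, version, payload


def naive_check(blob: bytes) -> bool:
    """Ingredients-list check: trusts the header alone."""
    name, version, _ = parse_package(blob)
    entry = SBOM.get(name)
    return entry is not None and entry["version"] == version


def content_check(blob: bytes) -> str:
    """Verifies what actually ships and consults reliability data."""
    name, version, payload = parse_package(blob)
    digest = sha256(payload)
    entry = SBOM.get(name)
    if entry is None:
        return "unknown component"
    if digest == entry["sha256"]:
        return "ok"
    if digest in KNOWN_BAD_HASHES:
        return f"label says {version} but contents match {KNOWN_BAD_HASHES[digest]}"
    return "contents do not match SBOM hash"


# A legitimately built package and one whose header was rewritten to claim
# the current version while carrying the older payload.
GENUINE = build_package("examplelib", "2.1.0", GOOD_PAYLOAD)
RELABELED = build_package("examplelib", "2.1.0", VULN_PAYLOAD)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("relabeled", RELABELED)):
        print(f"{label:9} naive: {naive_check(blob)!s:5} | content: {content_check(blob)}")
```

Run as a script: the naive check accepts both packages, because both headers say `examplelib==2.1.0`; the content check accepts only the genuine one and names the older release the relabeled package actually contains. Running the content check on a schedule, rather than once at admission, is what turns the SBOM from a static list into the monitoring the paragraph above calls for.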
In a sense, the Zero Trust Architecture paradigm can apply to software systems too.
Software components can be admitted to an application and be provisionally trusted, but a sophisticated SBOM system remains on guard to alert the operator whenever a component (or combination of components) becomes suspect.
At SecureG, we offer solutions for Zero Trust security, with digital identities for physical and virtual devices across IoT, semiconductors, and 5G networks. Contact us for more information on how we can help you secure your systems against software supply chain risk.