from the how-did-Redmond-get-that-hyphen-in-there dept.
The US Department of Defense has published a report entitled Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials (warning for PDF) about aligning government activities with industry best practices. It covers principles that software developers and software suppliers can reference, including managing open source software and software bills of materials to maintain and provide awareness about software security. The report is a follow-up to the much-hyped 2021 executive order on cybersecurity. Much focus is given to making and using Software Bills of Materials (SBOMs) and incorporating them into the workflow:
The SBOM and its contents must be validated and verified. Validation assures that the SBOM data is appropriately formatted and can be integrated into various tools and automation. Verification ensures the content within the SBOM is accurately described and all components and related information on a product for licensing and exporting are represented.
Many organizations are increasingly incorporating tools into the build and source repository facility to automate this process and provide artifacts which can attest to the verification of the SBOM being delivered. Both the content of the package, the executables, libraries and configuration files, and the actual format of the SBOM, should be validated. Any open-source software components should be verified for license or export restrictions. In some organizations, validation is performed first by the developer during build/packing of the product and then by the developer/supplier before customer delivery to verify the integrity of the SBOM being delivered. For more information on the formats and tools available for validation, refer to section 5.1.5 of this document "SBOM Validation."
A good reference on guidance for the SBOM process can be found in NTIA's publication "Software Suppliers Playbook: SBOM Production and Provision" guidance. It is important that developers understand the end-user requirements for SBOM generation and how this information might be used by both suppliers and customers. Additional process information relating to SBOMs and acquisitions can be found in the "Software Consumers Playbook: SBOM Acquisition, Management, and Use".
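As an added illustration of the validate-then-verify split the quoted passage describes (example code written for this post, not taken from the DoD report or the NTIA playbooks), the script below checks a constructed CycloneDX-style JSON SBOM in two stages: format validation (required fields present, hash entries are well-formed SHA-256 digests) and content verification (listed hashes match the bytes actually shipped, every shipped file is described, and licenses fall within an allowlist). The SBOM subset, the artifact bytes, the purl strings and the license policy are all assumptions made for the example, not the full CycloneDX schema or any organisation's real policy.

```python
import hashlib
import json

# Constructed artifacts standing in for the executables, libraries and
# configuration files a package ships.
ARTIFACTS = {
    "libfoo-1.2.0.so": b"\x7fELF constructed-libfoo-bytes",
    "config.yaml": b"feature_flag: on\n",
}

# Constructed policy: licenses this (hypothetical) organisation allows to ship.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Assumed minimal CycloneDX-style shape; the real schema has many more fields.
REQUIRED_TOP = ("bomFormat", "specVersion", "components")
REQUIRED_COMPONENT = ("name", "version", "purl", "hashes", "licenses")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom(artifacts: dict, licenses: dict) -> dict:
    """What a build step would emit: one component per shipped artifact."""
    components = []
    for name, data in artifacts.items():
        components.append({
            "name": name,
            "version": "1.2.0",
            # purl for a generic file is an assumption for this example.
            "purl": f"pkg:generic/{name}@1.2.0",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            "licenses": [{"license": {"id": licenses[name]}}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}


def validate_sbom(sbom_json: str) -> list:
    """Format validation: is the document shaped so tools can consume it?
    Returns a list of problems; an empty list means the format is valid."""
    problems = []
    try:
        sbom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    for key in REQUIRED_TOP:
        if key not in sbom:
            problems.append(f"missing top-level field {key!r}")
    for i, comp in enumerate(sbom.get("components", [])):
        for key in REQUIRED_COMPONENT:
            if key not in comp:
                problems.append(f"component {i}: missing {key!r}")
        for h in comp.get("hashes", []):
            if h.get("alg") != "SHA-256" or len(h.get("content", "")) != 64:
                problems.append(f"component {i}: hash entry is not a SHA-256 digest")
    return problems


def verify_sbom(sbom: dict, artifacts: dict, allowed: set) -> list:
    """Content verification: do the SBOM's claims match the delivered package?
    Checks hashes against shipped bytes, license allowlist, and that every
    shipped artifact is described. Returns a list of findings."""
    findings = []
    described = set()
    for comp in sbom["components"]:
        name = comp["name"]
        described.add(name)
        data = artifacts.get(name)
        if data is None:
            findings.append(f"{name}: listed in SBOM but not in package")
            continue
        expected = {h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256"}
        if sha256_hex(data) not in expected:
            findings.append(f"{name}: SHA-256 mismatch")
        for lic in comp["licenses"]:
            lic_id = lic["license"]["id"]
            if lic_id not in allowed:
                findings.append(f"{name}: license {lic_id} not in allowlist")
    for name in artifacts:
        if name not in described:
            findings.append(f"{name}: shipped but absent from SBOM")
    return findings


def demo() -> dict:
    """Exercise a clean SBOM, a tampered artifact, a disallowed license and a
    malformed SBOM, returning each outcome by name."""
    all_mit = {"libfoo-1.2.0.so": "MIT", "config.yaml": "MIT"}
    sbom = build_sample_sbom(ARTIFACTS, all_mit)
    results = {
        "clean_validation": validate_sbom(json.dumps(sbom)),
        "clean_findings": verify_sbom(sbom, ARTIFACTS, ALLOWED_LICENSES),
    }
    # A byte changed after the SBOM was generated: verification must catch it.
    tampered = {**ARTIFACTS, "libfoo-1.2.0.so": b"\x7fELF tampered-libfoo-bytes"}
    results["tampered_findings"] = verify_sbom(sbom, tampered, ALLOWED_LICENSES)
    # A component under a license outside the constructed allowlist.
    sbom_gpl = build_sample_sbom(ARTIFACTS, {**all_mit, "config.yaml": "GPL-3.0-only"})
    results["license_findings"] = verify_sbom(sbom_gpl, ARTIFACTS, ALLOWED_LICENSES)
    # A component with no hashes fails format validation before verification runs.
    broken = json.loads(json.dumps(sbom))
    del broken["components"][0]["hashes"]
    results["broken_validation"] = validate_sbom(json.dumps(broken))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome or 'OK'}")
```

Keeping the two stages separate mirrors the report's distinction: a document can be perfectly well-formed and still lie about what it describes, and a hash check only means something once the format has been accepted by tooling. In practice both stages run once at build or packaging time and again before customer delivery, and the results are retained as attestation artifacts.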
Open source community sets out path to secure software:
The open source community has presented a 10-point plan to improve the security and resilience of its software, bringing together more than 90 executives from 37 organisations, alongside US government officials, at a summit in Washington DC.
[...] OpenSSF executive director Brian Behlendorf added: "What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it. The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action."
The 10-point plan, which can be read in full on OpenSSF's website, is as follows:
- To deliver baseline secure software development education and certification;
- To establish a public, supplier-neutral, objective-metrics-based risk assessment dashboard for 10,000 widely used open source software (OSS) components;
- To accelerate the adoption of digital signatures on OSS releases;
- To eliminate the root causes of many vulnerabilities by replacing non-memory-safe languages;
- To establish an OpenSSF-backed incident response team to help open source projects respond to vulnerability disclosures;
- To improve the ability of maintainers and experts to discover new vulnerabilities in open source projects;
- To establish a programme of third-party code audits and remediation for up to 200 of the most-critical OSS components;
- To coordinate industry-wide data sharing to improve how the community goes about determining what the most-critical OSS components actually are;
- To improve the adoption of software bill of materials (SBOM) tooling and training;
- And finally, to enhance the 10 most-critical OSS build systems, package managers and distribution systems with improved supply chain security tools and practices.
