Managing Open Source Software and Software Bill of Materials

Accepted submission by canopic jug at 2023-12-16 09:18:06 from the how-did-Redmond-get-that-hyphen-in-there dept.
Software

The US Department of Defense has published a report entitled Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials [defense.gov] (warning for PDF) about aligning government activities with industry best practices. It covers principles that software developers and software suppliers can reference, including managing open source software and software bills of materials to maintain and provide awareness about software security. The report is a follow-up to the much-hyped 2021 executive order on cybersecurity [whitehouse.gov]. Much focus is given to making and using Software Bills of Materials (SBOMs) and incorporating them into the workflow:

The SBOM and its contents must be validated and verified. Validation assures that the SBOM data is appropriately formatted and can be integrated into various tools and automation. Verification ensures the content within the SBOM is accurately described and all components and related information on a product for licensing and exporting are represented.

Many organizations are increasingly incorporating tools into the build and source repository facility to automate this process and provide artifacts which can attest to the verification of the SBOM being delivered. Both the content of the package, the executables, libraries and configuration files, and the actual format of the SBOM, should be validated. Any open-source software components should be verified for license or export restrictions. In some organizations, validation is performed first by the developer during build/packing of the product and then by the developer/supplier before customer delivery to verify the integrity of the SBOM being delivered. For more information on the formats and tools available for validation, refer to section 5.1.5 of this document “SBOM Validation.”

A good reference on guidance for the SBOM process can be found in NTIA’s publication “Software Suppliers Playbook: SBOM Production and Provision” guidance. It is important that developers understand the end-user requirements for SBOM generation and how this information might be used by both suppliers and customers. Additional process information relating to SBOMs and acquisitions can be found in the “Software Consumers Playbook: SBOM Acquisition, Management, and Use”.

Don't say that acronym at the airport while working with your team over the phone...
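To make the report's validation/verification split concrete, here is a small added example (my own code, not the report's or the submitter's) over a constructed CycloneDX-style SBOM: validate_sbom checks that the document is formatted well enough for tooling to ingest, and verify_sbom checks that the declared hashes and licenses match the bytes actually shipped. The component names, artifact bytes, planted defects and the license denylist are all constructed assumptions, not anything from the report.

```python
import hashlib
import json

# Constructed stand-ins for the shipped package contents, keyed by component name.
ARTIFACTS = {"libfoo": b"libfoo-1.2.0 object code (constructed)",
             "bar-cli": b"bar-cli-0.9.1 executable (constructed)",
             "baz": b"baz-3.0.0 config bundle (constructed)"}
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
# Constructed CycloneDX-style SBOM with two planted defects: wrong hash on bar-cli, "baz" undeclared.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["libfoo"])}]},
        {"type": "application", "name": "bar-cli", "version": "0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ]})

def validate_sbom(text: str) -> list:
    """Validation: is the document well-formed enough for tooling to ingest it?"""
    try:
        sbom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    errors = [f"missing top-level field {k}" for k in ("bomFormat", "specVersion", "components") if k not in sbom]
    for i, comp in enumerate(sbom.get("components", [])):
        errors += [f"component {i} missing {k}" for k in ("type", "name", "version", "hashes") if k not in comp]
        if not any(h.get("alg") == "SHA-256" for h in comp.get("hashes", [])):
            errors.append(f"component {i} has no SHA-256 hash")
    return errors

def verify_sbom(text: str, artifacts: dict, denied=("GPL-3.0-only",)) -> list:
    """Verification (run after validate_sbom): does the SBOM match what is shipped? 'denied' is a constructed policy."""
    findings, declared = [], set()
    for comp in json.loads(text)["components"]:
        name = comp["name"]
        declared.add(name)
        if name not in artifacts:
            findings.append(f"{name}: declared in SBOM but not present in package")
            continue
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if sha256_hex(artifacts[name]) != expected:
            findings.append(f"{name}: SHA-256 mismatch against shipped bytes")
        findings += [f"{name}: license {lc['license']['id']} restricted by policy"
                     for lc in comp.get("licenses", []) if lc.get("license", {}).get("id") in denied]
    findings += [f"{n}: shipped but not declared in SBOM" for n in sorted(set(artifacts) - declared)]
    return findings
```

Running both on the constructed input passes validation but returns three verification findings: the bad hash, the restricted license, and the undeclared component.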

Previously:
(2022) Open Source Community Sets Out Path to Secure Software [soylentnews.org]
