Software Bill of Materials (SBOMs) have quickly become one of the go-to tools to help manage risks in software supply chains; however, most of the focus has been on helping organizations properly create and distribute SBOMs.
Admittedly, this is where NetRise has spent most of our efforts as well, particularly around helping XIoT (The Extended Internet of Things — IoT, OT, IoMT, and other typically unmanaged connected devices) device manufacturers and asset owners automatically analyze firmware to create SBOMs for these devices. NetRise uses a variety of technologies including knowledge graphs, machine learning, and many years of specialized experience, but creating SBOMs is only half the battle.
If a manufacturer creates an SBOM but nobody uses it, does the software still introduce risk?
An SBOM is like a comprehensive list of ingredients in a recipe, representing the components used in a piece of software or a device. However, on their own SBOMs do not convey risk. They offer transparency by disclosing the software components in a firmware or application, but assessing the potential risks posed by these components requires additional context. So what happens when organizations receive an SBOM from a vendor? How can they effectively assess the risks associated with the components used in the software or devices they rely on?
The Asset Owner Use Case
Imagine you are an enterprise using security cameras from a vendor, and they provide you with an SBOM for the camera firmware. While it offers transparency regarding the software components used, determining the risks these components introduce to your network is your responsibility. For example, the firmware might utilize version 1.0.0 of a popular web server but the SBOM does not tell you the latest version of the software is version 5.6.1 and all versions prior to it are vulnerable to multiple remote code execution vulnerabilities. While the vendor is being transparent about the software they are using, it is the responsibility of the organization operating the device to determine the associated risk and continuously monitor it for new risks and vulnerabilities.
The NetRise Platform now allows asset owners to upload SBOMs from third-parties and automatically enrich the identified components with vulnerability intelligence information and display it in our intuitive user interface. NetRise supports both CycloneDX and SPDX, enabling downstream customers to correlate components and vulnerabilities across multiple manufacturers using differing SBOM formats. It’s like being able to play Final Fantasy 7 on your N64, or watching a Blu-Ray of the extended cut of The Fellowship of the Rings on the HD DVD player you regret buying. Once uploaded to the NetRise Platform, components will be enriched with crucial information, including details such as whether a CVE is in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, exploit availability (with references), CVSS scores, EPSS scores, and more.
SBOM assets are treated just like any other asset uploaded to the NetRise Platform — our knowledge graph helps correlate data points across your entire organization, allowing you to answer the question “where else does this vulnerability or component exist?” with the click of a button.
The Device Manufacturer Use Case
Asset owners are not the only organizations who can make use of this capability. As a device manufacturer, you likely integrate third-party applications into your products. When vendors provide you with SBOMs for these third-party components, you or your product security team need to assess the SBOM for any associated risks. With NetRise Platform you can upload all of your third-party SBOMs and have them enriched with vulnerability intelligence within minutes, eliminating the guesswork of identifying vulnerabilities and trying to prioritize them.
Additionally, if vendors provide their SBOMs in a format that is incompatible with your internal tools or processes, the NetRise Platform automatically converts them to SPDX and CycloneDX to help you easily integrate them into your workflow.
For organizations operating in sensitive environments or those who are not ready to put their full trust in a cloud-based product (we strongly urge you to reconsider) but still need a way to easily monitor their software components for vulnerabilities, you can upload your product SBOMs in lieu of the entire firmware and accomplish a similar result. This can help streamline your risk assessment and pre-production processes to ensure that you are fixing issues before they ship to asset owners.
To find out more about the unique value NetRise provides for SBOMs, contact us today.