What is an SBOM and why is it critical for IoT security?
The Internet of Things (IoT) is growing rapidly, with the number of connected devices expected to reach 29 billion by 2030, according to Statista. These devices are increasingly being integrated with artificial intelligence, enabling fast and sophisticated analysis.
Despite the convenience of increasing connectedness, the IoT also poses significant risks. Each connected device is a potential window for a malicious actor to intercept sensitive data sent through the IoT, enabling the compromise of back-end servers, cloud systems, and databases.
One important step toward addressing the security risks affecting IoT environments is to use a Software Bill of Materials (SBOM). An SBOM provides a clear picture of the software supply chain, revealing where vulnerabilities may be hiding. It lists all the components of a software product, including details like the version, programming language, and library.
With the information provided by the SBOM, IoT device manufacturers and users can identify threats and apply patches. It also helps users make more informed decisions when incorporating new components into their software.
What’s in an SBOM?
The US National Telecommunications and Information Administration (NTIA) established a standard defining the minimum requirements for a Software Bill of Materials. It stipulates that an SBOM should include the following information for each software component:
- Author name—typically the company that developed the software.
- Vendor name—the software vendor (which may be separate from the author).
- Component name—the name of each piece of software, including any aliases (other names).
- Version string—the version information in accordance with standard industry practices.
- Component hash—a cryptographic hash for identifying the software component.
- Unique identifier—an identification number (in addition to the hash) that gives each component a place in the SBOM.
- Relationship—a description of how the component relates to the software package. For example, a component might be marked as “included” in a given package.
Note that these are the minimum requirements for an SBOM, but the document might also include information like common vulnerabilities and exposures (CVEs) and security scores.
How does an SBOM improve IoT and connected device security?
A thorough SBOM is crucial for facilitating cybersecurity processes, allowing you to keep track of software components and find vulnerabilities. The SBOM should list all components, including open-source, custom, and third-party components. It’s important to avoid using an incomplete SBOM, which may be missing some of the modified or recompiled libraries.
Having a complete SBOM allows you to identify security issues in IoT devices. It can help improve the device’s cybersecurity resilience and maintain compliance with security standards. The SBOM is a central tool for identifying points of exposure in the software supply chain, allowing you to address security issues proactively.
Another important aspect of a comprehensive SBOM is that it can help your organization demonstrate that it has fulfilled its obligations. Having a complete list of your software components is evidence of due diligence.
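The two checks described above, the minimum-field list and the warning about incomplete SBOMs that miss modified or recompiled libraries, can be automated. The following is an added example, not code from the article or from any SBOM vendor: it maps a constructed CycloneDX 1.4-style document onto the seven fields listed earlier, reports any component that lacks one, and then reconciles the SBOM against the libraries actually present in a (constructed) firmware image by hash. The firmware bytes, component names, and the `pkg:generic/...` identifiers are all assumptions made up for the example.

```python
"""Added example (not the article's or any vendor's code): validate the
minimum SBOM fields, then reconcile the SBOM against a firmware image.
The SBOM and firmware contents below are constructed, not real data."""
import hashlib
import json
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed firmware image contents: path on the device -> file bytes.
FIRMWARE_FILES = {
    "/usr/lib/libmbedtls.so.2.28": b"mbedtls-2.28.3-official-build",
    "/usr/lib/libjson-c.so.5": b"json-c-0.16-official-build",
    "/usr/lib/libvendor-ota.so": b"vendor-ota-1.4-recompiled-with-local-patch",
    "/usr/lib/libcurl.so.4": b"curl-7.88.1-official-build",   # never documented
}

# Constructed SBOM. Field names follow the CycloneDX 1.4 JSON schema as I
# understand it; component_fields() maps them onto the article's seven fields.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "firmware", "bom-ref": "pkg:generic/sensor-gw@3.2.0",
                               "name": "sensor-gw", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/mbedtls@2.28.3", "name": "mbedtls",
         "version": "2.28.3", "author": "Arm", "supplier": {"name": "Arm"},
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"mbedtls-2.28.3-official-build")}]},
        # Version string deliberately missing: the field check should flag it.
        {"type": "library", "bom-ref": "pkg:generic/json-c@0.16", "name": "json-c",
         "author": "json-c contributors", "supplier": {"name": "json-c project"},
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"json-c-0.16-official-build")}]},
        # Lists the upstream build's hash, but the device carries a recompiled copy.
        {"type": "library", "bom-ref": "pkg:generic/vendor-ota@1.4", "name": "vendor-ota",
         "version": "1.4", "author": "Example IoT Ltd", "supplier": {"name": "Example IoT Ltd"},
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"vendor-ota-1.4-official-build")}]},
    ],
    "dependencies": [
        {"ref": "pkg:generic/sensor-gw@3.2.0",
         "dependsOn": ["pkg:generic/mbedtls@2.28.3", "pkg:generic/json-c@0.16",
                       "pkg:generic/vendor-ota@1.4"]},
    ],
}


def component_fields(comp: dict, related_refs: set) -> dict:
    """Map one CycloneDX component onto the article's seven minimum fields."""
    hashes = comp.get("hashes") or []
    return {
        "author name": comp.get("author"),
        "vendor name": (comp.get("supplier") or {}).get("name"),
        "component name": comp.get("name"),
        "version string": comp.get("version"),
        "component hash": hashes[0].get("content") if hashes else None,
        "unique identifier": comp.get("bom-ref"),
        # A relationship exists if the component appears in the dependency graph.
        "relationship": comp.get("bom-ref") in related_refs or None,
    }


def check_minimum_fields(sbom: dict) -> dict:
    """Return {component name: [missing fields]} for every incomplete component."""
    refs = set()
    for dep in sbom.get("dependencies", []):
        refs.add(dep.get("ref"))
        refs.update(dep.get("dependsOn", []))
    missing = {}
    for comp in sbom.get("components", []):
        gaps = [f for f, v in component_fields(comp, refs).items() if not v]
        if gaps:
            missing[comp.get("name", "<unnamed>")] = gaps
    return missing


def library_name(path: str) -> str:
    """'/usr/lib/libjson-c.so.5' -> 'json-c' (naive; fine for the constructed paths)."""
    base = os.path.basename(path)
    return (base[3:] if base.startswith("lib") else base).split(".so")[0]


def reconcile(sbom: dict, firmware_files: dict) -> dict:
    """Classify each library on the device: covered (hash matches an SBOM entry),
    modified (name listed but bytes differ), or undocumented (not in the SBOM)."""
    by_hash, by_name = {}, {}
    for comp in sbom.get("components", []):
        by_name[comp.get("name")] = comp
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                by_hash[h["content"].lower()] = comp
    result = {"covered": [], "modified": [], "undocumented": []}
    for path, data in firmware_files.items():
        if sha256_hex(data) in by_hash:
            result["covered"].append(path)
        elif library_name(path) in by_name:
            result["modified"].append(path)
        else:
            result["undocumented"].append(path)
    return result


if __name__ == "__main__":
    print(json.dumps({"missing_fields": check_minimum_fields(SBOM),
                      "reconciliation": reconcile(SBOM, FIRMWARE_FILES)}, indent=2))
```

Run against the constructed data, the field check flags `json-c` for its missing version string, and the reconciliation reports `libvendor-ota.so` as modified (listed, but the bytes on the device no longer match the recorded hash) and `libcurl.so.4` as undocumented. Both findings are exactly the kind of gap an incomplete SBOM would hide, and both are cheap to check in a firmware build pipeline where the image contents are available.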
How to make a software bill of materials
Organizations typically produce a Software Bill of Materials during the software development stage. There are several SBOM tools that integrate with existing Continuous Integration/Continuous Delivery (CI/CD) pipelines.
Another way to create an SBOM is with a software composition analysis (SCA) tool, which identifies the components present in your software. You can implement SCA scans during the build process or after the software is complete.
It’s important to apply recognized industry standards for exchanging supply chain data. Your SBOM should be machine-readable and human-readable, accessible to developers and end-users alike. The data format must be portable and usable in various applications.
One example of an industry standard for SBOMs is Software Package Data Exchange (SPDX), also known as ISO/IEC 5962:2021. This format can be consumed by vulnerability and patch management solutions that need to understand what underlying components are used by the software.
Other examples include NTIA’s Software Identification (SWID) tags, which provide an easy way to fill in the SBOM data fields portion, and CycloneDX from the Open Web Application Security Project (OWASP).
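The portability requirement above (machine-readable, usable across tools) is easiest to see by emitting one component inventory in both of the named exchange formats. The following is an added example, not code from the article or from the SPDX or CycloneDX projects: it turns a constructed build inventory into a CycloneDX 1.4 JSON document and an SPDX 2.3 JSON document, then reads the component hashes back from either one the way a consuming vulnerability-management tool would. The inventory, supplier names, `pkg:generic/...` identifiers, document namespace, and tool name are assumptions; the field names follow the two specifications' JSON bindings as I understand them.

```python
"""Added example (not the article's, SPDX's or CycloneDX's code): emit one
constructed inventory as CycloneDX 1.4 JSON and SPDX 2.3 JSON, then read the
hashes back from either format as a consuming tool would."""
import hashlib
import json

# Constructed build inventory: (name, version, supplier, artifact bytes).
# The first entry is the top-level firmware; the rest are its libraries.
INVENTORY = [
    ("sensor-gw", "3.2.0", "Example IoT Ltd", b"sensor-gw-3.2.0-firmware-blob"),
    ("mbedtls", "2.28.3", "Arm", b"mbedtls-2.28.3-official-build"),
    ("json-c", "0.16", "json-c project", b"json-c-0.16-official-build"),
]
# Constructed dependency edges between inventory entries.
DEPENDS_ON = {"sensor-gw": ["mbedtls", "json-c"], "mbedtls": [], "json-c": []}


def purl(name: str, version: str) -> str:
    return f"pkg:generic/{name}@{version}"   # assumed identifier scheme


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def to_cyclonedx(inventory: list, depends_on: dict, created: str) -> dict:
    def comp(entry, ctype):
        name, version, supplier, blob = entry
        return {"type": ctype, "bom-ref": purl(name, version), "name": name,
                "version": version, "supplier": {"name": supplier},
                "purl": purl(name, version),
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}]}
    root, *libs = inventory
    refs = {name: purl(name, version) for name, version, _, _ in inventory}
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {"timestamp": created, "component": comp(root, "firmware")},
        "components": [comp(e, "library") for e in libs],
        "dependencies": [{"ref": refs[n], "dependsOn": [refs[d] for d in deps]}
                         for n, deps in depends_on.items()],
    }


def to_spdx(inventory: list, depends_on: dict, created: str) -> dict:
    def spdx_id(name):
        return f"SPDXRef-Package-{name}"   # letters, digits, '.' and '-' only

    def pkg(entry):
        name, version, supplier, blob = entry
        return {"name": name, "SPDXID": spdx_id(name), "versionInfo": version,
                "supplier": f"Organization: {supplier}", "downloadLocation": "NOASSERTION",
                "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_hex(blob)}],
                "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                                  "referenceType": "purl",
                                  "referenceLocator": purl(name, version)}]}
    root_name = inventory[0][0]
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": spdx_id(root_name)}]
    for n, deps in depends_on.items():
        for d in deps:
            rels.append({"spdxElementId": spdx_id(n), "relationshipType": "DEPENDS_ON",
                         "relatedSpdxElement": spdx_id(d)})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{root_name}-sbom",
        # Constructed namespace; a real one must be a unique URI per document.
        "documentNamespace": f"https://sbom.example.invalid/{root_name}/{created}",
        "creationInfo": {"created": created, "creators": ["Tool: example-sbom-generator-0.1"]},
        "packages": [pkg(e) for e in inventory],
        "relationships": rels,
    }


def hashes_by_name(doc: dict) -> dict:
    """Read name -> SHA-256 from either format, as a consuming tool would."""
    if doc.get("bomFormat") == "CycloneDX":
        comps = [doc["metadata"]["component"]] + doc["components"]
        return {c["name"]: c["hashes"][0]["content"] for c in comps}
    if doc.get("spdxVersion"):
        return {p["name"]: p["checksums"][0]["checksumValue"] for p in doc["packages"]}
    raise ValueError("unrecognised SBOM format")


if __name__ == "__main__":
    created = "2024-01-01T00:00:00Z"   # a CI job would use the build time
    cdx = to_cyclonedx(INVENTORY, DEPENDS_ON, created)
    spdx = to_spdx(INVENTORY, DEPENDS_ON, created)
    print(json.dumps(cdx, indent=2))
    print(json.dumps(spdx, indent=2))
    print("same hashes in both formats:", hashes_by_name(cdx) == hashes_by_name(spdx))
```

In a CI pipeline this step runs after the artifacts are built, so the hashes describe the bytes that actually ship rather than what the source tree declares. Keeping the dependency edges in the document (CycloneDX `dependencies`, SPDX `DEPENDS_ON` relationships) is what lets a downstream tool answer "which device images contain this library" when a CVE is published.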
Final thought
A Software Bill of Materials is an important document for ensuring visibility and traceability in software products, allowing developers and end users to identify and manage software supply chain risks. Maintaining a complete and accurate SBOM is especially crucial for Internet of Things systems, where hundreds or thousands of connected devices could introduce potential vulnerabilities.
Thus, you need to understand how to create and update your SBOMs, ensuring that the data is readable and transferable. This will allow you to build and expand your IoT projects, and it will also be useful for third parties and end-users looking to identify software vulnerabilities.
About the author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Check Point, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.