Due Diligence and Ongoing Monitoring

  • 1.  Software Bill of Service

    This message was posted by a user wishing to remain anonymous
    Posted 08-08-2023 06:42 PM

    Hello,

    Have people been receiving Software Bills of Service when requesting diligence documentation from their tech vendors? If so, what are you doing with these? Do you have a way to import the information on these to be used later? We are looking for a way to export the information from these documents to be used later in case there happens to be a breach (or something similar) so we can quickly search all of these fourth-party vendors.

    Thanks!



  • 2.  RE: Software Bill of Service

    Posted 08-17-2023 02:09 PM

    Hello, thank you for your question.

    I think you're referring to software bill of materials (SBOM). With this assumption as a jumping off point, here is what I recommend… First, SBOMs are described as a "nested inventory that make up software components."

    How would they be used by the organization or the consumer? This information can be used in Sourcing's RFP process for selecting a vendor towards software product creation.

    A software bill of materials, or SBOM, sheds light on an application's contents and code origins, and, when paired with vulnerability management tools, can help identify vulnerabilities and highlight risk for subsequent mitigation.

    • The reasons a person would want to retain such information – Damage and risk mitigation
    • The cost of not locating and addressing a security vulnerability only serves to highlight and stress the need for SBOMs; the reputational fallout can be devastating to a company when a supply chain attack occurs. Pulling in code from unknown repositories increases the potential for vulnerabilities that can be exploited by hackers. Two recent cyberattacks, namely the SolarWinds and Log4j attacks, affected supply chain software vendors.

    Risk Mitigation

    In order to identify software application dependencies, risk needs to be identified and evaluated from start to finish in software supply chain management.

    According to the blog cited below - SBOMs are important because they:

    I can't provide information on capturing and reporting that data because of the variation of systems and your organization's capabilities.

    Make sure to loop in your organization's cybersecurity team for identifying which information should be captured and reported in the event of a breach or other cybersecurity event.

    References:

    https://www.cisa.gov/sbom

    https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf

    https://www.cisa.gov/sites/default/files/2023-04/sbom-sharing-lifecycle-report_508.pdf

    I'd love to hear other members' thoughts.
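The original question asks how to import vendor SBOMs so that fourth-party components can be searched quickly after a breach, and the reply describes an SBOM as a nested inventory that becomes useful once paired with vulnerability data. The script below is an added example written for this thread, not code from either poster or from CISA. It assumes the vendors deliver SBOMs in CycloneDX JSON (the `bomFormat`, `metadata`, `components` and nested `components` fields are real CycloneDX layout); the two vendor documents, the supplier names, products and versions inside them are constructed sample data. It builds an index of every component across all SBOMs, walking nested component lists, and answers the question a team would ask on the day an advisory lands: which of our vendors ship component X below version Y?

```python
"""Index CycloneDX JSON SBOMs from several vendors and search them by component.

Added example for the thread above. The SBOM documents below are constructed
sample data (hypothetical vendors, products and versions), not real vendor files.
"""
import json
from collections import defaultdict

# Constructed sample SBOMs, one per hypothetical vendor product. Vendor B nests
# a library inside an SDK component to show that the inventory is hierarchical.
SAMPLE_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"supplier": {"name": "Vendor A (example)"},
                     "component": {"name": "PortalApp", "version": "3.2.0"}},
        "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.13.4"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"supplier": {"name": "Vendor B (example)"},
                     "component": {"name": "ReportingService", "version": "1.8.0"}},
        "components": [
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.15.2"},
            {"type": "library", "group": "com.example", "name": "reporting-sdk",
             "version": "4.0.1",
             "components": [  # nested inventory inside the SDK
                 {"type": "library", "group": "org.apache.logging.log4j",
                  "name": "log4j-core", "version": "2.16.0"},
             ]},
        ],
    }),
]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Non-numeric fragments such as '1-SNAPSHOT' are reduced to their digits; a
    fragment with no digits counts as 0. Good enough for dotted release numbers.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def iter_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def load_sbom(text):
    """Parse one CycloneDX JSON document into (supplier, product, components)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    meta = doc.get("metadata", {})
    supplier = meta.get("supplier", {}).get("name", "unknown supplier")
    prod = meta.get("component", {})
    product = "%s %s" % (prod.get("name", "unknown"), prod.get("version", "?"))
    return supplier, product, list(iter_components(doc.get("components", [])))


def build_index(sbom_texts):
    """Map (group, name) -> list of (supplier, product, version) over all SBOMs."""
    index = defaultdict(list)
    for text in sbom_texts:
        supplier, product, components = load_sbom(text)
        for comp in components:
            key = (comp.get("group", ""), comp["name"])
            index[key].append((supplier, product, comp.get("version", "")))
    return index


def find_exposed(index, group, name, fixed_in):
    """Return (supplier, product, version) entries shipping the component below fixed_in.

    fixed_in is the first safe version taken from the advisory being worked.
    """
    threshold = parse_version(fixed_in)
    hits = index.get((group, name), [])
    return sorted(h for h in hits if parse_version(h[2]) < threshold)


if __name__ == "__main__":
    idx = build_index(SAMPLE_SBOMS)
    for supplier, product, version in find_exposed(
            idx, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print("%s: %s ships log4j-core %s" % (supplier, product, version))
```

In practice the index would be rebuilt from the SBOM store each time vendors send an updated document, and `find_exposed` would be called with the component coordinates and fixed version from the advisory being triaged; the version parser is deliberately simple and should be swapped for an ecosystem-aware comparator (Maven, npm, PyPI each order versions differently) before relying on it for anything beyond a first cut.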