Managing Open Source Software and Software Bill of Materials
canopic jug writes:
The US Department of Defense has published a report entitled, Securing the Software Supply Chain: Recommended Practices for Managing Open Source Software and Software Bill of Materials (warning for PDF) about aligning government activities with industry best practices. It covers principles that software developers and software suppliers can reference, including managing open source software and software bills of materials to maintain and provide awareness about software security. The report is a follow-up to the much hyped 2021 executive order on cybersecurity. Much focus is given to making and using Software Bill of Materials (SBOM) and incorporating them into the workflow:
The SBOM and its contents must be validated and verified. Validation assures that the SBOM data is appropriately formatted and can be integrated into various tools and automation. Verification ensures the content within the SBOM is accurately described and all components and related information on a product for licensing and exporting are represented.
Many organizations are increasingly incorporating tools into the build and source repository facility to automate this process and provide artifacts which can attest to the verification of the SBOM being delivered. Both the content of the package, the executables, libraries and configuration files, and the actual format of the SBOM, should be validated. Any open-source software components should be verified for license or export restrictions. In some organizations, validation is performed first by the developer during build/packing of the product and then by the developer/supplier before customer delivery to verify the integrity of the SBOM being delivered. For more information on the formats and tools available for validation, refer to section 5.1.5 of this document "SBOM Validation."
A good reference on guidance for the SBOM process can be found in NTIA's publication "Software Suppliers Playbook: SBOM Production and Provision" guidance. It is important that developers understand the end-user requirements for SBOM generation and how this information might be used by both suppliers and customers. Additional process information relating to SBOMs and acquisitions can be found in the "Software Consumers Playbook: SBOM Acquisition, Management, and Use".
Don't say that acronym at the airport while working with your team over the phone...
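As an added illustration of the validation-versus-verification split the report describes (example code written for this page, not from the DoD report or from any SBOM tool): a small Python check over a constructed, simplified CycloneDX-style SBOM. The JSON layout, the required component fields and the allowed-license list are assumptions standing in for an organization's own format and policy.

```python
import json
# Constructed sample SBOM in a simplified CycloneDX-style JSON layout (assumption:
# real SBOMs carry many more fields than the ones modelled and checked here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "0.9",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "mystery", "version": "2.0"},
        {"type": "library", "name": "noversion"},
    ],
})

# Hypothetical policy: licenses accepted without a manual review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
REQUIRED_COMPONENT_FIELDS = ("type", "name", "version")

def validate_sbom(text):
    """Validation: is the document well-formed JSON shaped so tooling can ingest it?"""
    try:
        sbom = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc}"]
    errors = []
    if sbom.get("bomFormat") != "CycloneDX":
        errors.append("bomFormat missing or not CycloneDX")
    comps = sbom.get("components")
    if not isinstance(comps, list):
        return sbom, errors + ["components must be a list"]
    for i, comp in enumerate(comps):
        for field in REQUIRED_COMPONENT_FIELDS:
            if field not in comp:
                errors.append(f"component[{i}] missing {field}")
    return sbom, errors

def verify_sbom(sbom):
    """Verification: is every component's license declared and acceptable?"""
    findings = []
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version', '?')}"
        ids = [l.get("license", {}).get("id") for l in comp.get("licenses", [])]
        if not ids:
            findings.append(f"{label}: no license declared")
        for lic in ids:
            if lic not in ALLOWED_LICENSES:
                findings.append(f"{label}: license {lic} needs review")
    return findings
```

Running validate_sbom on SAMPLE_SBOM reports the structurally missing version field, while verify_sbom separately flags the undeclared and review-needed licenses; a pipeline would gate delivery on both lists being empty.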
Previously:
(2022) Open Source Community Sets Out Path to Secure Software
Read more of this story at SoylentNews.