CNCF, CISA address hurdles to SBOM for cloud security
Discussions in the tech industry about how to overcome cloud security challenges for SBOMs include an early-stage CNCF idea that uses a graph database to manage transitory metadata.
Software bill of material use for cloud security has been stymied by unresolved technical issues, even as interest in SBOM has exploded in the year since a presidential executive order mandated their use by federal government agencies.
An SBOM provides a machine-readable list of an application's underlying components and dependencies. It has emerged as a key component of software supply chain security, itself a hot topic in the industry in the wake of the SolarWinds attack and Log4j critical vulnerability, where comprehensive lists of software components would have helped IT pros mitigate security issues faster.
SBOM was also among the tools for securing software supply chains mentioned in Executive Order 14028, issued by the Biden Administration in May 2021, which mandated a new baseline of software security standards used by the federal government. The order directed agencies such as the National Telecommunications and Information Administration (NTIA), to publish the "minimum elements" for SBOM. It also requires federal agencies to request SBOM from software and service providers in conformance with that NTIA definition.
However, NTIA's definition specifically focuses on on-premises software deployments in its initial version and describes unsolved problems with cloud and SaaS SBOM use. These include the shared responsibility model, in which a cloud or SaaS provider takes on responsibility for low-level infrastructure and operating systems components, while a customer takes responsibility for higher-level frameworks and applications. Customer and provider are not privy to detailed information about each other's software components and dependencies, making it difficult to establish a comprehensive SBOM for the entire environment.
Further complicating SBOM use for cloud security is that even if a full SBOM for a given cloud environment could easily be created, it would be accurate for only a limited period, given the short-lived nature of cloud resources.
"Capturing meaningful metadata about the full application stack and third-party services is ongoing work, but not yet standardized or sufficiently mature for cross-organization implementation," according to the NTIA.
Still, it's clear that SBOM is well on its way to becoming a key component for cloud security both inside and outside the federal government. A February Linux Foundation report on SBOM and cybersecurity readiness stated that of 412 organizations surveyed, 47% are producing or consuming SBOM. Further, SBOM use is forecasted to grow by 66% in 2022 and 88% of organizations will use SBOM by 2023.
"There are solutions emerging, but industry-wide practitioner consensus has yet to consolidate around a particular methodology, format and tooling workflow," the report added. "Highly visible support by the software and services vendor community would serve as a key accelerator of growth and validate the role of SBOMs in securing the software supply chain."
CISA seeks industry coherence on SBOM
Emerging cloud security vendors such as Rezilion and Anchore already claim to offer SBOM that can keep pace with fast-changing cloud and container infrastructures. These vendor tools also pinpoint which software components within dynamic SBOM are actually in use within an environment, which helps operators prioritize vulnerability mitigation.
However, industry watchers say, it will take a larger cross-organizational effort to address the broad swath of SBOM requirements for cloud security.
Rezilion, a vulnerability management software vendor, focuses on remediation as well as the creation of SBOM -- it offers its SBOM visibility tools free. Within this space, however, there is still plenty of room for consolidation and standards in the broader industry, especially standards that span on-premises, public cloud, mobile and SaaS environments, said Liran Tancman, CEO at Rezilion.
Officials at the Cybersecurity and Infrastructure Security Agency (CISA) and the Cloud Native Computing Foundation (CNCF) agree. This week, CISA concludes a series of listening sessions about ongoing issues with SBOM, including two dedicated specifically to cloud security challenges.
CISA does not plan to use these sessions to inform federal government policy, but instead to facilitate a broader industry discussion around standard ways to solve these problems, according to Allan Friedman, senior advisor and strategist at CISA. Friedman is leading this month's listening sessions.
Allan FriedmanSenior advisor and strategist, CISA
"[The] challenge is going to be to narrow down the range of possible activities so that [SBOM can] accommodate the flexibility that different organizations and different types of technologies demand, [without] a billion different solutions floating around," Friedman said in an interview this month.
Some participants in these discussions, who hail from diverse organizations that include government agencies, open source communities such as the CNCF and hyperscale vendors such as Microsoft and Google, suggested that in the absence of standards for cloud SBOM, organizations should focus instead on ways to quickly ascertain whether their cloud apps are vulnerable. One standardized method for this is the Vulnerability Exploitability eXchange, a machine-readable format for security advisories, which can pinpoint exactly which cloud security vulnerabilities are relevant in cloud environments at a given point in time.
"In the short run, [some organizations] are much more interested in attestations," Friedman said. "I'm not saying that this is what we would expect to see in the cloud domain, but we are very sensitive to the idea that different parts of the ecosystem are going to move at different paces and are looking for different items."
CNCF skunkworks project envisions SBOM graph database
Members of CNCF's Security Technical Advisory Group (STAG) are working on issuing guidance for cloud-native SBOM. The group also hosted a presentation from Palo Alto Networks this month about infrastructure bills of material, a concept that would pull configuration data from infrastructure-as-code tools into SBOM's list of components to offer a clearer point-in-time picture of cloud-native environments.
Another very early stage effort within CNCF -- as yet unnamed and undocumented, but referenced by CNCF STAG officials during CISA's listening sessions -- would use a graph database to track relationships between SBOM metadata components, effectively creating a queryable and composable SBOM that can accommodate ephemeral cloud resources across multiple environments.
"The thought process is, can we ingest all this metadata that's coming out, around [code] provenance and SBOMs, and put that into a graph database that would be queryable in the future?" said Parth Patel, COO and co-founder at software supply chain security startup Kusari. He is also a member of CNCF's STAG and participating in early discussions about the graph database project idea.
CNCF STAG will also be working on standardizing which data fields need to be included in cloud SBOM, the better to consistently feed information into such a database, Patel said.
"The whole thing about making sure that even if they're in different formats, as long as the information is there, we can query it, at least," Patel said.
Patel said he expects the CNCF group working on the database project to put out a blog post about its idea by the end of this month, and prepare a more detailed presentation for KubeCon North America in October.
"How do you know when the SBOM is no longer valid? That's our question," Patel said. "We're continuously going to be pulling in information from all the different data sources that are available...so if it is invalid or out of date, we would handle that."
Keeping track of quickly changing metadata is just one small piece of the cloud SBOM puzzle, however. Ways to share and exchange SBOM information between organizations merited their own set of CISA listening sessions this month, where concerns ranged from how to provide customers with SBOM data without revealing potentially sensitive or proprietary information through the use of access controls to a need for standardized naming conventions for resources across environments.
"Fitting all these pieces together isn't just as simple as saying, 'Hey, now we're done,' but it's also something that is going to evolve," Friedman said. "But we've seen incredible progress over the last 12 months, and I don't see a reason why that pace should slow."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.