Protobom, now an OpenSSF sandbox project, is the first of multiple software supply chain security efforts funded under the Silicon Valley Innovation Program.
Against a backdrop of software supply chain security worries brought on by an attempted attack on Java's XZ Utils, a faltering National Vulnerability Database and the omission of SBOMs from CISA's self-attestation form, a 2023 investment by the U.S. Department of Homeland Security has begun to yield positive results.
Protobom, formally accepted into the Open Software Security Foundation (OpenSSF) this week as a sandbox project, is the first to emerge out of a consortium of seven software supply chain security startups funded in 2023 by the Department of Homeland Security (DHS) under its Silicon Valley Innovation Program (SVIP). The seven companies -- AppCensus, Chainguard, Deepbits, Manifest Cyber, Scribe Security, TestifySec and Veramine -- co-developed Protobom over the last year.
Protobom translates common data fields between two major data-sharing standards, SPDX and CycloneDX, that have arisen for software bills of materials (SBOMs). It does so using protocol buffers, a set of mechanisms established by Google that can write and read structured data between various types of data streams and programming languages.
Protobom could potentially be used by enterprise developers at organizations that supply the federal government and contractors such as Lockheed Martin that now require SBOMs from critical software suppliers. But it's most likely to be used by SBOM management vendors such as Endor Labs, which said this week it will consider adopting it, as well as members of the seven-company consortium that developed it.
"That's part of the intent. In fact, one of the things that DHS wanted us to do was to incorporate this into our product," said Cole Kennedy, founding CEO at TestifySec, based in Huntsville, Ala.
TestifySec has a command-line tool in the works named Protobomit that produces SBOMs verifiable by the open source in-toto attestation mechanism, Kennedy said. Consortium member Manifest Cyber in Westport, Conn., also plans to incorporate Protobom in the next few months, co-founder and CEO Marc Frankel said this week.
Protobom's success will depend on its adoption by SBOM management vendors. But it could solve one of the major hurdles to exchanging SBOMs, said Katie Norton, an analyst at IDC.
"CycloneDX and SPDX are never going to become one. They've evolved to [suit] different use cases," Norton said. "[That leaves] kind of a big gap in the exchange of information. It's one thing to generate an SBOM and store it and another to be able to manipulate it [and] search it. … Something like Protobom can help there."
CycloneDX creates bills of materials for hardware and cloud systems along with software packages, while SPDX was designed primarily for the governance of software code. The divergent paths between the tools make Protobom necessary but also limit the overlap between them, meaning Protobom remains at the "least common denominator" stage for now, Kennedy said.
"You're going to lose a little bit of fidelity depending on what format you use when you translate back and forth. But the minimum elements of SBOM as defined by CISA [the Cybersecurity Infrastructure and Security Agency] will be translated over," he said. "That's what the focus of this tool is."
DHS funds multi-phase SBOM development
The agreement among the seven startups and DHS doesn't end with Protobom, Kennedy said. Each has individual products under development as part of the program. Further collaborative efforts among the companies will also follow over the course of the multi-year agreement, with the goal of supplying production-ready tools for the federal government, according to Kennedy, who declined to disclose further details.
It's one thing to generate an SBOM and store it and another to be able to manipulate it [and] search it. … Something like Protobom can help there.
Katie NortonAnalyst, IDC
Manifest Cyber received funding under the SVIP to support Vulnerability Exploitability Exchange (VEX) documentation, automate security incident and event management system tickets and compliance report generation, build a global SBOM repository, and support integration with commonly used asset management tools, according to the DHS website.
Frankel shed some light on his company's future SVIP plans in an online interview with TechTarget Editorial this week.
"Phase 1 was about prototyping. Phase 2, for us, is hardening, FedRAMP High compliance -- we just passed our audit -- and preparation for a DHS red team exercise," he said. "The subsequent phases will be about ensuring deployability to FCEB [Federal Civilian Executive Branch] environments."
SBOM qualms linger as supply chain alarms sound
The DHS funding under the SVIP Software Supply Chain Visibility portfolio emphasizes SBOMs. But the once-trendy approach to software supply chain security lost significant momentum when it was omitted from CISA's self-attestation form for federal government suppliers last month, Norton said.
"It's like one of the rocket boosters on the rocket went out during launch. It's not going to get to the moon as fast as maybe it would have had they left that in there as [an explicit] requirement," she said.
SBOM development won't grind to a halt either, Norton said. But it's still rare even for SBOM management companies to receive requests for SBOMs from customers. Kennedy said TestifySec just got its first such request this month.
It's also rare, according to anecdotal reports, for SBOMs to be used in response to real-world vulnerabilities even though security problems created by the Log4Shell vulnerability in Java were part of the impetus for a 2021 executive order on software supply chain security. This executive order led to CISA's self-attestation form, which called for SBOMs in early drafts.
In part, declining momentum for SBOMs has been due to the relative immaturity of tools and standards. But concerns have also recently emerged among cybersecurity experts about the maintenance of a related public cybersecurity resource, the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
"Around February 15 of this year, we observed an absence of critical metadata from new vulnerabilities listed in the NVD, which is essential for cybersecurity functions in organizations worldwide," wrote 55 cybersecurity researchers and practitioners in an open letter to the chairpersons of four Congressional committees and the U.S. Department of Commerce on April 12.
"This shutdown has disrupted essential resilience efforts across the public and private sectors," according to the open letter, which called it "a cybersecurity crisis in waiting."
Kevin E. Greene
A poorly maintained NVD will directly undermine the efficacy of SBOMs in vulnerability management, among other systemic issues with secure software development, according to a public post on April 1 by Kevin E. Greene, public sector CTO at OpenText Cybersecurity and a former cyber research and development program manager at DHS.
"[SBOM] has been one of CISA's major initiatives, and even without NVD issues, has been slow to be fully operationalized and adopted by industry," Greene wrote. "One of the main issues is with CPEs (Common Platform Enumeration) mappings to CVEs [Common Vulnerabilities and Exposures]. …Without appropriate and accurate CPE-to-CVE mappings, it is difficult to determine what software is affected … [and] SBOMs and VEX (Vulnerability Exploitability eXchange) are useless."
NIST issued a public statement in February and updated it on April 2 saying that it intends to bring in more support for NVD, including "the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD." But multiple signees to the open letter said this week that they have not received any further response.
OpenSSF GM calls for further government action
The OpenSSF is willing to collaborate with NIST on NVD, but it's still unclear what specific resources it needs, said Omkhar Arasaratnam, general manager of the OpenSSF and one of the open letter's signees.
Omkhar Arasaratnam
"My understanding is the challenge with NVD has been a scaling and labor challenge, so I'm not sure what form the consortium will take," Arasaratnam said. "But once that's better articulated by NIST, we'll be able to comment more as to how we may be able to support it."
OpenSSF also issued a warning about the growing threat of open source social engineering takeovers this week. The company plans to release tools to help open source maintainers communicate with each other about threats and indicators of compromise, Arasaratnam said.
"The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident, as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide," according to a Foundation blog post on Monday. "The OpenSSF and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects."
In the meantime, the OpenSSF still has yet to reach a $150 million funding goal for an Open Source Software Security Mobilization plan set forth during a summit at the White House in 2022. That's despite commitments in the tens of millions of dollars from private-sector companies and donations of time to OpenSSF community projects.
Next, Arasaratnam said he'd also like to see funding like Germany's Sovereign Tech Fund coming from the U.S.
"What I have not yet seen is our federal government take the same approach as the German government … where they're setting up actual monies to ensure the sustainability of open source," he said. "From my perspective, truly secure open source software requires input and commitment from the community, private sector and public sector. And until we're all putting forward effort as well as funds, our mission won't yet be complete."
Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
Dig Deeper on IT systems management and monitoring
Kevin E. Greene
Omkhar Arasaratnam
