With the recent reveal of the White House’s Executive Order on cybersecurity, many developers and DevOps shops are wondering what it means for them today – and in the future. Every digital aspect comes with a security risk if not handled properly. With billions of people using online and digital technologies worldwide, there are ample opportunities for hackers to break the security wall and create unrest all around.
In today's digital world, it is not just about having speed, reaching your customers quickly, easy setup, mind-blowing features, etc., but rather, it is about how safe or secure your systems, data, or features are.
Cybersecurity attack of Solarwinds and Biden’s executive order
Cybersecurity adversaries and attacks are a global concern. When software developers build applications with known vulnerable open source components, or once safe components are later discovered to have vulnerabilities, everyone using the application is at risk.
In recent times, the most significant cybersecurity attack was of SolarWinds, a major US information technology firm, where the attack went undetected for months and was first reported by Reuters in December. This cybersecurity breach is regarded as one of the most impacted in the 21st century. This hack also referred to as the SolarWinds attack, has been referred to as “…the largest and most sophisticated attack the world has ever seen.”, according to Microsoft’s President Brad Smith.
The attack is named for the software tools provided by SolarWinds, a major software company with many thousands of customers. The attack on SolarWinds is commonly referred to as a supply chain attack, because the hackers attacked a third-party provider to gain access rather than attacking the targeted organization’s networks directly. For example, third-party software components being utilized in various systems and products are a prime attack target for hackers, given the difficulty in identifying the third-party components utilized in a specific system or product. This opaqueness prevents management of vulnerabilities, because you can’t protect what you don’t know about.
SolarWind's attack was so terrifying that it shook the whole nation. Regarding this, the Biden administration started working towards straightening the cybersecurity regulations to prevent such attacks from happening and proposed billions to boost security. With this, the software companies/providers of the nation are under pressure to renew and realign with strengthening their cybersecurity rules. This means that cybersecurity will be given the highest priority in the coming years by the software providers, and it seems like a great move to tackle the security invasion by attackers.
The Executive Order from the White House is very clear: It states that cybersecurity is equivalent to national security for the United States government. To attain a more strong security posture, any software sale to the Federal Government will require not just stable, valuable applications but also adhere to strict Software Bill of Materials requirements that include all of the components utilized to build the software.
Software Bill of Materials (SBOM)
A software bill of materials is a list of all the open source and third-party components present in a codebase. A software BOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status. Open source components helps in shortening development time, increase the speed of execution thus helping software companies profitably deliver their products to customers. Analysts such as Forrester and Gartner note that the vast majority of IT organizations use open source software for mission-critical workloads and that some applications comprise up to 90% open source components.
But few companies have much visibility into the open source they use. Even fewer can produce an accurate, up-to-date software bill of materials that includes open source components. A comprehensive software BOM lists all open source components in your applications as well as those components’ licenses, versions, and patch status.
SBOM is considered highly valuable for security reasons since it contains every minute detail. So, if any disaster or security issues appear, it is easy for the vendors to track back what caused the problem and helps to resolve or mitigate the challenges.
CycloneDX and SBOM
CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. In CycloneDX, everything is a component. Components can be included within other components, and the level of granularity can be defined by the organization utilizing it. This is similar to the system, sub-system, parts assembly that is common in physical supply chains. In general, a component will be the name and version of an open source application, library, or framework. However, a component may also be an operating system or file.
The process of generating CycloneDX BOMs varies slightly depending on the technology stack used, but the approach remains the same; generate one automatically when the software is built. Once the BOM is produced, the components within can be tracked and continuously analyzed throughout the softwares lifecycle. Applications such as Dependency-Track, a flagship OWASP project, are specifically designed for this purpose.
CycloneDX provides a set of tools for creating BOMs for various types of projects. They have global tools for repositories such as NPM, NuGet and Pip.
Generating a Bill Of Materials (SBOM)
To generate a BOM, the first step is to install the CycloneDX BOM generators for the various package management solutions that your software is using. For e.g in our company we mainly use NPM and NuGet.
So to install the generator for NPM and NuGet, you can run the following commands at the command prompt.
npm install -g @cyclonedx/bom
dotnet tool install --global CycloneDXAfter the tools are installed, we can generate BOMs by executing each one of these over the project directories.
cyclonedx-bom -o bom-npm.xml
dotnet cyclonedx -o bom-nuget.xml
The BOM.xml that is generated looks a little bit like this.
Once the BOMs are generated, now it’s time to take a look at Dependency-Track. Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.
There is a docker container that you can pull and run to get started. To get up and running in docker with Dependency-Track, you can run the following commands.
# Pull the image from the Docker Hub OWASP repo
docker pull dependencytrack/bundled
# Creates a dedicated volume where data can be stored outside the container
docker volume create --name dependency-track
# Run the bundled container with 8GB RAM on port 8080
docker run -d -m 8192m -p 8080:8080 --name dependency-track -v dependency-track:/data dependencytrack/bundledOnce it’s up and running you can visit the UI in your web browser by going to http://localhost:8080. You can now setup new projects in Dependency Track and upload the BOMs to the respective projects. The tool will process the BOM and display the results in a nice dashboard about all the packages included in your product. This includes information about known vulnerabilities and license information.
You can visit the Components page to see all the components, including version number, that are included with your products. Your project will have a nice little overview of all the vulnerabilities, dependencies and licenses.
Integrating BOM upload and tracking to your CI tools
According to the OWASP team, the best practice is to integrate the whole process into continuous integration pipelines. Every time a new build is queued, the CycloneDx tool is ran as part of the build which generates the BOM. These can be uploaded to the dependency track instance to track new dependencies and report it via the dashboard or can configure alerts using Slack, Email or Teams.
The upload can be either done via curl or PowerShell commands (Continuous Integration & Delivery | Dependency-Track (dependencytrack.org))
留言