Software Bill of Materials (sBOMs) (Removing Barriers to the Application of Tooling to C-SCRM and Software Assurance)

Robert A. Martin, Sr. Secure Software & Technology Prin. Eng., Trust & Assurance Cyber Technologies Dept., Cyber Solutions Technical Center

Presented at the DoD, DHS, NIST, and GSA sponsored Software and Supply Chain Assurance Forum hosted at MITRE, McLean, VA

© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 18-1804-45

Everything is Becoming Software-Enabled and Connected, Either through Task Dependency, Supply Chain, or Information Flow

Today your system is:
• attackable, or
• susceptible to a hazard…

when this other system gets subverted through:
• an un-patched vulnerability;
• a mis-configuration;
• an application weakness;
• a counterfeit item;
• tainted software or hardware; or
• the system’s susceptibility to a hazard…

We need to be assured that not only are our own systems trustworthy, but also everything we depend upon…

The Supply Chain for Software-Enabled Capabilities is Opaque

[Diagram: a Customer, a Contractor and an Integrating Manufacturer/Supplier sit above Tier 2, Tier 3 and Tier 4 Manufacturers/Suppliers (US, Global, Foreign, Off-shore Location); software is obtained by Reuse, Acquire, Develop (In-house) or Outsource, from COTS and US or Foreign Software Developers; question marks mark the unknown suppliers at every tier.]

Market Transparency through “Software Bill of Materials”

• Third-party components are a known systemic risk.
• Transparency can drive tools and behavior to document risk, support mitigations, and drive better SW development practices.
• NTIA at Commerce launched an open, community-driven, cross-sector “multistakeholder process” to promote software component transparency:
  • Understand the problem and define the basics of SBOM
  • Develop use cases across sectors on how such data can be used, today and in the future
  • Guidance on how to use existing standards to implement SBOM
    • Software ID tags (SWID)
    • Software Package Data Exchange (SPDX)
• Expected draft deliverables late spring 2019
• More info or to join: [email protected]

Use Cases for sBOM

• Refer-Acquire-Transfer (definition of what it is)
• Formulation (how it was compiled/formed)
• Pedigree (history of how it was produced)
• Assurance (trustworthiness of it)
• License Management (conditions about its use)
• sBOM of a Service (sBOM of the software delivering the service)
• Provenance (chain of custody of it)
• Patch Currency (known fixes are applied to it)
• Integrity (cryptographic basis of unalteredness)
• Automated Response (sBOM parsing/action)
• Market Transparency (public DBs of components)
• Assured Market Transparency (public DBs of components)

Use Cases for sBOM (tooling overlay)

Software Composition Analysis Tools, and tools and environments for:
• Embedded apps
• Desktop apps
• Server apps
• Web apps
• Cloud apps
• Orchestration of code

[Diagram overlay on the use-case list: sBOM Development Tools sit Between Tiers, between Developer and Customer; Deployed S/W Tools and the Contract/Agreement span the tiers (Spanning Tiers).]

Potential sBOM elements

• Supplier
• Components (sources, executables, patches)
• Version
• Created Using
• Hash/Signature
• Created By
• sBOM Item Hash/Signature

[Same diagram overlay: sBOM Development Tools Between Tiers, between Developer and Customer; Deployed S/W Tools and Contract/Agreement Spanning Tiers.]
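The slides list the elements an sBOM would carry and name Integrity (a cryptographic basis for unalteredness), Patch Currency and Automated Response as use cases. The following added example, which is not from the presentation or from MITRE, shows how a consumer could act on such a record: it builds a minimal sBOM with the listed elements, seals it with an item hash, verifies delivered components against their recorded hashes, and flags components whose version predates a known fix. The record layout, the component names, the artifact bytes and the "known fixes" feed are all constructed for illustration; the format is neither SPDX nor SWID.

```python
"""Integrity and patch-currency checks over a minimal sBOM record.

Added illustration, not code from the presentation. The record layout is a
constructed stand-in for the "Potential sBOM elements" named in the slides
(supplier, components, version, created using, created by, hash/signature,
sBOM item hash/signature). It is neither SPDX nor SWID.
"""
import hashlib
import json

# Constructed artifacts: (component name, kind, version, delivered bytes).
# The bytes stand in for real sources, executables and patches.
ARTIFACTS = [
    ("libexample", "source", "1.2.3", b"libexample source tarball (constructed)"),
    ("example-app", "executable", "4.0.1", b"example-app binary (constructed)"),
    ("hotfix-0007", "patch", "7", b"hotfix diff (constructed)"),
]

# Constructed "known fixes" feed: component -> lowest version carrying the fix.
KNOWN_FIXES = {"libexample": "1.2.4", "example-app": "4.0.1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Stable serialisation so any consumer can recompute the same item hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_sbom(supplier, product, version, created_by, created_using, artifacts):
    """Assemble the sBOM record and seal it with an item hash over its content."""
    components = [
        {"name": n, "kind": k, "version": v,
         "hash": {"alg": "sha256", "value": sha256_hex(b)}}
        for n, k, v, b in artifacts
    ]
    record = {
        "supplier": supplier,
        "product": product,
        "version": version,
        "created_by": created_by,
        "created_using": created_using,
        "components": components,
    }
    # The item hash covers every field above; a signature over it would go here.
    record["sbom_item_hash"] = {"alg": "sha256", "value": sha256_hex(canonical(record))}
    return record


def verify_integrity(sbom, artifacts):
    """Return findings: altered sBOM, missing components, or content mismatches."""
    findings = []
    body = {k: v for k, v in sbom.items() if k != "sbom_item_hash"}
    if sha256_hex(canonical(body)) != sbom["sbom_item_hash"]["value"]:
        findings.append("sbom_item_hash mismatch: sBOM altered after creation")
    delivered = {n: b for n, _, _, b in artifacts}
    for comp in sbom["components"]:
        data = delivered.get(comp["name"])
        if data is None:
            findings.append(f"{comp['name']}: listed in sBOM but not delivered")
        elif sha256_hex(data) != comp["hash"]["value"]:
            findings.append(f"{comp['name']}: hash mismatch (content differs from sBOM)")
    return findings


def version_key(v: str):
    # Numeric dotted versions only; enough for the constructed data above.
    return tuple(int(p) for p in v.split("."))


def check_patch_currency(sbom, known_fixes):
    """Return (name, recorded version, fixed version) for stale components."""
    stale = []
    for comp in sbom["components"]:
        fixed = known_fixes.get(comp["name"])
        if fixed and version_key(comp["version"]) < version_key(fixed):
            stale.append((comp["name"], comp["version"], fixed))
    return stale


if __name__ == "__main__":
    sbom = build_sbom("Example Supplier Inc. (constructed)", "example-app", "4.0.1",
                      "release-engineering", "sbom-tool 0.1 (hypothetical)", ARTIFACTS)
    print("integrity findings:", verify_integrity(sbom, ARTIFACTS))
    # A delivered executable whose bytes no longer match the record.
    changed = [(n, k, v, b + b"!") if n == "example-app" else (n, k, v, b)
               for n, k, v, b in ARTIFACTS]
    print("after modification:", verify_integrity(sbom, changed))
    print("stale components:", check_patch_currency(sbom, KNOWN_FIXES))
```

The item hash is computed over a canonical serialisation of every other field, so a consumer can recompute it without trusting the producer's tooling; in practice that value would be signed by the supplier so that the Provenance and Integrity use cases rest on a key rather than on a bare digest.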