Black Hat insights: How to shift security-by-design to the right, instead of left, with SBOM, deep audits

By Byron V. Acohido

There is a well-established business practice referred to as bill of materials, or BOM, that is a big reason why we can trust that a can of soup isn’t toxic or that the jetliner we’re about to board won’t fail catastrophically.

Related: Experts react to Biden cybersecurity executive order

A bill of materials is a complete list of the components used to manufacture a product. The software industry has something called SBOM: software bill of materials. However, SBOMs are rudimentary when compared to the BOMs associated with manufacturing just about everything else we expect to be safe and secure: food, buildings, medical equipment, medicines and transportation vehicles.

An effort to bring SBOMs up to par is gaining steam and getting a lot of attention at Black Hat USA 2021 this week in Las Vegas. President Biden’s cybersecurity executive order, issued in May, includes a detailed SBOM requirement for all software delivered to the federal government.

ReversingLabs, a Cambridge, MA-based software vendor that helps companies conduct deep analysis of new apps just before they go out the door, is in the thick of this development. I had the chance to visit with its co-founder and chief software architect Tomislav Pericin. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:

Gordian Knot challenge

The software industry is fully cognizant of the core value of a bill of materials and has been striving for a number of years to adapt it to software development. However, software development has evolved so rapidly and so dynamically — especially over the past decade as digital transformation has taken hold — that listing the ingredients of any new software package has become a Gordian Knot challenge.

“As an industry, we’ve been trying to replicate the things that other industries have been using for quite a long time, which is that bill of ingredients for a plane or a food item or anything like that,” Pericin says. “In software that idea is a little more novel.”

Up until recently, it typically was left up to the developer to toss third-party software components into the pot and then self-report what went into the recipe, Pericin told me. This gave developers much too much leeway.

“When it’s self-reported, this list is obviously not always kept up to date and it’s a little bit inaccurate because you’re only thinking about your direct dependencies,” Pericin told me. “You’re not thinking about the dependencies of your dependencies.”

Exploiting SBOMs

What Pericin is referring to is the fact that modern software is pieced together from modular, pre-written pieces of code, i.e. software packages, which are in turn bundled into larger modular units, i.e. software containers. These building blocks – much of them open-source code – get spun up on an as-needed basis in virtual servers hosted by Amazon Web Services, Microsoft Azure and Google Cloud Platform.

Meanwhile, the software libraries that group together coding components are growing and subdividing exponentially. This complex, highly dynamic assembly process is light years away from the static, linear way software used to get manufactured. And it does spit out cool new business and consumer apps very rapidly.

However, the flip side is that nightmare network breaches have begun playing out — with numbing regularity. Clever threat actors essentially are taking full advantage of the lack of visibility surrounding how the ephemeral ingredients of “agile” software get fitted together. In short, cyber criminals are essentially exploiting weak SBOMs. These recent, high-profile breaches make this point: SolarWinds; Kaseya; Codecov.

In this overheated environment, the National Telecommunications and Information Administration (NTIA) has quickly followed up on President Biden’s cybersecurity executive order. In June, NTIA commenced collecting industry feedback as part of defining a formal SBOM standard. A standardized list of components, such as libraries and modules, is on the immediate horizon. Once this standard gets imposed on federal contractors it should seep through to the rest of the private sector. And this should start to give much needed visibility to rapidly shifting software supply chain relationships.

If this sounds like playing catch up to a runaway train that’s already around the bend, it is. But closing the gap must start somewhere. For its part, ReversingLabs, as part of its core services, is fully behind nurturing more robust SBOMs, Pericin told me. And he also pointed out how ReversingLabs is going a few steps further.

He described how ReversingLabs is set up to help companies near the very end, or to the far right, of the software development cycle. On the face, this seems counter-intuitive to the mantra – repeated widely at Black Hat this week – to shift security to the far left, as early as possible in the software development cycle.

Catching a runaway train

This shift to the right gets done by cross checking against the latest, most accurate SBOM available just before a new software package gets shipped – and then it essentially extends that SBOM audit. It does this by additionally conducting deep analysis of the about-to-ship software package and grading its security characteristics.

“We look at a few different categories of potential problems,” he says. “Are there any known vulnerabilities? Has the code base been hardened against unknown vulnerabilities? Has everything been properly (digitally) signed? Are there any embedded tokens or any other secrets?

“This helps compile the most accurate view possible of the assembled software at the very end of the release process; it’s an image of the package as the user is going to use it. And tearing apart those binaries, and then recursively analyzing them, helps produce the most complete software bill of materials.”
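As an added illustration of the kind of end-of-cycle audit Pericin describes (this is example code written for this page, not ReversingLabs' product or method), the Python script below expands a self-reported manifest into the full set of "dependencies of your dependencies", cross-checks the result against a list of known-vulnerable versions, and scans the unpacked package for embedded secrets. The package database, advisory list, file contents and secret patterns are all constructed stand-ins; signature verification and hardening checks, the other two categories Pericin mentions, are left out.

```python
"""
Added example (not ReversingLabs code): a minimal end-of-cycle SBOM audit.
1. Expand a manifest into its transitive dependency set.
2. Cross-check every component against a known-vulnerable list.
3. Scan package contents for embedded secrets.
Every input below is constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed package metadata: name -> (version, direct dependencies).
# Stands in for what each package's own manifest self-reports.
PACKAGE_DB: Dict[str, Tuple[str, List[str]]] = {
    "webapp": ("1.0.0", ["http-client", "templating"]),
    "http-client": ("2.3.1", ["tls-lib", "url-parser"]),
    "templating": ("0.9.0", ["url-parser"]),
    "tls-lib": ("1.1.0", []),
    "url-parser": ("3.2.0", []),
}

# Constructed advisory feed: (name, version) pairs known to be vulnerable.
KNOWN_VULNERABLE: Set[Tuple[str, str]] = {("tls-lib", "1.1.0"), ("url-parser", "2.0.0")}

# Constructed unpacked release artifact: path -> file content.
PACKAGE_FILES: Dict[str, str] = {
    "webapp/config.py": 'API_KEY = "EXAMPLE_NOT_A_REAL_KEY_0123456789"\n',
    "webapp/main.py": "print('hello')\n",
    "webapp/certs/dev.pem": "-----BEGIN PRIVATE KEY-----\nEXAMPLE-BODY\n-----END PRIVATE KEY-----\n",
}

# Constructed, deliberately simple secret signatures (a real scanner has many more).
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"
    ),
}


def resolve_transitive(root: str, db: Dict[str, Tuple[str, List[str]]]) -> Dict[str, str]:
    """Walk the dependency graph from root and return {name: version} for every
    component reached, including indirect ones a self-reported list would omit."""
    sbom: Dict[str, str] = {}
    stack = [root]
    while stack:
        name = stack.pop()
        if name in sbom:
            continue  # already recorded; also guards against cycles
        version, deps = db[name]
        sbom[name] = version
        stack.extend(deps)
    return sbom


def known_vulnerabilities(sbom: Dict[str, str], advisories: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (name, version) pairs in the SBOM that appear in the advisory set."""
    return sorted((n, v) for n, v in sbom.items() if (n, v) in advisories)


def find_embedded_secrets(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, pattern_name) for every file whose content matches a secret pattern."""
    hits = []
    for path, content in files.items():
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(content):
                hits.append((path, label))
    return sorted(hits)


def audit(root: str = "webapp", db=PACKAGE_DB, advisories=KNOWN_VULNERABLE, files=PACKAGE_FILES) -> dict:
    """Run all three checks and return a report dictionary."""
    sbom = resolve_transitive(root, db)
    return {
        "sbom": sbom,
        "vulnerable": known_vulnerabilities(sbom, advisories),
        "secrets": find_embedded_secrets(files),
    }


if __name__ == "__main__":
    report = audit()
    print("components:", len(report["sbom"]))
    for name, version in sorted(report["sbom"].items()):
        print(f"  {name}=={version}")
    print("known vulnerable:", report["vulnerable"])
    print("embedded secrets:", report["secrets"])
```

The manifest for `webapp` lists only two direct dependencies, yet the audit reports five components, which is exactly the gap Pericin describes between a self-reported list and a recursive one; the vulnerable `tls-lib` and the private key in `certs/dev.pem` are both found two levels below what the developer declared.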

So who’s using ReversingLabs’ deep analysis service today? Pericin says the early adopters fall into two groups. The first group is comprised of enlightened developers – those coders who are attuned, not just to speed and agility, but also to the long-run reliability of their code.

For these developers, the ability to tear apart a package and get a clear view of the deficiencies before it goes out the door is invaluable, he says. Gaps can be closed. And the composition of the software now has a security baseline that can be tracked and improved over time.

The second group is comprised of software purchasers, mainly CISOs. The value for them is that they can acquire something that’s very elusive at this moment for all enterprises as they shift to deeper reliance on cloud infrastructure: network visibility.

Observes Pericin: “A CISO can scan a bunch of virtual machines and better understand how to build the company’s network topology; how to isolate all of those virtual machines and understand every single bit of risk that is in those images — all of the private keys and certificates and all of the vulnerable pieces of the application.”

It’s an encouraging development that the software industry is now on track to catch up to other industries in leveraging the BOM. Over time, wide use of standardized SBOMs should do much to bring the runaway train within striking distance. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
