Defense Needs a Vision for Software Bills of Materials.

Author: Heidorn, Ryan
Position: Industry Perspective

"Everything we do today as a society in some way, shape, or form is touched by software."

That was the message from Jason Weiss, who during his final public appearance as the Defense Department's chief software officer laid out a strategic vision for using a "software bill of materials" to achieve "visual clarity" of vulnerabilities in computer programs that power everything from administrative networks to weapons systems.

With the rise in supply chain attacks targeting software vulnerabilities, there is heightened focus on gaining visibility into the software we use, in order to better protect against exploitation of software's individual components.

President Joe Biden's 2021 executive order, "Improving the Nation's Cybersecurity," requires agencies to adopt software bills of materials, likening them to "a list of ingredients on food packaging." In that manner, the bills are expected to articulate "the details and supply chain relationships of various components used in building software," the executive order said.

The need to visualize software "ingredients" was painfully highlighted in December 2021, when a critical vulnerability discovered in Log4j--open-source code used in applications at virtually every organization--sent information-technology teams across the world scrambling to understand whether and where they were affected.
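The Log4j scramble described above reduces to the question an SBOM exists to answer: is this component in our software at all, and through which dependency did it get there? As an added example (not code from the article or from any Defense Department tool), the Python below walks a constructed CycloneDX-style SBOM and reports every dependency path that leads to an affected version; the component names, versions and the affected version window are all assumed for illustration.

```python
"""Answer "are we affected by Log4j, and where?" from a CycloneDX-style SBOM.
Added example, not from the article; the SBOM below is constructed."""
ROOT, AUDIT, WEB = "app:admin-portal@3.2.0", "lib:audit-lib@1.4.0", "lib:spring-web@5.3.9"
CORE, API = "lib:log4j-core@2.14.1", "lib:log4j-api@2.14.1"

# A component list plus a "dependencies" graph: the supply chain relationships
# the executive order wants an SBOM to articulate. All values are made up.
SBOM = {
    "metadata": {"component": {"bom-ref": ROOT, "name": "admin-portal"}},
    "components": [
        {"bom-ref": WEB, "name": "spring-web", "version": "5.3.9"},
        {"bom-ref": AUDIT, "name": "audit-lib", "version": "1.4.0"},
        {"bom-ref": CORE, "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": API, "name": "log4j-api", "version": "2.14.1"},
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [WEB, AUDIT]},
        {"ref": AUDIT, "dependsOn": [CORE]},  # transitive: invisible to a top-level look
        {"ref": CORE, "dependsOn": [API]},
    ],
}

def parse_version(version):
    """'2.14.1' -> (2, 14, 1) so ranges compare numerically ('2.14' > '2.9' is
    false as strings). Non-numeric parts such as '0-beta9' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def affected_paths(sbom, name, lowest, highest):
    """Every dependency path root -> ... -> a component `name` with a version in
    [lowest, highest]. Empty list: not affected as far as this SBOM knows."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    lo, hi = parse_version(lowest), parse_version(highest)
    root = sbom["metadata"]["component"]["bom-ref"]
    hits, stack = [], [(root, [root])]
    while stack:  # depth-first walk keeping the path, so "where" is reported too
        ref, path = stack.pop()
        comp = comps.get(ref)
        if comp and comp["name"] == name and lo <= parse_version(comp["version"]) <= hi:
            hits.append(path)
        for child in graph.get(ref, []):
            if child not in path:  # guard against cycles in the dependency graph
                stack.append((child, path + [child]))
    return hits

if __name__ == "__main__":
    # The affected window is assumed here for illustration; take it from the advisory.
    for path in affected_paths(SBOM, "log4j-core", "2.0", "2.14.1"):
        print(" -> ".join(path))
```

The same walk answers the "fixed yet?" question: once audit-lib is rebuilt against a version outside the window, the path disappears from the report.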

At an April 7 cybersecurity conference hosted by the National Defense Industrial Association's New England chapter, Weiss highlighted a "lack of visual clarity in this ecosystem," going on to explain that "despite existing Defense Department processes for [authorization to operate], governance, audit and cybersecurity dashboards, the department consistently lacks the necessary visual clarity to fully appreciate the threat surface across the totality of its software supply chain."

Obtaining a complete and granular picture of where software is deployed would allow the Defense Department to forecast risk in software supply chains and enable stronger risk-based decision making. Achieving that visual clarity also enables the department to take advantage of existing threat intelligence as applied across that more comprehensive picture.

For example, Weiss envisioned a defense official--before selecting an open-source software library for use within a critical program--asking the FBI, "what do you know about this committer?"

A committer is a contributor to an open-source software project.

Based on intelligence, the...
