Tag Archives: Software bill of materials

So You Think Your Open Source Software is Good?

I bet a large chunk of the folks reading this will say that they don’t use open source software.

And then there is another large chunk that says we’re good; all up to date.

My guess is that both of these statements are wrong.

Synopsys did a study and found these two inter-related statistics:

99% of commercial software programs examined included at least one open-source component, so those of you who checked the first statement, unless you are part of the 1%, are wrong.

91% of those commercial software products contained OUT OF DATE or ABANDONED open-source code. So those of you who checked the second statement – you, too, are likely wrong.

I know you are probably tired of me beating on the software bill of materials drum, but I will keep doing it until the problem is fixed.

Synopsys says that of the 1,250+ software codebases that they reviewed, 91% contained components that were either more than FOUR YEARS OUT OF DATE or had seen NO DEVELOPMENT ACTIVITY IN THE LAST TWO YEARS.

Basically, we are making it very easy for the hackers to break in. Do you think that the code that is four years out of date had no bugs in it four years earlier? That doesn’t count the code that is three years out of date or two years out of date.

If hackers weaponize patches within 7 days of release on average, what do you think happens with code that is 4 years out of date?

This audit was of commercial software. Open source software is likely just as bad.

75% of the audited codebases included open source components with KNOWN VULNERABILITIES.

What could possibly go wrong?

49% contained HIGH RISK vulnerabilities.

Part of your vendor risk analysis needs to include auditing whether the vendor has a secure software development process and whether they have a software bill of materials management process.

What is the likelihood that all of your vendors – including cloud vendors – are in that one percent?

I’d say the likelihood is zero percent. Credit: ZDNet

FDA Issues Medical Device Warning – But They Are Not Sure for What

Well that makes me feel a whole lot better.

The FDA says that devices that use the decades-old IPNet software are vulnerable to hacking.

But they are not sure which devices that may include. Possibly insulin pumps. Maybe pacemakers.

They also don’t know how many devices are affected.

Given that, I am not sure what use the warning is, other than to make people who use medical devices or have them implanted, worry.

They do say that they have identified 11 vulnerabilities that allow hackers to take over these devices.

The FDA also says that the bugs allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”

The FDA is working with device makers, but they say that the problem is complicated.

Well, actually, it is pretty simple, but we are talking about the government, after all.

The concept is called SOFTWARE BILL OF MATERIALS.

Think of a home appliance such as a toaster. The bill of materials for a toaster might include a heating element or two, a timer, a glass door, a display, etc.

In the software world, a software bill of materials means a list of every piece of third-party software that is used in the system that is delivered.

At one point in time, things were made out of hardware. Now, virtually everything contains software.

Manufacturers don’t want to have to produce Bills of Materials because it tells competitors what is inside and they have to upgrade the document when they make changes.

As long as customers don’t demand bills of materials, vendors are not going to produce them and make them available.

Occasionally, not knowing what is in the software you use can cause problems. Perhaps you have heard of a small breach at Equifax? Because they did not realize that Apache Struts was used on a particular server, that server wasn’t completely patched. And the rest is history.

The Department of Defense is looking at making software bills of materials a required deliverable on defense contracts.

If you as a customer know that a system that you use contains a particular software library or module, then you can proactively watch to see if that software has been updated. You probably will have to contact the vendor at that point to get an upgrade, but at least you can ride herd on the vendor.
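Here is what that "watching" looks like once you actually have a bill of materials, as an added example that is not from the original post: a small Python audit that reads a CycloneDX-style SBOM and flags each component against the three Synopsys criteria discussed above (more than four years out of date, no development activity in two years, known vulnerability). The SBOM, the release history, the advisory feed and the audit date are all constructed sample data with invented component names and placeholder advisory ids.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM with invented component names (not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-http",   "version": "1.2.0"},
    {"type": "library", "name": "acme-xml",    "version": "3.0.1"},
    {"type": "library", "name": "acme-crypto", "version": "0.9.4"}
  ]
}"""

# Constructed release history: per component, version -> release date, plus last commit/release activity.
RELEASES = {
    "acme-http":   {"versions": {"1.2.0": date(2015, 3, 1), "2.4.0": date(2019, 11, 2)},
                    "last_activity": date(2019, 11, 2)},
    "acme-xml":    {"versions": {"3.0.1": date(2017, 6, 9)},
                    "last_activity": date(2017, 6, 9)},
    "acme-crypto": {"versions": {"0.9.4": date(2019, 1, 15), "0.9.5": date(2019, 8, 20)},
                    "last_activity": date(2020, 2, 1)},
}

# Constructed advisory feed: (name, affected version) -> placeholder advisory id.
ADVISORIES = {("acme-crypto", "0.9.4"): "ADVISORY-PLACEHOLDER-1"}

OUT_OF_DATE_DAYS = 4 * 365   # "more than four years out of date"
ABANDONED_DAYS = 2 * 365     # "no development activity in the last two years"

def audit_sbom(sbom_json, releases, advisories, today=date(2020, 5, 1)):
    """Return {name@version: [findings]} for every SBOM component that fails a check."""
    findings = {}
    for comp in json.loads(sbom_json)["components"]:
        name, ver = comp["name"], comp["version"]
        issues = []
        info = releases.get(name)
        if info is None:
            issues.append("unknown: no release data, cannot assess")   # a gap is itself a finding
        else:
            released = info["versions"].get(ver)
            newest = max(info["versions"].values())
            if released and (today - released).days > OUT_OF_DATE_DAYS and newest > released:
                issues.append("out of date: newer release exists, installed > 4 years old")
            if (today - info["last_activity"]).days > ABANDONED_DAYS:
                issues.append("abandoned: no activity in 2+ years")
        if (name, ver) in advisories:
            issues.append(f"known vulnerability: {advisories[(name, ver)]}")
        if issues:
            findings[f"{name}@{ver}"] = issues
    return findings

if __name__ == "__main__":
    for comp, issues in audit_sbom(SBOM_JSON, RELEASES, ADVISORIES).items():
        print(comp, "->", "; ".join(issues))
```

Run against the sample data it flags one component per criterion; in practice the release history and advisory feed come from your package registries and a vulnerability database, and a component with no release data should be treated as a finding rather than silently passed.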

In the case of medical devices, things are way simpler. Since vendors have to submit paperwork to the FDA to get devices approved, the FDA **COULD** require those vendors to provide a bill of materials. Then that data could be entered into a database and easily searched, avoiding warnings like this one.

But, we are talking about the government, so do not hold your breath. Source: CNBC