
Cryptographic Bill of Materials (CBOM): The Key to secure your Software Supply Chain

Supply chain attacks are diverse, impacting both corporate organizations and government entities. With commercial software products and open-source components serving as targets of these attacks, your organization needs clear visibility into the software and cryptographic assets used across its development and deployment pipelines in order to safeguard against and mitigate them.

In 2020, the SolarWinds supply chain attack impacted not only thousands of organizations but also the U.S. government. Attackers injected a backdoor, called SUNBURST, into an update of the Orion IT management software.

In February 2021, security researcher Alex Birsan was able to breach Microsoft, Tesla, Uber, and Apple using dependency confusion: by publishing malicious packages under the same names as the internal software packages ("dependencies") these companies used, he got his code executed on their networks.

To improve security against such attacks, the U.S. government released an executive order in 2021 requiring software vendors to provide a software bill of materials (SBOM). An SBOM is a comprehensive list of all the modules, libraries, and third-party dependencies in a software application, together with metadata such as licenses and versions, allowing you to quickly identify and update the components impacted by a supply chain attack.

Additionally, the National Institute of Standards and Technology (NIST) has recommended extending the SBOM with a Cryptographic Bill of Materials (CBOM) as part of its guidelines for the adoption of Post Quantum Cryptography (PQC).

What is a Cryptographic Bill of Materials (CBOM)?

A CBOM provides detailed insight into the cryptographic assets associated with your SBOM inventory. Whereas your SBOM inventory would typically list the operating system, web server/application server, SSL/TLS library (for example OpenSSL), and configuration, monitoring, and log management tools along with their metadata, your CBOM inventory augments it with details such as X.509 certificates, SSH keys and their sizes, public key algorithms like RSA and ECDSA, hashing algorithms like SHA-1 and SHA-2, and any additional metadata such as licenses and known vulnerabilities.

How would CBOM help in improving your security posture?  

A CBOM gives your organization detailed insight into the cryptographic assets of the commercial and open source software used across the organization. This helps you manage and monitor your cryptographic footprint, which in turn improves your security agility: you can take proactive steps to safeguard against supply chain attacks, and you can respond to and recover from an attack faster by quickly identifying and patching the affected components. Without a CBOM, by contrast, the operational and financial impact of a security breach is multiplied. An up-to-date CBOM inventory also helps your organization align with regulatory and compliance requirements such as NIST guidance, ISO 27001 and GDPR.

Because a CBOM provides deeper insight into your cryptographic assets, it also helps in planning the migration from existing algorithms such as RSA, DSA, ECDSA, and ECDH to Post Quantum Cryptography (PQC) algorithms like ML-KEM, ML-DSA, and SLH-DSA.

Key considerations for implementing CBOM in your organization

Let’s look at some of the key considerations for implementing CBOM in your organization.

  1. Discovering the cryptographic entities

    An important first step in creating your CBOM inventory is to identify the cryptographic entities within your systems: third-party applications (databases, configuration management and automation tools), source code, data at rest (configuration files, digital certificates, passwords and keys), data in motion (SSL/TLS protocols and VPN configurations) and hardware (HSMs and IoT devices).

  2. Creating and Maintaining the CBOM inventory

    Another aspect to consider is when to generate the inventory during the various stages of developing and deploying a system. Each stage may generate its own inventory, augmenting the inventory from previous stages and recording the stage at which each component was introduced, which makes it easier to analyze and remediate any vulnerabilities. Additionally, different stakeholders in the organization will have different requirements for the scope of the inventory. For example, the product development team would be interested in the cryptographic inventory related to source code, software dependencies and application configuration, whereas the IT operations team might need a broader scope covering software, PKI, SaaS, network, data and hardware.

  3. Audit and review of the CBOM inventory

    Regular audits and reviews of the CBOM are crucial to ensure that the cryptographic entities align with the latest security standards and to fix any pending weaknesses, for example by replacing vulnerable key sizes and algorithms or by renewing and revoking certificates.

How could Encryption Consulting help?  

Encryption Consulting’s PQC assessment service can help your organization by conducting a detailed assessment of your on-premises, cloud, and SaaS environments, identifying vulnerabilities and recommending the best strategies to mitigate quantum risks.

Our PQC assessment service covers a detailed risk evaluation of your current cryptographic environment, the development of a strategy and roadmap to mitigate the identified risks, and the implementation of the technologies and solutions required to achieve a quantum-resistant environment.

For more information related to our products and services please visit Post Quantum Cryptographic Services.

Conclusion

In conclusion, identifying and managing your organization’s software and its associated cryptographic assets, using an SBOM and a CBOM respectively, is the key to safeguarding against and mitigating the risks of software vulnerabilities and cryptographic attacks.


About the Author


Amit is a Principal Engineer at Encryption Consulting LLC. He leverages his knowledge of PKI, cryptography, software development and design principles to architect and implement robust solutions for enterprises to cater to their Certificate Lifecycle Management and Code Signing requirements.
