SBOM Archives - My TechDecisions (https://mytechdecisions.com/tag/sbom/)
The end user's first and last stop for making technology decisions

Software Inefficiencies are Costing U.S. Economy Trillions, Study Says
Tue, 06 Dec 2022 | https://mytechdecisions.com/compliance/software-inefficiencies-are-costing-u-s-economy-trillions-study-says/

Software quality issues such as vulnerabilities, software supply chain problems and technical debt could be costing the U.S. economy trillions, according to a new report from electronic design automation solutions and services firm Synopsys.

The Mountain View, Calif.-based company's report, "The Cost of Poor Software Quality in the US," finds that software quality issues may have cost the U.S. economy more than $2.4 trillion this year, as the software industry builds up what the company calls a historic number of deficiencies.

The report, sponsored by Synopsys and produced by the Consortium for Information & Software Quality (CISQ), finds that cybercrime is a leading cause of these issues: losses due to cybercrime rose 64% between 2020 and 2021, and 2022 is on track for another 42% increase.

According to the report, cybercrime is predicted to cost the world $7 trillion in 2022, and the average cost of a data breach in the U.S. is now $9.44 million, up from $9.05 million the year prior.

In fact, the quantity and cost of cybercrime incidents have been on the rise for over a decade, and now account for a sum equivalent to the world’s third largest economy after the U.S. and China, the report found.

Software supply chain issues continue to be a major IT problem and are getting worse, with the report finding that the number of failures due to weaknesses in open-source software components accelerated by 650% from 2020 to 2021.

With problems in underlying third-party components rising significantly, Synopsys and CISQ stress the importance of responsible and comprehensive open-source security and risk management. The report also highlights high-profile incidents, including the Log4Shell vulnerability, which surfaced last year and is still causing problems for organizations.

However, the CISQ and Synopsys report identified technical debt as the largest obstacle for organizations to overcome. Technical debt, the cost of rework in software development and accumulated deficiencies that are time-consuming and expensive to fix, is leaving systems and organizations vulnerable, the report says.

Due to these issues, the technical debt in the U.S. has risen to more than $1.5 trillion this year, the report found.

Herb Krasner, the report's author and a retired professor of software engineering at the University of Texas at Austin, says the report offers proactive advice for engineers, project teams and organizational leaders to improve the quality of the software they use and build.

“Now is the time to turn our attention to recent developments and emerging solutions to help improve the poor software quality situation as it now exists and stabilize and reduce the growth rate of CPSQ in the near future,” Krasner says.

Meanwhile, Dr. Anita D’Amico, the Synopsys Software Integrity Group vice president of cross-portfolio solutions and strategy and CISQ Board Member, urges the IT industry to adopt software bills of materials (SBOM) to help give organizations a comprehensive inventory of components used to make a piece of software.

“That means when a new vulnerability is identified in an existing component, organizations can quickly identify where it is in their software and take action to remedy it,” D’Amico says.

Palo Alto Networks Releases Software Composition Analysis in Prisma Cloud
Tue, 20 Sep 2022 | https://mytechdecisions.com/it-infrastructure/palo-alto-networks-releases-software-composition-analysis-in-prisma-cloud/

Cybersecurity giant Palo Alto Networks is releasing a context-aware software composition analysis solution to help developers safely use open source components to help secure software supply chains.

The company's software composition analysis (SCA) solution will be integrated into its cloud-native application protection platform Prisma Cloud, which Palo Alto Networks says will help developers and security teams proactively surface and prioritize known vulnerabilities throughout the application lifecycle.

Palo Alto Networks calls Prisma Cloud a complete cloud-native application protection platform (CNAPP) that is context aware at every stage of the application lifecycle, providing a unified view of risk across an organization’s cloud environments and delivering deep dependency detection and remediation of vulnerabilities in open source software before applications reach production.

With the integration of SCA, developers can use the tool to prioritize remediation based on software components that are actually in use.

According to the company, there has been a 188% increase in cloud incident response cases over the past three years, which demands a new approach to cloud security that doesn’t rely on siloed products that provide intermittent visibility. Prisma Cloud, the company says, provides a comprehensive prevention-first framework.

In addition to SCA, Prisma Cloud now also includes a software bill of materials (SBOM) and other capabilities to help developers maintain and reference a complete codebase inventory of every application component used across cloud environments.

Palo Alto Networks says a complete code-to-cloud CNAPP needs to incorporate these key principles, which the company says Prisma Cloud was designed to align with:

  • Security from code to cloud — protects applications at every stage of the development lifecycle — from code, build, deploy and run.
  • Continuous, real time visibility — uses real-time and contextual security analysis of cloud environments to help prevent misconfigurations, vulnerabilities and threats.
  • Prevention-first protection — stopping attacks and defending against zero-day vulnerabilities to drive down mean time to remediation.
  • Choice for every cloud journey — aligning security needs with current and future cloud priorities by supporting a breadth of cloud service providers, workload architectures, continuous integration and continuous delivery (CI/CD) pipelines, integrated development environments (IDEs), and repositories with a unified platform.
  • Cloud scale security — consistently secures applications as cloud environments scale.

Ankur Shah, the senior vice president of Palo Alto Networks’ Prisma Cloud, says developers who leverage open-source software should be able to build applications without having to worry about introducing vulnerabilities into organizations’ environments.

“With the average application consisting of 75% open-source components, SCA on Prisma Cloud is key to protecting the organization from code to cloud and empowering developers to build with speed,” says Shah in a statement.

Static SBOMs vs Dynamic SBOMs
Mon, 06 Jun 2022 | https://mytechdecisions.com/compliance/static-sboms-vs-dynamic-sboms/

Since the federal government mandate calling for the creation of a software bill of materials (SBOM) to avoid the next SolarWinds or Log4j exposures, software providers have been scrambling to figure out how to create SBOMs that are both effective and dynamic, given that software changes over time.

Bills of materials have been standard requirements in other industries for decades. Some cybersecurity experts say SBOMs will foster transparency, which will lead to increased security and trust.

The challenges of creating and using an SBOM

While more organizations recognize now that they need an SBOM, that doesn’t mean the process of creating and maintaining one is easy.

Currently, static SBOM tools fail to meet today's security needs and create too much work. They require manual, single point-in-time scanning to understand changes in the environment, and they yield noisy and complex outputs that make focusing difficult.

Static SBOMs are also limited in scope of what they can see and are often only available in specific parts of the software stack. Within this context, delay and uncertainty result in risk.

For SBOMs to work, they need to have component identification and the ability to scale globally across diverse software ecosystems, sectors, and markets. Although component identification is a critical part of an SBOM, the group acknowledged it will be difficult to come up with a universal, global component identification system.

The minimum elements of an SBOM

The National Telecommunications and Information Administration (NTIA) and the U.S. Department of Commerce were recently tasked with publishing the minimum elements for an SBOM along with a description of use cases for greater transparency in the supply chain.

The departments determined that data fields, automation support, and practices and processes should be the foundation for developing software transparency. There should be data fields for supplier, component name and version, as well as dependency relationship, among other areas.

Automation support refers to automatic data generation and machine-readability to allow for scaling across the software ecosystem. Data formats used to generate and consume SBOMs include SPDX, CycloneDX, and SWID tags.

Practices and processes define the operation, generation, and use of SBOM requests including frequency, depth, distribution, and delivery and access control.

The departments acknowledged that an SBOM is a starting point, and that software is dynamic in nature and subject to change.

"The minimum elements that are deemed feasible in today's environment do not capture the full range of metadata around software source, processing, and use that is likely to emerge from modern software processes," the Department of Commerce stated. "Some of this data will be incorporated into future extensions of SBOM data."

Noting that SBOMs will not be the sole resource for supply chain security or software assurance, the department advised taking “a linkable, modular approach … to maximize the potential for flexibility and adoption.”

Two Steps for Creating & Implementing an SBOM

Here are two important steps for successfully creating and implementing an SBOM.

#1 Start small

Software composition analysis (SCA) tools and developer IDE plug-ins are being used to produce digestible reports of components for security use cases. Once an SBOM has been generated, the information must be distributed efficiently.

One approach is to forward the SBOMs to your organization’s data lake or knowledge management system. That way, users within the security organization or elsewhere in the organization can access the data from the central repository to ensure they have up-to-date and accurate information.

KPMG advises organizations to start small and deploy SBOMs to development and security teams first. By doing so, they can determine whether any roadblocks exist, ensure that the knowledge base is being used effectively, and then look for areas of improvement.

Once those first steps are completed, the SBOM should then be distributed to the rest of the organization with help from security champions.

#2 Make sure your SBOM is dynamic and continually updated

An SBOM needs to be updated continuously. This is where a dynamic SBOM comes in. To keep data up-to-date, businesses must deploy software with the capability for a dynamic SBOM that will automatically incorporate updates whenever there are changes.

In addition, a dynamic SBOM provides context about how software components are dynamically used and executed (unlike static SBOMs that just inform on what’s there). This dynamic runtime context is critical in distinguishing latent components from active exploitable threats, understanding true risk factors, and focusing remediation efforts on the relevant parts of your SBOM.

Eventually, it will become a requirement to shift to dynamic SBOMs, especially in organizations that develop software on a regular basis. For organizations that have most recently felt the pain of the Log4j vulnerability, integrating SBOMs into the SDLC and making them dynamic is vital.

Liran Tancman is the CEO and co-founder of Rezilion.


Supply Chain Attacks Jump 51% In Second Half of 2021
Tue, 12 Apr 2022 | https://mytechdecisions.com/compliance/supply-chain-attacks-jump-51-in-2h-2021/

Recent IT supply chain attacks such as the SolarWinds compromise, the ransomware campaign that leveraged the Kaseya VSA platform and the mass exploitation of the Log4j vulnerabilities have renewed focus on such attacks, which NCC Group says increased by 51% in the last half of 2021.

The consulting and managed services firm's global survey of 1,400 cybersecurity decision makers found that organizations are taking this into consideration, naming supplier risk as a top challenge for the next six to 12 months, with plans to increase security budgets by an average of 10% this year.

NCC Group’s research suggests that just over a third of organizations think they are more responsible for preventing, detecting and resolving supply chain attacks than their suppliers. Meanwhile, 53% said both parties are equally responsible for securing software supply chains.

Despite plenty of responsibility to go around, only half of the organizations surveyed said they require suppliers to meet certain security standards as part of their contracts. Further, more than a third of the organizations surveyed said they do not regularly monitor and risk-assess the cybersecurity arrangements with their suppliers.

Recent supply chain security issues have renewed calls for software supply chain security, including software bills of materials (SBOM) that spell out each component being used in a piece of software, including where vulnerabilities may exist.

The U.S. government last year defined the minimum elements of an SBOM, calling the document a formal record containing the details and supply chain relationships of various components used in software.

“SBOM will not solve all software security problems, but will form a foundational data layer on which further security tools, practices, and assurances can be built,” the U.S. Department of Commerce said in its report.

Many organizations work closely with their software suppliers, integrating supplier software into their IT infrastructures to increase efficiency and strengthen operations, but this can actually increase risk by widening the potential attack surface, said Arina Palchik, global commercial director of remediation at NCC Group, in a statement.

That can lead to security gaps that serve as entry points for cyberattacks, and judging from NCC Group's report, that is playing out.

“It’s encouraging that organizations recognize supplier risk as one of their top challenges for 2022. However, our findings uncovered specific areas for improvement including clarity around responsibility for preventing, detecting and resolving attacks and lax controls for supplier assurance,” Palchik said. “It’s important that any investment in security addresses these areas to reduce third-party risk and enable organisations to work with their suppliers in confidence.”

What Needs To Be In An SBOM?
Tue, 15 Mar 2022 | https://mytechdecisions.com/it-infrastructure/what-needs-to-be-in-an-sbom/

When alleged Russian hackers compromised the SolarWinds Orion platform to spy on U.S. agencies and other high-profile entities, the tech industry renewed its call for the adoption of software bills of materials (SBOM) — an inventory of components that make up the final product.

Advocates say that will give IT and cybersecurity professionals the knowledge needed to more quickly diagnose potential security breaches and other issues.

Since the SolarWinds-leveraged attack was discovered in December 2020, several other notable incidents have revived the SBOM movement, including the Log4j vulnerability that impacted thousands of vendors and even more products. Discovering if your products contained the vulnerable versions of the popular Java logging software would have been easier if vendors produced SBOMs, says Liran Tancman, CEO of cybersecurity firm Rezilion.

For many years, organizations have used configuration management databases (CMDB), essentially an inventory of the organization's IT assets.

“Therefore, the notion of an SBOM shouldn’t be a revolution,” Tancman says. “It’s an evolution.”

The U.S. government has mandated cybersecurity protocols and upgrades in recent years in response to a rise in cyberattacks, so SBOMs are becoming the norm in government agencies. Now, the private sector is beginning to require SBOMs of its vendors, according to Tancman.

However, what should organizations look for in SBOMs? What do SBOMs need to contain for an IT decision-maker to be satisfied with the security of the product?

What needs to be in an SBOM?

At the bare minimum, an SBOM must contain a complete inventory of all of the software packages running in the product and which entity produced each of them.

“At a minimum, you need all of the software packages running in it,” Tancman says.

According to Tancman, the U.S. government defined the minimum elements for an SBOM, which include:

  • Baseline information about each component, including supplier, component name, version of the component, other unique identifiers, dependency relationship, author of SBOM data and timestamp.
  • Support automation, including via automatic generation and machine-readability to allow for scaling across the software ecosystem. Data formats include SPDX, CycloneDX and SWID tags.
  • Practices and processes of SBOM requests, including frequency, depth, known unknowns, distribution and delivery, access control and accommodation of mistakes.

Then there are other optional fields, such as a hash or license data, Tancman says, that essentially make up an SBOM document.

Finding vulnerabilities

While the detailed analysis and inventory of the software components of the product make up the SBOM document, another part, called the Vulnerability Exploitability eXchange (VEX), is an addendum to the document that tells the user what vulnerabilities are associated with the components listed in the SBOM.

“What’s really interesting is that it doesn’t just tell you what the vulnerabilities are – it tells you if those vulnerabilities are impactful, if they’re really exploitable, and why,” Tancman says. “If you get a VEX from your vendor, you can really understand the exposure you’re inheriting.”

This helps organizations better evaluate their potential cyber risk and allocate resources to vulnerable parts of the IT system. In addition, this allows organizations to avoid back-and-forth customer service calls with vendors.

“With SBOM and VEX, I think that’s a very good start,” Tancman says.

Understanding the history of SBOMs

The concept of a detailed list of the ingredients that make up a piece of software or firmware comes from Internet of Things (IoT) devices, which are typically very static and don't necessarily receive regular updates.

Now, due to SolarWinds and other supply chain attacks, SBOMs are being considered for entire environments and dynamic things such as container images that get updated every day. Essentially, the scope of SBOMs is becoming much larger and applying to “everyone who is doing anything with software,” Tancman says.

“The result is we’re going to a place where it’s much more dynamic,” Tancman says. “We need something that can keep up with the pace of change in the IT environment.”

SBOMs Will Become A Necessity In IT Ecosystem
Fri, 04 Feb 2022 | https://mytechdecisions.com/compliance/sboms-will-become-a-necessity-in-it-ecosystem/

IT professionals and software developers should prepare for Software Bills of Materials (SBOMs) to become a regular part of the IT ecosystem, according to new research from the Linux Foundation.

The term, while already known to IT professionals, became more popular in the wake of several software supply chain security crises, including the SolarWinds compromise, the Kaseya-leveraged ransomware attack and the Log4j vulnerabilities.

The nonprofit open-source advocacy group's report, "The State of Software Bill of Materials and Cybersecurity Readiness," revealed that 78% of organizations expect to either produce or consume SBOMs in 2022, suggesting that IT and security professionals are interested in more transparency of software components.

Currently, just 47% are producing or consuming SBOMs, reflecting how rapidly attitudes toward transparency in the software ecosystem are changing.

In a statement, Jim Zemlin, the foundation’s executive director, says SBOMs are no longer optional.

“Businesses accelerating SBOM adoption following the publication of the new ISO standard (5962) or the White House Executive Order, are not only improving the quality of their software, they are better preparing themselves to thwart adversarial attacks following new open source vulnerability disclosures like those tied to log4j,” Zemlin says.

The report, the results of a survey of 412 global organizations, found that much of the interest in a detailed analysis of software components comes from those recent federal requirements, as more than 80% of organizations are aware of the executive order, and 76% are considering changes because of it.

According to the Linux Foundation, just 6% of organizations have no plans to consume SBOMs, while 42% plan to consume SBOMs in the next 6-24 months, 28% are consuming SBOMs across a few, some, or many segments of their business, and 18% are consuming SBOMs across nearly all segments of their business or have standard practices that include the use of SBOMs.

The research found that 90% of organizations have started their SBOM journey.

The report finds that 10% of organizations have not begun any planning for SBOMs and 14% are in a planning or development phase. Survey participants revealed that 52% are addressing the subject in a few, some, or many areas of their business; 23% are addressing them across nearly all areas of their business or have standard practices that include the use of SBOMs.

This means that overall, 76% of organizations have some degree of SBOM readiness, the report concludes.

Respondents say SBOMs provide a better approach to addressing reporting and compliance requirements, improve decision-making and help organizations more immediately understand their security exposures.

However, the survey did reveal that the IT industry is concerned with some uncertainties, including industry requirements, the availability of tools to automate SBOM consumption and industry consensus on what an SBOM should contain.

“In order to remove the uncertainty about industry-specific requirements for SBOMs, it requires a coordinated effort by government agencies, industry organizations (including industry-specific Information Sharing and Analysis Centers), and IT vendors and service providers to increase messaging around the SBOM value proposition, tools availability, integration capabilities, DevOps processes, and best practices,” the report says.

Log4j Highlights the Need for a Software Bill of Materials; Here's How to Create One
Tue, 11 Jan 2022 | https://mytechdecisions.com/compliance/log4j-highlights-the-need-for-a-software-bill-of-materials-heres-how-to-create-one/

Just days into the new year, the cybersecurity community is already playing catch-up thanks to the recent Log4j vulnerability, which illuminated major setbacks in how organizations deal with their own software and the open-source packages on which they rely.

In particular, organizations have been caught off guard in auditing their own systems, giving attackers a significant head start to take advantage of the flaw.

Asset inventory is ground zero for cybersecurity control. Even though it’s the most basic thing for an organization to do as a form of inventory, the landscape lacks comprehensive solutions and tools to streamline the process of dependency management, a technique for identifying, resolving and patching dependencies in an application’s codebase.

In most cases, this is because of a conscious choice in our programming languages to prioritize novel features over basic security optimizations such as improving dependency management. Older languages which lacked the awareness of dependency management as a security issue are still in wide use, while newer ones have skirted the issue to varying degrees.

With supply chain attacks on the rise and typosquatting on popular packages increasing, it is more important than ever that companies prioritize dependency management by creating a software bill of materials (SBOM).

An SBOM is a complete catalog of all components, libraries and licenses within an application package, including tools, linked libraries and all installed packages for Docker images.

This isn’t just a “nice to have” but will become a requirement under the latest Executive Order on Improving the Nation’s Cybersecurity.

A fundamental, applicable security control, the SBOM provides a reliable manifest of software and dependencies (both direct and transitive) which allows organizations to identify and resolve issues faster. Here’s how to create one:

Secure C-Suite Buy-In

Before starting development, it’s important to help leaders in an organization understand the inevitability of future widespread security threats. In the same way that major vulnerabilities such as Heartbleed (2014) and Spectre/Meltdown (2018) exposed systemic problems with our cryptography and hardware, Log4Shell is begging us to reckon with our supply chains being impacted by ubiquitous libraries we may not even be aware we depend on.


A complete, up-to-date and accurate SBOM will reduce the time and resources required to triage risk exposure when future vulnerabilities are discovered. Should leadership need more convincing, it’s helpful to keep in mind that in the CIS benchmark controls, widely considered a highly authoritative standard, inventory of software is second only to hardware.

Start With An Inventory

With leadership on board, the first step to creating an SBOM is listing all in-house software, containers and third-party vendor packages or applications used by an organization.

Often organizations are lacking even a basic list of things they have purchased, developed, or used directly. This step alone is low-hanging fruit and will provide immediate benefits.

Once this is finished, teams can identify direct dependencies, followed by transitive dependencies to round out creating a comprehensive inventory of their software and dependencies.

Choose an Appropriate Tool for Your Language

Since Log4j is the topic of the day, I recommend practicing this skill by selecting a Java project using a vulnerable version and generating a dependency manifest to check for Log4j.

Using Google’s Open Source Insights tool, search for a vulnerable version of Log4j and then select a dependent project.

In my case, I was able to build the nacos/client project, generate a list of dependencies as a tree, and (optionally) search for log4j in the list.

This assumes you’re using Maven, but similar workflows exist for Go, Python, and other languages. As always, choose the tool that is built for your language.

➜  client  git:(develop) mvn dependency:tree | grep log4j
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:compile
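Grepping the tree finds the artifact but drops the information an SBOM needs most: whether each hit is a direct or a transitive dependency, and which direct dependency dragged it in. As an added example (not code from the article or from the nacos/client project), the Python script below parses output in the shape `mvn dependency:tree` prints into a flat manifest that keeps depth and origin, then flags every copy of a chosen artifact below a minimum version. The sample tree is constructed, and the 2.17.0 threshold is an assumption taken from the versions shown in the output above.

```python
import re
from collections import namedtuple

# Constructed sample in the shape `mvn dependency:tree` prints (not output from
# any real project): a direct log4j-core, its transitive log4j-api, and a
# log4j-slf4j-impl pulled in by a hypothetical internal library.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:internal-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:runtime
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# "[INFO] " + nesting prefix (3-char groups) + "+- " or "\- " + g:a:type[:cls]:ver[:scope]
LINE_RE = re.compile(r"^\[INFO\] ((?:\|  |   )*)([+\\]- )?(\S+:\S+:\S+:\S+)$")

# depth: 0 = the project itself, 1 = direct, >1 = transitive;
# via: the direct dependency that introduced a transitive one ("" otherwise)
Dependency = namedtuple("Dependency", "group artifact version depth via")

def parse_tree(text):
    """Flatten dependency:tree output into a manifest that keeps depth and origin."""
    deps, path = [], []  # path: artifact at each depth on the current branch
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # build banners and progress lines are not entries
        prefix, marker, coords = m.groups()
        depth = len(prefix) // 3 + 1 if marker else 0
        parts = coords.split(":")
        version = parts[3] if len(parts) <= 5 else parts[4]  # 6 parts = classifier present
        del path[depth:]
        path.append(parts[1])
        deps.append(Dependency(parts[0], parts[1], version, depth,
                               path[1] if depth > 1 else ""))
    return deps

def version_key(version):
    """Sort key for numeric versions such as 2.14.1; a qualifier after '-' is ignored."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("-")[0].split("."))

def find_below(deps, group, artifact, min_version):
    """Every occurrence of group:artifact older than min_version, direct or transitive."""
    return [d for d in deps if d.group == group and d.artifact == artifact
            and version_key(d.version) < version_key(min_version)]
```

Piping real `mvn dependency:tree` output into `parse_tree` and calling `find_below` for each log4j artifact gives the triage list the article asks for, with the `via` field pointing at the direct dependency to upgrade or replace.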

Don’t Forget Docker Images

While your software may have vulnerable and outdated packages, running in Docker further compounds this issue. Often, images are full of vulnerable system components lurking quietly, waiting to be abused. Even in the case of the most meticulously maintained images, the very latest and freshest of images are stale on arrival.

Consider that the ubuntu:latest image, widely used as a base for other containers, has 97 packages installed by default. At the time of this writing, several were ready for updates.

Further, because of caching and how the standard build process works, you are very likely to be building from an even older base image, magnifying the problem of bloated base images and stale, outdated, potentially vulnerable packages.

While it is entirely possible to audit installed system packages using tools specific to the distribution for that container’s base image, it’s far better security practice to shrink the surface area by opting to use scratch or distroless. This removes all other files (or nearly all in the case of Distroless) and packages, leaving only your application and the bare minimum of things necessary to run it.

You have removed a significant amount of surface area which could have been leveraged against you, making the image far more secure. As an added bonus, the SBOM is now far easier to generate and maintain!

Include Repo Health

An SBOM alone is only the beginning, however. It only provides a manifest of packages as one of potentially many other factors to inform decisions about supply chain security.

In particular, one must consider signals of the overall health of the repository as well as reported vulnerabilities. Who owns it? No, really, who actually owns it? How many contributors are there? How frequently is it updated? Do they have a process for reporting vulnerabilities? Single-developer, poorly supported or funded projects, or projects with poor communication all present additional risk to your organization’s supply chain.

Plan to Update Regularly

Again, an SBOM is only a manifest of packages and dependencies. These must be regularly audited using tools such as Anchore or Snyk to identify vulnerabilities that may not yet be known or are flying under the radar.

A dependency might not meet the qualifications to be reported to the National Institute of Standards and Technology and still present considerable security risks for an organization. Leaders are responsible for thinking critically about the software supply chain and predicting issues that could impact the business in the future.

The ecosystem for auditing dependencies, while undergoing rapid improvements, is still full of sharp edges and potentially difficult problems for teams trying to improve the security of their software supply chain. Asset inventory is the single most fundamental control available to organizations to reduce the risk of vulnerabilities.

Already a promising vector for attackers, supply chain attacks are only going to increase in complexity and become more difficult to defend against, but by being disciplined in the basic controls, we can achieve far better levels of security with lower effort and cost than trying to detect and remediate after an attack has already occurred.

Bren Briggs is vice president of DevOps and Cybersecurity at Hypergiant where he oversees the infrastructure and security operations of the Hyperdrive Platform and all client engagements. A seasoned security and operations engineer, Briggs has experience in environments ranging from the hostile and unforgiving deserts of war zones in Southwest Asia to the data centers of Research Triangle Park and everything in-between.

The post Log4j Highlights the Need for a Software Bill of Materials; Here’s How to Create One appeared first on My TechDecisions.
