Best practices for assessing today’s software risks

Today’s software offerings are constructed from a plethora of home-grown, open-source, purchased and AI-generated code. Assessing the vulnerability risk in each of these components is common practice in DevSecOps processes, but it’s becoming increasingly apparent that the combination and interdependencies between these components often creates intolerable risk that is not exposed from standard vulnerability practices.

To address this issue the concept of a Software Bills of Materials (SBOMs) has emerged. SBOMs provide a concise inventory of a software offering’s components, their license information and the interdependencies between them. Security best practices today include analysis of SBOMs to achieve visibility into your software portfolio and thus to improve software supply chain security and reliability. Here are some behaviors exhibited by leading software development teams on how you can achieve this goal.

1. Use the build and release process as the integration point. Make it a standard practice for developers to generate and update SBOMs for each software release.

2. Establish an automated lifecycle process for SBOMs. Continuously monitor for changes and updates in your third-party components, including security patches.

3. Establish a clear ownership structure for the SBOM lifecycle with clearly established roles and responsibilities

4. Share SBOMs with relevant stakeholders, such as customers, partners, or auditors, and ask your partners to provide SBOMs to you. Establishing transparency around your software supply chain builds trust, strengthens your brand and anticipates regulation.

5. Use automated tools and services that can scan your software code and dependencies to generate and analyze accurate and up-to-date SBOMs. Following the old adage of ‘Tools not Rules’, automation helps ensure consistency and reduces the risk of human error. Select tools that have a broad user community, like OWASP Dependency-Track ).

These best practices can help you establish a robust culture and process for the security of your software supply chain.