在我们的 以前的文章, we outlined what a software bill of materials (SBOM) is, how it is created, and what the benefits are of creating and using SBOMs. This is part of our series of blog posts 十大网博靠谱平台 security of the software supply chain.
在这篇文章中, we’re going to look at what to do with an SBOM, 以及如何确定在它编目的代码中是否存在潜在的破坏性漏洞(安全缺陷).
你已经 received an SBOM. 那么?
你已经 received an SBOM alongside a code package, or you’ve received an updated SBOM for a product already in use. 对于正在使用(或计划使用)的代码组件,您现在拥有了比以前更多的信息。.
Ideally, you will want to check that code package for vulnerabilities. 新的漏洞一直在出现,所以这可能是一个持续的过程.
You could do it manually, 将SBOM中列出的组件与公开可用的漏洞列表(例如在 www.cve.org ). This is likely to be both time-consuming and difficult, so you will probably do it automatically, using one of the many tools available; the SBOM is designed to be machine readable.
By doing this, you may discover that there are multiple vulnerabilities. 其中大部分, 然而, are likely to be irrelevant: 例如, though there is an identified vulnerability (X) in component Y, the code package being considered is not affected by X. Unless you are very familiar with the structure of the code, you are unlikely to be able to quickly identify which are irrelevant, and which are problematic—and this could be a very significant task.
在这一点上,您可能认为所有的SBOM都在为您做更多的工作-但有一个前进的道路.
Vulnerability disclosures
软件供应商可以向您提供有关其产品已知存在的漏洞的信息, 使用VDR, and about those that it is known not to have, 使用烦恼:
VDR(漏洞披露报告)是相关代码包中已知漏洞的列表,由软件供应商发布. There is no specified format, but it should list the vulnerabilities, details 十大网博靠谱平台m, 可能的影响—攻击者可能会做什么—以及建议采取的操作.
A 烦恼 (vulnerability exploitability exchange), also provided by the software vendor, is intended to reduce the number of irrelevant alerts, 因此,您可以快速识别并关注那些可能对您造成问题的漏洞.
Both have their place, but today we will focus on the 烦恼.
什么是烦恼?
Where the SBOM is a list of what is in a package, the 烦恼 indicates which vulnerable components in that package could, 在实践中, be used by an attacker.
比如VDR, 它是由软件创建者发布的安全通知,描述其产品的漏洞状态. 不像VDR, it is machine readable, 为集成到安全管理工具和漏洞跟踪平台而构建, 并旨在通过澄清由SBOM确定的漏洞是否可能影响您的业务来支持更有效地使用SBOM.
Not every vulnerability in a package can be exploited by an attacker. 烦恼显示包中有哪些漏洞,更重要的是显示该漏洞的状态. 这包括该特定包中的每个漏洞是否可以被攻击者利用,从而是否对您的业务构成风险,并提供有关供应商正在采取的行动的信息, and/or the action they recommend to you.
By removing the false positives from consideration, 烦恼有助于减少您的业务的漏洞管理工作负载,并有助于确定所需操作的优先级.
什么是在一个 烦恼?
软件供应商出具的烦恼应包含以下类型的信息:
The product name and version it applies to, with a product identifier, so that you should know exactly which product is relevant
Vulnerability identifiers, and possibly descriptive information, so you can find out more about each vulnerability
列出的每个漏洞的状态:受影响/未受影响/正在调查/修补. 这样你就可以知道这个漏洞是否可以在产品中被利用, 或者一旦调查完成,是否期望从供应商那里获得更多信息
如果状态为“受影响”,则说明该漏洞的潜在缓解措施. For example, recommendations to upgrade, or where to find a patch.
如果状态为“不受影响”,则说明产品不受影响的原因. 这可能是, 例如, because the vulnerable code is not executed by the product, cannot be triggered by an attacker, or there are mitigations already in place.
A timestamp for the 烦恼.
There may be other information included, such as the related SBOM details.
What is the point of 烦恼?
烦恼的目的是加快识别代码中重用组件中的漏洞, to reduce false positives (and therefore reduce the workload).
它提供了可操作的信息来支持软件供应链风险的管理.
As you can see from the image below, the SBOM may provide you with more information, 但你需要更多的信息,才能利用这些信息做一些有用的事情——这就是烦恼要提供的.
SBOM + 烦恼一起提供了软件包中可利用漏洞的列表. 这意味着您可以评估每个业务漏洞的风险,并决定将采取什么行动来减轻每个风险.
是什么? benefits of SBOM / 烦恼?
The obvious benefits of implementing SBOM and 烦恼 are:
一般来说:十大网博靠谱平台软件组件的信息的标准化, and therefore also transparency for the consumer of the software.
对于消费者:了解您正在使用的软件中有哪些可利用的漏洞, and therefore what the risks are to your business. You can then establish how you will mitigate them.
对于开发人员:识别和减轻正在开发的代码中的漏洞的能力——提高产品的安全性.
Additional benefits include the potential for:
更快的事件响应(因为您对漏洞有更多的了解)
改进的漏洞管理/补丁分类(因为您可以采用基于风险的方法)
为对你的业务进行尽职调查的利益相关者提供证据(因为你有更多的信息)
Improvements in customer service
Better completion of software licence tracking and verification
And possibly the reduction of penetration testing required (or at least, 测试的微调),因为您将对代码中的漏洞有更多的了解.
In this series, 我们已经讨论了soms和烦恼,以解释它们是什么以及它们在支持您的业务安全方面的目的:
If you’d like more information, 或讨论CSP如何帮助您确保供应链的安全,或任何其他令您担忧的网络安全问题,请十大网博靠谱平台 0113 5323763 或者通过 webform.
