A Bill of Materials (BOM) is a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, parts and the quantities of each needed to manufacture an end product. We can apply this concept to software development and create a Software Cybersecurity BOM (CBOM)– a list of all software packages (with version numbers) that are incorporated into the build of a software product.
With the proliferation of cybersecurity threats, particularly ransomware and botnets, network administrators for healthcare providers (such as hospitals, clinical labs, etc) are becoming increasingly wary of connecting medical devices to their network. If you can present your customers with a Cybersecurity BOM for your device, then anytime a new vulnerability alert is issued, they know whether your device is affected or not.
Many medical devices incorporate open source libraries. Many open source licenses have very specific requirements you have to follow to be in compliance. For example, to comply with the GPL license (applies to the Linux kernel and many Linux utilities) and the LGPL license (applies to many development libraries), you MUST, somewhere in the user interface of the device, allow the user to view a copy of the license and what software packages it applies to. If you don't know what software packages you have on your device, how can you be sure you are in compliance with open-source licenses?
Setting up a Software Cybersecurity BOM is the first step towards continuously monitoring your devices for new security vulnerabilities, which will help make sure your device isn't involved in the next major cybersecurity incident.
You use a build system that can build a repeatable software image or executable from source code, right? Right? Well, for a build system to produce a repeatable image, it must have access to all the information you need for a software BOM – all the required software packages and their versions.
The advantage of this method is that it can be completely automated. Every new software release can automatically include a software bill of materials.
You could just ask your software team to come up with a list of all the libraries they used. This is the easiest way to get something, but it's really not recommended. Humans are lazy and error prone. It's tedious for them to do, they will miss something, and you have to repeat the exercise for every new software release in case something has changed.
This method works if you have an existing device with no repeatable way to recreate the software image. The operating system can generally give you a list of all software packages that are installed via the OS package manager.
$ rpm -qa
$ apt list --installed
$ dpkg --list
$ yum list
C:\> wmic /OUTPUT:InstallList.txt product list BRIEF /format:csv
This is another method that can work if you have an existing device with no repeatable way to recreate the software image. The software libraries are usually contained in a few places in the filesystem. For example, on Linux, you may be able to see something like this:
$ find /lib
This method can be combined with the package manager method above to be somewhat automated and somewhat accurate. However, components can and will be missed by these methods.
You can search the National Vulnerability Database to see if any of your software packages (with version numbers) have any known vulnerabilities. If so, you'll need to mitigate those vulnerabilities or provide a security update to your device's software to upgrade those packages to the latest version.
We've built a tool to do this for you, at www.devicevulnerabilitychecker.com. Paste in your software BOM in one of several supported formats, and the tool will automatically search the NVD and inform you of any known vulnerabilities.