CBOM/SBOM - Create a Cybersecurity Bill of Materials

A Bill of Materials (BOM) is a list of the raw materials, sub-assemblies, intermediate assemblies, sub-components, parts, and the quantities of each needed to manufacture an end product. We can apply this concept to software development and create a Software Cybersecurity BOM (CBOM/SBOM) – a list of all software packages (with version numbers) that are incorporated into the build of a software product.

Why should I bother creating a Cybersecurity Bill of Materials?

Your customers will like it

With the proliferation of cybersecurity threats, particularly ransomware and botnets, network administrators for healthcare providers (such as hospitals, clinical labs, etc.) are becoming increasingly wary of connecting medical devices to their network. If you can present your customers with a Cybersecurity BOM for your device, then whenever a new vulnerability alert is issued they can check the BOM themselves and determine whether your device is affected, instead of having to ask you or assume the worst.

Your lawyers will like it

Many medical devices incorporate open source libraries, and many open source licenses have very specific requirements you have to follow to be in compliance. For example, the GPL (which applies to the Linux kernel and many Linux utilities) and the LGPL (which applies to many development libraries) both require that you give the user a copy of the license text together with a notice of which packages it covers, and that you make the corresponding source code of those packages available (or a written offer for it). On a device with no other distribution channel, an "open source licenses" screen in the user interface is the usual place to satisfy the first of these. If you don't know what software packages you have on your device, how can you be sure that you are in compliance with their licenses?

You will like it

Setting up a Software Cybersecurity BOM is the first step towards continuously monitoring your devices for new security vulnerabilities. This helps ensure that your device isn't involved in the next major cybersecurity incident. 

How do I create a Cybersecurity Bill of Materials?

The BEST way – Ask your build system

You use a build system that can build a repeatable software image or executable from source code, right?  Right?  Well, for a build system to produce a repeatable image, it must already know exactly which software packages, at which versions, go into that image, and that is precisely the information a software BOM needs.

The advantage of this method is that it can be completely automated. Every new software release can automatically include a software bill of materials. 

  • Java
      • mvn dependency:tree
      • gradle app:dependencies  ("app" is the module name; substitute your own)
  • Python
      • pip freeze  (lists everything in the current environment, so run it inside the clean virtualenv your build uses, not on a developer's workstation)
  • Node
      • npm list  (add --all to include transitive dependencies, --json for machine-readable output)
  • C#
      • PackageReference entries in the .csproj (or packages.config on older projects); `dotnet list package` prints them with resolved versions
  • C/C++
      • Makefile or CMake link lines show which libraries are linked in, but the versions come from the toolchain, sysroot or vendored source tree, so pair the link list with the package list that produced that sysroot
  • Embedded Linux
      • Yocto: enable buildhistory and read installed-packages.txt from the image's buildhistory directory; the <image>.manifest file written next to the built image lists the same packages with versions
      • Buildroot: `make legal-info` writes manifest.csv with each package, its version, license and source archive
  • PHP
      • `composer show`    (thanks @MisterGlass)
  • Go
      • go list -f '{{ .Deps }}'     (thanks @br_) lists package import paths without versions; `go list -m all` lists every module in the build with its version

The WORST way – Ask your software engineers

You could just ask your software team to come up with a list of all the libraries they used. This is the easiest way to get something, but it's really not recommended. Humans are lazy and error-prone: the exercise is tedious, something will be missed (above all the transitive dependencies pulled in by the libraries they do remember), and you have to repeat it for every new software release in case something has changed.

BACKUP Method # 1 – Ask your Operating System or Package Manager

This method works if you have an existing device with no repeatable way to recreate the software image. The operating system can generally give you a list of every software package that was installed via the OS package manager. It knows nothing about software that bypassed the package manager: anything copied onto the device by hand, built from source with make install, bundled inside your own application, or linked statically.

Linux:

$ rpm -qa
$ apt list --installed
$ dpkg --list
$ yum list installed

Windows:

C:\>  wmic /OUTPUT:InstallList.txt product list BRIEF /format:csv

Two caveats: the Win32_Product class behind this command only knows about packages installed through Windows Installer (MSI), and merely querying it makes Windows Installer run a consistency check (and possibly a repair) of every such package, so don't run it on a device in clinical use. The Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent) cover non-MSI installers as well, and wmic itself is deprecated in current Windows releases.
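The build-system commands above and the package-manager commands in this section all print one package per line, but each in its own shape. The following is an added example, not Promenade's tool or code from the page, of normalizing several of those outputs into a single SBOM document with package URLs (purls), which is the identifier SBOM formats such as CycloneDX use for a component. The sample inputs are constructed to look like what `pip freeze`, `go list -m all`, `composer show` and `dpkg-query -W -f='${Package}\t${Version}\n'` print; they were not captured from any real device, and the `debian` namespace used for deb purls is an assumption.

```python
"""Normalize the line-oriented output of several package listers into one SBOM.

Added example, not code from the original page. All sample inputs below are
constructed to mimic each tool's output; nothing here was captured from a device.
"""
import json
from urllib.parse import quote

# Constructed sample of `pip freeze`.
PIP_FREEZE = """\
certifi==2023.7.22
pillow==9.5.0
"""

# Constructed sample of `go list -m all` (first line is the main module, which has no version).
GO_LIST_M_ALL = """\
example.com/device/app
golang.org/x/crypto v0.17.0
github.com/gorilla/websocket v1.5.1
"""

# Constructed sample of `composer show` (name, version, description).
COMPOSER_SHOW = """\
monolog/monolog      2.9.2   Sends your logs to files, sockets, inboxes, databases
guzzlehttp/guzzle    7.8.1   Guzzle is a PHP HTTP client library
"""

# Constructed sample of dpkg-query -W -f='${Package}\t${Version}\n'.
# rpm -qa --qf '%{NAME}\t%{VERSION}-%{RELEASE}\n' produces the same name<TAB>version shape.
DPKG_QUERY = """\
libjpeg62-turbo\t1:2.1.5-2
openssl\t3.0.11-1
"""


def parse_pip_freeze(text):
    """'name==version' per line; skips comments and '-e' editable installs."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        name, _, version = line.partition("==")
        if version:
            out.append(("pypi", name.lower(), version))
    return out


def parse_go_list(text):
    """'module version' per line; the main module line has no version and is skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out.append(("golang", parts[0], parts[1]))
    return out


def parse_composer_show(text):
    """'vendor/name  version  description' per line; description is optional."""
    out = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2 and "/" in parts[0]:
            out.append(("composer", parts[0], parts[1]))
    return out


def parse_tab_separated(text, ecosystem):
    """'name<TAB>version' per line, as produced by the dpkg-query/rpm format strings above."""
    out = []
    for line in text.splitlines():
        if "\t" in line:
            name, version = line.split("\t", 1)
            out.append((ecosystem, name, version.strip()))
    return out


def purl(ecosystem, name, version):
    """Package URL for a component. The version is percent-encoded because Debian
    epochs contain ':'; the 'debian' namespace for deb packages is an assumption."""
    namespace = "debian/" if ecosystem == "deb" else ""
    return f"pkg:{ecosystem}/{namespace}{name}@{quote(version, safe='')}"


def build_sbom(components):
    """Deduplicate on purl and emit a minimal CycloneDX-style document."""
    by_purl = {}
    for ecosystem, name, version in components:
        p = purl(ecosystem, name, version)
        by_purl[p] = {"type": "library", "name": name, "version": version, "purl": p}
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": sorted(by_purl.values(), key=lambda c: c["purl"]),
    }


def collect_all():
    """Combine every parser's output into one component list."""
    return (parse_pip_freeze(PIP_FREEZE) + parse_go_list(GO_LIST_M_ALL)
            + parse_composer_show(COMPOSER_SHOW) + parse_tab_separated(DPKG_QUERY, "deb"))


if __name__ == "__main__":
    print(json.dumps(build_sbom(collect_all()), indent=2))
```

In practice each constant would be replaced by the captured stdout of the corresponding command run inside the build, and the resulting JSON committed alongside the release artifacts; keeping the version string exactly as the tool reports it (epoch, `v` prefix and all) is what later lets you match a vulnerability advisory to the precise build.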

BACKUP Method #2 – Ask your file system

This is another method that can work if you have an existing device with no repeatable way to recreate the software image. The software libraries are usually contained in a few places in the filesystem. For example, on Linux, you may be able to see something like this:

$ find /lib

/lib/libjpeg.so.62.0.0
/lib/libcrypt.so.1
/lib/libm.so.6
/lib/libjson.so.0
/lib/libjpeg.so.62
/lib/libiconv.so.2
/lib/libgcc_s.so.1

The file names give you each library's soname, i.e. its ABI version (libjpeg.so.62 tells you the ABI is version 62, not which upstream libjpeg release is installed), so you still have to map each file back to a package and release. Look beyond /lib as well: /usr/lib, /usr/local/lib and /opt, interpreter package directories such as Python's site-packages and Node's node_modules, and libraries linked statically into your own executables, which leave no .so file at all. This method can be combined with Backup Method #1 to be somewhat automated and somewhat accurate.  However, components can and will be missed by these methods.

OK, I have a CBOM/SBOM. Now what?

You can search the National Vulnerability Database (NVD) for each software package and version in your BOM to see whether it has any known vulnerabilities (CVEs). NVD describes affected products as CPE names plus version ranges, so you need the vendor and product name NVD uses for each package, which is often not the name your package manager uses, to get reliable matches. If a package is affected, you'll need to mitigate the vulnerability or provide a security update to your device's software that upgrades the package to a fixed version.
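The following is an added example, not Promenade's tool, of the matching step described above: checking SBOM entries against the version ranges NVD publishes for a CVE. The record is a constructed stand-in shaped like one entry of the NVD CVE API 2.0 response (`configurations[].nodes[].cpeMatch[]`); its CVE ID is a placeholder that does not correspond to any real CVE, and the libjpeg-turbo version range in it is made up for the example. The SBOM entries are likewise constructed, and the version comparison is a deliberately simple dotted-number scheme rather than any ecosystem's official ordering.

```python
"""Match SBOM components against NVD-style CPE match data, offline.

Added example, not code from the original page. NVD_RECORD is a constructed
stand-in for one NVD CVE API 2.0 record; the ID is a placeholder and the
version range is invented for the example.
"""
import re

NVD_RECORD = {
    "id": "CVE-0000-0000",  # placeholder, not a real CVE
    "configurations": [{
        "nodes": [{
            "operator": "OR",
            "cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "2.0.0",
                 "versionEndExcluding": "2.0.3"},
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:1.5.90:*:*:*:*:*:*:*"},
            ],
        }],
    }],
}

# Constructed SBOM entries as (vendor, product, version), already translated to
# NVD's CPE naming: Debian's package "libjpeg62-turbo" is CPE product "libjpeg-turbo".
SBOM = [
    ("libjpeg-turbo", "libjpeg-turbo", "2.0.2"),
    ("libjpeg-turbo", "libjpeg-turbo", "2.0.3"),
    ("libjpeg-turbo", "libjpeg-turbo", "1.5.90"),
    ("openssl", "openssl", "3.0.11"),
]


def version_key(v):
    """Turn '2.0.3', '1.5.90' or '3.0.11a' into a tuple comparable with < and ==.
    Numeric runs compare as integers, letter runs as text. This is a simple scheme;
    Debian epochs, RPM releases and semver pre-release tags need their own rules."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_cpe(criteria):
    """cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other"""
    fields = criteria.split(":")
    return {"vendor": fields[3], "product": fields[4], "version": fields[5]}


def in_range(version, match):
    """True if version satisfies the cpeMatch entry's pinned version or its range bounds."""
    vk = version_key(version)
    cpe_version = parse_cpe(match["criteria"])["version"]
    if cpe_version not in ("*", "-"):  # exact version pinned in the CPE itself
        return vk == version_key(cpe_version)
    if "versionStartIncluding" in match and vk < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and vk <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and vk > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and vk >= version_key(match["versionEndExcluding"]):
        return False
    return True


def affected(record, vendor, product, version):
    """True if (vendor, product, version) falls inside any vulnerable cpeMatch of the record.
    Nodes are treated as OR; AND nodes (platform 'running on' conditions) are not modelled."""
    for config in record["configurations"]:
        for node in config["nodes"]:
            for match in node["cpeMatch"]:
                if not match.get("vulnerable", False):
                    continue
                cpe = parse_cpe(match["criteria"])
                if cpe["product"].lower() != product.lower():
                    continue
                if cpe["vendor"] not in ("*", vendor.lower()):
                    continue
                if in_range(version, match):
                    return True
    return False


def scan(records, sbom):
    """Map each SBOM entry to the list of record IDs that affect it."""
    return {entry: [r["id"] for r in records if affected(r, *entry)] for entry in sbom}


if __name__ == "__main__":
    for entry, ids in scan([NVD_RECORD], SBOM).items():
        print(entry, "->", ids or "no matches in this data set")
```

In a real pipeline the records come from the NVD API (for example the `cpeName` query of `https://services.nvd.nist.gov/rest/json/cves/2.0`) or a downloaded feed, and the hard part is the step this example takes for granted: mapping package-manager names to CPE vendor/product pairs and knowing whether a distribution backported the fix without changing the upstream version number.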

We've built a tool to create a CBOM /SBOM for you. Paste in your software BOM in one of several supported formats, and the tool will automatically search the NVD and inform you of any known vulnerabilities.

Daniel Beard

Daniel is a technology enthusiast. He is passionate about technologies in web and application development, including security, communication and automation.

About Promenade Software

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications. Promenade is ISO 13485 certified, and CypherMed Cloud is SOC 2 Type II certified.