Complying with NSA SBOM Recommendations

The Interlynk platform has been designed with NSA SBOM use cases in mind, making it a comprehensive fit for all recommended capabilities.
Interlynk
December 15, 2023

The National Security Agency (NSA) has released its “Recommendations for Software Bill of Materials (SBOM) Management”.

The document recommends leveraging SBOMs to make Risk Management, Vulnerability Management, and Incident Management decisions. To achieve those goals, it outlines the capabilities of an ideal SBOM Management System.

The Interlynk platform has been designed with these use cases in mind, making it a comprehensive fit for all recommended capabilities.

Background

The National Security Agency (NSA) has released a Cybersecurity Information Sheet (CSI) called “Recommendations for Software Bill of Materials (SBOM) Management”.

This CSI provides network owners and operators with guidance for incorporating SBOM use to help protect the cybersecurity supply chain, with a focus on and some additional guidance for National Security Systems (NSS).

This document has been developed as part of a Cybersecurity Supply Chain Risk Management (C-SCRM) initiative by evaluating various SBOM tools. Therefore, it represents the best capabilities of SBOM tools.

Recommended SBOM Capabilities

  • ✅ = Built in Interlynk Platform

SBOM Input

Recommended Features

  • ✅ CycloneDX 1.4 or newer, SPDX 2.1 or newer
  • ✅ JSON, XML, and CSV import
  • ✅ SBOM structure and syntax checks
  • ✅ Alert user of SBOM’s compliance with relevant structure and syntax
  • ✅ Include an auto-correct option to assist the user

Interlynk Capabilities

Interlynk supports CycloneDX 1.4 or newer and SPDX 2.1 or newer files in JSON, XML, RDF, and Tag-Value, as well as CSV import. The platform identifies the most common errors in the included SBOM, assesses its quality, lays out all findings to users, and lets them control the import. The process can be automated for future SBOM imports from the same vendor or pipeline.

SBOM Output

Recommended Features

  • ✅ Export SBOMs in CDX or SPDX format
  • ✅ Export SBOMs as JSON or XML files
  • ✅ Convert one SBOM file type to another
  • ✅ Convert one SBOM file to another
  • ✅ Aggregate multiple SBOMs into one SBOM

Interlynk Capabilities

Interlynk can interoperate between CycloneDX and SPDX SBOMs and export them in JSON and XML, with or without vulnerability data. SBOMs from vendors can be linked or flattened into a product SBOM using SBOM assembly features.

Generating SBOMs

Recommended Features

  • ✅ Generate SBOMs from various types of software development process outputs (for example, from a software build environment, from analysis of a binary file, from system registry query, etc.).

Interlynk Capabilities

Interlynk can bring in SBOMs from all modern CI/CD pipelines and SBOM storage, from SBOM requests sent via the platform, or by direct import. Interlynk has also built capabilities to generate SBOMs from scratch for a wide variety of build systems, including legacy C/C++ builds without package managers.

SBOM Component handling

Recommended Features

  • ✅ Display NTIA-minimum SBOM fields (Supplier Name, Component Name, Component Unique Identifier (CPE, PURL)/Hash, Component Version, Component Dependency Relationship, Component Author) for each component.
  • ✅ Enrich SBOM information using additional reference sources. Ideally, it should provide visual cues indicating external information was used to enrich the SBOM data and references source sites of the enrichment data.
  • ✅ Include mechanisms to graphically represent component dependencies.
  • ✅ Display component provenance information, including external enrichments.

Interlynk Capabilities

Interlynk identifies and allows editing of all NTIA-minimum SBOM fields, including component relationships. The platform detects common errors in product naming and identification and brings in additional metadata from publicly available sources to suggest fixes.

Validation of SBOM and SBOM component integrity

Recommended Features

  • ✅ Capture and display hash information for each component. Ideally, this validation should provide a digital signature for the SBOM and provenance information for each component, as well as the Component Hash, and a PURL or CPE pointer.
  • ✅ Include links to information sources where provenance data was gathered (supports ability to verify integrity and assess risk).

Interlynk Capabilities

Interlynk builds a repository of hashes for common publicly available components and marks SBOM components as ‘verified’ or ‘unverified’. Interlynk can also cryptographically sign an outgoing SBOM and verify the signature of an incoming SBOM.

Vulnerability tracking and analysis

Recommended Features

  • ✅ Provide daily updates from the National Vulnerability Database (NVD) and other vulnerability data. Ideally, these updates should provide continuous extracts and analysis from associated cyber threat intelligence (CTI) and SBOM data enhancement services.
  • ✅ Notify users of new vulnerabilities and updates, including alerts of emergent critical vulnerabilities and their severity. Ideally, these notifications should clearly distinguish between a new vulnerability and an update to an existing vulnerability, and provide additional information to prioritize vulnerability responses along with risk remediation guidance.
  • 👨🏽‍💻 Integrate various sources of threat intelligence in addition to the various software vulnerability/weakness databases.
  • 👨🏽‍💻 Provide a flexible policy engine, including the ability to apply and update organization-specific policy rules. Ideally, this customization should enable the integration of threat intelligence as policy rules.
  • ✅ Provide multiple ways to identify and research an emergent vulnerability’s existence in the user’s SBOM repository/asset inventory. Ideally, it should quickly identify specific networks or endpoints containing the software and configurations affected by a newly discovered vulnerability.
  • ✅ Support and track the timeliness of vulnerability remediation (including configuration management/traceability to a new SBOM to distinguish the vulnerable, replaced software from the remediated/hardened replacement software).

Interlynk Capabilities

Interlynk's vulnerability management for SBOMs is built on continuously updated data from multiple sources, including NVD and KEV. A state change in SBOM vulnerabilities can trigger customizable notifications through multiple integrations: Email, Slack, JIRA, and more. Interlynk is building a policy engine to set up specific policies for software build or procurement expectations based on legal and security risk analysis. Vulnerabilities can be mapped back to static or deployed assets, providing near real-time notification when an asset is affected by a newly published vulnerability. The vulnerability metadata, along with software metadata, allows tracking metrics suitable for various compliance needs, including FDA.

Distinguishing identified vs. exploitable vulnerabilities

Recommended Features

  • ✅ Indicate whether a vulnerability is actually exploitable and support accompanying evidence and justification for non-exploitable claims. Ideally, it should annotate and update information about the exploitability of a component vulnerability using Vulnerability Exploitability eXchange (VEX) format.

Interlynk Capabilities

Interlynk tracks the state of each vulnerability across products and their versions. The VEX status recommended by CISA is built into the platform itself, with CycloneDX and OpenVEX output. VEX data carries across product versions when applicable and can be exported as PDF or CSV for external review.

User interface

Recommended Features

  • ✅ Follow Human Computer Interface (HCI) standards.
  • Incorporate accessibility features.
  • ✅ Provide mechanisms that make the information easy to assess and, if desired, enable the user to easily delve further (often by hovering the cursor over icons or clicking on icons with links) to view the next level of detail.
  • ✅ Provide easily understandable graphic representation methods and formats to convey information attributes about software components, vulnerabilities, licenses, supplier organizations, users, and user organizations.
  • ✅ Provide multiple ways to ‘drill down’ and obtain additional information for software component provenance, vulnerability, license, and risk status.
  • ✅ Provide means to create structured groupings or categories of SBOMs to facilitate asset tracking, vulnerability management, incident management, etc.
  • ✅ Provide the ability to filter/sort/group SBOM information according to user-selectable attributes (such as by software/BOM type, software/BOM source, software/BOM PoC; component type, component package, component age, component versions, security trend; vulnerability severity, vulnerability count; and organization level, license type, violation).

Interlynk Capabilities

Interlynk's minimal dashboard design focuses on getting the right information at the right time. The underlying data is organized in many layers, from components and their sources to ecosystems, product parts, product versions, and product pipelines. Each context page gets its own set of search and filtering capabilities, and the interface focuses on mapping a vulnerable component to all products and supply chains affected by it.

Output forms and methods

Recommended Features

  • ✅ Output standardized reports regarding component attributes, vulnerability information, license information, and component supplier information.
  • ✅ Export dependency information in graphic and/or text format.
  • ✅ Output graphic representations of analysis results.
  • ✅ Ideally, provide a modular means to export specific text and graphics (whether from the SBOM itself or derived from analysis and enhancement processes) for use in external communications.

Interlynk Capabilities

The Interlynk Platform is built as a GraphQL subscriptions API with intuitive, scalable schemas that are immediately usable by any client. The Interlynk SBOM processing engine checks for recurring patterns in SBOMs across product versions and allows for analysis and “SBOM patching” as needed.

SBOM versioning and configuration management support

Recommended Features

  • ✅ Include a scalable configuration management capability for SBOMs. Minimally, it should include mechanisms to organize SBOMs, maintain version history, and track changes of SBOMs/software.
  • ✅ Include user-tailorable mechanisms to organize SBOMs on multiple information attributes (such as by organization, software supplier, type of software, type of BOM, license type, etc.).
  • ✅ Include a trend graphic showing the number of vulnerabilities for each severity level across each component version and report whether the numbers of component vulnerabilities are increasing or decreasing with each version release.
  • 👨🏽‍💻 Compare SBOM versions for the same software and highlight differences (such as by different components or different component versions, different sources, etc.).

Interlynk Capabilities

The Interlynk Platform is built as a GraphQL subscriptions API with intuitive, scalable schemas that are immediately usable by any client. The Interlynk SBOM processing engine checks for recurring patterns in SBOMs across product versions and allows for analysis and “SBOM patching” as needed.

Integration and workflow with other systems

Recommended Features

  • ✅ Employ “API First” design to facilitate import and export of information with other systems. Ideally, information elements within the tool should be individually exportable/downloadable.
  • ✅ Integrate with multiple types of SBOM sources and other data that can be combined together for analysis.
  • ✅ Leverage format-agnostic, independent, stateless, and scalable API capabilities (such as REST) to automate processes/workflow.
  • ✅ Support a secure, integrated Producer/Consumer exchange ecosystem.

Interlynk Capabilities

The Interlynk Platform is built as a GraphQL subscriptions API with intuitive, scalable schemas that are immediately usable by any client. The Interlynk SBOM processing engine checks for recurring patterns in SBOMs across product versions and allows for analysis and “SBOM patching” as needed.

Supporting access to data sources

Recommended Features

  • 👨🏽‍💻 Integrate AI/ML engines and associated ‘data lakes’ that analyze SBOM component information against diverse types of threat signatures and patterns.
  • ✅ Include an updatable library of open source software licenses that the SBOM management tool identifies and tracks where applicable.

Interlynk Capabilities

The platform builds a library of the open-source and commercial licenses in use and separates them into active and inactive buckets as the software EOL approaches. The platform is investigating the use of an ML engine for vulnerability matching.

Scalable architecture

Recommended Features

  • ✅ Include mechanisms to support distinct sub-organizations within an enterprise that may have different risk tolerance rules or policies.
  • Handle other types of BOMs.
  • ✅ Be part of, or support, a suite of tools that work together to accomplish Risk Management, Vulnerability Management, and Incident Management activities.

Interlynk Capabilities

Interlynk is designed with multi-unit enterprises in mind and supports RBAC, product groupings, and separation of policies and controls by product group. The platform has been built API-first and has multiple integrations on its roadmap.

SBOM tool setup and configuration

Recommended Features

  • ✅ Provide mechanisms and supporting materials to easily download, set up, and integrate in Linux or Microsoft environments. Ideally, it should support both environments.

Interlynk Capabilities

Interlynk is available as a Software-as-a-Service platform, with a containerized on-prem solution on the roadmap.