Industries such as aerospace, automotive, aviation, medical, military, and public utilities often require a high degree of security and reliability. And at one time, manufacturers in these industries could require that all supplier software be written to their specifications. This would enable them to understand the provenance of their software and have some assurance of the security of their end products.
However, increased software complexity, multiplying requirements, and reduced implementation times leave manufacturers little choice other than to incorporate specialized third-party components from a vast array of vendors, even when safety, security, and reliability are paramount.
Adding complexity to this is the emergence of regulations that focus on cybersecurity requirements. While embedded systems regulations used to focus on safety, security standards are now forcing manufacturers to become more accountable for the security of their products. For example, the U.S. government’s Executive Order on Improving the Nation’s Cybersecurity requires its vendors to provide software bills of materials (SBOMs) and demonstrate cybersecurity management. This regulation impacts all vendors, suppliers and providers of technology solutions to the U.S. government, particularly those working in defence and critical infrastructure. As another example, WP.29, the United Nations Economic Commission for Europe’s (UNECE’s) Sustainable Transport Division working party, has established an international automotive cybersecurity regulation that includes performance and audit requirements for cybersecurity and software update management for new passenger vehicles sold in the European Union and many other countries. The WP.29 regulations require that OEMs demonstrate that they are managing cybersecurity risks.
So, in a world complicated by stricter regulations and the introduction of thousands of lines of code from third-party vendors – which often include open source and SOUP (software of unknown provenance) – how can you adequately and efficiently assess critical software when much of it is not readily accessible for analysis and vulnerability detection?
Part of the answer lies in your ability to create an SBOM for your product. An SBOM identifies your product’s software packages, authors, and versions, providing software composition transparency. Getting an accurate picture of the content of the binary package within your product is one of the foundations of establishing secure supply chain management practices. Indeed, by having an awareness of your product’s subcomponents you are better positioned to mitigate a range of risks, including IP disputes and regulatory non-compliance.
Creating an SBOM is just the first step to uncovering and addressing cyberthreats. To understand security risks hidden in your software binaries, your SBOM information needs to be analysed against a vulnerability database, such as the National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD). This can be challenging when both your software and the vulnerability databases you are checking it against are evolving. Ideally, you need to adopt a tool that ensures the vulnerabilities you are detecting are up to date and complete, so that you neither waste time and resources on remediation actions driven by false positives nor miss critical vulnerabilities because of false negatives.
Once you can easily uncover the composition of your software, you can go on to integrate automated vulnerability detection into your CI/CD workflow, track open-source software products and their licensing requirements, and begin to perform more in-depth security analysis.
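As an added example (not code from the original post or from BlackBerry), the following Python script shows the matching step described above together with the simple CI/CD gate the next paragraph mentions: it reads a constructed CycloneDX-style SBOM, compares each component's version against the affected ranges in a constructed vulnerability feed, and fails the build when a finding meets a severity threshold. The package names, version numbers and vulnerability identifiers are all made up for illustration. The version-tuple comparison and exact name matching are included because a naive string comparison ("2.4.10" sorts before "2.4.2") or a substring match on package names are common sources of exactly the false positives and false negatives the text warns about.

```python
"""Match a CycloneDX-style SBOM against a vulnerability feed using version ranges.

Added example; the SBOM, the feed and the package names are constructed for
illustration and do not describe any real product or real CVE.
"""
import json
import re

# Constructed SBOM in the CycloneDX JSON shape (trimmed to the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libparse", "version": "2.4.10",
         "purl": "pkg:generic/libparse@2.4.10"},
        {"type": "library", "name": "libparse-extras", "version": "1.0.0",
         "purl": "pkg:generic/libparse-extras@1.0.0"},
        {"type": "library", "name": "netstack", "version": "3.1.0",
         "purl": "pkg:generic/netstack@3.1.0"},
        {"type": "library", "name": "cryptolib", "version": "1.2.0",
         "purl": "pkg:generic/cryptolib@1.2.0"},
    ],
})

# Constructed vulnerability feed (placeholder ids, not real CVEs).  Each entry
# names the affected package and the half-open range [introduced, fixed);
# fixed=None means no fixed release exists yet.
SAMPLE_FEED = [
    {"id": "VULN-EXAMPLE-1", "package": "libparse", "introduced": "2.0.0",
     "fixed": "2.4.2", "severity": "HIGH"},
    {"id": "VULN-EXAMPLE-2", "package": "libparse", "introduced": "2.4.0",
     "fixed": "2.5.0", "severity": "CRITICAL"},
    {"id": "VULN-EXAMPLE-3", "package": "netstack", "introduced": "3.0.0",
     "fixed": None, "severity": "MEDIUM"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Turn a dotted numeric version into a tuple of ints so that 2.4.10 > 2.4.2.

    Comparing raw strings would put "2.4.10" before "2.4.2" and report
    VULN-EXAMPLE-1 as a false positive.  Only dotted numeric versions are
    accepted; pre-release tags or vendor suffixes are rejected rather than
    silently mis-ordered (a real matcher needs ecosystem-specific rules here).
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None means unbounded)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def load_components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def match_sbom(sbom_json, feed):
    """Return one finding per (component, vulnerability) pair that applies.

    Package names are compared exactly, so "libparse-extras" is not flagged by
    entries for "libparse" (a substring match would be a false positive).
    """
    findings = []
    for name, version in load_components(sbom_json):
        for entry in feed:
            if entry["package"] != name:
                continue
            if is_affected(version, entry["introduced"], entry["fixed"]):
                findings.append({"component": name, "version": version,
                                 "id": entry["id"], "severity": entry["severity"],
                                 "fixed": entry["fixed"]})
    # Most severe first; sorted() is stable, so feed order is kept within a rank.
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


def ci_gate(findings, threshold="HIGH"):
    """CI/CD gate: True (pass) unless some finding reaches the threshold."""
    limit = SEVERITY_RANK[threshold]
    return all(SEVERITY_RANK[f["severity"]] < limit for f in findings)


if __name__ == "__main__":
    results = match_sbom(SAMPLE_SBOM, SAMPLE_FEED)
    for f in results:
        print(f"{f['severity']:8} {f['id']:16} {f['component']}@{f['version']} "
              f"fixed in: {f['fixed'] or 'no fix available'}")
    print("gate:", "PASS" if ci_gate(results) else "FAIL")
```

Run it directly to list the findings and the gate decision. In a real pipeline the feed would be pulled from the NVD or a vendor service on every run, so that the check reflects the current state of the database, and the gate's boolean would map to the job's exit status.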
Manufacturers of mission-critical systems would be challenged to meet market demands without leveraging pre-existing components. Even with easy access to all the source code within their products, it would not make sense to manually search for vulnerabilities, compliance issues, or quality issues – the many months of an engineering team’s time required for this would be far too costly. For this reason, tools and techniques have been developed to efficiently create an SBOM, to uncover vulnerabilities within software binaries, to analyse them against vulnerability databases, and even to perform more advanced analyses that go beyond SBOM, CVE and OSS detection.
Find out about the best practices and techniques top cybersecurity experts use to uncover, assess and address vulnerabilities hidden within their products’ binaries. Join BlackBerry Technology Solutions CTO Adam Boulton and Brandon Bailey, Senior Cybersecurity Project Leader from The Aerospace Corporation on October 7, 2021 for a one-hour webinar in which they will discuss the reality of performing software assurance on black box software using the latest technologies and techniques. They will cover how to use tools to get insights on software composition with a software bill of materials, detect known common vulnerabilities and exposures (CVEs), discover unknown weaknesses, check for coding standards adherence, and determine licensing compliance – all with access to binary images only. If you need to understand the risk exposure of your black box software, this webinar is for you.