Will 2022 Be the Year of the Software Bill of Materials?

Here, have a can of soup. Nah, we don’t know what’s in it. Could be 30 percent insect parts, could be seasoned with rat hair, who can say? The ingredients keep changing anyway. Just pour it into your network and pray. That, unfortunately, is the current state of cybersecurity: a teeth-grinding situation in which supply-chain attacks force companies to sift through their software to find out where bugs are hiding before cyberattackers beat them to the punch. It’s a lot easier said than done. The problem has been underscored by the massive SolarWinds supply-chain attack and by organizations’ frustrating, ongoing hunt for the ubiquitous, much-exploited Log4j Apache logging library. The problem predates both, of course: In fact, it’s one of the “never got around to it, keeping meaning to” issues that one security expert – Sophos principal security researcher Paul Ducklin – stuck an elbow in our rib about when it came time for end-of-year coverage. “We’re awash in supply chain attacks, whether they’re caused by active and purposeful hacking into software providers to poison code on purpose (e.g. Kesaya), or by an inattentive and casual attitude to sucking software components into our own products and services without even being aware (e.g. Log4Shell),” Ducklin said. “For years, we’ve batted around the idea that computer software and cloud services ought to have a credible Bill of Materials that would make it easy to figure out which newsworthy bugs might apply to each and every…