Software bill of materials

Dr Sybe Rispens writes:

Second, the proof of concept in the medical sector showed that there is nothing domain-specific in SBOMs. What goes for software in the field of medical technology applies to any software chain in any field, be it finance, energy, or manufacturing. Maturity models, methods for assessing the quality of an organization’s continuous improvement processes based on the use of SBOMs, have been set. That is important because the higher the maturity, the better an organization can turn incidents and errors into improvements. Also, new technological standards, such as a way to give software components a global, unique identifier or blockchain techniques, are being tested in the field.

I won’t go into the details of the “hack” that was discussed at the beginning of the linked write-up. Suffice it to say that global hardware supply chains have spawned a series of complex, interdependent vendors, each supplying specific components of the hardware that is assembled in a “finishing factory”. For example, Apple doesn’t make all of its components in-house, but depends on a complex network of suppliers and spends more money on marketing to generate its eye-popping margins.

The more complex the supply chain, the larger the attack surface and therefore the more opportunities there are to introduce software vulnerabilities that can be exploited. I was intrigued by this write-up because it specifically discussed medical technology, and the same reasoning applies to extremely complex linear accelerators.

These issues will be magnified with the on-boarding of 5G and IoT devices. Enterprises (and hospitals) need to build an understanding of these niche domains.
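To make concrete what the quoted text means by a global, unique identifier for software components, and why a larger supply chain needs a machine-readable inventory, here is an added example of an SBOM consumer. It is not code from the original post or from any of the projects mentioned; the SBOM (in CycloneDX JSON layout), the fictional component names and the advisory identifiers are all constructed for the demonstration. It parses the SBOM, uses the package URL (purl) as the identifier to match components against advisories by version, and, importantly, reports any component that lacks an identifier, since such a component cannot be checked against anything.

```python
"""Match components in a CycloneDX-style SBOM against vulnerability advisories.

Added example: the SBOM and the advisory list below are constructed for the
demonstration and do not describe any real product, vendor or CVE.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]  # package URL: the global, unique identifier an SBOM consumer keys on


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory_id: Optional[str]  # None when the component could not be identified at all
    reason: str


# Constructed minimal SBOM in CycloneDX JSON layout (fictional components).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library",  "name": "libfoo",       "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library",  "name": "libfoo",       "version": "1.4.0", "purl": "pkg:generic/libfoo@1.4.0"},
    {"type": "library",  "name": "netstack",     "version": "0.9.1", "purl": "pkg:generic/netstack@0.9.1"},
    {"type": "firmware", "name": "imaging-ctrl", "version": "2.0.0"}
  ]
}"""

# Constructed advisories: purl without version, plus the first version that contains the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_name": "pkg:generic/libfoo",   "fixed_in": "1.3.0"},
    {"id": "ADV-EXAMPLE-0002", "purl_name": "pkg:generic/netstack", "fixed_in": "1.0.0"},
]


def parse_sbom(text: str) -> list[Component]:
    """Extract components from CycloneDX JSON; a missing purl is kept as None, not dropped."""
    doc = json.loads(text)
    return [
        Component(name=c["name"], version=c["version"], purl=c.get("purl"))
        for c in doc.get("components", [])
    ]


def version_key(version: str) -> tuple[int, ...]:
    """Dotted numeric version to a comparable tuple ('1.2.3' -> (1, 2, 3))."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/name@version' into ('pkg:type/name', 'version')."""
    name, _, version = purl.rpartition("@")
    return name, version


def match_advisories(components: list[Component], advisories: list[dict]) -> list[Finding]:
    """One Finding per affected component, plus one per component that has no identifier."""
    findings = []
    for comp in components:
        if comp.purl is None:
            findings.append(Finding(comp, None, "no purl: cannot be matched against any advisory"))
            continue
        purl_name, purl_version = split_purl(comp.purl)
        for adv in advisories:
            if adv["purl_name"] == purl_name and version_key(purl_version) < version_key(adv["fixed_in"]):
                findings.append(Finding(comp, adv["id"],
                                        f"version {purl_version} is below fixed version {adv['fixed_in']}"))
    return findings


def report(sbom_text: str = SBOM_JSON, advisories: list[dict] = ADVISORIES) -> list[Finding]:
    """Parse the SBOM and return all findings, in SBOM component order."""
    return match_advisories(parse_sbom(sbom_text), advisories)


if __name__ == "__main__":
    for f in report():
        tag = f.advisory_id or "UNIDENTIFIED"
        print(f"{tag}: {f.component.name} {f.component.version}: {f.reason}")
```

Running the block lists the two affected components and the firmware entry that carries no identifier. That last finding is the practical argument for the unique-identifier standards the quoted text mentions: a component an operator cannot name in a global namespace is a component no advisory feed can ever warn them about, no matter how mature the rest of the process is.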