Strengthening the Software Supply Chain With SBOM
Posted: August 08, 2024 | Word Count: 783
By Kim Kyoung-ae, Open Source Task Leader of Software Engineering R&D Lab at LG Electronics
Approximately 70 percent of South Korean companies involved in software development use open-source software (OSS), according to the Korea National IT Industry Promotion Agency. OSS is easily accessible and can be utilized by users worldwide through online platforms like GitHub, enabling developers to create, develop, manage and share code. While OSS offers numerous benefits — from cost effectiveness to customizability and flexibility — it also presents significant drawbacks, including the prevalence of malicious code and security vulnerabilities that can spread rapidly.
The global use of OSS has increased, not only on the web and in various applications but also in software embedded in home appliances and telecommunications equipment. As its adoption has spread, new threats to digital products and online services have emerged and multiplied. Cybersecurity incidents now occur daily, with the software supply chain being a common target for cyberattacks. According to PwC’s 2024 Global Digital Trust Insights survey, the proportion of companies experiencing data breaches costing more than USD one million has risen from 27 percent to 36 percent year-over-year.*
To prevent and defend against cyberattacks, various efforts are being made to ramp up software supply chain security, particularly in the U.S. and Europe. The U.S. government has mandated that any company contracted to supply software to a federal agency must submit a self-attestation form confirming compliance with safe software development practices. Similarly, the European Union has proposed a bill mandating the submission of a “software bill of materials” (SBOM). An SBOM is a comprehensive list of the components within a software resource and has emerged as an effective means to enhance supply chain security.
The Korean government is also actively responding to the rise in advanced cyberattacks targeting software supply chains. Earlier this year, Korea’s Digital Platform Government Committee, along with the Ministry of Science and ICT and the National Intelligence Service, created the ‘Software Supply Chain Security Guidelines 1.0.’
These guidelines contain detailed information on minimum SBOM requirements, software security vulnerability inspection criteria, the use of government-supported test beds, and how to specify and utilize software components. The guidelines are easy to use and follow, and they also include cases verified through last year’s field-application demonstration project organized by the Korean government.
Large companies, including LG Electronics, are addressing software security vulnerabilities with their own SBOM tools and management procedures. In today’s business environment, software development typically involves the use of OSS and a collaborative system involving multiple partner companies. To ensure the security of the entire software supply chain, it is crucial that each participant plays their role well — taking all necessary steps and using all available tools to prevent security breaches.
For this reason, LG is helping other companies to effectively manage SBOM by releasing the source code of FOSSLight — LG’s in-house developed SBOM tool. FOSSLight can accurately detect a specific piece of OSS, monitor it for security vulnerabilities and retrieve any associated licenses. As an open source governance project, FOSSLight consists of FOSSLight Hub, an integrated system for managing open source, and FOSSLight Scanner, which analyzes open source.
LG’s commitment to ensuring security isn’t anything new. At CES 2024, LG CEO William Cho redefined AI as ‘Affectionate Intelligence’ and shared the company’s aspiration to pursue Responsible Intelligence. LG Shield, the company’s AI-based security system, will be applied to every aspect of customer-data collection, storage and usage, and will also be used to protect the software supply chain.
Ultimately, SBOM enhances an organization’s ability to identify and respond to software security vulnerabilities in advance. In addition to preventing organizational information, digital infrastructure, and customer data from being compromised, SBOM can also improve the overall quality of the software used by companies. Furthermore, because it promotes greater transparency in the software supply chain, SBOM is expected to play an important role in strengthening reliability in overseas markets.
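To make concrete what the component list described earlier actually enables, here is an added example of the basic SBOM workflow: parse a bill of materials, match each component and version against a vulnerability feed, flag entries too incomplete to match, and inventory the licenses. This is illustration code written for this page, not LG's or FOSSLight's code. The SBOM is a constructed, minimal CycloneDX-style JSON document, and the advisory feed, its identifiers and the component names are constructed placeholders rather than real advisories or packages.

```python
"""Cross-reference an SBOM against a vulnerability feed.

Added example, not LG's or FOSSLight's code. The SBOM below is a constructed
minimal CycloneDX-style document; the advisory feed and its identifiers are
constructed placeholders, not real advisories or real packages.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed SBOM: four components, one of which lacks a version and purl.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:generic/example-http@2.4.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-xml", "version": "1.9.0",
     "purl": "pkg:generic/example-xml@1.9.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-crypto", "version": "0.8.3",
     "purl": "pkg:generic/example-crypto@0.8.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "example-util", "licenses": []}
  ]
}
"""

# Constructed advisory feed: each entry names a component and the affected
# version range [introduced, fixed). The ADV-EXAMPLE-* ids are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "example-http",
     "introduced": "2.0.0", "fixed": "2.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "example-xml",
     "introduced": "1.0.0", "fixed": "1.8.5", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-crypto",
     "introduced": "0.9.0", "fixed": "0.9.4", "severity": "medium"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple so ranges compare correctly
    (string comparison would wrongly put "1.10.0" before "1.9.0")."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_text: str) -> List[Dict[str, Any]]:
    """Return the component list of a CycloneDX-style JSON document."""
    return json.loads(sbom_text).get("components", [])


def find_affected(sbom_text: str, advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per (component, advisory) pair whose shipped version is in range."""
    findings = []
    for comp in load_components(sbom_text):
        version = comp.get("version")
        if not version:
            continue  # cannot be matched; reported by check_completeness instead
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(
                version, adv["introduced"], adv["fixed"]
            ):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"]})
    return findings


def check_completeness(sbom_text: str) -> List[str]:
    """Names of components missing a version or purl: such entries silently
    escape vulnerability matching, so an SBOM consumer should flag them."""
    return [c.get("name", "<unnamed>") for c in load_components(sbom_text)
            if not c.get("version") or not c.get("purl")]


def license_inventory(sbom_text: str) -> Dict[str, List[str]]:
    """Map each declared SPDX license id to the components that carry it."""
    inventory: Dict[str, List[str]] = {}
    for comp in load_components(sbom_text):
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic:
                inventory.setdefault(lic, []).append(comp["name"])
    return inventory


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"AFFECTED {f['component']} {f['version']} -> {f['advisory']} ({f['severity']})")
    print("incomplete entries:", check_completeness(SBOM_JSON))
    print("licenses:", license_inventory(SBOM_JSON))
```

Running it reports only example-http 2.4.1 as affected (it lies inside the constructed range, whereas example-xml is already past its fix and example-crypto is below the introduced version), flags example-util as unmatchable because it has no version or purl, and lists the three declared licenses. The completeness check is the part practitioners most often skip: an SBOM entry without a version or package identifier matches nothing, which looks like a clean result rather than a gap.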
This effort was prominently featured in a panel discussion at the OECD Global Forum on Digital Security for Prosperity in July. The panel, titled “Open-source software and vulnerability treatment,” delved into the specific challenges and solutions related to open source software vulnerabilities. The discussion highlighted how both proprietary and open-source software are affected by the reality that increased code complexity often results in more vulnerabilities. The session provided an in-depth exploration of the unique aspects of open-source software and its ecosystem in addressing these issues.
In the future, we hope that the adoption of SBOM will increase throughout the ICT industry, bringing about a safer and more transparent OSS ecosystem that benefits all companies.
* https://www.pwc.com/bm/en/press-releases/pwc-2024-global-digital-trust-insights.html