Following the increase of supply chain attacks, Karamba has recently launched a free Software Bill of Materials (SBOM) analysis and free relevant CVE alerts tool. In this blog post we will explain why it is the right time to manage an SBOM and stay on top of new vulnerabilities.
Software supply chain attacks are becoming a preferred attack vector for organized crime. SolarWinds, Microsoft, CodeCov, Kaseya and quite a few others were used by organized crime and nation-state attackers as conduits through which they attacked multiple customers of those companies, by exploiting software vulnerabilities that the attackers discovered and, in some cases, even maliciously and actively introduced.
Before attackers started weaponizing this vector, there was already a major blind spot in security programs: vulnerabilities in 3rd-party code and applications originating in the supply chain. Those vulnerabilities were not intentionally introduced; they originated from developer error and from the convoluted supply chains of many software providers, which complicate the process of identifying 3rd-party components and updating them when a vulnerability is discovered.
When those vulnerabilities are a blind spot for a software vendor, they are in turn unknown to its customers as well, leaving everybody exposed to easy attacks.
In light of those attacks and vulnerabilities targeting many US companies and government agencies, the White House issued an Executive Order (EO) on May 12, 2021 requiring a tightening of supply-chain-related cyber security measures.
An important component in this effort is identifying commercial software components and their associated vulnerabilities for the end customer. A document specifying this information – a Software Bill of Materials (SBOM) – will become mandatory.
In response to the recent attack patterns and the EO, we at Karamba Security have decided to support our industry’s efforts, and we are making VCode – the Binary Analysis component of our Lifecycle Product Security suite – available for free, allowing SBOM generation as well as registration for CVE update notifications. By making this service free, and easy to use, we hope that it will help Product Security Officers gain better visibility into their supply chain, and that it will allow many vendors to improve their security posture and acquire new business.