In the wake of the discovery and remediation efforts surrounding the Log4Shell vulnerability in the Apache Log4j logging library, the Cybersecurity and Infrastructure Security Agency (CISA) called for efforts to push forward the software bill of materials (SBOM). Those calls were reiterated today at a Senate hearing on the vulnerability by industry witnesses involved in the remediation efforts.
At a Senate Homeland Security and Governmental Affairs hearing, Chairman Gary Peters, D-Mich., expressed his ongoing concerns about the vulnerability, and witnesses explained how SBOMs would aid in quicker remediation of future vulnerabilities.
“The weakness in log4j is just one example of how widespread software vulnerabilities, including those found in open-source code, or code that is freely available and developed by individuals, can present a serious threat to our national and economic security,” Peters continued.
David Nalley, president of the Apache Software Foundation, explained that the Log4j library has been around since 2001 and can be used to record a computer’s operating events, and that it is found in “storage management software, software development tools, virtualization software and (most famously) the Minecraft video game.”
Nalley said that despite the vulnerability, open-source software should not bear the brunt of the blame. He credited open-source projects like the Log4j library with solving problems widely shared across the community, “enabling faster innovation.”
“Open source is not simply a large component of the software industry – it is one of the foundations of the modern global economy,” Nalley told the committee. “Whether they realize it or not, most businesses, individuals, non-profits, or government agencies depend on open source; it is an indispensable part of America’s digital infrastructure.”
“Every stakeholder in the software industry – including its largest customers, like the Federal government – should be investing in software supply chain security,” he emphasized. “While ideas like the Software Bills of Materials won’t prevent vulnerabilities, they can mitigate the impact by accelerating the identification of potentially vulnerable software. However, the ability to quickly update to the most secure and up-to-date versions remains a significant hurdle for the software industry.”
President Biden’s cybersecurity executive order called for work on SBOMs, and the Log4j vulnerability just amplified those calls. The call for SBOMs was also shared by Sen. Jacky Rosen, D-Nev., who asked whether legislation requiring SBOMs for any Federal contractors looking to do business with the Federal government
“President Biden’s executive order on improving the nation’s cybersecurity is pushing our Federal agencies to adopt the software bill of materials,” Rosen said. “It contains the details in the supply chain relationships, but basically, we have that in our lives every day. Look on the backs of any box of food in your pantry and you’ll see a list of ingredients. We look on any sweater you’re wearing or jacket it has a list of materials in your clothes.”
Trey Herr, the director of the Cyber Statecraft Initiative at the Atlantic Council, agreed with Sen. Rosen when asked if such legislation would be helpful. Herr said that requiring SBOMs for contractors “should be a basic condition of doing business.”
“The expansion, and formalization, of the Software Bill of Materials as a leading mechanism for software supply chain transparency are nothing but encouraging,” Herr said in his prepared statement.
“SBOMs, if widely used and rigorously implemented, will provide policymakers, vendors, and most importantly software consumers a necessary wealth of information about the products and services they depend on,” he added. “These bills of materials can tell organizations a great deal about the composition of the software we use and provide information for broader risk assessment and management efforts.”