
Does this software package contain vulnerabilities?

In our previous article, we outlined what a software bill of materials (SBOM) is, how it is created, and the benefits of creating and using SBOMs. That article is part of our series of blog posts about the security of the software supply chain.

In this post we look at what to do with an SBOM once you have it, and how to establish whether there are any potentially damaging vulnerabilities (security flaws) lurking in the code that it catalogues.

You have received an SBOM. Now what?

You have received an SBOM together with a code package, or you have received an updated SBOM for a product you already use. Either way, you now have more information than you had before about the components of the code you are using (or are planning to use).

Ideally, you will want to check that code package for vulnerabilities. New vulnerabilities are published all the time, so this is an ongoing process rather than a one-off check.

You could do this by hand, comparing each component (name and version) listed in the SBOM against publicly available lists of vulnerabilities (for example at www.cve.org). That is slow and error-prone, so you will almost certainly automate it using one of the many tools available; the SBOM is designed to be machine readable for exactly this reason.

When you do this, you may find that a large number of vulnerabilities are reported. Most of them, however, may be irrelevant: for example, a known vulnerability (X) exists in component Y, but the code package under consideration is not actually affected by X, because it never calls the vulnerable function or never exposes it to untrusted input. Unless you are very familiar with the structure of the code, you cannot quickly tell which reports are irrelevant and which are a genuine problem, and working that out can be a substantial task.
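The matching step described above, as an added example rather than code from the original article: it reads a CycloneDX-style SBOM, keys each component by its package URL (purl), and checks the component version against introduced/fixed ranges of the kind published in an OSV-style feed. The SBOM, the vulnerability records, the package names and the CVE-style identifiers are all constructed for illustration and are not real; a real run would load the supplier's SBOM and pull records from the NVD, OSV or a commercial feed. Components with no purl are reported separately, because a scan that silently skips them gives false comfort.

```python
"""Match the components in a CycloneDX-style SBOM against vulnerability records.

Added example, not code from the original article. The SBOM, the vulnerability
records, the package names and the CVE-style identifiers below are all
constructed for illustration. A real run would load the supplier's SBOM and
pull records from a feed such as the NVD or OSV.
"""
import json

# Constructed CycloneDX 1.5-style SBOM; only the fields used below are present.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-app", "version": "2.3.0",
                             "purl": "pkg:generic/example-app@2.3.0"}},
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2",
     "purl": "pkg:generic/libfoo@1.4.2"},
    {"type": "library", "name": "libbar", "version": "3.0.1",
     "purl": "pkg:generic/libbar@3.0.1"},
    {"type": "library", "name": "libbaz", "version": "0.9.8",
     "purl": "pkg:generic/libbaz@0.9.8"},
    {"type": "library", "name": "vendored-blob", "version": "7"}
  ]
}
"""

# Constructed vulnerability records, shaped like the introduced/fixed ranges
# in an OSV-style feed. The identifiers are hypothetical, not real CVEs.
VULN_RECORDS = [
    {"id": "CVE-0000-0001", "purl": "pkg:generic/libfoo", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "CVE-0000-0002", "purl": "pkg:generic/libfoo", "introduced": "1.5.0", "fixed": "1.5.2"},
    {"id": "CVE-0000-0003", "purl": "pkg:generic/libbar", "introduced": "0", "fixed": "2.8.0"},
    {"id": "CVE-0000-0004", "purl": "pkg:generic/libbaz", "introduced": "0.9.0", "fixed": None},
]


def parse_version(v):
    """Dotted numeric versions only (a simplifying assumption); pad so 1.4 == 1.4.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def purl_base(purl):
    """Drop the @version, ?qualifiers and #subpath so a purl can be keyed by package."""
    return purl.split("#", 1)[0].split("?", 1)[0].split("@", 1)[0]


def is_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed); fixed=None means no fix has been released."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json, vuln_records):
    """Return (hits, unmatchable).

    hits: sorted (vuln id, purl) pairs for components inside a vulnerable range.
    unmatchable: component names with no purl, which cannot be checked this way
    and need manual review rather than silently passing.
    """
    sbom = json.loads(sbom_json)
    hits, unmatchable = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unmatchable.append(comp["name"])
            continue
        base = purl_base(purl)
        for rec in vuln_records:
            if rec["purl"] == base and is_affected(comp["version"], rec["introduced"], rec["fixed"]):
                hits.append((rec["id"], purl))
    return sorted(hits), unmatchable


if __name__ == "__main__":
    found, unchecked = match_sbom(SBOM_JSON, VULN_RECORDS)
    for vid, purl in found:
        print(f"{vid}: {purl} is in a vulnerable range")
    for name in unchecked:
        print(f"{name}: no purl, review manually")
```

On the constructed data this reports two hits (libfoo 1.4.2 and libbaz 0.9.8, the latter with no fix available) and flags vendored-blob as unmatchable. Both hits are exactly the kind of output the next section is about: the scan says the vulnerable code is present, but cannot say whether the package actually exposes it.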

You might think at this point that all the SBOM is doing for you is making more work, but there is a way forward.

Vulnerability disclosure

Software suppliers can provide you with information about the vulnerabilities their product is known to have, using a VDR, and about those it is known not to be affected by, using a VEX:

  • A VDR (vulnerability disclosure report) is a list of the known vulnerabilities within the associated code package, published by the software vendor. There is no prescribed format, but it should list the vulnerabilities, details about them, the likely impact (what an attacker might be able to do as a result) and the recommended actions to take.

  • A VEX (Vulnerability Exploitability eXchange), provided by the software vendor, is intended to reduce the number of irrelevant alerts, so that you can quickly identify and focus on those vulnerabilities that could actually be a problem for you.

Both have their place, but today we focus on VEX.

What is a VEX?

Where the SBOM is a list of what is included in the package, the VEX states which of the vulnerable components in that package can, in practice, be exploited by an attacker.

Like a VDR, it is a security advisory issued by the software creator describing the vulnerability status of their product. Unlike a VDR, which has no prescribed format, a VEX is machine readable: it is built for integration into security management tools and vulnerability tracking platforms, and intended to support more effective use of SBOMs by clarifying whether a vulnerability identified from the SBOM is likely to affect your business.

Not every vulnerability in a package can be exploited by an attacker. The VEX lists which vulnerabilities are present in the package and, importantly, the status of each one: whether it can be exploited by an attacker in that specific package, and therefore whether it is a risk to your business. It also describes the actions the supplier is taking and/or the actions they recommend you take.

By removing false positives from consideration, a VEX reduces the vulnerability management workload for your business and helps you prioritise the actions that are actually needed.

What is in a VEX?

The VEX issued by the software supplier should contain the following types of information:

  • The product name and version it applies to, with a product identifier, so you know exactly which product is concerned

  • Vulnerability identifiers (for example CVE IDs), possibly with descriptive information, so you can find further details about each vulnerability

  • The status of each vulnerability listed: affected / not affected / under investigation / fixed (patched). This tells you whether that vulnerability can be exploited in that product, or whether to expect more information from the supplier once their investigation is complete

  • If the status is 'affected', an explanation of a potential mitigation for the vulnerability, for example advice to upgrade, or where to find the patch.

  • If the status is 'not affected', an explanation of why the product is not affected. This might be, for example, because the vulnerable code is not executed by the product, cannot be triggered by an attacker, or is already covered by a mitigation.

  • A timestamp for the VEX, so that you can tell which of several statements about the same vulnerability is the current one.

Other information may also be included, such as details of the related SBOM.

What is the point of a VEX?

The point of the VEX is to speed up the identification of exploitable vulnerabilities in the reused components of your code by reducing false positives (and therefore workload).

It provides actionable information to support the management of software supply chain risk.   

As the diagram below shows, the SBOM gives you more information, but you need still more to be able to do something useful with it, and that is what the VEX is intended to provide.

Together, the SBOM and the VEX give you a list of the vulnerabilities in your software package that are actually exploitable. You can then assess the risk each one poses to your business and decide what action to take to mitigate it.
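The triage step described here, and the VEX fields listed in the previous section, as an added example that is not code from the original article or any vendor's tooling. It takes the (vulnerability, product) candidates that an SBOM scan produces and applies a constructed OpenVEX-style document to them. Three practitioner caveats are built in: where several statements cover the same vulnerability, the one with the latest timestamp wins; a 'not affected' statement with no justification or impact statement is not trusted and the vulnerability stays on the action list; and a candidate with no VEX statement at all also stays on the action list, since silence from the supplier is not a clean bill of health. The VEX document, the product purl, the action text and the CVE-style identifiers are all constructed and hypothetical; the status names follow OpenVEX ('fixed' corresponds to 'patched' in the list above).

```python
"""Triage SBOM vulnerability matches with a VEX document.

Added example, not code from the original article. The VEX document
(OpenVEX-style JSON), the product purl, the candidate list and the
CVE-style identifiers are all constructed and hypothetical.
"""
import json
from datetime import datetime

# Constructed OpenVEX-style document from a hypothetical supplier.
VEX_JSON = """
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vendor.example/vex/example-app-2.3.0",
  "author": "Example Vendor PSIRT",
  "timestamp": "2024-05-01T09:00:00Z",
  "version": 2,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "timestamp": "2024-04-20T10:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0004"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "under_investigation",
     "timestamp": "2024-04-20T10:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0004"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "affected",
     "action_statement": "Upgrade to example-app 2.3.1",
     "timestamp": "2024-05-01T09:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0005"},
     "products": [{"@id": "pkg:generic/example-app@2.3.0"}],
     "status": "not_affected",
     "timestamp": "2024-04-20T10:00:00Z"}
  ]
}
"""

PRODUCT = "pkg:generic/example-app@2.3.0"

# Candidates as an SBOM scan would emit them: (vulnerability id, product purl).
CANDIDATES = [
    ("CVE-0000-0001", PRODUCT),   # supplier says not affected, with a justification
    ("CVE-0000-0004", PRODUCT),   # was under investigation, now confirmed affected
    ("CVE-0000-0005", PRODUCT),   # "not affected" but no justification given
    ("CVE-0000-0006", PRODUCT),   # no VEX statement at all
]


def _ts(s):
    """Parse an RFC 3339 timestamp; 'Z' is normalised to an explicit UTC offset."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def applicable_statements(vex, vuln_id, product):
    """Statements about vuln_id whose product list names this exact product purl."""
    out = []
    for st in vex["statements"]:
        if st["vulnerability"]["name"] != vuln_id:
            continue
        if product in [p["@id"] for p in st.get("products", [])]:
            out.append(st)
    return out


def resolve_status(vex, vuln_id, product):
    """Return (status, detail) for one candidate. Latest timestamp wins."""
    sts = applicable_statements(vex, vuln_id, product)
    if not sts:
        return ("unknown", "no VEX statement for this product/vulnerability")
    latest = max(sts, key=lambda s: _ts(s.get("timestamp", vex["timestamp"])))
    status = latest["status"]
    if status == "not_affected":
        reason = latest.get("justification") or latest.get("impact_statement")
        if not reason:   # do not suppress on an unexplained claim
            return ("unknown", "not_affected claimed without justification")
        return (status, reason)
    if status == "affected":
        return (status, latest.get("action_statement", "no action statement"))
    return (status, "")


def triage(vex_json, candidates):
    """Split candidates into (actionable, suppressed) lists of (id, status, detail)."""
    vex = json.loads(vex_json)
    actionable, suppressed = [], []
    for vuln_id, product in candidates:
        status, detail = resolve_status(vex, vuln_id, product)
        entry = (vuln_id, status, detail)
        (suppressed if status in ("not_affected", "fixed") else actionable).append(entry)
    return actionable, suppressed


if __name__ == "__main__":
    todo, done = triage(VEX_JSON, CANDIDATES)
    for entry in todo:
        print("ACTION   ", *entry)
    for entry in done:
        print("SUPPRESSED", *entry)
```

Run against the constructed data, only CVE-0000-0001 is suppressed; CVE-0000-0004 lands on the action list with the supplier's upgrade advice, and the other two stay there as 'unknown' because the VEX either says nothing about them or makes an unexplained claim. That is the list you assess for business risk, and it is much shorter than the raw scan output.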

 


 

What are the benefits of SBOM / VEX?

The obvious benefits of implementing SBOM and VEX are:

  • In general: the standardisation of information about the components of software, and therefore transparency for the consumers of that software.

  • For the consumer: understanding which exploitable vulnerabilities are in the software you are using, and therefore what risks your business faces. You can then decide how to mitigate them.

  • For the developer: the ability to identify and mitigate vulnerabilities in the code being developed, improving the security of the product.

Other benefits include:

  • Faster incident response (because you have more knowledge of the vulnerabilities) 

  • Improved vulnerability management / patch triage (because you can take a risk-based approach) 

  • Provision of evidence for stakeholders conducting due diligence into your business (because you have more information) 

  • Improved customer service

  • Better tracking and verification of software licences

  • Possibly a reduction in the penetration testing required (or at least better targeting of that testing), because you will have more knowledge of the vulnerabilities in the code.

In this series, we have discussed SBOMs and VEX to explain what they are and the purpose they are intended to serve in supporting security in your business.

If you would like more information, or to discuss how CSP could help you with the security of your supply chain (or any other cyber security issues that are worrying you), contact us on 0113 5323763 or via the webform.
