Ion Channel congratulates Dr. Georgina “George” Shea, director of the Foundation for the Defense of Democracies’ Center for Cyber and Technology Innovation, on the publication of FDD’s report, “A Software Bill of Materials is Critical for Comprehensive Risk Management,” which outlines technical and policy requirements for enterprise use of Software Bill of Materials (SBOMs) and provides a reference implementation for compliance with the SBOM requirement of Executive Order 14028.
As a technical enabler of FDD’s SBOM pilot demonstration, Ion Channel analyzed and produced SBOMs for software capabilities used by the federal government and demonstrated that software with no known vulnerabilities against the named product may contain both known and potential risks in nested software components.
These risks include published vulnerabilities (CVEs), as well as leading indicators of risk including end-of-life components, risky patterns of maintenance and technical debt.
Ion Channel’s platform, which maintains longitudinal maintenance data on hundreds of thousands of open source and proprietary software products and components used in critical infrastructure, also revealed, based on SBOM analysis and monitoring, that these risks shift over time, and may include the emergence of risks that are not detectable by traditional software scanners, composition analysis or endpoint detectors.
“FDD’s pilot demonstrates that an SBOM can give a software customer deep visibility into software risk and the supplier’s security posture and operational risk,” says JC Herz, Ion Channel’s CEO.
“Being able to measure how long a supplier takes to remediate and update software risks will do more to raise security posture than a thousand point-in-time controls. Ongoing analysis of SBOMs is a market mechanism for steering dollars to suppliers who invest in security and active maintenance after the sale.”
“Right now, security is a cost center,” says Herz. “No matter what they tell you, suppliers are incentivized to minimize that cost. The kind of transparency we’re creating, which includes detection of active maintenance and a stopwatch on remediation, can make security into a competitive advantage.”
For more such updates follow us on Google News ITsecuritywire News.