Riaan I-SCSW Isifaniso esivamile uma kukhulunywa nge-software bills of materials (ama-SBOM) wuhlu lwezithako ezitholakala emaphaketheni okudla azisa abathengi ukuthi yini ekumachips amazambane asebezowadla.
Ngokufanayo, an I-SBOM iwuhlu lwezingxenye zocezu lwesofthiwe, ithuluzi elibalulekile ngesikhathi lapho izinhlelo zokusebenza ziyiqoqo lekhodi elivela emithonjeni eminingi, eminingi evela ngaphandle kwethimba lokuthuthukisa inhlangano.
“Uma kukhulunywa nge-SBOM, kubaluleke kakhulu [as the nutrition labels on food] ngoba ubungozi abukho empilweni yakho engokomzimba kepha buyingozi ebhizinisini lakho, ”kusho uMark Lambert, iphini likamongameli wemikhiqizo kwa-ArmorCode. Irejista. “Ingozi ongase udalule kuyo ibhizinisi lakho uma usebenzisa isofthiwe ukuthi awuqondi ukuthi iquketheni.”
Uma lokho kwenzeka, “u … uzibeka engozini ongaphezu kwamandla akho. Uma ungabonakali kulokho, ngeke ukwazi ukuthatha izinyathelo zokuphepha ukuze uqiniseke ukuthi awuvezwanga ngokweqile.”
Kungakho ama-SBOM eminyakeni embalwa edlule abe yisizinda sokwanda software supply chain isithombe sokuphatha njengoba amazinga osongo enyuka. Ngokusetshenziswa okukhulayo kwesofthiwe yomthombo ovulekile kanye nezingxenye zesofthiwe ezisebenziseka kabusha, iminikelo evela emithonjeni eminingi, i-tempo yokukhishwa kwekhodi esheshayo, kanye namapayipi okuhlanganiswa okuqhubekayo kanye nokulethwa okuqhubekayo (CI/CD), ukuthuthukiswa kwesimanje kuye kwaba ngokushesha futhi okuyinkimbinkimbi.
“Njengoba uchungechunge lokuhlinzekwa kwesoftware luba nzima kakhulu, kubalulekile ukwazi ukuthi yimuphi umthombo ovulekile owusebenzisa ngokungaqondile njengengxenye yemitapo yolwazi, izinsizakalo, ama-API, noma amathuluzi ezinkampani zangaphandle,” kusho uLambert.
Abakhohlakele bayazi ukuthi ngokujova ikhodi enonya nganoma isiphi isikhathi kunqubo yokuthuthukiswa noma ukuxhaphaza ubungozi engxenyeni, bangakhuphukela phezulu futhi bathelele i-sysytem eminingi, njengoba kubonakala ku-multiple sysytem. Ukuphulwa kweSolarWinds ngo-2020 kanye nokuhlukunyezwa kwe- Iphutha le-Log4j.
Isidingo sokwazi
Ama-SBOM nawo ayiphuzu elibalulekile ohlelweni lukazwelonke lokuvikeleka ku-inthanethi olwakhiwe yi-Biden Administration kanye khululiwe kuleli viki. Abagcini nje ngokutshela izinhlangano ukuthi yiziphi izingxenye ezakha isofthiwe abaza nayo, kodwa nokuthi iyiphi ikhodi elapho.
Ama-SBOM aqinisekisa ukuthi “awazi kuphela izithako zesofthiwe yakho, kodwa futhi izithako zalezo zithako, ngezinye izikhathi ezibizwa ngokuthi i-transitive dependence,” uDonald Fischer, umsunguli kanye ne-CEO ye-Tidelift, utshele. Irejista. “Emthonjeni ovulekile, amaphakheji amaningi abiza amanye amaphakheji, okungenzeka noma awazi ukuthi uyawasebenzisa, futhi ama-SBOM angakusiza ukuthi uqonde ngokugcwele lobu budlelwano.”
Ukutholwa kwe- I-Apache Log4j iphutha ngoDisemba 2021 lathumela ukushaqeka emhlabeni wonke ngenxa yokuthi ithuluzi lokugawula elalisetshenziswa kabanzi lalisetshenziswa kabanzi ukuze kubekwe engcupheni izinhlelo ezisengozini ngomjovo owodwa wekhodi enonya.
Ukusetshenziswa kwayo bekubanzi kangangokuthi kwathinta izinhlangano eziningi, eziningi zazo ezazingazi ukuthi ziyathinteka. Phakathi namasonto ambalwa ubungozi buvela, kwaba khona imibiko kwezigidi ezingu-10 ze-Log4j zixhaphaza imizamo ngehora.
“I-Log4j isetshenziswa ku-software eminingi,” kusho u-ArmorCode’s Lambert, wengeza ngokuthi igqamisa isidingo sama-SBOM. “Nini [the flaw in] I-Log4j ikhonjiwe, sonke sachayeka khona manjalo ekubeni sengozini. I-Log4j ibeka yonke into ekugxilweni okubukhali. Inkinga isinesikhathi ikhona.”
Ama-SBOM afika endaweni yesigameko
Umbono we-SBOM usemusha. Kuvele ngo-2018 neNational Telecommunications and Information Administration, uphiko loMnyango Wezolimo wase-US, onamazinga ashicilelwe eminyakeni emithathu kamuva. UMongameli Biden I-Executive Order ngoMeyi 2021 wacela uhulumeni wobumbano ukuthi athuthukise ukuphepha kwawo kwe-IT ngemuva kweSolarWinds kanye ne-Log4j, zombili ezithinte izikhungo zikahulumeni.
“Njengalokho okwenzeka ngokuvamile, i-EO ikhuphule i-SBOM kusukela esicini esihle sokuba nayo kuya kwisixazululo esiyisibopho manje esihlolwayo kuzo zonke izinhlaka zikahulumeni namabhizinisi amakhulu,” kubhala umhlaziyi omkhulu wocwaningo lwe-TAG Cyber uJohn Masserini. okuthunyelwe kwebhulogi okweReversingLabs.
Inselele ukuthi ukusebenzisa nokuphatha ama-SBOM kuyinto eyenziwa ngesandla, okuyizindaba ezimbi kubaphathi nabathuthukisi. Ukushuba kwesimo esiqhubekayo lapho kukhulunywa ngokuvikeleka kochungechunge lokuhlinzekwa kwesofthiwe kuqinisekisa ukuthi izimfuno zokuphepha azivimbeli isivinini esikhulayo sokuthuthukiswa kwesofthiwe yesimanje.
Okuzenzakalelayo kuyisihluthulelo
Yingakho ukuzenzela inqubo ye-SBOM kubalulekile. I-NIST ejwayelekile ihlanganisa izici eziningi, kusukela kungxenye yesofthiwe esetshenzisiwe kanye nomphakeli wayo kuya kuzinombolo zenguqulo nokufinyelela endaweni yokugcina yengxenye. Amaleveli enguqulo kufanele ahlolwe kuqhathaniswa namaleveli okukhululwa, izinsongo ezingaba khona ezitholakele, futhi kunqunywe ubungozi.
“Ukukhulula izinhlelo zokusebenza ezinkulu, kusukela kumasistimu okusebenza omthombo ovulekile, kuya kuzinhlelo zokusebenza ezithuthukisiwe zangaphakathi, kuya kuzitaki zenkampani yangaphandle ‘ezigoqekile’ kugcwele izinselele zomongo, izindlela zokusungula, nokuqinisekisa okwenziwa ngesandla, konke okuthambekele ekwenzeni iphutha, “Kubhala uMasserini.
Yize inqubo yokuhlonza kanye nokubika izinkinga ididiyelwe, “ayibheki indaba yokugcinwa kwalolu hlu mathupha kanye nokuqinisekisa ngokuqhubekayo okuqukethwe kwayo,” usho kanje.
Ukuzenzakalela kufanele kufakwe kuzo zonke izinyathelo zenqubo, kusukela ekukhiqizeni nasekushicileleni ama-SBOM kuya ekuwadleni – bese iletha ukulungiswa kobungozi ezinhlelweni zabo zamanje zokuphepha ngaphandle kokuthi basebenzise ukugeleza komsebenzi okusha, kusho u-Lambert.
Okufanele ukwenze ngama-SBOM
Kukhona okunye okucatshangelwayo. Ama-SBOM aletha ulwazi oluningi, kodwa izinhlangano kudingeka zinqume ukuthi zizolusebenzisa kanjani. I-“SBOM” iyindlela elula yokubamba-yonke isethi ebanzi yezinkinga ze-software supply, kusho uFischer kaTidelift.
Futhi bayingxenye yenqolobane enkulu yobuchwepheshe bokuphepha be-supply chain, njenge-SLSA (Supply chain Levels for Software Artifacts), uhlaka lokuqinisekisa ubuqotho be-software yobuciko kulo lonke uchungechunge lokunikezela oluzalwa ngaphakathi. Ithuluzi le-Google futhi manje a iphrojekthi yemboni okufaka izinhlangano ezifana ne-Intel, i-VMware, i-Linux Foundation, kanye ne-Cloud Native Computing Foundation.
“Ama-SBOM ngokwawo awalona inhlamvu yesiliva,” usho kanje. “Kufanele siqonde ukuthi zisebenza kahle kuphi futhi zingasetshenziswa kuphi. Ziyakwazi ukukusiza ukuthi uqonde izingxenye ezingena ku-software yakho. Aziwusizo kangako ekuthuthukiseni iphrofayili yokuphepha yalezo zingxenye.”
Kunamafomethi ambalwa abalulekile ajwayelekile we-SBOM – I-Software Packet Data Exchange (SPDX), i-CycloneDX, ne-Software Identification (SWID) Ukumaka.
Okudingekayo manje ukuhwebelana okuvikelekile nokuphakathi nendawo lapho izinkampani zingabelana ngolwazi mayelana namaphutha, kusho uLambert. Ukuba nedatha ye-SBOM kuyasiza, kodwa uma ubungozi buvezwa, ukuxhumana ngakho kuseyiphuzu nephuzu futhi lolo lwazi ludinga ukwabiwa ngokushesha nangokubanzi, waphawula.
Khokha abanakekeli
Olunye udaba oluvelayo ukuthi ama-SBOM nokunye kusho umsebenzi omningi kulabo abagcina isoftware yomthombo ovulekile esetshenziswa ezinhlelweni eziningi, kusho uFischer. Futhi iningi labanakekeli – amaphesenti angama-60, ngokusho kukaFischer – awakhokhelwa, empeleni angamavolontiya.
“Ngokujwayelekile abanakho ukuhleleka, ingasaphathwa eyesisusa, sokubhekana nezinhlu ezinde zezinqubo zentuthuko ezivikelekile,” esho. “Uma kuqhathaniswa nesizinda sokukhulisa ukunaka kukahulumeni kanye nezimboni ekuvikelekeni kwe-inthanethi ngenxa yobungozi obuphezulu obufana nalokhu obuthinte i-SolarWinds ne-Log4j, izimfuno kulawa basebenzi bokuzithandela zikhula kakhulu.”
Ukuthuthukisa ukuvikeleka kudinga amathuluzi – njengama-SBOM – nabantu. Sekuyisikhathi sokuqala ukukhokhela abalondolozi bemithombo evulekile njengezinkampani ezenza noma ngubani omunye obhekele ukuphepha kwesoftware.
Ama-SBOM, njengamathuluzi amaningi asetshenziselwa ukuvikela uchungechunge lokunikezela, asemusha futhi adinga ukuvuthwa. Uma kubhekwa isivinini lapho izigebengu ziqhamuka khona nezindlela zokuhlasela uchungechunge lokunikezela, lapho ukuvuthwa kwenzeka ngokushesha, kuba ngcono.
“I-SBOM inendlela okufanele ihambe ngayo, kodwa yisixazululo esihle,” kusho uLambert. “Ukuba nezinga akukubi. Ukungabi nezindinganiso kuyinkinga.” ®
