Cisco is proud to announce the general availability of an entirely new capability in the software industry and a first for Cisco: the distribution of SPDX-formatted Software Bill of Materials (SBOMs). SBOMs are a crucial step forward in providing visibility and ultimately, greater resilience across the entire software supply chain. As of June 2023, most customers and partners can request an SBOM for any supported on-premise Cisco software released after September 2022.
I have blogged about Cisco’s commitment to transparency, specifically our support for SBOMs and our desire to collaborate across the software community to build the next generation of transparency. Today, Cisco stands ready to distribute SBOMs. This comes before other large technology vendors, ahead of the forthcoming government mandates, to customers outside of the public sector, and in a standardized, machine-readable format. Considering the shared complexities across the software industry, this is an important moment to recognize in our march toward software transparency that reduces risk.
The idea of an SBOM is deceptively simple, a machine-readable data format for organizing metadata describing the composition of software artifacts. SBOMs document the third-party software components contained in a downloadable software image. Cisco customers can download and use software in many ways, including client applications that run on end-user devices (e.g., Cisco Secure Client with AnyConnect), hardware-based appliances with applications running on Cisco-maintained operating systems (e.g., Identity Services Engine), virtualized applications that run in customers’ data centers or public cloud environments (e.g., Intersight), and network operating systems that power Cisco routers, switches, and firewalls (e.g., IOS XE, IOS XR, Nexus OS, FTD). The pervasiveness and scale of software across networks combined with decades of software evolution highlights the incredible complexity that SBOMs are attempting to overcome.
The novelty of SBOMs is in standardizing how dependency metadata is documented; Cisco can make software dependency information which was previously only used internally useful for customers and organizations beyond Cisco. Sharing SBOMs across organizational boundaries provides customers with visibility into a software vendors’ upstream dependencies. Distributing SBOMs to our customers and partners underscores Cisco’s commitment to software transparency that both improves software supply chain resiliency and reduces cascading risk.
I often describe the software supply
chain graph to illustrate the complexities that make documenting SBOMs an intricate problem shared across the software industry. Several factors have contributed to Cisco’s ability to deliver on this commitment, which we believe will help your organization to adopt SBOMs:
- Strong Foundation: For more than a decade, an internal ecosystem of tools and processes has managed Cisco’s third-party software. At Cisco SBOM requirements are part of the Cisco Secure Development Lifecycle policy. Start by defining your internal policies for third party software risk management and compliance.
- Standardized Approach: Cisco supports the development of SBOM-related standards, including SPDX, CSAF, and OmniBOR. We have improved internal tools supporting these external standards and have set internal standards to ensure quality and consistency in the SBOMs we distribute. Start by defining the process you will use across your organization; at Cisco we refer to this as the SBOM workflow.
- Centralized Services: New investments across Cisco have enabled the centralized development of capabilities that any engineering team can use to reduce duplication of SBOM tools and services and to accelerate SBOM adoption. Start by identifying the distinct types of software your organization distributes and creating requirements for centralized services to support all your software distribution types.
- Unified Commitment: A collaborative rollout of SBOMs across multiple engineering organizations at Cisco underscores our focus to meet our customers’ needs. Start by gaining support from organizational leaders; at Cisco we regularly communicate updates to engineering and security leaders.
While this is a significant step forward, industry is early in this SBOM journey, and at Cisco we continue to identify areas to improve. To accelerate adoption, SBOMs must be natural biproducts of the software build process. Software build environments are the manufacturing lines for products. Breaking the build process by instrumenting new tools or updating libraries can have significant economic repercussions. It will take time for SBOM tooling to become stable, scalable, and available across programming languages, version control systems, compilers and linkers, CI/CD and pipeline automation tools, and packaging ecosystems. General availability of these tools is necessary to minimize human intervention as we aim to improve the accuracy and completeness of SBOMs.
Additional work in standardizing the distribution, consumption, and analysis of SBOMs alongside other datasets is also necessary. We welcome your comments and encourage you to consider the following two questions:
- How are you adopting SBOMs in your organization?
- What is your biggest priority as SBOMs continue to gain traction?
Learn more about SBOMs at Cisco.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels