IOTCUBE CEO Jinseok Kim : “US starts to mandate SBOM, Korea should prepare too.”

Software (SW) use has been so pervasive across all industries that it would be irrelevant to distinguish the ones who use to the ones who don’t. Although, one can positively evaluate the progression of SW supply, concerns have also risen, in terms of cybersecurity, due to the hacker’s attack area expansion.

To prevent hacking damage, voices are calling for a systematic management of the source code constituting SW. In particular, with the increased use of open source, a majority of companies cannot properly grasp which part of code belongs to which source code. Therefore, they argue that even if vulnerabilities are detected in open-source SW, they are not immediately remediated.

In the future, as SW is expected to have a greater presence in in all industry, the countermeasures to solve these security issues are urgently needed. That is where Software Bill of Materials (SBOM) has emerged. SBOM is all the information contained in all the SW components, such as open-source or library. When source-code related security issues are reported, companies and institutions can quickly respond. It gives a real advantage to systematically being able to examine not only security management but also compliance with open-source licenses.

In an interview, IOTCUBE CEO Jin-Seok KIM argued that SBOM should be institutionalized to strengthen cybersecurity capabilities in Korea. Yet very few companies in Korea are interested in source-code components and their systematic management. However, he also explained that its advantages are great, including the transition from a post-security system in response to cyberattacks to a security system that block potential attack in advance, a risk management based on open-source use and a smooth targeting of overseas SW industries.

IOTCUBE CEO Jinseok Kim

IOTCUBE has released last 18th its version 2.0 of its open-source vulnerability detection solution “Labrador OSS”. In lieu of only detecting security threats based on vulnerabilities known as common security vulnerability and exposure (CVE), 2.0 provides SBOM features. It analyses code snippets in files components and function components, detects hidden security vulnerabilities withing sub-components and modified open source.

IOTCUBE CEO Jin-Seok KIM mentioned the security threats posed by the dependency of open source as the reason for the need for SBOM:

“The number of common vulnerability exposures items (CVE) is known to be around 150,000. These vulnerabilities penetrate open source. When a software called A is using an open source called B, and B uses another open source called C. If a CVE exists in C, even if A is updated from time to time, the vulnerability will remain.”

Labrador OSS source-code analysis results

SBOM is also helpful in terms of sensitive management of open-source licensing issues.

“Companies are disclosing the details of their open-source but in general they only display and select the licenses that they are obligated to disclose. Regardless the duty of notify, there is a complete difference between the case of fully grasping the details of used open-source and only grasping the license that must be notified. There are many instances where open source is not used as is but is only partially imported or modified, making it not easy to manage and retrieve later. Even though it is difficult, it is an area where management is necessary”, Jinseok said.

The fact is that if use open source is later embroiled in a legal dispute, secure alternative source code and the possibility of a large loss or threat should always be taken into account in business operations.

The US, that recently suffered a major hacking accident due to a “Supply Chain attack” targeting SW used by companies and institutions, is stepping up efforts to quickly spread the introduction of SBOM to strengthen cybersecurity. Last May, the government has mandated, with an executive order, the provision of SBOM for all devices supplied to the government; system currently piloted in the energy and medical sectors.

Original article link :
https://zdnet.co.kr/view/?no=20210820124158