What Is a Cryptographic Bill of Materials or CBOM?
A Cryptographic Bill of Materials (CBOM) is a comprehensive inventory of all cryptographic assets, tools, or components used in a software application, hardware system, or other IT infrastructure.
Just as a Software Bill of Materials (SBOM) lists the software components, libraries, and dependencies of an application, a CBOM gives transparency into the cryptographic algorithms, key lengths, protocols, certificates, and libraries built into or used by the application.
A CBOM captures and provides a documented inventory of the cryptography in the environment. With organizations moving toward encryption and cryptographic security around sensitive data, the number and complexity of cryptographic assets can grow exponentially.
The CBOM assists security teams, compliance teams, and auditors: it maintains an understanding of the cryptographic health of a system, identifies unsafe or outdated cryptographic implementations, and tracks compliance with standards such as NIST, PCI-DSS, HIPAA, or GDPR.
The CBOM takes organizations a step closer to crypto-agility by allowing them to address cryptographic vulnerabilities and vulnerable cryptographic practices faster, which helps uphold and apply robust security best practice.
Elements of a Cryptographic Bill of Materials (CBOM)
Cryptographic Algorithms
A CBOM starts with a list of the cryptographic algorithms being used in the organization, including symmetric algorithms such as AES (Advanced Encryption Standard), followed by asymmetric algorithms such as RSA, ECC (Elliptic Curve Cryptography), DSA, etc., together with hashing algorithms including SHA-256 or SHA-3.
Once the algorithms are documented, the organization has an immediate opportunity to compare the prevalence and strength of its cryptographic mechanisms.
For example, the CBOM may show that the organization is using outdated or deprecated algorithms such as SHA-1 or MD5, indicating a likely weakness.
This information can then be passed to security teams for adjustment and migration to stronger options. In addition, documented algorithms can fulfill compliance obligations that reference FIPS-validated or NIST-endorsed cryptographic standards.
Key Sizes and Parameters
The strength of any cryptographic algorithm is directly related to the key size and configuration used. A CBOM should document the key length of every encryption and signing key in use.
For example: AES-128, AES-256, RSA-2048, RSA-4096, or the ECC curve secp256r1. Other parameters include values used during encryption or hashing, such as initialization vectors (IVs), salt values, and padding schemes.
These are important for compliance with cryptographic standards and for understanding the amount of risk you may be taking on with encrypted data exposure.
If the key lengths are weak or the configuration was done improperly, encryption of sensitive data may not be enough to withstand today’s attacks.
A properly maintained CBOM will assist teams in standardizing key policies throughout their organization and in eliminating insecure implementations.
Certificates and Certificate Authorities
Digital certificates are a key element of secure communications and identity assertion. A CBOM provides a manifest of all digital certificates in use, whether SSL/TLS certificates, code-signing certificates, document-signing certificates, S/MIME certificates, or other types.
This section covers the certificate subject, issuer (Certificate Authority), serial number, expiration date, key usage, and the certificate chain, including root and intermediate CA information.
It also records each certificate’s revocation status as reported by CRL or OCSP. Tracking certificates helps prevent service disruptions due to expired certificates and helps identify unauthorized or rogue certificates.
This area is a significant part of certificate lifecycle management, enabling automated renewal and replacement processes.
Protocols and Standards
Protocols determine how cryptographic algorithms are used. In a CBOM, this section identifies the cryptographic protocols in use, such as TLS (Transport Layer Security), SSH (Secure Shell), IPsec (Internet Protocol Security), S/MIME, and PGP.
It also captures protocol versions, cipher suites, handshake settings, and session parameters.
For example, TLS 1.2 with strong cipher suites is secure, whereas TLS 1.0 or SSL 3.0 is NOT secure and DOES NOT conform to security standards.
This information is particularly useful for confirming that communication channels are secure and valid at the time of use.
This information can help determine whether various standards, such as FIPS 140-3 or ISO/IEC 19790, are being followed.
Cryptographic Libraries and SDKs
Most applications rely on third-party cryptographic libraries or Software Development Kits (SDKs) to provide the encryption, decryption, and signing operations they need.
Examples of common libraries include OpenSSL, Bouncy Castle, Microsoft CNG, WolfSSL, and libsodium. If you have a CBOM, it is advisable to list the libraries you are using, along with version numbers and configuration details.
This is especially useful when dealing with vulnerabilities, as older library versions commonly carry known security flaws. For example, a certain version of OpenSSL was affected by the Heartbleed vulnerability.
By keeping track of libraries, the organization has a quicker indication when a new threat surfaces and a more reliable indication of whether they need to apply any patches or updates. A library list is also helpful for code reviews, software audits, and compliance reviews.
Use Cases of CBOM
Regulatory Compliance and Auditing
One of the most important use cases for a Cryptographic Bill of Materials (CBOM) is regulatory compliance: adherence to standards like GDPR, HIPAA, PCI DSS, FIPS 140-2, and other regulatory frameworks that govern cryptographic protections.
Regulations and standards generally look more favorably on organizations that apply robust cryptographic protection to sensitive data.
Compliance requires organizations to be able to provide evidence that the cryptographic components used in their products (e.g., algorithms, key sizes, certificates, cryptographic libraries) comply with government/regulatory agency-approved standards.
A CBOM provides a clear accounting of these cryptographic components and a record of good cryptographic practice, supporting audits and evidence of compliance with government and regulatory agency standards.
A CBOM is a catalog of critical cryptographic assets and how they are configured to assure security teams that they are using secure industry standard practices.
When auditors assess compliance against relevant government standards, it is preferable that they can reference the CBOM quickly rather than having to inspect every security control and attribute individually.
By referring to the CBOM, the auditor can readily assess whether the organization’s security controls meet the standard being assessed, keeping the organization in compliance with its operating requirements and avoiding penalties for non-compliance.
Vulnerability Management and Risk Assessment
Cryptographic vulnerabilities pose high risks to an organization’s security posture. They arise, for example, from weak algorithms and from libraries that have reached end of life and are no longer supported or maintained.
A CBOM is vital for a vulnerability management program. The CBOM provides an inventory of cryptographic components used by an organization’s technology.
Security teams can regularly validate the cryptographic algorithms in use, their configurations, and the libraries associated with them, to identify weaknesses that might expose systems to attack.
For example, if SHA-1 appears in the CBOM and is allowed to remain, every technology in the organization that relies on it is potentially exposed to breach, since SHA-1 has been deprecated and is not permitted for new implementations.
The CBOM also helps because vulnerabilities keep being found in libraries that were previously thought to be reasonably secure against compromise by adversaries.
By profiling which libraries are in use, along with their required update and patch status, the CBOM allows organizations to mitigate these vulnerabilities and keep their systems intact and defensible.
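As an added example (not code from the original article or from Certera), the block below holds a small CBOM inventory covering the element types described earlier (algorithms, key sizes, certificates, protocols, libraries) and runs the kind of policy check this section describes: flagging deprecated algorithms such as SHA-1, undersized keys, TLS 1.0, expired certificates, and library versions that need patching. The record layout, the policy thresholds, and every value in the sample inventory are assumptions constructed for the example.

```python
# Policy checks over a CBOM inventory. Added illustration, not a real tool: the record
# layout is an assumed, simplified format rather than any standard schema, and every
# value below (systems, serials, versions, advisory entries) is constructed sample data.
from datetime import date

SAMPLE_CBOM = [
    {"type": "algorithm", "name": "AES", "key_size": 256, "used_by": "vault-service"},
    {"type": "algorithm", "name": "RSA", "key_size": 1024, "used_by": "legacy-signer"},
    {"type": "algorithm", "name": "SHA-1", "used_by": "artifact-checksum"},
    {"type": "algorithm", "name": "ECDSA", "curve": "secp256r1", "used_by": "api-gateway"},
    {"type": "protocol", "name": "TLS", "version": "1.0", "used_by": "billing-api"},
    {"type": "protocol", "name": "TLS", "version": "1.2", "used_by": "api-gateway"},
    {"type": "certificate", "subject": "CN=billing.example.test", "issuer": "CN=Sample CA",
     "serial": "0A1B2C", "not_after": "2024-01-15", "used_by": "billing-api"},
    {"type": "library", "name": "OpenSSL", "version": "1.0.1-sample", "used_by": "billing-api"},
]

# Policy thresholds: deprecated primitives, minimum key sizes, and protocol versions that
# fail current standards. An organization would substitute its own standard here.
DEPRECATED_ALGORITHMS = {"MD5", "SHA-1", "DES", "3DES", "RC4"}
MIN_KEY_SIZE = {"RSA": 2048, "DSA": 2048, "AES": 128}
INSECURE_PROTOCOLS = {("SSL", "3.0"), ("TLS", "1.0"), ("TLS", "1.1")}
# Hypothetical advisory feed: (library, version) pairs that need patching.
VULNERABLE_LIBRARIES = {("OpenSSL", "1.0.1-sample")}

def check_cbom(cbom, today_iso):
    """Return (system, finding) pairs for every record that violates the policy."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rec in cbom:
        system, kind = rec["used_by"], rec["type"]
        if kind == "algorithm":
            if rec["name"] in DEPRECATED_ALGORITHMS:
                findings.append((system, f"deprecated algorithm {rec['name']}"))
            minimum = MIN_KEY_SIZE.get(rec["name"])
            size = rec.get("key_size")
            if minimum is not None and (size is None or size < minimum):
                findings.append((system, f"{rec['name']} key size {size} below {minimum}"))
        elif kind == "protocol":
            if (rec["name"], rec["version"]) in INSECURE_PROTOCOLS:
                findings.append((system, f"insecure protocol {rec['name']} {rec['version']}"))
        elif kind == "certificate":
            if date.fromisoformat(rec["not_after"]) < today:
                findings.append((system, f"expired certificate {rec['subject']}"))
        elif kind == "library":
            if (rec["name"], rec["version"]) in VULNERABLE_LIBRARIES:
                findings.append((system, f"vulnerable library {rec['name']} {rec['version']}"))
    return findings

def affected_systems(cbom, today_iso):
    """Systems to triage first: every system with at least one finding."""
    return sorted({system for system, _ in check_cbom(cbom, today_iso)})
```

Because each record carries the system that uses the asset, the same inventory answers the incident-response question of which systems are affected once an advisory names a library or algorithm.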
Supply Chain Security
Modern software depends not only on the source code its developers write, but also on third-party libraries, tools, and platforms that implement cryptographic operations.
This introduces security risks because if a third-party component has a vulnerability, then the entire ecosystem is put at risk.
When managing supply chain security, a CBOM is very valuable because it provides detailed visibility into all external cryptographic dependencies.
By documenting all of the components, with version numbers and configurations, organizations can monitor and understand when known vulnerabilities exist in third-party libraries.
When a known vulnerability is found in a library, the CBOM gives the organization much more clarity for determining the extent of exposure and applying patches or fixes to avoid compromising security.
Deciding on how to manage or eliminate exposure from cryptographic dependencies allows organizations to mitigate risks from supply chain attacks.
Incident Response and Forensics
Having a quick and efficient incident response process is vital for any organization that experiences data breaches or other security incidents.
A CBOM is helpful during the incident response process because it provides information regarding the cryptographic component involved in the protection of sensitive data.
For example, if a security team determined that an attacker had exploited a vulnerability in a cryptographic algorithm or library on a CS-5, the CBOM could give them the information needed to quickly find affected systems and decide whether any encryption keys or certificates needed to be revoked.
During a forensic investigation, the CBOM can show the security team how assets were using cryptographic tools across various systems and applications.
The CBOM can assist them in determining how the breach happened and the data that was compromised. Identifying and remediating weaknesses quickly underpins the organization’s ability to limit the damage and immediately restore a secure environment.
Software Development and Secure Coding
When developing software, strong cryptographic precautions are always advisable for building secure applications.
Creating a CBOM is an effective way to give software developers and security engineers an accurate inventory of the cryptographic elements in use.
A process that supports secure cryptographic practice for developers from cradle to grave is therefore achievable by incorporating a CBOM.
By including a CBOM in the internal development process, organizations can track the cryptographic algorithms, key sizes, and libraries used in a codebase, and keep the security of those components up to date.
For example, if a cryptographic library has received few security patches and a new version is released, the CBOM gives developers a map of where in the project that library is used and can be upgraded.
This allows developers to integrate and demonstrate a proactive process that can reduce the risk of insecure or outdated cryptography being introduced during the software development lifecycle, improving the overall security posture of the application.
How Does a CBOM Help Improve Your Security Posture?
A Cryptographic Bill of Materials (CBOM) is very important for improving security posture by providing granular visibility into the cryptographic components in an organization’s systems and how they are used.
Having a complete CBOM in place allows organizations to quickly understand what cryptographic algorithms, libraries, keys, and certificates are in use, and if their usage aligns with industry-recommended practices.
With a current inventory of all cryptographic components being utilized, security teams can quickly assess if there are aspects that are outdated or insecure – such as deprecated algorithms or unpatched OpenSSL library – and replace them with more secure implementations.
By doing this, the organization will reduce, if not eliminate, potential vulnerabilities that could be exploited by attackers.
Key Considerations for Implementing a CBOM in Your Organization
Automation and Tooling
The manual creation and maintenance of a Cryptographic Bill of Materials (CBOM) can be time-consuming, error-prone, and inefficient, particularly in complex IT environments.
To give the CBOM creation process speed and certainty, automation and tooling are vital investments.
Automated tooling can scan your system(s) and codebase and identify cryptographic components used in your systems, such as algorithms, libraries, key management systems, and certificates.
The automated tooling may provide an inventory of your cryptographic assets that will both mitigate human error and be far quicker than if you were to do so manually.
Moreover, continuous generation and updating of your CBOM provides the insight needed to keep your cryptographic landscape current, monitored, reported on accurately, and aligned with security best practices.
Automation also helps the CBOM scale. As your organization grows and incorporates additional systems or software components, maintaining a manual inventory of an increasing number of cryptographic assets becomes arduous.
With automated tooling, CBOM management keeps pace with significant growth in scale, covering the many environments and use cases.
Finally, as mentioned, automation keeps your cryptographic inventory current and helps avoid using cryptographic components that are obsolete or vulnerable.
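As an added example (not code from the original article or from Certera), the block below is a toy scanner of the kind this section describes: it walks source and dependency files, recognizes textual traces of cryptographic usage (hash calls, key sizes, TLS protocol constants, cipher suites, pinned library versions), and emits CBOM records with file:line provenance. The detection patterns, the record format, and the sample files (including their made-up library names) are assumptions constructed for the example; a production scanner would need far broader coverage.

```python
# Toy scanner that discovers cryptographic usage in source and dependency files and
# emits CBOM records. Added illustration, not a real tool: the patterns and the record
# format are assumptions; the files below are constructed samples with made-up library names.
import re

SAMPLE_FILES = {
    "auth/tokens.py": (
        "import hashlib\n"
        "digest = hashlib.sha1(payload).hexdigest()\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=1024)\n"
    ),
    "net/client.py": (
        "import ssl\n"
        "ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)\n"
        "ctx.set_ciphers('ECDHE-RSA-AES256-GCM-SHA384')\n"
    ),
    "requirements.txt": "samplecryptolib==1.2.3\nsampletlslib==4.5.6\n",
}

HASH_NAMES = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha3_256": "SHA3-256"}
PROTOCOLS = {"SSLv3": ("SSL", "3.0"), "TLSv1": ("TLS", "1.0"),
             "TLSv1_1": ("TLS", "1.1"), "TLSv1_2": ("TLS", "1.2")}

def _protocol(m):
    name, version = PROTOCOLS[m.group(1)]
    return {"type": "protocol", "name": name, "version": version}

# Each pattern maps one textual trace of crypto usage to a CBOM record builder.
# The key_size pattern is assumed to belong to an RSA key, as in the sample file.
PATTERNS = [
    (re.compile(r"hashlib\.(md5|sha1|sha256|sha3_256)\("),
     lambda m: {"type": "algorithm", "name": HASH_NAMES[m.group(1)]}),
    (re.compile(r"key_size\s*=\s*(\d+)"),
     lambda m: {"type": "algorithm", "name": "RSA", "key_size": int(m.group(1))}),
    (re.compile(r"ssl\.PROTOCOL_(SSLv3|TLSv1(?:_[12])?)\b"), _protocol),
    (re.compile(r"set_ciphers\('([^']+)'\)"),
     lambda m: {"type": "cipher_suite", "name": m.group(1)}),
    (re.compile(r"^([A-Za-z0-9_.-]+)==([\w.-]+)$"),
     lambda m: {"type": "library", "name": m.group(1), "version": m.group(2)}),
]

def scan(files):
    """Return one CBOM record per detected asset, tagged with file:line provenance."""
    records = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, build in PATTERNS:
                match = pattern.search(line)
                if match:
                    record = build(match)
                    record["location"] = f"{path}:{lineno}"
                    records.append(record)
    return records

def locations_of(records, asset_type, name):
    """Where one asset is used, e.g. every file:line that pulls in a given library."""
    return [r["location"] for r in records if r["type"] == asset_type and r["name"] == name]
```

Re-running the scan on every commit is what keeps the inventory current; the location field is what lets a team answer "where exactly is this library used" when an advisory lands.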
Integration with SBOMs and Asset Management Systems
A Cryptographic Bill of Materials (CBOM) should not be treated in a vacuum, but rather, as a component of a larger asset management strategy for the organization.
Integrating CBOMs with Software Bill of Materials (SBOMs), vulnerability management solutions, and IT asset management tools provides the organization with the ability to comprehensively see, control, and manage its cryptographic assets.
SBOMs tell you what’s inside the software components running in your environment, and when combined with CBOMs, you get a reliable view of your cryptographic dependencies.
Combining both documents also gives consistency and centralization, allowing your security teams to correlate cryptographic risks with runtime software vulnerabilities, configuration issues, or even external threats, in real time.
Combining your CBOM with asset management systems provides another layer of detail so you can manage the lifecycle of cryptographic components as part of your other IT assets.
Centralizing the documentation for your cryptographic assets makes it easier to prioritize risk-mitigating actions when managing updates and meeting regulatory and security standards.
The better these complex processes are communicated to the other teams involved, such as security, IT, and compliance, the easier it becomes to manage risk effectively and efficiently.
Frequency of Updates
Cryptographic environments are dynamic, where new vulnerabilities, cryptographic patches, and updates to cryptographic algorithms or libraries are consistently released.
For a CBOM to be effective and fulfill its purpose, “to maintain an up-to-date inventory of known needs”, it must be updated frequently to reflect these changes.
Organizations should implement a clear policy on the frequency of CBOM updates. This may mean continuous updates, where the CBOM is automatically updated in real time as changes occur, or periodic updates at a set frequency, such as quarterly or after every major software update.
Due to the dynamic nature of cryptographic standards and the speed of cyber threats, it is important to ensure that the CBOM is updated regularly.
Without timely updates, a CBOM becomes stale: newly introduced cryptographic components and newly disclosed vulnerabilities go overlooked.
Regular updates are also an effective way to help ensure that your cryptographic environment is secure, compliant, and resilient to emerging threats.
The establishment of routine management and updates for the CBOM also supports continuous risk assessment and monitoring, which is an important part of lessening exposure to a potential breach in security.
Governance Policies
Governance policies provide organizations with clarity regarding the roles and responsibilities for creating, managing, and reviewing their CBOMs, as well as maintaining and applying security policies around them.
Knowing who is responsible for the CBOM helps the organization place it within its broader risk management and security governance framework.
For example, the organization’s security teams could be responsible for ensuring the CBOM accurately reflects the required cryptographic artefacts currently in use, whereas the organization’s compliance officers may be interested in whether the CBOM meets regulatory compliance requirements.
Governance around the CBOM should also define how it is audited, revised, and reviewed.
Regular reviews of cryptographic components and materials used in the organization should help ensure that they are secure and that they are compliant with any internal and external obligations.
Vendor and Supply Chain Coordination
Organizations often obtain the cryptographic components used in their environment from third-party vendors in the digital ecosystem. Responsibility for developing, maintaining, and managing CBOMs in line with best practice therefore starts with those vendors or partners.
Organizations should also require vendors and partners to issue CBOMs alongside their SBOMs, as applicable, for hardware and software components used in critical or sensitive environments (such as national security systems).
All cryptographic assets, even from an external vendor, need to be documented and tracked for security and compliance purposes.
When organizations engage their vendors and supply chain partners in this best-practice approach, they gain the ability to track and have visibility into the cryptographic components used throughout their environment.
Conclusion
When partnering with Certera’s offerings, you can be assured your cryptographic components will be secured, managed, and appropriate compliance protocols will be established. Start improving your cryptographic posture today. Contact Certera to discuss how our platform can enable you to implement a CBOM strategy for your organization.