Securing the Software Supply Chain: Recommended Practices for Managing OSS and SBOMs 14
automate the inventory process and scanned when vulnerabilities are reported. All third-party
sources are monitored for defects and linked to ongoing vulnerability assessments in both the
supplier and developer roles. Ongoing alerting and monitoring can occur in house by running the
vulnerability scanning activity used within the ingestion process, or can be provided by external
sources, such as reports from a security center, researcher, threat intelligence operations which
look for Zero Day exploits, CISA automated notifications, security bulletins, CVE database
monitoring, red teaming activities or by direct notifications from third-party source providers.
Maintainers can also leverage resources such as automated notifications services and local or
cloud-based scanning technologies that are described in section 3.2, “Vulnerability and Risk
Assessment”.
When vulnerable third-party software is identified, each product is assessed both manually and
using an automated processes to determine what components are affected. A risk assessment for
each affected product is determined using the considerations defined in section 3.2 “Vulnerability
and Risk Assessment.” The risk assessment takes into account the prevalence of the open-source
component and its use within the product. Once identified, vulnerable products are tracked for
remediation or exceptions granted. Remediation may take the form of a configuration change, a
source or binary change, or may require an update of a third-party component. In the case of older
sources that are no longer supported by the open-source provider, the fix may have to be
backported to older source, which is maintained in the build repository or escrow. If a product is no
longer being updated, strong consideration should be made to finding an alternative open-source
solution.
Vulnerable products are tracked for remediation and an action plan created, identifying the actions
to take and a planned timeframe for the delivery of a solution.
The plan also identifies the delivery mechanism that may be used, to include a patch, update or
security bulletin, notice or advisory that can include configuration changes required, or a manual
remediation step to mitigate the vulnerability. In some cases, the solution may require disabling a
service, function or feature by modifying a configuration setting. The solution may also require a
third-party repository update, which should use the procedures defined in the adoption process
outlined above. Any fixes to the third-party component are tested and the repository is updated. All
development groups that use the affected third-party component are notified through the
monitoring roles listed above and all associated products are updated. Changes made to third-party
components may be reflected in an updated SBOM and any associated remediation can be included
in a VEX. These changes may be incorporated automatically at the completion of a product rebuild
or referenced using an intermediate SBOM to the product component being updated. The updates
to the vulnerable product are made available.
The fix is made available to the customer using a number of delivery mechanisms such as an
automated update process, or a link to a download which can be applied at the customer’s
convenience. Updates can be provided using OS specific update package tools for example “apt,”
“yum” or a product update facility. A software update management facility can be used that allows
packaging, inventory and update management functions to be performed automatically, and the
update can be rolled out based on time, day, and other organization-based restrictions. Finally,
updates can be provided by an on premis service engineer.