
A Study on the Software Supply Chain Security Policy for the Strengthening of Cybersecurity: Based on SBOM Policy Cases


  • Received: 2021.11.26
  • Accepted: 2022.02.20
  • Published: 2022.02.28

Abstract

Supply chain attacks target critical infrastructure, cause large-scale damage, and are evolving into a threat to public safety and national security. Accordingly, national cybersecurity strategies and policies now specify supply chain risk management as a way to raise security, and the Executive Order on Improving the Nation's Cybersecurity issued by the US Biden administration in 2021 mentions the software bill of materials (SBOM) as part of its guidance on strengthening software supply chain security. If a government mandates SBOMs and uses them as a verification tool for supply chain security, the domestic procurement system may be affected in the future, and the progress of that policy can serve as a reference when a domestic supply chain security framework is established. This paper therefore selects countries that are promoting SBOM policy as a means of strengthening software supply chain security and analyzes the relevant cases. It also compares foreign SBOM policy trends and, on that basis, considers how SBOMs could be used domestically from technical, policy, and legal perspectives. Since SBOMs are expected to be valuable as a tool for verifying the integrity and transparency of supply chains, continuous monitoring of international standardization and policy development for SBOMs, together with research on a standard format, is required.
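The abstract frames the SBOM as a verification tool for supply chain integrity and transparency. The following is an added example written for this page (it is not code from the paper or from any of the policy programmes it surveys) showing what that consumption step looks like in practice: it parses a CycloneDX JSON document (field names as in CycloneDX 1.4), checks it against the NTIA "minimum elements" (supplier, component name, version, other unique identifiers, dependency relationship, SBOM author, timestamp), matches components against an advisory feed, and walks the dependency graph to see which parts of the product are exposed. The SBOM, the product, the component names and the advisory identifiers are all constructed for illustration.

```python
"""Consume a CycloneDX SBOM as a supply chain verification input (added example)."""
import json

# Constructed CycloneDX 1.4-style SBOM for a hypothetical product "example-portal".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {
        "timestamp": "2022-02-20T09:00:00Z",
        "authors": [{"name": "Example Vendor Build Team"}],
        "component": {"type": "application", "bom-ref": "app",
                      "name": "example-portal", "version": "2.1.0"},
    },
    "components": [
        {"type": "library", "bom-ref": "web-framework", "name": "web-framework",
         "version": "4.0.1", "supplier": {"name": "Example Framework Project"},
         "purl": "pkg:maven/org.example/web-framework@4.0.1"},
        {"type": "library", "bom-ref": "acme-logger", "name": "acme-logger",
         "version": "1.2.3", "supplier": {"name": "Acme Logging"},
         "purl": "pkg:maven/com.acme/acme-logger@1.2.3"},
        # Opaque vendor component: no supplier and no unique identifier.
        {"type": "library", "bom-ref": "vendor-util", "name": "vendor-util", "version": "1.0"},
        # Declared but never placed in the dependency graph.
        {"type": "library", "bom-ref": "orphan-lib", "name": "orphan-lib", "version": "0.9.0",
         "supplier": {"name": "Orphan Org"}, "purl": "pkg:generic/orphan-lib@0.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-framework", "vendor-util"]},
        {"ref": "web-framework", "dependsOn": ["acme-logger"]},
    ],
})

# Constructed advisory feed (made-up IDs): component name and first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-2022-0001", "name": "acme-logger", "fixed_in": "1.2.5"},
    {"id": "ADV-2022-0002", "name": "web-framework", "fixed_in": "4.0.0"},
]

# Per-component NTIA minimum elements; "purl" stands in for "other unique identifiers".
COMPONENT_FIELDS = ("supplier", "name", "version", "purl")


def load_sbom(text):
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def check_minimum_elements(sbom):
    """Return human-readable gaps against the NTIA minimum elements."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("document: missing timestamp")
    if not meta.get("authors"):
        gaps.append("document: missing SBOM author")
    components = sbom.get("components", [])
    for comp in components:
        label = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        for field in COMPONENT_FIELDS:
            if not comp.get(field):
                gaps.append(f"{label}: missing {field}")
    # Dependency relationship: every component must appear somewhere in the graph.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for ref in sorted({c.get("bom-ref") for c in components} - in_graph):
        gaps.append(f"{ref}: not present in any dependency relationship")
    return gaps


def parse_version(text):
    """Numeric dotted versions only; sufficient for the constructed data."""
    return tuple(int(part) for part in text.split("."))


def affected_components(sbom, advisories):
    """(bom-ref, name, version, advisory id) for components below an advisory's fixed version."""
    hits = []
    for comp in sbom.get("components", []):
        if not comp.get("version"):
            continue  # cannot evaluate; check_minimum_elements already reports it
        for adv in advisories:
            if comp.get("name") == adv["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp.get("bom-ref"), comp["name"], comp["version"], adv["id"]))
    return hits


def dependents_of(sbom, ref):
    """Walk the dependency graph upward: all refs that transitively depend on `ref`."""
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    seen, stack = set(), [ref]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    for gap in check_minimum_elements(bom):
        print("gap:", gap)
    for bom_ref, name, version, adv_id in affected_components(bom, SAMPLE_ADVISORIES):
        exposed = ", ".join(sorted(dependents_of(bom, bom_ref)))
        print(f"{adv_id}: {name}@{version} reached via {exposed}")
```

The two halves correspond to the two properties the abstract names: the minimum-element check is the transparency test (can a consumer even identify what is inside the product?), and the advisory match plus upward graph walk is the verification step that only works once the SBOM is complete enough to be trusted. A component with no supplier and no unique identifier, as with the constructed "vendor-util" above, cannot be matched against any advisory feed, which is why mandated formats matter before SBOMs are used as a procurement gate.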


