Abstract
This paper presents a study of the security vulnerabilities surrounding Internet of Things (IoT) devices, and how these vulnerabilities can be detected and analyzed utilizing the Software Bill of Materials (SBOM). This methodology allows a user to gain more information about a device than what was available before using tools such as an automated vulnerability scanner. Compared to the information available from current popular security vulnerability scanners, the information gathered from the SBOM approach allows a user to have far more insight into a device’s vulnerabilities and composition. This study emphasizes the importance of the SBOM and how it can be used to assess such security vulnerabilities on a deeper level than automated scanners. In this study, we compare the security vulnerability assessment capabilities of three different methods: NetRise, Tenable OT Security, and the free National Vulnerability Database (NVD) provided by the National Institute of Standards and Technology. NetRise is the method that will be used to demonstrate the capabilities of SBOM security. Tenable OT Security is a traditional vulnerability scanner. The last method used is referencing the NVD. This is the U.S. government repository of vulnerability management data. Limitations and deficiencies of the SBOM approach to security analysis are also addressed throughout the study.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Number of Internet of Things (IoT) Connected Devices Worldwide from 2019 to 2023, with Forecasts from 2022 to 2030 (Statista). https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/. Accessed 11 Oct 2023
C. Kolias, G. Kambourakis, A. Stavrou, J. Voas, DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017). https://doi.org/10.1109/MC.2017.201
J. Biden, Executive Order on Improving the Nation’s Cybersecurity (Whitehouse). https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/. Accessed 23 Oct 2023
The Minimum Elements for a Software Bill of Materials (SBOM) (U.S. Department of Commerce, USA, 2021)
B. Xia, et al., An empirical study on software bill of materials: Where we stand and the road ahead (2023). https://doi.org/10.1109/ICSE48619.2023.00219
C.M. Wallen, C.J. Alberts, M.S. Bandor, C. Woody, Software Bill of Materials Framework: Leveraging SBOMS for Risk Reduction (Software Engineering Institute, 2023)
Cybersecurity Infrastructure and Security Agency, Types of Software Bill of Material (SBOM) Documents. https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf. Accessed 14 Nov 2023
A. Qasem, P. Shirani, M. Debbabi, L. Wang, B. Lebel, B.L. Agba, Automatic vulnerability detection in embedded devices and firmware: Survey and layered taxonomies. ACM Comput. Surv. 54(2), 1–42 (2022). https://doi.org/10.1145/3432893
Q. Yin, X. Zhou, H. Zhang, FirmHunter: State-aware and introspection-driven grey-box fuzzing towards IoT firmware. Appl. Sci. 11(19), 9094 (2021). https://doi.org/10.3390/app11199094
P. Oser, R.W. van der Heijden, S. Lüders, F. Kargl, Risk prediction of IoT devices based on vulnerability analysis. ACM Trans. Priv. Secur. 25(2), 1–36 (2022). https://doi.org/10.1145/3510360
S. Carmody et al., Building resilient medical technology supply chains with a software bill of materials. NPJ Digit. Med. 4(34) (2021). https://doi.org/10.1038/s41746-021-00403-w
“Plugins”, Tenable. https://www.tenable.com/plugins. Accessed 25 Oct 2023
M. Janiszewski, M. Rytel, P. Lewandowski, H. Romanowski, Creating vulnerabilities and exploits database of IoT devices, in Proceedings of the 2022 European Interdisciplinary Cybersecurity Conference (EICC ’22), (Association for Computing Machinery, New York), pp. 91–92. https://doi.org/10.1145/3528580.3532990
U.S. Department of Defense, Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption (National Security Agency, USA, 2023)
Acknowledgments
We acknowledge the advice on this research received from Dr. Ping Wang and Jim Mahony. This research is funded by NSF SFS grant # 2234554 awarded to Robert Morris University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bonacci, J., Martin, R. (2024). Software Bill of Materials (SBOM) Approach to IoT Security Vulnerability Assessment. In: Latifi, S. (eds) ITNG 2024: 21st International Conference on Information Technology-New Generations. ITNG 2024. Advances in Intelligent Systems and Computing, vol 1456. Springer, Cham. https://doi.org/10.1007/978-3-031-56599-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-56599-1_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56598-4
Online ISBN: 978-3-031-56599-1
eBook Packages: EngineeringEngineering (R0)