
February 16, 2024

Security Transparency Consortium Announces Activity Vision for Improving and Utilizing Security Transparency
- Promoting comprehensive cybersecurity capabilities in the supply chain using SBOMs -

Tokyo - February 16, 2024 - NTT Corporation (NTT) and NEC Corporation (NEC) launched the "Security Transparency Consortium" in September 2023, aiming to reduce supply chain security risks. In addition to ALAXALA Networks Corporation, NTT DATA Group Corporation, FFRI Security, Inc., Cisco Systems G.K., Hitachi, Ltd. and Mitsubishi Electric Corporation, which have participated in the consortium since its inception, NRI Secure Technologies, Ltd. and Tokyo Electron Ltd. are now also participating. Drawing on its recent activities, the consortium has summarized the problems faced by the "user side" when using visualization data provided by the "creators" of products, systems, services, etc., and has announced, as its activity vision, its policy for solving these problems.

1. Background

Supply chain security risks, such as when products, systems, services, etc. are subject to security breaches through the supply chain, require responses from the entire global supply chain, including the suppliers of each component. Under such circumstances, countries around the world are increasingly requiring each business entity in the supply chain to create and provide "visualization data" on software configurations based on the software bill of materials (SBOM) format, a standard data format for listing the software components included in a product.

As this movement focuses attention on the perspective of the "creators" of visualization data, it can lead to too much emphasis on "creator side" issues, such as the costs associated with generating visualization data. As a result, attention may shift to creating visualization data within a realistic range, and there is a risk that the benefits visualization data was originally intended to bring may be lost. However, if studies from the perspective of the "users", for example, make it possible to find the data content conditions (*1) that must be satisfied in order to use visualization data effectively, it will be easier for the "creators" to avoid generating unnecessary data, and this will bring about other benefits.

In order to truly solve problems like this, it is essential to address issues from the perspective of the "users" in particular, in addition to cooperation between various businesses on the "creator" and "user" sides of the supply chain.

2. Outline of the activity vision

The consortium aims to enhance security transparency throughout the supply chain by utilizing SBOM and other visualization data, and to drastically reduce supply chain security risks related to products, systems, services, etc. While efforts to reduce costs and solve other issues on the "creator side" of visualization data are progressing, consortium activities in coordination with "users" of visualized data are expected to lead to a positive cycle of greater demand for the creation and provision of visualization data.

The consortium has identified a series of issues that "users" face when utilizing visualization data. To address these issues, the consortium has set out on its website (*2) a series of policies and activities for achieving the associated goals.

  (1) Lack of social penetration and recognition
    Inability to understand the value of visualization data in concrete terms, therefore lacking awareness of how to use it.
  (2) Insufficient format data
    In order to handle visualization data in a uniform manner, it is necessary to establish usage policies, etc.
  (3) Lack of technology and tools
    Automation is necessary to handle large amounts of visualization data.
  (4) Burden of utilization costs
    To respond to changes in operations brought about by the introduction of visualization data, it is necessary to efficiently educate personnel and familiarize them with related tools.
  (5) Continuous use
    It is necessary to continuously obtain the correct visualization data when updating software, etc.
  (6) Coordination in the supply chain
    A mechanism of mutual sharing between "creators" and "users" in a multi-stage supply chain is necessary.
  (7) Impact of visualization data
    As security transparency increases due to the penetration of visualization data, it becomes necessary to deal with events that were previously invisible and could not be dealt with.
  (8) Other
    As the use of visualization data is not included in conventional business, it is necessary to revise the business structure.

This will serve as a starting point for discussions to create common understanding of the issues faced by many businesses that have begun or are considering the use of SBOM and other services, and to resolve these issues in a coordinated manner.

3. Outlook

Through this consortium and concerted efforts across various businesses, countermeasures will be co-created for challenges in the utilization of visualization data, and they will be published on the consortium's website (*2) as "Knowledge Base for the Utilization of Visualization Data" (provisional title).

4. Participating companies (as of February 16, 2024)

The following companies are participating in the consortium. NTT and NEC are overseeing the secretariat. Additional participants are being recruited on the consortium's website.

ALAXALA Networks Corporation
NRI Secure Technologies, Inc.
NTT DATA Group Corporation
FFRI Security, Inc.
Cisco Systems G.K.
Tokyo Electron Ltd.
NEC Corporation
NTT Corporation (*3)
Hitachi, Ltd.
Mitsubishi Electric Corporation

5. Endorsement

■ Satoshi Iitsuka, Cybersecurity Division, Commerce and Information Policy Bureau, Japan's Ministry of Economy, Trade and Industry

"In July 2023, Japan's Ministry of Economy, Trade and Industry formulated a manual that outlines the benefits of introducing SBOMs and points to recognize when implementing SBOMs.
To realize the effects of the introduction of SBOMs, such as shortening the initialization period for dealing with software vulnerabilities and reducing management costs, it is important to consider not only the creator but also the "users" perspective of SBOMs. We expect that this consortium will promote the utilization of SBOMs by companies and lead to the improvement of cybersecurity capabilities in Japanese industry."

Notes:

(*1) Conditions such as assortment, format, and value of data items to be included in SBOM and other visualization data are defined from the perspective of the user's application, such as security operations.

(*2) Security Transparency Consortium Website
https://www.st-consortium.org/?lang=en

(*3) Through the participation of NTT Corporation, the following NTT Group companies will also cooperate with the consortium:
NTT EAST Corporation
NTT WEST Corporation
NTT DOCOMO, INC.
NTT Communications Corporation
NTT Advanced Technology Corporation
NTT TechnoCross Corporation

About NTT

NTT contributes to a sustainable society through the power of innovation. We are a leading global technology company providing services to consumers and business as a mobile operator, infrastructure, networks, applications, and consulting provider. Our offerings include digital business consulting, managed application services, workplace and cloud solutions, data center and edge computing, all supported by our deep global industry expertise. We are over $97B in revenue and 330,000 employees, with $3.6B in annual R&D investments. Our operations span across 80+ countries and regions, allowing us to serve clients in over 190 of them. We serve over 75% of Fortune Global 100 companies, thousands of other enterprise and government clients and millions of consumers.

About NEC Corporation

NEC Corporation has established itself as a leader in the integration of IT and network technologies while promoting the brand statement of "Orchestrating a brighter world." NEC enables businesses and communities to adapt to rapid changes taking place in both society and the market as it provides for the social values of safety, security, fairness and efficiency to promote a more sustainable world where everyone has the chance to reach their full potential. For more information, visit NEC at http://www.nec.com.

Media contacts

Security and Transparency Consortium Office
stc-info@st-consortium.org

NTT Service Innovation Laboratory Group
Public Relations
nttrd-pr@ml.ntt.com

NEC Corporation
Global Innovation Strategy Planning Department
https://contact.nec.com/http-jpn.nec.com_tb_142rd_4b126d/?fid=4b126d

Information is current as of the date of issue of the individual press release.
Please be advised that information may be outdated after that point.