Viktor Petersson logo

Podcast

Follow Me

Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

Unveiling SBOMs: Insights from Allan Friedman of CISA

Play On Listen to podcast on YouTube Listen to podcast on Spotify Listen to podcast on Apple Listen to podcast on Amazon music
28 JUL • 2024 1 hour 26 mins
Share:

In this episode, I’m joined by Allan Friedman from CISA for an in-depth exploration of Software Bill of Materials (SBOMs). Allan brings unique insights from his work at CISA, where he’s been instrumental in shaping how we approach software supply chain security.

We begin by discussing CISA’s role in cybersecurity, with Allan explaining their mission of “defending today and securing tomorrow.” What particularly interests me is how they balance immediate threat response with building more secure infrastructure for the future. Allan’s explanation of CISA’s international partnerships and their collaboration with other US government agencies provides valuable context for understanding the broader security landscape.

The conversation gets especially interesting when Allan draws parallels between software transparency and food labeling. We dive into the technical details of SBOM formats like CycloneDX and SPDX, exploring their origins and key differences. I found his insights into the communities supporting these formats particularly valuable for understanding their practical applications.

We tackle the real-world challenges of implementing SBOMs, from automation issues to maintaining accuracy in dynamic software environments. Allan shares practical advice for organizations starting their SBOM journey, and we explore related tools like VEX (Vulnerability Exploitability Exchange) and their role in securing software supply chains.

If you’re involved in software development or security, you’ll find plenty of practical takeaways here. Allan brings both policy expertise and technical understanding to the discussion, making complex security concepts accessible while maintaining their technical depth.

Links:

Related episodes:

Transcript

Show/Hide Transcript
[00:04] Viktor Petersson
Before we dive into the show, I want to talk about a project I created called Spomify.
[00:08] Viktor Petersson
See, there are three parts to Nestbom.
[00:10] Viktor Petersson
There is the generation side, there is the collaboration side, and then there is the analysis side.
[00:16] Viktor Petersson
sbomify solves for the collaboration part.
[00:19] Viktor Petersson
It can integrate directly into your CI CD pipeline, and then you can invite and share both internal and external stakeholders.
[00:27] Viktor Petersson
So check out spomify at sbomify.com.
[00:30] Viktor Petersson
and now onto the show.
[00:31] Viktor Petersson
Welcome back to another episode of nerding out with Victor today.
[00:36] Viktor Petersson
I have Alan Friedman on the pedicle podcast with me today, and we are going to talk about all things s bombs.
[00:43] Viktor Petersson
Alan is from Scisa.
[00:45] Viktor Petersson
And welcome to the show, Alan.
[00:48] Allan Friedman
Thanks so much for having me.
[00:50] Viktor Petersson
So maybe before we dive in, we should talk about where you actually work.
[00:56] Viktor Petersson
So, Saisa, what Saisa and what does it do?
[01:01] Viktor Petersson
Or what does the agency do?
[01:02] Allan Friedman
I guess so.
[01:04] Allan Friedman
The Cybersecurity and Infrastructure Security Agency is the lead us government civilian cybersecurity agency.
[01:13] Allan Friedman
Our mission is to defend today and secure tomorrow.
[01:18] Allan Friedman
So we have a variety of roles, some of them operational, securing the american civilian government, working to address ongoing threats against american businesses, american communities, and also looking to build better, more secure infrastructure.
[01:38] Allan Friedman
So we spend a lot of time thinking about critical infrastructure.
[01:41] Allan Friedman
We do international partnerships with our partner agencies in cybersecurity.
[01:46] Allan Friedman
And of course, we work with the other hubs of cybersecurity expertise in the us government, including cyber Command and the NSA.
[01:56] Allan Friedman
We work with our friends overseas, especially close relationship with NCSC UK.
[02:06] Allan Friedman
And we work a lot with industry.
[02:07] Allan Friedman
So most of my work is actually outward facing, helping with the broader cybersecurity community.
[02:15] Viktor Petersson
And my understanding is that SaiSA is an advisory agency to other agencies inside the us government and outside as well.
[02:23] Allan Friedman
So it's not exactly, we are not a regulator, but we do spend a lot of time working with other government organizations.
[02:35] Allan Friedman
And one of the things we do is we have a role in helping secure other government agencies.
[02:42] Allan Friedman
So we do have some ability to sort of say, hey, everyone.
[02:46] Allan Friedman
Now, in the us government do this?
[02:49] Viktor Petersson
Develop blueprints and best practices, I presume.
[02:51] Allan Friedman
Yeah, and even some of your audience is probably familiar with the known exploitable vulnerability list or the Kev list, where we say, hey, these are high profile vulnerabilities.
[03:01] Allan Friedman
So every government agency needs to drop what they're doing and fix those immediately.
[03:06] Allan Friedman
And we have some force to compel.
[03:08] Allan Friedman
We have some ability, legal ability to compel that.
[03:11] Viktor Petersson
Okay.
[03:12] Viktor Petersson
And this is a relatively new agency, I presume, or we are.
[03:18] Allan Friedman
I think we're still the newest government agency in the us government.
[03:23] Allan Friedman
We nominally sit under the Department of Homeland Security, which, of course, is a very broad mission, and we grew out of the Department of Homeland Security.
[03:33] Allan Friedman
We're small, but growing.
[03:35] Allan Friedman
I think we've grown by 50% in the last four years.
[03:40] Allan Friedman
And covering just as you know, cybersecurity is a pretty big waterfront, and so we're trying to cover as much of it as possible.
[03:48] Viktor Petersson
Amazing.
[03:49] Viktor Petersson
All right, so the reason why I wanted to have you on the show today is because I was introduced to you from, actually, a fellow guest on the podcast.
[03:56] Viktor Petersson
What I was really curious about on deep diving into the world of s bombs, and you have kind of played a hub in becoming, like, a person that is affiliated with all things Sbom.
[04:09] Viktor Petersson
We dive into the different camps in a second, but you have your fingers in a lot of pies across the whole world of SBom and have a really good understanding of what it is, why it matters, and the latest development of in the world of Sboms.
[04:24] Viktor Petersson
Really.
[04:25] Viktor Petersson
So we've talked about s bombs on the podcast before, but maybe we should do a quick recap for people who haven't actually listened to the podcast before.
[04:34] Viktor Petersson
What are s bombs?
[04:35] Viktor Petersson
What's the origin story, and why do they exist?
[04:40] Allan Friedman
Sure.
[04:40] Allan Friedman
Software bill of materials is the radical notion that we should actually know what's in our software.
[04:47] Allan Friedman
You go to the store, you buy a chocolate, comes with lists of ingredients.
[04:52] Allan Friedman
Why do we expect more transparency from a mid afternoon snack than we do from the software that's running our businesses, our critical infrastructure, our national security systems?
[05:04] Allan Friedman
So the list of ingredients metaphor isn't perfect, but it is helpful.
[05:09] Allan Friedman
And we can dive into what nice bomb won't do a little later.
[05:12] Allan Friedman
But the notion behind it is machine readable, built for automation, and it's also just a data layer on which we can build further use and applications.
[05:26] Viktor Petersson
And this came out of the National Telecom and Information Administration, I believe, right?
[05:32] Allan Friedman
It did.
[05:34] Allan Friedman
So NTIA is a tiny part of the US Department of Commerce, and their mission is really to sort of think about how do we promote a better and healthier, more useful digital ecosystem.
[05:51] Allan Friedman
And I was there at the time doing some work on various cybersecurity topics.
[05:56] Allan Friedman
So, for example, back in 2015, we ran the first public private discussion on coordinated vulnerability disclosure.
[06:09] Allan Friedman
Remember back ten years ago?
[06:11] Allan Friedman
This used to be a really hot button topic where were still fighting overdose.
[06:15] Allan Friedman
How should researchers and producers and maintainers of software work together?
[06:21] Allan Friedman
We said, you know, we're going to throw everyone in a room.
[06:26] Allan Friedman
We're going to have a big american flag behind us.
[06:28] Allan Friedman
So at least the big tech companies have to show up.
[06:32] Allan Friedman
And when the big tech companies show up, I was able to go to the hacker community and say, hey, guys, you're going to want to join because you want to sort of make sure that your voice is in the room.
[06:40] Allan Friedman
And we actually got a pretty good mixed, including some great leaders in the security research community.
[06:49] Allan Friedman
Dan Kaminsky spoke at our kickoff meeting.
[06:52] Allan Friedman
We had Katie Viserys, we had Josh Korman.
[06:54] Allan Friedman
So people that have been leaders in the hacking community and sort of found some common ground and software build materials seemed like a good fit for developing in this model.
[07:09] Allan Friedman
The idea wasn't new.
[07:10] Allan Friedman
It's been around for a while, been advocated.
[07:14] Allan Friedman
People like Hardy mentioned Josh Corman.
[07:16] Allan Friedman
Jeff Williams, one of the founders of OwASP, has been talking about it, but there wasn't a common way of doing it.
[07:25] Allan Friedman
It wasn't common practice, and there wasn't even a generally accepted idea of what it should be, especially not cross sector.
[07:33] Allan Friedman
So there were movements already happening in certain communities, like the medical device community.
[07:39] Allan Friedman
But we wanted to make sure that this didn't end up as, okay, here's the way it's done in the military, and here's the way it's done for web apps.
[07:47] Allan Friedman
We needed a common vision.
[07:50] Allan Friedman
And so that vision began back in 2018 where we really said, okay, let's define the basics and move from there.
[07:59] Viktor Petersson
And this was really, I guess, accelerated industry when the executive order came out.
[08:08] Viktor Petersson
Right.
[08:08] Viktor Petersson
Because that was really when they came, not just not a draft document, but rather, oh, if we do not do this, there are bottom line implications.
[08:18] Viktor Petersson
And I think that's where the industry really woke up.
[08:20] Viktor Petersson
So maybe speak a bit about that for a moment.
[08:23] Allan Friedman
Sure.
[08:23] Allan Friedman
So the initiative at NTI started in 2018, began Pikmin momentum.
[08:30] Allan Friedman
We had a lot of participation from different corners of the community, major medical device manufacturers, energy manufacturers, a lot of the large software manufacturers were involved.
[08:43] Allan Friedman
And were starting to see a market.
[08:44] Allan Friedman
There were people who were saying, hey, we can help other people build this data, manage this data, consume this data.
[08:52] Allan Friedman
And so when the Biden administration came and said, we want to do an executive order that focuses on making sure that we have better quality software in the ecosystem, S BOM was a natural building block of their vision.
[09:09] Allan Friedman
So the executive order back in 2021, executive order 14028, for those of you who love to track your government documents.
[09:21] Viktor Petersson
I'll link to it in the show notes.
[09:24] Allan Friedman
In the introduction, the president says, the trust we place in our digital infrastructure should be based on how trustworthy and how transparent that digital infrastructure is.
[09:37] Allan Friedman
And so transparency sort of is a foundational piece of it.
[09:43] Allan Friedman
It sets out a vision that says we're not going to buy software that doesn't have basic security properties qualify to be used in the us government.
[09:55] Allan Friedman
It's got to have these basic properties.
[09:57] Allan Friedman
I'll give you a hint.
[09:58] Allan Friedman
The us government buys a lot of stuff and these were basics.
[10:05] Allan Friedman
This is stuff that should have been table stakes.
[10:07] Allan Friedman
Already have multifactor authentication.
[10:11] Allan Friedman
Make sure that your build environment is separate from your development environment.
[10:15] Allan Friedman
Use vulnerability management tooling on your software.
[10:19] Allan Friedman
And of course, the new thing that you mentioned is it said, and by the way, you're going to have a software bill of materials.
[10:27] Allan Friedman
And so that meant people who are just sort of vaguely aware of it.
[10:30] Allan Friedman
I think we have done a good job.
[10:33] Allan Friedman
You mentioned that.
[10:34] Allan Friedman
I'm often known for it.
[10:35] Allan Friedman
I think my real contribution is not anything technical, it's just being the guy who would always chime in and say, and to s bomb whenever were talking about software security.
[10:48] Allan Friedman
So the executive order really sort of made everyone stand up, focus on it.
[10:55] Allan Friedman
And for organizations that were starting to think about it, accelerate towards building that out.
[11:03] Allan Friedman
And also it helped the community that was looking to provide solutions both in the open source world and in the commercial tooling world, and say, oh, now we actually have to get our game up and we can go find people and help them do this.
[11:19] Viktor Petersson
So it went from a nice to have to, oh shit, we actually need to do this.
[11:23] Viktor Petersson
Right.
[11:24] Viktor Petersson
And I think that was the fire or the sense of urgency that really kicked off the whole ecosystem, I would say.
[11:32] Viktor Petersson
Right.
[11:33] Allan Friedman
I think it was right.
[11:35] Allan Friedman
This is an example of, you know, to zoom out when we talk about what's the role of government in cybersecurity, I think this sort of shows these two roles, which is one, we can start the conversation, we won't run it, but we'll sort of help it.
[11:50] Allan Friedman
And then as progress is made, we can say, all right, now let's make it an actual part of how we think about our commercials.
[12:03] Allan Friedman
They used to talk about part of a balanced breakfast.
[12:05] Allan Friedman
So now this is part of the balanced breakfast that is supply chain and security.
[12:11] Viktor Petersson
And what we have seen since is obviously a lot more debate around S bombs, but you've also seen it creeping into other frameworks.
[12:21] Viktor Petersson
So NIST two, which was released, what, two months ago, three months ago, which was an overhaul on NIST one, obviously it stops just shy of stating s bombs as a requirement, but it kind of hints at, well, I guess the word used was transparency software transparency.
[12:37] Viktor Petersson
And I think that's, they don't say S bombs, but it kind of implies it, I guess.
[12:44] Viktor Petersson
And I would say you start to see more and more of that creeping into various frameworks beyond government as a buyer.
[12:52] Viktor Petersson
Right.
[12:53] Allan Friedman
I think there's been some people have looked at payment card industry, PCI, DSS Standard and said, oh, you need to know everything that you're running.
[13:05] Allan Friedman
And that according to some interpretations would include the full dependency model.
[13:12] Allan Friedman
We're seeing some great work advanced from other governments.
[13:15] Allan Friedman
So the Netherlands published a starters gig to help dutch companies make progress on this.
[13:24] Allan Friedman
The Japanese are now on version 1.1 of their national guidance on how to think about S bomb.
[13:32] Allan Friedman
So one thing is even while it's starting to enter long term requirements, we're realizing, okay, we need to give a little more help and guidance to help people move in that direction.
[13:45] Viktor Petersson
Yeah.
[13:46] Viktor Petersson
And yeah, Japan indeed seems to be a pretty strong country for the S bomb, in the S bomb community, even though they're not like a country you think of usually in the tech world, but in this, they are punching above their weight in the contributions, I would say, in this space.
[14:01] Viktor Petersson
Right.
[14:02] Allan Friedman
I agree completely.
[14:04] Allan Friedman
The Ministry of Economics, Trade and Industry, METI has just been doing great work in promoting this in the japanese industry as well as working with global partners on this front.
[14:16] Allan Friedman
And I think they are looking at the supply chain and taking it very seriously.
[14:24] Allan Friedman
And we can go all the way back to thinking about the origins of modern supply chain science.
[14:32] Allan Friedman
The Toyota revolution with Deming.
[14:35] Allan Friedman
That's something that Japan has always been a leader on.
[14:39] Allan Friedman
And so that's one of the stories we can tell about how they became such a great leader.
[14:43] Allan Friedman
But I think you're right, this is a real feather in their cap for sort of being in some ways even more advanced than we are here at CisA.
[14:52] Viktor Petersson
Yeah.
[14:52] Viktor Petersson
And it's funny, I've been invited to a few of these s balm working groups or various things.
[15:00] Viktor Petersson
One company that stands out is Lockheed Martin.
[15:03] Viktor Petersson
Right.
[15:04] Viktor Petersson
They've been very vocal in supporting, and Ayan is one of the guys leading a lot of things in the S bam world.
[15:12] Viktor Petersson
And I guess there are some parallels with how a company like Lockheed and the manufacturing sector in Japan sees the world.
[15:23] Viktor Petersson
Right.
[15:24] Viktor Petersson
They are very process oriented and very structured, and I guess that plays to their strength.
[15:30] Viktor Petersson
S bombs really plays to their strength culturally, I guess so.
[15:36] Allan Friedman
I'll give echo your shout out to Ian Dunbar hall, who is one of the leads at Lockheed, and his focus has been on open source.
[15:47] Allan Friedman
And I think that's one of the other pieces that has really helped us appreciate the importance of transparency, is we all kind of knew that very few people write their own software anymore.
[16:02] Allan Friedman
Everyone was sort of vaguely aware of the importance of open source, but especially with the log four j crisis and the realization that really made senior policymakers stand up, the White House had a sort of emergency meeting just a few weeks after that vulnerability broke, saying, guys, what are we going to do about this?
[16:29] Allan Friedman
This is something that now needs to be addressed at the highest levels.
[16:32] Allan Friedman
So that realization of the widespread use of open source and a recognition that it's not bad, open source is great, but it requires those of us who use open source to track the data.
[16:49] Allan Friedman
And that's where SBOM comes in, which is it helps give transparency on the use of open source.
[16:55] Viktor Petersson
And it also highlights something that people like myself have been working with open source and in open source world for a very long time now.
[17:05] Viktor Petersson
It shows you that how dependent we are on a very small amount of people.
[17:11] Viktor Petersson
I mean, just look at the OpenSSL vulnerabilities two years ago, and there are so many of these libraries that are maintained by one or two people that are used as transient dependencies for so much of the blueprint for the modern web based applications or any modern applications.
[17:32] Viktor Petersson
And I guess Sbon's really put spotlight on that, right?
[17:36] Viktor Petersson
And we need to figure out a long term strategy for this.
[17:40] Allan Friedman
I think you hit on a couple things there.
[17:43] Allan Friedman
One is the idea of transitive dependencies.
[17:46] Allan Friedman
Yes, I know that I'm using this library, but it turns out this library depends on a dozen, and each of those depends on another dozen.
[17:55] Allan Friedman
And so we sort of this radical massive under the water line set of dependencies.
[18:03] Allan Friedman
And then two, having visibility in and of itself is not the goal.
[18:12] Allan Friedman
The goal is using that visibility.
[18:14] Allan Friedman
So you talked about single maintainer projects.
[18:17] Allan Friedman
Well, if you're a corporate risk officer, that should be high on your risk.
[18:22] Allan Friedman
What happens?
[18:25] Allan Friedman
There's a common term in the community called the bus problem.
[18:29] Allan Friedman
What happens if someone gets hit by the bus?
[18:30] Allan Friedman
It's always been very macabre to me.
[18:32] Allan Friedman
I prefer either talking about what happens if someone wins the lottery, or what happens if someone gets a romantic partner and then says, oh, this is a lot more fun than maintaining an open source project.
[18:46] Allan Friedman
And so having that risk on book is critical.
[18:52] Allan Friedman
And so again, it's not just about finding known vulnerabilities, but understanding the overall risk picture.
[19:01] Viktor Petersson
And absolutely and I think an extension of this debate is really how do we fix this and make open source sustainable?
[19:11] Viktor Petersson
The glib C vulnerability earlier this year about the openssage is a good example of that.
[19:15] Viktor Petersson
It's like, yeah, it was a few overworked people that just were a bit too trigger happy on hitting the merge button.
[19:22] Viktor Petersson
And who can blame them?
[19:24] Viktor Petersson
It's not for a lot of people, it's not their day job.
[19:29] Viktor Petersson
It puts spotlight on that show problem that we've seen the open source world, we'd known about it for a long time, and much of it comes down to purely about funding at the end of the day.
[19:40] Allan Friedman
And this is where I can give a shout out.
[19:42] Allan Friedman
CisA does a lot of work across cybersecurity and we have recently, along with everyone else in the world, looked at open source from a security perspective.
[19:53] Allan Friedman
We stood up a special office.
[19:58] Allan Friedman
We've hired a couple of great people who come from the open source world and indeed are skeptical of not just government, but also big corporate model to help us build.
[20:12] Allan Friedman
And we recently published an open source security roadmap of what we need to do features prominently, both in terms of how we're going to use open source in the government.
[20:24] Allan Friedman
One of the things we call for is having open source policy offices in government agencies.
[20:31] Allan Friedman
So most big companies, both in the US, Europe, Asia, have auspos, and government should too.
[20:40] Allan Friedman
And also making sure and prioritizing the idea that not only were you responsibly using it, but part of responsible use means giving back, making sure that we are aware of the communities that are building and maintaining them, and ideally helping out in time, in resources, in other ways.
[21:02] Allan Friedman
And so that's been a priority for us at CISA, independent of the whole s bond thing.
[21:09] Viktor Petersson
Yeah, I mean, I think that's a great priority.
[21:10] Viktor Petersson
I mean, I think open source should be almost considered a public utility in almost like road czar, because we are all dependent on them.
[21:20] Viktor Petersson
So there is, I think, a valid argument to say that, yes, taxpayer money should, it probably support this, just like roads in a sense.
[21:30] Allan Friedman
And I want to sort of tip my cap to the german government, which has funded a number of efforts to do exactly that, sort of identify key areas in the open source world and support them through direct grants using the existing foundation structures and organizational structures that the open source world has created.
[21:55] Viktor Petersson
Yeah, no, that's a good example.
[21:58] Viktor Petersson
So let's go back to cybersecurity frameworks a bit, because the other thing beyond NIST is the EU Cyber Salient act.
[22:08] Viktor Petersson
And Dora, which I believe EU Cybersecurity act is a subsection of Dora.
[22:13] Viktor Petersson
Or maybe they're independent, I'm not fully aware.
[22:16] Viktor Petersson
But that's another legislation that is pushing the european side to play catch up on the s bomb side.
[22:23] Viktor Petersson
So maybe if you want to speak a few moments, a few minutes about how you see that.
[22:28] Allan Friedman
Sure.
[22:29] Allan Friedman
And this is where I get to do the caveat that, of course, I am not an expert on european policy, but we do try to work closely with both.
[22:39] Allan Friedman
The European Commission staff is helping to assemble these as well as Anisa, the European Network Information Security Agency, which often gets tasked by the commission to sort of drive technical standards.
[22:57] Allan Friedman
And the Cyber Resilience act calls trying to raise the floor of security properties, not just for things that are purchased by governments, but in their case, they are addressing everything that is sold in the European Union, which is pretty large market.
[23:20] Allan Friedman
Everyone who sees themselves selling things sells into that market for s bomb.
[23:28] Allan Friedman
The vision that's spelled out is not that it has to be made public.
[23:32] Allan Friedman
I'm sympathetic to that.
[23:34] Allan Friedman
I think we may not be ready for every organization to make their s bombs public, and we can talk about that if you want to.
[23:45] Allan Friedman
But their vision is you must have an S bomb internally.
[23:49] Allan Friedman
And I think that's half the battle, is saying you should not be selling things without having the data easily available in a machine readable form so that you know what you're selling and so that you can respond when I.
[24:05] Allan Friedman
There's the next log for J Glib, C crisis, et cetera, and potentially make it available when asked to your national regulator.
[24:18] Allan Friedman
And so that is going to again be more of helping national cybersecurity regulators sort of up their game as well.
[24:27] Allan Friedman
So that's the vision that is spelled out in the CRA, which is sort of, hey, everything has to have an S mark, right?
[24:34] Viktor Petersson
And then let's go back to the executive order, because that was a mandate for anybody selling software to the us government.
[24:41] Viktor Petersson
They need to provide an S bomb through like an S bomb portal.
[24:44] Viktor Petersson
But that got pushed back, right?
[24:46] Viktor Petersson
There was a deadline, I believe, last fall.
[24:49] Viktor Petersson
Was it?
[24:50] Viktor Petersson
And then it was pushed forward until.
[24:53] Viktor Petersson
Yeah, you tell me the day I forgot.
[24:54] Viktor Petersson
But I know it was delayed, at least for the implementation.
[24:58] Allan Friedman
So here we're getting to the nuts and bolts of how sausage is made, where an executive order, high level vision shared by the president and the White House, and then it's up for other parts of the government to spell out exactly what that means.
[25:15] Allan Friedman
We need to be right.
[25:17] Allan Friedman
You can't just say, do something without defining exactly what you mean by something is.
[25:23] Allan Friedman
And so a different part of the White House office of Management and Budget said, well, actually, let's go further, which is first, NIST, the National Institute for Standards and Technology, incredibly smart technical standards people defined what secure development means writ large.
[25:40] Allan Friedman
So they published a document called the Secure software development Framework, SSDF.
[25:47] Allan Friedman
And that framework is really helpful.
[25:49] Allan Friedman
It sort of lays out, if you want to get a secure development process for your organization, here are all the things that you need to think about, and it's organized hierarchically.
[26:00] Allan Friedman
Think about these broad buckets.
[26:02] Allan Friedman
Inside each of these buckets, here are sub buckets.
[26:04] Allan Friedman
Inside each of these sub buckets, here are some technical standards that you can go and look at to find out exactly how to do it.
[26:11] Allan Friedman
So it's very helpful for organizing strategy.
[26:16] Allan Friedman
Then different part of the White House office of Management Budget came along and said, okay, now, to make this a reality for purchasing, we're going to create something called a self attestation form, where we're going to map specific pieces of that secure development framework.
[26:37] Allan Friedman
And each company had to say, okay, I pledge, I'm putting my name signing a document that says, I am doing this.
[26:47] Allan Friedman
So in this case, it was, I'm using multi factor authentication across my organization.
[26:54] Allan Friedman
I am tracking, I'm using vulnerability scanning on this software.
[27:00] Allan Friedman
And for Sbom, it was, I am tracking the provenance of my code and third party code to the greatest extent feasible.
[27:13] Allan Friedman
And so that's now sort of written into this form.
[27:16] Allan Friedman
We wanted to get that form right.
[27:18] Allan Friedman
This is the first version of the form.
[27:21] Allan Friedman
So we've publicly said we're going to be updating it, but this is the first version.
[27:26] Allan Friedman
And so we gave ourselves an extension as government, but we don't think that too many people industry were complaining because we wanted, they would sort of rather us, hey, get this right.
[27:41] Allan Friedman
Still working on making forward progress.
[27:43] Allan Friedman
We wanted to make sure we could incorporate technical feedback that we had heard.
[27:48] Allan Friedman
And so that went into effect in June for critical software, and then it'll go into effect for September, for June of this year.
[27:57] Allan Friedman
So it's already in effect as we're recording.
[28:01] Allan Friedman
And by September of 2024, it will apply to all software.
[28:08] Viktor Petersson
Okay, and I guess we're going to zoom in on sboms and actually, from a tech perspective next.
[28:17] Viktor Petersson
I think that kind of brings it into a natural transition into, like, the neon's the best bombs, because, yeah, I think most people can agree on that's a great idea.
[28:27] Viktor Petersson
But the devil is always in the details, right?
[28:29] Viktor Petersson
So there are two major formats of S bombs.
[28:34] Viktor Petersson
There are more, but two major formats that are, I guess, considered quasi standards at this point in time.
[28:39] Viktor Petersson
There's Cyclone DX and there's SPDX.
[28:42] Viktor Petersson
Do you want to speak a bit about both what they are, their purpose, and who's backing and supporting them?
[28:50] Viktor Petersson
Sure.
[28:51] Allan Friedman
So we want to convey this data.
[28:55] Allan Friedman
Data should be conveyed in a machine readable format.
[28:58] Allan Friedman
And, you know, when we set out to do this, were hoping that we would avoid having to make a new standard, a new way of conveying this data.
[29:07] Allan Friedman
And the good news was there was at least one data format that was already out there in 2018.
[29:13] Allan Friedman
The bad news was that there were two, and it didn't look like they were going to merge any time soon.
[29:23] Allan Friedman
And there has been some healthy competition between the two data formats.
[29:32] Allan Friedman
Competition is good, right.
[29:33] Allan Friedman
It breeds quality.
[29:36] Allan Friedman
Sometimes we could do with a little less sniping because it has fed.
[29:41] Allan Friedman
When they criticize each other publicly, it tends to give fuel to people who don't want to do anything.
[29:49] Allan Friedman
As an example, from my perspective, in the us government, we've adopted a position of radical neutrality, which is, they're both great, they're both open source, they both have active communities developing them, they both have active communities making tools for them.
[30:06] Allan Friedman
They both have companies that are shipping s bombs in those formats today.
[30:11] Allan Friedman
More importantly, at the end of the day, it's just JSON, or in some cases, still just XML.
[30:19] Allan Friedman
And you know what computers are really good at?
[30:22] Allan Friedman
Well structured data.
[30:23] Viktor Petersson
Right?
[30:24] Allan Friedman
So we've adopted a position from the beginning that we're not going to interfere in or pick a winner in a standards discussion.
[30:38] Allan Friedman
Again, the United States government doesn't have the best track record in picking a winner or a loser, a technical standards fight.
[30:45] Allan Friedman
So we're ticking very.
[30:49] Allan Friedman
One thing we have done is working with some colleagues at the Science and Technology Directorate of DHS.
[31:00] Allan Friedman
We have helped create and fund a translator tool.
[31:05] Allan Friedman
It's now an open source security foundation opensSF project called Protobomb Public.
[31:12] Allan Friedman
And the vision here is it'll translate between them.
[31:17] Allan Friedman
It can be freestanding, but it can also be integrated into tooling.
[31:22] Allan Friedman
And so that really, for us, means everyone should be able to produce an S bom in either format and consume an S Bom in either format, and it shouldn't matter which.
[31:35] Allan Friedman
And when we talk to large organizations, almost everyone else, almost everyone who's sort of starting to mature said, yeah, maybe we'll start in one or the other.
[31:46] Allan Friedman
But we, and again, one exercise, they're both great.
[31:51] Allan Friedman
We love all of our children equally, but they are.
[31:55] Allan Friedman
At the end of the day most organizations are sort of gearing up to say, yeah, we can handle both.
[32:02] Viktor Petersson
And if you submit to the government portal, the portal itself is agnostic.
[32:06] Viktor Petersson
I think it only accepts Jason, but it's agnostic either side.
[32:11] Viktor Petersson
Either format you use.
[32:13] Allan Friedman
Yes, at the moment the way to submit to the general us government submission model is we're not doing any validation at the moment to say is this one or the other?
[32:26] Viktor Petersson
Yeah, right.
[32:27] Viktor Petersson
All right, let's dive into what's the actual content of an S bomb because this is where it gets interesting and a lot more complicated because in theory we can agree, yes, it makes up for what the software includes, but it gets a lot more murky than that, obviously.
[32:44] Viktor Petersson
And the same goes for the formats.
[32:46] Viktor Petersson
In theory they have the same data, but in reality they don't.
[32:50] Viktor Petersson
So maybe speak a few words on what does that look like and how does that, what's in these JSON files?
[32:59] Allan Friedman
Sure.
[33:00] Allan Friedman
So from our interest, when we sort of say thou shalt have an S bomb, the first natural question that everyone should ask is what's an S bomb?
[33:14] Allan Friedman
And so we want to be specific.
[33:17] Allan Friedman
So we start out with some easy ones.
[33:20] Allan Friedman
It's got to be machine readable in a widely used data format.
[33:25] Allan Friedman
So some of the early language said here are three potential formats.
[33:32] Allan Friedman
S wid was originally sort of potentially seen as an option.
[33:36] Allan Friedman
Software id tags.
[33:39] Allan Friedman
There hasn't really been uptake, there aren't tools.
[33:42] Allan Friedman
So now we really talk about two formats.
[33:44] Allan Friedman
So that part's easy.
[33:47] Allan Friedman
Then we start asking a couple of different questions.
[33:51] Allan Friedman
First, got to have the software components okay, what data do you need for each component?
[33:57] Allan Friedman
And trying to flesh this out is important.
[34:04] Allan Friedman
The overall goal is you need to have enough data so that most of the people that are using the SBom data can say okay, this is the component, we're all on the same page that it's this blob of bits.
[34:19] Allan Friedman
What does that look like?
[34:20] Allan Friedman
Well, we can start talking about who's the supplier, what's the component, what's the version.
[34:28] Allan Friedman
We're good, except these are sometimes a little tricky to define.
[34:33] Allan Friedman
Is it Microsoft or Microsoft Inc.
[34:36] Allan Friedman
Is the component Windows ten or Windows ten?
[34:40] Allan Friedman
So we're bumping into the naming problem.
[34:44] Allan Friedman
There's no obvious solution.
[34:46] Allan Friedman
We can talk a little bit about that in a moment.
[34:49] Allan Friedman
Then there's some of the identifiers.
[34:51] Allan Friedman
So the government funded vulnerability databases tend to use CPE, common platform enumeration, large amounts of open source has sort of settled into package URL's or perls.
[35:07] Allan Friedman
Perl isn't an identifier per se.
[35:10] Allan Friedman
It's an identifier wrapper that takes advantage of the fact that many, though not all, package managers have a unique local namespace.
[35:21] Allan Friedman
So I just point you to NPM, and NPM's job is to make sure that there's only one foo in that database or in that package.
[35:32] Allan Friedman
Then we start to walk into some of the other types of things that we may want.
[35:36] Allan Friedman
Well, hash is always useful when you're talking about bits.
[35:41] Allan Friedman
How do we take the hash?
[35:42] Allan Friedman
What format do we use?
[35:44] Allan Friedman
And as we look at complex systems and complex directories, what am I taking the hash of for a directory?
[35:55] Allan Friedman
So if I do that, and there are always fun edge cases on how to take that.
[36:03] Allan Friedman
So there's some basic data that we want for each component.
[36:07] Allan Friedman
One other thing that often comes up is key use cases, license management.
[36:13] Allan Friedman
It's not always a security issue.
[36:17] Allan Friedman
You can tell the security story around licensing.
[36:20] Viktor Petersson
Let's put a pin in that for a second, because I want to dive into the whole use case afterwards.
[36:25] Viktor Petersson
Let's start with the structure, and then we can zoom into the actual use case after, because I think that's worth a longer discussion.
[36:35] Allan Friedman
We've got the basic type of data that we need for each component.
[36:40] Allan Friedman
This has been spelled out in a document called the NTI minim elements.
[36:44] Allan Friedman
That was written in 2021.
[36:46] Allan Friedman
That's a lifetime ago, three years ago, which it's nice to look behind us and say, oh, we've made a lot of progress.
[36:55] Allan Friedman
So there are a number of efforts to try to update this so that we have a shared vision, not in the formats, but a little higher up to, say, specification.
[37:06] Allan Friedman
What counts as an S bomb?
[37:07] Allan Friedman
Then we talk about the structure itself.
[37:09] Allan Friedman
So in theory, a simple vision of an S bomb is just a tree graph or directed acyclic graph, and there'll be some joining.
[37:19] Allan Friedman
Right.
[37:20] Allan Friedman
Two different parts of your supply chain can use the same product.
[37:24] Allan Friedman
Depends on the language and context about whether you have multiple copies or not.
[37:29] Allan Friedman
So one key question is, what's the depth?
[37:34] Allan Friedman
Three years ago, when we first started saying this, wasn't sure that we could actually say, have a complete sbom.
[37:44] Allan Friedman
Tell us everything that's in your software.
[37:46] Allan Friedman
So the language that's used from three years ago is have all the information for your direct dependencies, your top level dependencies, with enough information about each of them so that you can find out more.
[37:59] Viktor Petersson
Right.
[37:59] Allan Friedman
I think moving forward, there are going to be calls to have better ways of describing depth and pushing for more depth.
[38:08] Allan Friedman
Thinking about log for j, that was almost no one's direct dependency.
[38:13] Allan Friedman
It was definitely transitive for most approaches, but there are some that are conquered.
[38:21] Allan Friedman
So the german government, for example, has written an s bomb specification that calls for a complete s bomb.
[38:27] Allan Friedman
I think that's a wonderful aspiration, but it's unclear whether we actually will get there today, also very next year.
[38:37] Viktor Petersson
It's possible, yeah.
[38:39] Viktor Petersson
It's also very language specific.
[38:40] Viktor Petersson
Right.
[38:41] Viktor Petersson
Some languages are more mature than others to do these transient lookups because it's fairly complicated to do this well at scale.
[38:51] Viktor Petersson
Right.
[38:52] Allan Friedman
And now we're getting into the nuances.
[38:55] Allan Friedman
If we're trying to apply this to all software, the language is important and the type of tool that we're using to capture the data is going to be important as well.
[39:07] Viktor Petersson
Absolutely, yeah.
[39:08] Viktor Petersson
And then we've spoken largely about an SBom being a JSON file, but in reality, in any real beyond like a hello world reference implementation.
[39:20] Viktor Petersson
And if you look at a product we can use like a smart thermostat as an example.
[39:26] Viktor Petersson
Right.
[39:26] Viktor Petersson
You would have, you would have an iOS app, you would have a backend, you would have probably a web front end, you have a firmware.
[39:34] Viktor Petersson
All of them would have separate S bombs.
[39:37] Viktor Petersson
That needs to be all linked to.
[39:40] Viktor Petersson
And there is, in Cyclodx, at least there is a reference model where you can say, here is a pointed to another component.
[39:48] Viktor Petersson
Because the argument we saw earlier almost like, well, let's just flatten everything to a list.
[39:52] Viktor Petersson
But that becomes completely unusable because then you're like, oh, I have this vulnerable dependency.
[39:58] Viktor Petersson
I have no idea where it actually comes from.
[40:02] Allan Friedman
Indeed.
[40:02] Allan Friedman
And for, even for something straight forward of a system, we can say this is the hierarchy here.
[40:14] Allan Friedman
I've got this system with this subsystems.
[40:17] Allan Friedman
As you start to look to more complex, especially embedded space systems of systems, that's where we are sort of bumping into some challenges where there isn't an intrinsic hierarchy.
[40:32] Allan Friedman
And so we just need some way, some common way of having, of relating these.
[40:38] Allan Friedman
We're spinning up a work stream at CISA that is trying to look at this exact question, which is how do we think about complex systems of systems?
[40:47] Allan Friedman
A cardinal where, okay, what's the top, what's actually dependency?
[40:53] Allan Friedman
Are these subsystems all in direct dependence of the car?
[40:58] Allan Friedman
And then they have their own.
[40:59] Allan Friedman
Is there a better way that we can do it?
[41:01] Allan Friedman
And again, trying to focus on the use case and then working backwards, say, okay, that's how we should represent them.
[41:09] Viktor Petersson
And I think you don't have to go that advanced and complicated as a car.
[41:14] Viktor Petersson
You just have to look at, say, microservices.
[41:16] Viktor Petersson
Right.
[41:16] Viktor Petersson
If you have a Kubernetes cluster that runs a few microservices, well, each service would have some language specific dependencies.
[41:25] Viktor Petersson
So that rust, Python, go, whatever that may be, you then have a docker container that runs it, which would have its own set of dependencies there.
[41:33] Viktor Petersson
You have already here at a per container basis, you now have two sboms for each microservice, and then you might have 20 microservices running in the same cluster.
[41:44] Viktor Petersson
That makes up for a product, a simple source product, because having.
[41:47] Viktor Petersson
Right, 510 microservices is kind of boilerplate or very common today, like, as we've moved away from monoliths.
[41:54] Viktor Petersson
Right.
[41:55] Viktor Petersson
So I think that's, there's a problem far earlier than that.
[42:00] Allan Friedman
Agree.
[42:01] Allan Friedman
And modern, dynamic applications sort of bump into things where, okay, hey, how do we treat these dependencies?
[42:13] Allan Friedman
Since not everything will be called in a deterministic fashion.
[42:20] Allan Friedman
Two for third party API calls, or even local but ephemeral APIs, also a little tricky in terms of being able to track them.
[42:36] Allan Friedman
There's some really good work that's happening in different corners of the ecosystem.
[42:43] Allan Friedman
CNCF has been doing some great work on this.
[42:45] Allan Friedman
OWasp has been doing some good work on this, of sort of trying to say, here's a way to describe at least most of the problem, and we'll document the tricky edge cases as we go.
[42:57] Viktor Petersson
Yeah.
[42:57] Viktor Petersson
So, as I've been kind of like emerging myself in the sbom world, one thing, the first thing I discovered when I started to apply this at screenly, and building SBom to screen was first, was the whole, like, well, we have ten microservices that all have separate s bombs.
[43:13] Viktor Petersson
Then we have some other things here, but then finally we have a device side of that as well.
[43:17] Viktor Petersson
So building this whole device structure became somewhat complicated.
[43:22] Viktor Petersson
And then once we started to realize that was the first problem, the second problem was, well, an S bom is a snapshot in time truth.
[43:35] Viktor Petersson
It's not an absolute truth.
[43:37] Viktor Petersson
Right.
[43:38] Viktor Petersson
Every CI CD pipeline run, you do, even if you pin your dependencies, your transient dependencies may not be pinned.
[43:46] Viktor Petersson
So every single run would potentially produce a different s bom, unless you have a deterministic build, which is a nice idea, but in reality, nobody really does.
[43:59] Allan Friedman
Be nice to debian.
[44:01] Allan Friedman
They're great.
[44:03] Viktor Petersson
Right?
[44:04] Viktor Petersson
But I mean, like, but even if, regardless of your distro, right, like, it's, the reality is that it's not, it shouldn't be considered a static element, as I think a lot of the debates talk about s bomb tend to treat it, but rather a dynamic element.
[44:25] Allan Friedman
And this is where we get back to the idea of why are we doing this?
[44:29] Allan Friedman
And the goal isn't to just have the data, it's to make sure we have the data available for use.
[44:36] Allan Friedman
So last year, CiSa published a document that was drafted by the community on what does SBom mean for SAS?
[44:45] Allan Friedman
And acknowledged that there are some differences.
[44:49] Allan Friedman
So in terms of a use, if I'm looking at a blinking box that's keeping grandma alive in the hospital, I need to know what's on that because the manufacturer may disappear or there may be a short term vulnerability.
[45:04] Allan Friedman
I can't patch it since grandma is still plugged in, but I can know about what's on there, so I can take other mitigations.
[45:11] Allan Friedman
If my data is in a SAS platform, then I won't have the same operational role.
[45:18] Allan Friedman
I can't patch SAS.
[45:21] Allan Friedman
And my option may only be just to like, say, I'm going to pull my data off.
[45:25] Allan Friedman
Now, most of the major attacks we know about, it's too late, but there's still lots of use cases that we can have.
[45:34] Allan Friedman
So one is just compliance.
[45:35] Allan Friedman
Let me just make a regular approach to say, okay, I need to know on a regular basis that my data isn't touching software that was created by a company that's on a government's no list.
[45:52] Allan Friedman
So, you know, for example, in the United States, we just said no Kaspersky labs.
[45:59] Allan Friedman
So people will need to be able to show that they are complying with that.
[46:04] Allan Friedman
But also, let's go even further back, which is before I sign the check and before I commit to putting my data and my customers data on SaaS or having that SaaS integrated into my operations, I want that snapshot.
[46:19] Allan Friedman
That snapshot still has huge value, and we can talk about how often I'm going to want that.
[46:27] Allan Friedman
So I agree that, yes, a daily build, an hourly build something faster means that the data isn't going to be fixed.
[46:37] Allan Friedman
But that's okay, because a lot of what I need to know is either is one, does my supplier of the s bomb, my supplier needs to be able to instantly say, oh, God, someone's exploiting this now let's go make sure that we're covered.
[46:55] Allan Friedman
So that's one piece of value, too.
[46:59] Allan Friedman
We bucket this in terms of s bomb is value for the people who make software, for the people who choose software before I make that decision.
[47:07] Allan Friedman
And then once we're operating it and just in SAS, we break that last bucket into the operators and the subscribers because, you know, hey, you know, my local instance may be run by a third party that's not the supplier, but they still have admin rights eyes the subscriber don't.
[47:25] Allan Friedman
So there's roles for everyone in that, in this model.
[47:30] Viktor Petersson
Yeah.
[47:30] Allan Friedman
No.
[47:31] Viktor Petersson
The reason why sbombs even appeared on my radar, I've heard the phrase from time to time at conference talks and whatnot.
[47:37] Viktor Petersson
But the reason why I started paying attention to it was really like we started to get a, our customers asking for response.
[47:44] Viktor Petersson
And that's kind of that screen.
[47:45] Viktor Petersson
That's when I started to like, oh, this is more than theoretical.
[47:49] Viktor Petersson
Nice to have is actually, this will become a thing.
[47:52] Viktor Petersson
Right.
[47:52] Viktor Petersson
And that's when I'm like, how do you make that operational?
[47:58] Viktor Petersson
And that's why I was like, I, for me as a SaaS, coming from a SaaS world, like the whole generation and sharing needs to live in a CI CD pipeline.
[48:08] Viktor Petersson
Otherwise it's just a snapshot in time, which you are correct, it has value, but not as much value.
[48:14] Viktor Petersson
Right, right.
[48:15] Allan Friedman
And in fact, where we see the most adoption for s Bom today is internally developed software by mature organizations, you know, banks, large corporations that produce a massive amount of software.
[48:34] Allan Friedman
But it's all written internally, ideally with good modern tools, good modern processes.
[48:40] Allan Friedman
And Ns bom should just fall out of your CI CD pipeline.
[48:46] Allan Friedman
It should be a natural part of as you track where your containers are deployed.
[48:52] Allan Friedman
Great.
[48:53] Allan Friedman
Track the metadata in that.
[48:55] Allan Friedman
Metadata should be, heres everything thats in that stripped down operating system thats running in your container.
[49:02] Viktor Petersson
Yeah.
[49:02] Viktor Petersson
And that takes me to another thing.
[49:04] Viktor Petersson
There was a report bringing out from Saisa about, I think was called the sharing prime or something like that.
[49:11] Viktor Petersson
The sharing report that talked about how s pumps are being sent and shared.
[49:18] Viktor Petersson
And to me it seems like the way sbums are dealt with today is much like we dealt with software patches in the nineties.
[49:27] Viktor Petersson
Like we're sending patches by email.
[49:30] Viktor Petersson
Right.
[49:30] Viktor Petersson
That's still, I've spoken to quite a few companies about their spons in last few months.
[49:35] Viktor Petersson
And to a great degree, it's just a tick box.
[49:40] Viktor Petersson
It's just like, yes, I received it and I put in my sharepoint.
[49:43] Viktor Petersson
Cool.
[49:44] Viktor Petersson
That's the extent of it, right?
[49:46] Viktor Petersson
So I can say, oh, cool, I have received it.
[49:48] Viktor Petersson
Great.
[49:50] Viktor Petersson
And that again is a snapshot in time.
[49:52] Viktor Petersson
At one point it's probably like 45 build releases behind what is actually running production.
[49:58] Allan Friedman
So again, it depends on how we're deploying our software.
[50:04] Allan Friedman
If I'm sending an update, pretty straightforward.
[50:07] Allan Friedman
If I'm sending software that's ending up as bits on a platter someplace, then it's pretty straightforward.
[50:14] Allan Friedman
You move your blob, your metadata comes with your blob.
[50:19] Allan Friedman
We get a little more complicated when we get to devices, embedded systems, where of course, in the SaaS context, right now, what a lot of the major manufacturers are doing is they're setting up portals.
[50:35] Allan Friedman
Now, I was an adolescent in the 1990s.
[50:41] Allan Friedman
For me, the best year of music was 1994.
[50:45] Allan Friedman
And kids these days, they need to know about music from the nineties.
[50:50] Allan Friedman
But we don't need to tell them about portals.
[50:53] Allan Friedman
We don't need to go back to a web portal model.
[50:57] Allan Friedman
We need to have a better way of having this scale.
[51:01] Allan Friedman
The biggest challenge is, of course, for access control.
[51:05] Allan Friedman
So how do I make sure that my customer can get the data but that it's not public?
[51:11] Allan Friedman
Totally get the idea that we don't want this to be, or many organizations don't want this to be public today, I think where we will head eventually may involve more of this data being public, just because it's such a hassle to have scalable access control where I can have the data and I can feed the data into my vuln management, my asset management, my data lake, my CMBB.
[51:39] Allan Friedman
And managing that flow at scale is going to be key.
[51:45] Allan Friedman
The newest market that I've seen has been in the vulnerability of the SBom management space, where, as you say, okay, how do I track data is coming in?
[51:55] Allan Friedman
How do I automate that?
[51:57] Allan Friedman
How do I map that data to where things are deployed?
[52:01] Allan Friedman
How do I map that data to my compliance engines?
[52:04] Allan Friedman
And that is right.
[52:07] Allan Friedman
Plumbing, as folks who work in it know, plumbing is boring.
[52:11] Allan Friedman
And it's also one of the things that everyone at the end of the day is going to have to pay for, because data management at scale in an automated fashion means you've got to usually have some system that just puts all of the pipes to each other.
[52:25] Allan Friedman
There are a couple of great organizations that are doing this, some of the big players, but also a number of really cool startups in this space.
[52:32] Viktor Petersson
Yeah, because what we really need is the equivalent of GitHub for s pumps.
[52:37] Viktor Petersson
That's really what we're looking for.
[52:39] Viktor Petersson
I think that's a reasonable analogy for the context.
[52:44] Viktor Petersson
Cool.
[52:45] Viktor Petersson
Well, we've spoken at length now about what sboms are, and a bit going at that.
[52:51] Viktor Petersson
So now we talked about cycling DX and we talked about SPDX.
[52:57] Viktor Petersson
But let's talk a bit about why there are two formats, and you kind of hint at this already with licensing being one of them, which is where SPDX coming from.
[53:05] Viktor Petersson
But let's talk there.
[53:06] Viktor Petersson
Let's start with SPDX.
[53:08] Viktor Petersson
Their focus is licensing and SPDX.
[53:13] Allan Friedman
So SPDX was the first approach for managing this data, and its original model was for licensing.
[53:24] Allan Friedman
Right.
[53:24] Allan Friedman
It was a Linux foundation project, because the open source community was tired of I've got this lovely project, maybe it's under a patch here at MIT, and then someone does some commits and whoops, I've been running GPL code.
[53:38] Allan Friedman
So even the commercial world sort of has some challenges.
[53:42] Allan Friedman
Even the open source world is challenging that.
[53:46] Allan Friedman
Cyclone DX came along out of the Oauth world.
[53:50] Allan Friedman
The DX is actually sort of a nod to SPDX for that.
[53:59] Allan Friedman
They're both, again, I'm going to read it.
[54:02] Allan Friedman
They're both great, and both of them get the job done very well.
[54:08] Allan Friedman
Both of them are evolving.
[54:10] Allan Friedman
And all of the problems we've talked about in terms of the nuts and bolts of implementation exist in both.
[54:17] Allan Friedman
The implementation stuff is at a higher level because the philosophies are different.
[54:23] Allan Friedman
There are some subtle differences.
[54:25] Allan Friedman
So SPDX was built to convey data across supply chain, and so there was sort of an intrinsic idea that it's going to flow across organizational boundaries.
[54:39] Allan Friedman
And so that's why I think we've seen uptick the most adoption from large organizations that are supply chain focused, that are thinking about the data is going to move.
[54:54] Allan Friedman
And the implementation of SBOM comes from engineers and managers who are thinking about supply chain.
[55:05] Allan Friedman
Cyclone DX comes out of Owasp, and so it's sort of built by devs for devs.
[55:12] Allan Friedman
And so that's for people who are saying, I want to implement Sbom that are wearing their developer hat or their appsec hat, as opposed to a product security hat.
[55:24] Allan Friedman
If they're wearing an appsec hat, Cyclone DX is just.
[55:27] Allan Friedman
It's going to resonate a little more, right?
[55:29] Allan Friedman
It's sort of one of these sort of, you see rhymes and it sort of.
[55:34] Allan Friedman
It wears your clothes.
[55:38] Allan Friedman
That's not a universal thing.
[55:39] Allan Friedman
I know plenty of appsec people use who uses SPDX.
[55:43] Allan Friedman
I know a number of major P certs who use Cyclone DX, but that's sort of where you sort of see the resonance.
[55:53] Allan Friedman
Both of them are aiming for international standard status.
[55:59] Allan Friedman
But again, where I think we should be ultimately focusing on for governments and for policy is don't standardize the format, standardize the specification above it.
[56:15] Viktor Petersson
Right.
[56:16] Viktor Petersson
And at least as of this recording, it seems like Cyclone DX is the one that has more momentum right now, at least from what I can see in terms of tooling at least.
[56:27] Viktor Petersson
But maybe that's, maybe you have a different opinion on that.
[56:31] Allan Friedman
You know, I haven't done the legwork.
[56:35] Allan Friedman
I talked to a lot of people who like both.
[56:39] Allan Friedman
And again, I think it's sort of, it speaks to the communities.
[56:44] Allan Friedman
Right.
[56:45] Allan Friedman
If you're in a dev world, you have many small open source tools.
[56:50] Allan Friedman
If you're wearing a product security hat, then you're going to have a little more of custom rig and you're going to be sort of building for scale.
[57:04] Allan Friedman
And that's just again, I really don't see either moving more.
[57:13] Allan Friedman
Both of them keep adding new features.
[57:16] Allan Friedman
Cyclone DX has sort of added a lot of saying, okay, well, we can provide bills of material in other formats.
[57:23] Allan Friedman
SPDX has done a very similar thing where they built out with a different philosophy, where they built out a formal data model, which is a very big deal in the standards world with a new SPDX 3.0.
[57:39] Allan Friedman
But tooling is only beginning to emerge that is specifically targeted at 3.0.
[57:48] Allan Friedman
I wish they had been a little faster on the 3.0 rev.
[57:51] Allan Friedman
Yeah.
[57:52] Viktor Petersson
Because a good example of that is this notion of referencing other s bombs in SBOM.
[57:57] Viktor Petersson
Right.
[57:58] Viktor Petersson
Cyclone DX added that in 15176.
[58:01] Viktor Petersson
I believe they're one seven now, I think.
[58:03] Viktor Petersson
Right.
[58:04] Viktor Petersson
And that's just coming into SPDX three, which for me feels like a fairly critical building block in doing this at scale.
[58:16] Allan Friedman
It is.
[58:17] Allan Friedman
I mean, to get deep into the background and again, the Cyclone DX, sort of reflective of, sort of the appsec world, has done a bunch of small revs, introducing features that sort of said, okay, we'll figure out the details as we go.
[58:39] Allan Friedman
SPDX, I think, because again, they're working with some larger organizations, said we're going to create a more formal model.
[58:50] Allan Friedman
Again, personally, I wish they had moved a little bit faster, but I think it's one of those invest now so that you can scale more later.
[59:01] Allan Friedman
I don't think either of them are inherently better or worse.
[59:06] Allan Friedman
My advice is look at both of them and see what meets your needs the best.
[59:13] Viktor Petersson
That's fair and pragmatic.
[59:18] Viktor Petersson
And just to recap that SPDX is more oriented towards licensing and cycle NDX, more oriented towards security due to their roots I guess lithe federation versus OWASP.
[59:34] Allan Friedman
I don't think it's licensing per se.
[59:37] Allan Friedman
I think it's that because SPDX can definitely convey security, it's the.
[59:43] Allan Friedman
Are you oriented towards keeping?
[59:46] Allan Friedman
Is this, is the data going to be used locally?
[59:50] Allan Friedman
It's going to be used where the focus is.
[59:53] Allan Friedman
And again, Cyclone DX can definitely be shared with customers and things like that.
[59:57] Allan Friedman
I don't want to dismiss this, but it's sort of the philosophy behind it is I want this data to keep it as I'm doing my dev and AppSec work, whereas SPDX is saying, yeah, I want the data locally, but I also, right, it seems to have a philosophy of saying, let me share it on the supply chain side.
[01:00:19] Allan Friedman
So it's sort of the.
[01:00:21] Allan Friedman
And you need security data on both pieces.
[01:00:23] Allan Friedman
So both of them, I think are, yeah, I do.
[01:00:35] Allan Friedman
No one benefits from having two standards that actively, publicly fight.
[01:00:41] Allan Friedman
And so this is where I keep coming back to.
[01:00:45] Allan Friedman
If you're an organization that is going to be using S bombs or sharing S bombs with your customers, you should have a long term plan to think of it to be bilingual.
[01:00:56] Allan Friedman
Right.
[01:00:56] Allan Friedman
We're all going to be Canada.
[01:00:58] Allan Friedman
And in the short run, either one is great.
[01:01:04] Allan Friedman
Pick the vendor you like, pick the tool you like.
[01:01:07] Allan Friedman
Start with that.
[01:01:09] Viktor Petersson
Right?
[01:01:10] Viktor Petersson
That's fair.
[01:01:10] Viktor Petersson
That's fair.
[01:01:11] Viktor Petersson
All right, so let's talk about tooling, because this week, just this week, or last week, I think, was, there was a report coming out of an italian university where they'd done some work around s bombs on what SBom generated from GitHub's dependency graph, right?
[01:01:28] Viktor Petersson
Because we all agree that s bombs are nice and they have utility, the devil's in detail.
[01:01:34] Viktor Petersson
How do you implement it?
[01:01:35] Viktor Petersson
How do you use them?
[01:01:35] Viktor Petersson
How do you build them?
[01:01:36] Viktor Petersson
And it seems to be that the obvious thing for most people, including myself, when I started looking at this, it's like, well, GitHub is probably where I want to start looking at this.
[01:01:47] Viktor Petersson
GitHub has my source code, they have my dockerfiles.
[01:01:50] Viktor Petersson
They're in a pretty good position to build a high quality sbom.
[01:01:54] Viktor Petersson
Turns out that it wasn't quite as straightforward.
[01:01:58] Viktor Petersson
Do you want to speak a bit about that report and kind of like the, I guess, controversy in a sense of their findings?
[01:02:06] Allan Friedman
Sure.
[01:02:07] Allan Friedman
So this is work out of the University of Sano and the University of Salerno down in southern Italy.
[01:02:14] Allan Friedman
Really exciting.
[01:02:15] Allan Friedman
One of the things that I love about my job is I got to say, hey, let's get this random.
[01:02:20] Allan Friedman
I think he's a first.
[01:02:21] Allan Friedman
The author wrote it as part of his master's thesis.
[01:02:24] Allan Friedman
His advisors joined it and so he published it at a pretty good tier ACM conference.
[01:02:32] Allan Friedman
And then I got to say, hey, come, I want you to talk to 150s bomb experts.
[01:02:39] Allan Friedman
I didn't get to do that when I was a junior PhD student, so that was just a lot of fun to sort of engage that.
[01:02:51] Allan Friedman
It's not that GitHub data is useless, it's still valuable.
[01:02:56] Allan Friedman
The question is, how do we get as complete data as possible?
[01:03:04] Allan Friedman
And I think we're now at a point where when we started off with s bom, it was a dear God, have anything is better than nothing because we just had so little visibility, especially as we had more complex projects that were multi language and that we're using other people's dependencies that enlarge dependencies.
[01:03:27] Allan Friedman
We're now at a level, at a point where collectively we're talking about the quality of data.
[01:03:33] Allan Friedman
And so where we wanna, if we're looking for good data we want to get into, how do we make sure that we're getting the max amount?
[01:03:43] Allan Friedman
This is where some of that first wave of free tools may not be getting us as complete information as we want.
[01:03:51] Allan Friedman
It's definitely a good starting point, but for organizations that want certain assertions, I refer to this as proving the negative.
[01:04:00] Allan Friedman
How do I say with a high degree of confidence that something is not in my product?
[01:04:07] Allan Friedman
If something is not running on my network, then you're probably going to want to use some specialized tools that are built for the language, for the architecture, for the sector, because there are, you know, a car is not a heart monitor.
[01:04:25] Allan Friedman
And we now have companies that specialize in S bombs for automotive systems and S bombs for medical devices.
[01:04:35] Allan Friedman
Similarly, you know, go Lang isn't c.
[01:04:39] Allan Friedman
And there are communities that are specializing in sort of building out s bombs for different types.
[01:04:47] Viktor Petersson
And I think because one of the problems with generating S bombs in an automated fashion is it's hard to differentiate by.
[01:04:56] Viktor Petersson
Neon says, right, how do you programmatically determine what's a dev dependency or what's a test dependency versus a production dependency?
[01:05:05] Viktor Petersson
Sure, you could structure a repo so that it makes sense for a human to parse that by just naming conventions, but there are no standards to that scale across languages.
[01:05:17] Viktor Petersson
So that normal tool can do that for you right now.
[01:05:20] Allan Friedman
Exactly.
[01:05:21] Allan Friedman
You've hit one of the key things that has really risen is, okay, if I'm just looking at a source repo, I may have a lot of other things in there.
[01:05:31] Allan Friedman
Is this detrimental?
[01:05:33] Allan Friedman
It's going to oversample, right?
[01:05:35] Allan Friedman
It's going to give you a false inclusion, which I would argue for almost all use cases is better than a false exclusion.
[01:05:47] Allan Friedman
But it still doesn't give you this sort of accuracy where we measure this.
[01:05:52] Allan Friedman
I think it sort of does.
[01:05:54] Allan Friedman
It's almost a philosophy of science question or philosophy of technology question, which is there a true platonic absolute correct s bomb out there or does what's in my software really change based on when and how I measure it?
[01:06:17] Allan Friedman
And other parts of science have dealt with this question, and it's fascinating.
[01:06:23] Allan Friedman
I spent time studying philosophy of science because it was a nice change of pace from engineers.
[01:06:31] Allan Friedman
And the common ways of where we look for s bombs and how we measure them, we can say, okay, first case where a lot of people start is source repository, and that's where a lot of the research is happening because.
[01:06:45] Allan Friedman
Right, GitHub open data.
[01:06:47] Allan Friedman
So you can see, but there are many reasons why source won't give you truth.
[01:06:54] Allan Friedman
There's, one of them is, as you mentioned, there's a lot of other things that are going to be in a repo that look like dependencies, but that are the not actually prod.
[01:07:03] Allan Friedman
Another is your compiler is going to do weird things.
[01:07:07] Allan Friedman
I think there are like seven people in the world that actually understand how compilers work.
[01:07:13] Allan Friedman
It's dark arts, and trying to manage that is tricky.
[01:07:23] Allan Friedman
People will often say the purest place to actually measure and build your s bomb is at time of build.
[01:07:32] Allan Friedman
And the, that's great if you can.
[01:07:45] Allan Friedman
Sometimes folks will say, after I don't have access to the build, right, the software already exists, or I'm using a, you know, I'm using a binary as part of my build, so I still need it.
[01:08:00] Allan Friedman
So then we have binary analysis tools.
[01:08:05] Allan Friedman
This may not be optimal, but it is often what we have.
[01:08:09] Allan Friedman
And I'll also say that binary analysis tools have gotten a lot better in the last three or four years.
[01:08:15] Allan Friedman
It started off as pretty basic stuff, which is just you throw a commodity decompiler and then you do some string matching.
[01:08:24] Allan Friedman
There are now organizations that really have specialized in different kinds of binaries.
[01:08:30] Allan Friedman
They know the languages, they have experts in languages, and they just have incredible data as well.
[01:08:35] Allan Friedman
So this is almost, it's usually going to be proprietary, but there are lots of cool things out there.
[01:08:42] Allan Friedman
We see this a lot.
[01:08:43] Allan Friedman
There are a couple companies that are doing build s bombs for embedded systems, but a lot of the embedded and critical infrastructure stuff that matters to governments happens in binary analysis.
[01:08:57] Allan Friedman
And then there's a long tail of where else we can measure so we can say, hey, listen, if I'm spending $5 million on a piece of software, chances are it's going to be custom.
[01:09:07] Allan Friedman
And so I want to look at not what was built, but what was actually deployed in a complex ot system or in a complex web, you know, private cloud system.
[01:09:20] Allan Friedman
Then the last place that people are measuring it is there's a term of a runtime s bomb where they say, ok, the only thing that matters is it's running.
[01:09:31] Allan Friedman
So I'm just going to build based on what's running.
[01:09:34] Allan Friedman
I think that's really powerful, that fits into the XDR model of cybersecurity, but it isn't as useful for some use cases.
[01:09:43] Allan Friedman
Like I need to know what's in there before I run it because I want to make the decision.
[01:09:48] Viktor Petersson
Or like the Glibz example is a good one for that.
[01:09:51] Viktor Petersson
Right?
[01:09:51] Viktor Petersson
Like you might have an openssh and like, yeah, that looks fine, but the reality is that it's actually vulnerable because of the sub dependency or this library.
[01:09:59] Allan Friedman
Exactly.
[01:10:00] Allan Friedman
Yeah.
[01:10:02] Viktor Petersson
All right, so that's, I think is a good way of painting all the neon sets there.
[01:10:07] Viktor Petersson
Then the last thing I want touch on is kind of like auxiliary features around their spawns.
[01:10:14] Viktor Petersson
So we have a whole family of S bombs, and the one I kind of start with is O bomb, which is an operational material, which kind of goes into what we're talking about, where S bomb is one tree.
[01:10:28] Viktor Petersson
Oh, sorry, one.
[01:10:29] Viktor Petersson
One arm in this tree, or one branch, I guess, in a tree.
[01:10:33] Viktor Petersson
And then you have more information about how is it actually running.
[01:10:36] Viktor Petersson
So maybe talk a bit about how does this fit into the whole framework and structure.
[01:10:42] Allan Friedman
Sure, sure.
[01:10:43] Allan Friedman
So S bomb will not solve everything, right?
[01:10:49] Allan Friedman
I had to sort of repeatedly say the SB and S bomb does not stand for silver bullet.
[01:10:55] Allan Friedman
An S bomb will not go pick up your dry cleaning or watch your kids if you're running late.
[01:11:02] Allan Friedman
But so as we think about this, we want to look at other types of data.
[01:11:13] Allan Friedman
There are a couple of different philosophies of how we assemble our data.
[01:11:15] Allan Friedman
One is to say, let's build a single model that can cover everything.
[01:11:19] Allan Friedman
And another approach says, hey, let's focus on gathering data through separate models and then linking both of them are challenging.
[01:11:31] Allan Friedman
Very large data structures don't have a great track record.
[01:11:36] Allan Friedman
Trying to have sort of some one size fits all approach where we can put all the use cases together often disappoints, especially if we don't have a very expensive and time consuming formal data model.
[01:11:51] Allan Friedman
On the other hand, the assumption that says, well, let's have data and link it together, well, that requires really good identity and the ability to sort of actually say, this is correlated with this, and we can track them all the time.
[01:12:06] Viktor Petersson
And they're dynamic.
[01:12:07] Viktor Petersson
It's a dynamic object, not a static.
[01:12:09] Allan Friedman
It'S a dynamic system.
[01:12:12] Allan Friedman
What I try to focus on is let's make sure that they're all built for automation.
[01:12:17] Allan Friedman
And I'll give an example of some work that's happening right now on something called AI bombing.
[01:12:25] Allan Friedman
Hey, we can't have a podcast on cybersecurity without mentioning Aih.
[01:12:31] Allan Friedman
So you almost.
[01:12:36] Allan Friedman
Yes, and some people say we have software builds of material.
[01:12:41] Allan Friedman
Let's talk about what we have for generative AI.
[01:12:45] Allan Friedman
And the vision is to, there is some work that exists already.
[01:12:52] Allan Friedman
So we have data cards, we have model cards and things like that.
[01:12:55] Allan Friedman
But are they machine readable and are they machine generatable?
[01:13:00] Allan Friedman
And sort of, for me, that's sort of the table stakes is making sure that we're not just logging the data, because if you log data can be thrown over in a corner, in a pile, but we're actually keeping the data in a way that I can slot it into other tools to use.
[01:13:18] Allan Friedman
And that's some of the discussion that's happening right now.
[01:13:21] Allan Friedman
This has a working group that's run by some super smart people who have both security expertise and AI expertise and sort of trying to say, okay, how do we move towards transparency that's built towards use cases?
[01:13:37] Allan Friedman
Same thing.
[01:13:39] Allan Friedman
There's been some great work on cryptographic build materials where as we shift and orient towards a post quantum world, let's start tracking key material.
[01:13:53] Allan Friedman
Let's start tracking what algorithms are being implemented.
[01:13:56] Allan Friedman
And Cyclon DX has done some great work on this.
[01:14:00] Allan Friedman
But again, it's good to make sure we can map them.
[01:14:06] Viktor Petersson
There's no reason why we keep it.
[01:14:08] Allan Friedman
In the same structure.
[01:14:09] Viktor Petersson
Yeah, exactly.
[01:14:11] Viktor Petersson
Because that needs to live side by side with your s bomb for your backend.
[01:14:15] Viktor Petersson
Right.
[01:14:15] Viktor Petersson
Because it's a function of the backend.
[01:14:17] Viktor Petersson
So they are inherently related.
[01:14:20] Allan Friedman
Right, agree.
[01:14:22] Allan Friedman
But the data, the challenge of keeping things together is if there are hidden assumptions that aren't there.
[01:14:28] Allan Friedman
Right.
[01:14:29] Allan Friedman
So my cryptographic build materials is based on my work, but I also have s bomb data that came from somewhere else.
[01:14:36] Allan Friedman
Well, do we assume that data is there?
[01:14:39] Allan Friedman
Same thing, similar thing with the keeping vulnerability data with the s bomb.
[01:14:43] Allan Friedman
If I know how all the data was generated and it's live, then by all means, it would be stupid not to keep your vulnerability data closely bound and integrated to your SBOm data, and that's why a lot of teams do it.
[01:15:00] Allan Friedman
However, if we think there's a chance that mysbom data is going to move to a different organization, then we're introducing a huge risk, because I don't know if that vulnerability data is going to be kept live.
[01:15:16] Allan Friedman
That's one of the core challenges is making sure that we can do this.
[01:15:23] Viktor Petersson
My counter argument that would be.
[01:15:24] Viktor Petersson
Well, if you assume that the Sbom is a snapshot in time generated at build CI CD, however you do that you can then if you include or nothing, it's relatively trivial with open source tools today to generate a list of CV's or vulnerable packages based on any sbom, right?
[01:15:45] Viktor Petersson
So I guess including or not, it's kind of like.
[01:15:52] Viktor Petersson
It's kind of like.
[01:15:54] Viktor Petersson
What's the phrase I'm looking for?
[01:15:56] Viktor Petersson
It's a silly way of obfuscation, right?
[01:15:59] Viktor Petersson
It's not really.
[01:15:59] Viktor Petersson
You're not actually solving anything, you're purely obfuscating it.
[01:16:03] Viktor Petersson
It's still there.
[01:16:04] Viktor Petersson
You could easily look it up.
[01:16:05] Viktor Petersson
So it's not like you actually.
[01:16:07] Viktor Petersson
It's not unless you run the version of it.
[01:16:10] Allan Friedman
No, I agree completely.
[01:16:11] Allan Friedman
But again, that speaks to how the data is going to be used.
[01:16:15] Allan Friedman
And that's where we need to be explicit about what assumptions are in the metadata.
[01:16:22] Allan Friedman
And so as long as everyone has that slotted in, it's great.
[01:16:27] Allan Friedman
When we have a mismatch between how the data was collected and maintained and how it's being used, that's where you're going to have.
[01:16:34] Allan Friedman
Right.
[01:16:34] Allan Friedman
Whoops.
[01:16:35] Allan Friedman
That slipped through.
[01:16:36] Allan Friedman
And now we have another.
[01:16:38] Allan Friedman
The famous Equifax breach.
[01:16:42] Allan Friedman
Equifax had a scanning tool.
[01:16:44] Allan Friedman
It just wasn't scanning the right things.
[01:16:47] Allan Friedman
And so that's why their infrastructure was still using Apache struts, the vulnerable version.
[01:16:52] Allan Friedman
And we have one of the most costly data breaches.
[01:16:56] Viktor Petersson
Right, fair enough.
[01:16:57] Viktor Petersson
Fair enough.
[01:16:58] Viktor Petersson
The last thing I want to figure, I want to talk about is the security side of this.
[01:17:02] Viktor Petersson
You already mentioned Vex.
[01:17:03] Viktor Petersson
And maybe for people not savvy in both terminology and Sbom Lingo, what's Vex and how does it fit into the whole SBom conversation?
[01:17:15] Allan Friedman
Vex is the vulnerability exploitability exchange.
[01:17:19] Allan Friedman
Probably one of the worst name projects in all cybersecurity.
[01:17:24] Allan Friedman
It was my fault.
[01:17:25] Allan Friedman
They said, we need a temporary name for this.
[01:17:26] Allan Friedman
Let's just give it this name.
[01:17:27] Allan Friedman
And some of you may know that the most permanent things in the world are temporary government ideas.
[01:17:33] Allan Friedman
So we have that.
[01:17:35] Allan Friedman
But the idea is pretty straightforward, but also I think, really important, which is that we need to not all vulnerabilities actually put someone at risk.
[01:17:47] Allan Friedman
There's lots of times where I may be using a piece of software and having, and using vulnerable software.
[01:17:56] Allan Friedman
Right, OpensSL version, old, but I'm only using the pseudo random number generator and so the web server piece is not even going to be included in my product.
[01:18:08] Allan Friedman
Maybe the compiler strips it out and so there is no heartbleed risk.
[01:18:14] Allan Friedman
But a naive scanner will see versionold old and it will just light up saying heartbleed, heartbleed.
[01:18:23] Allan Friedman
Vex is just a machine readable way of communicating whether or not a vulnerability affects a given piece of software.
[01:18:31] Allan Friedman
So it's a binding of some sort of software identifier, some sort of vulnerability identifier, and then a status.
[01:18:38] Allan Friedman
And the status says you're affected, which is just an ordinary security advisory, you're not affected, and that's valuable.
[01:18:45] Allan Friedman
And then there's also, I patched it.
[01:18:47] Allan Friedman
So there's a new version, or the last one is just under consideration, which is, I know about this, I'm working on it.
[01:18:57] Allan Friedman
Give me a second.
[01:19:00] Viktor Petersson
This can be linked in the sbom file.
[01:19:03] Allan Friedman
It can, it can be linked in the sboms file and it can also live independently.
[01:19:07] Allan Friedman
And again, that gets back to the, what are you trying to use?
[01:19:11] Allan Friedman
How are you doing it?
[01:19:12] Allan Friedman
So if you have a local dev shop, right, you're making software internally, then, yeah, this is great.
[01:19:19] Allan Friedman
Someone can say, okay, here's a vulnerability that's showing up from my basic.
[01:19:24] Allan Friedman
I have an s bomb.
[01:19:25] Allan Friedman
I've scanned my s bomb against a vulnerability database.
[01:19:28] Allan Friedman
Oh, it lights up now I don't have, now policy forbids me from pushing this to production.
[01:19:33] Allan Friedman
Damn it, we need to get this out.
[01:19:35] Allan Friedman
Okay, let me look at this.
[01:19:37] Allan Friedman
Oh, this vulnerability doesn't actually affect the product, right?
[01:19:40] Allan Friedman
We've got inline controls or, you know, I'm really good at thinking about software and I can tell that the attacker can't actually touch this piece of code.
[01:19:51] Allan Friedman
And in fact, all of these are automatic flags are in vex.
[01:19:58] Allan Friedman
And now if I have a Vex, then my policy will let me push it, or alternatively I have an S bomb that ships with the product.
[01:20:09] Allan Friedman
And now I as a vendor can publish a Vex that my customer can integrate into their vulnerability management system that says, okay, Sbom turns the dashboard light on.
[01:20:21] Allan Friedman
Vex turns it off.
[01:20:23] Viktor Petersson
Right, okay.
[01:20:24] Viktor Petersson
And this takes me to the last point I have on my talking points here, which is attestation because it kind of a hot topic around s bombs and I guess highly relevant for VEX as well because if it's just a plain text without any cryptographic signature of any kind, any shape or form, it's obviously subject to exploit.
[01:20:43] Viktor Petersson
So maybe like bring the audience up to speed on what's the state of attestation and signed s bombs and how do you see that world shaping up?
[01:20:57] Allan Friedman
I think the future of software security and supply chain security is going to be attestations where we have the ability to document every action in the process of software creation, software build, software deployed, and as we go we can document that and securely sign the action.
[01:21:22] Allan Friedman
So we can show that I did the action securely, and then securely document that action was taken.
[01:21:30] Allan Friedman
This is a very grand vision.
[01:21:32] Allan Friedman
It'll be a while before we get this for all software, but I think that's where we should be headed is having these machine generated attestations and machine generated assertions that we can then link to very specific tools so that I can say listen, I trust that you're using Jenkins did this.
[01:22:00] Allan Friedman
I trust that it was this version of Jenkins, I trust that Jenkins did this securely.
[01:22:06] Allan Friedman
And so now we can move forward or I pulled this into my Monorepo and we can actually show this is the bits that were pulled in and then we can trace that to this is the bits that were used in the build and so on.
[01:22:21] Allan Friedman
There are some projects out there that are doing this.
[01:22:25] Allan Friedman
So in Toto is probably the open source project that's the most advanced, that's Linux Foundation, I think it's CNCF project.
[01:22:37] Allan Friedman
A couple of years ago I looked at it and said this is cool, this is just research.
[01:22:40] Allan Friedman
And now there are a number of organizations that are sort of helping instrument this and other companies that are instrumenting this and there are startups that are focusing on helping companies actually implement this and delivery.
[01:22:55] Allan Friedman
And again, as we sort of orient, nothing we do in security today could be done without automation from the beginning.
[01:23:05] Allan Friedman
And ideally we should start to add to that sentence, nothing should be done without automation and cryptographic validation and cryptographically supported documentation.
[01:23:19] Viktor Petersson
Yeah, just every time you see about this thing, attestation and the likes of all roads lead to PGP and it's just one of those things that it's a project that will never die and because it's just you forget about it for a few years but then you always like, you always run across it every once in a while so good.
[01:23:42] Viktor Petersson
This has been super fun, at least for me.
[01:23:44] Viktor Petersson
Alan, I kind of want to do a shout out for the conference you were organizing, or sliced or Guido, which is in the four.
[01:23:54] Viktor Petersson
Unfortunately, I would not be able to make it.
[01:23:55] Viktor Petersson
I wish I could make it in person, but unfortunately won't be able to do it.
[01:23:59] Allan Friedman
Fortunately, it's going to be a hybrid event, but in person is always better.
[01:24:03] Allan Friedman
If you want to meet 200 people who are all active in SBOM, come to Denver, September 11 and 12th, Denver, Colorado in the United States.
[01:24:15] Allan Friedman
It's a two day event.
[01:24:16] Allan Friedman
Day one is we're just going to talk about SBOM.
[01:24:20] Allan Friedman
We'll hear from governments, we'll check in with sectors, we'll talk about new technologies.
[01:24:25] Allan Friedman
It'll be vendor neutral.
[01:24:26] Allan Friedman
Day two, we're going to flip it around.
[01:24:28] Allan Friedman
We're going to have the first s bomb solution showcase.
[01:24:31] Allan Friedman
Got two dozen s bomb vendors, including at least one group representing an open source project that will say, hey, here's all the different ways that we can address these challenges.
[01:24:45] Allan Friedman
So if you're looking for S bomb solutions, you're simply not going to find a better place.
[01:24:49] Allan Friedman
Free for everyone to attend.
[01:24:52] Viktor Petersson
Amazing.
[01:24:52] Viktor Petersson
Anything else you want to shout out about before we wrap up?
[01:24:57] Allan Friedman
If you want to know, we have a weekly s bomb meetup meeting.
[01:25:02] Allan Friedman
We cover a huge range of topics.
[01:25:04] Allan Friedman
We've got announcements.
[01:25:05] Allan Friedman
You hear about research, you hear about new technology advances, completely biz dev free that meets at 11:00 a.m.
[01:25:14] Allan Friedman
uS east coast time, which is 05:00 p.m.
[01:25:17] Allan Friedman
central european time, which I guess is 04:00 p.m.
[01:25:20] Allan Friedman
london time these days, depending on daylight savings.
[01:25:23] Viktor Petersson
I believe it's 05:00 p.m.
[01:25:24] Viktor Petersson
my time.
[01:25:24] Viktor Petersson
Currently 05:00 p.m.
[01:25:25] Viktor Petersson
your time.
[01:25:26] Allan Friedman
Great.
[01:25:26] Viktor Petersson
Thank you.
[01:25:28] Allan Friedman
I'm american.
[01:25:29] Allan Friedman
We're bad at other countries.
[01:25:32] Allan Friedman
And then if you want to know more, Cisa dot gov sbom.
[01:25:37] Allan Friedman
Cisa dot gov sbom for all your Sbom needs, we have a library with a huge amount of resources.
[01:25:45] Allan Friedman
Papers published by the community, papers published by governments around the world.
[01:25:49] Allan Friedman
Your one stop shop.
[01:25:51] Allan Friedman
Feel free to reach out if you want to know more.
[01:25:53] Viktor Petersson
Amazing.
[01:25:54] Viktor Petersson
Thanks again, Alan, much having gone to show.
[01:25:57] Viktor Petersson
Amazing.
[01:25:57] Viktor Petersson
Thanks much.
[01:25:58] Viktor Petersson
Cheers.
[01:25:58] Allan Friedman
Really appreciate it, Victor.
[01:25:59] Allan Friedman
A lot of fun.

Found an error or typo? File PR against this file or the transcript.