
Join Viktor, a proud nerd and seasoned entrepreneur, whose academic journey at Santa Clara University in Silicon Valley sparked a career marked by innovation and foresight. From his college days, Viktor embarked on an entrepreneurial path, beginning with YippieMove, a groundbreaking email migration service, and continuing with a series of bootstrapped ventures.

SBOMs, CycloneDX, and Software Security with Steve Springett

20 Oct 2024 • 1 hour 12 mins

Today I'm diving into the world of Software Bills of Materials (SBOMs) with Steve Springett, one of the core working group stewards behind CycloneDX. Steve's work on standardizing how we communicate about software components is reshaping security practices across the industry.

We start by exploring what makes CycloneDX different from other SBOM standards. Steve explains their pragmatic approach to design, focusing on automation and real-world usability. What really caught my attention was how they’re tackling the challenge of dependency tracking and software supply chain security - issues I’ve wrestled with myself in various projects.

The conversation takes an interesting turn when we discuss different types of SBOMs within CycloneDX. Steve walks me through how their approach allows for creating a single bill of materials by linking different components together. Even in small deployments, this leads to multiple SBOMs, and we explore the practical implications of managing this complexity.

I was particularly interested in Steve’s vision for the future of software security and compliance. We discuss how organizations could potentially communicate autonomously through standardized SBOMs, and the real-world impact this could have on security practices. Steve shares some fascinating insights about Project Koala, which is taking a similar approach to CycloneDX.

If you’re working in software development or security, you’ll find plenty of practical takeaways here. Steve brings deep expertise in software supply chain security while keeping the discussion grounded in real-world applications. Whether you’re just starting with SBOMs or looking to improve your existing security practices, this conversation covers both the fundamentals and advanced concepts you need to know.


Transcript

[00:04] Viktor Petersson
Before we dive into the show, I want to do a quick mention of a product that I've created called sbomify.
[00:08] Viktor Petersson
sbomify is an SBOM hub.
[00:11] Viktor Petersson
It integrates directly into your CI/CD pipeline, so you can upload all your SBOMs straight into sbomify, and from there, you can share SBOMs with all your relevant stakeholders.
[00:21] Viktor Petersson
So check out sbomify.
[00:25] Viktor Petersson
and now onto the show.
[00:27] Viktor Petersson
Welcome back to another episode of Nerding Out with Viktor.
[00:31] Viktor Petersson
Today I have Steve Springett on the episode.
[00:34] Viktor Petersson
Welcome to the show, Steve.
[00:35] Steve Springett
Hey, Viktor.
[00:36] Steve Springett
Thanks for having me.
[00:37] Steve Springett
Appreciate it.
[00:38] Viktor Petersson
Super excited to have you.
[00:39] Viktor Petersson
You're one of the most prominent figures in the CycloneDX SBOM world.
[00:44] Viktor Petersson
So I'm really excited to kind of do almost like a follow-up to my episode with Allan Friedman and kind of dive into more like applied SBOMs, more so than SBOMs in theory.
[00:55] Viktor Petersson
And our paths have run across a few different things around the SBOM world.
[01:00] Viktor Petersson
So we have a lot of grounds to cover.
[01:02] Viktor Petersson
So maybe a good starting point is you obviously have used SBOMs for a long time in your day job, so maybe give a backstory, like your day job and how you kind of started using SBOMs for a thing.
[01:17] Viktor Petersson
Really?
[01:18] Steve Springett
Yeah.
[01:18] Steve Springett
Yeah.
[01:18] Steve Springett
No, thanks.
[01:20] Steve Springett
I don't know if prominent figure is.
[01:22] Steve Springett
I don't know how to take that.
[01:23] Steve Springett
That just means I have a target on my back at some point.
[01:28] Steve Springett
But no, I had a prior employer of mine.
[01:32] Steve Springett
We had some really basic requirements, right?
[01:35] Steve Springett
I had a requirement to track the inventory of things that were delivering to market.
[01:43] Steve Springett
And that thing that were most concerned about just because of the use cases that it was, you know, used in and who those customers were, was full stack.
[01:54] Steve Springett
Right?
[01:54] Steve Springett
It was a server appliance.
[01:56] Steve Springett
And so I had, you know, full stack requirements where I needed to track the.
[02:02] Steve Springett
All the individual hardware components.
[02:05] Steve Springett
Not going down to the, you know, resistor capacitor type level, but, you know, going down to maybe the mainboard type level, right.
[02:13] Steve Springett
What are the kind of cards that are in this system?
[02:16] Steve Springett
What is the firmware that's on this thing?
[02:19] Steve Springett
What is the operating system?
[02:20] Steve Springett
And the packages for that OS?
[02:23] Steve Springett
What is the application and the application libraries?
[02:28] Steve Springett
I had a need to track that entire thing, and what resulted from that was essentially the very first version of OWASP's Dependency-Track.
[02:40] Steve Springett
It was horrible.
[02:41] Steve Springett
It was absolutely horrible.
[02:43] Steve Springett
But I hired an intern, and, you know, we kind of hashed it out because there was nothing on the market that really allowed me to do this.
[02:51] Steve Springett
Right.
[02:52] Steve Springett
You know, there wasn't even a file format that allowed me to do this, but I had this requirement, I couldn't say no.
[03:00] Steve Springett
So you had to invent something.
[03:02] Viktor Petersson
But that was around, sorry, this was around.
[03:06] Steve Springett
This is around 2012.
[03:08] Steve Springett
Okay, so this is twelve years ago, and I had been doing supply chain stuff before that, right.
[03:14] Steve Springett
I had gotten into physical supply chain starting in 2008.
[03:19] Steve Springett
I was working on, not on the specification itself, but one of the implementations; it was a specification called ePedigree.
[03:28] Steve Springett
And ePedigree was an EPCglobal standard that really tracked the inventory and the, how would you say, all those raw materials that eventually came to be pharmaceuticals, and where those pharmaceuticals were then delivered.
[03:50] Steve Springett
Right.
[03:51] Steve Springett
Who were the different parties in the supply chain?
[03:54] Steve Springett
What flowed to whom and in what form did that flow, right.
[03:59] Steve Springett
So it was capturing both the inventory as well as the time aspect of not quite time series.
[04:07] Steve Springett
But it was complicated enough, which is actually one of the reasons why that specification failed.
[04:12] Steve Springett
It was really complicated and I learned a tremendous amount from that experience because I basically learned what works and what doesn't when developing a spec.
[04:23] Steve Springett
Right.
[04:23] Steve Springett
The state of California and the state of Florida at the time were the only states that really did it, and it was too bloody expensive for them to keep doing it.
[04:34] Steve Springett
Right.
[04:35] Steve Springett
The, you know, the manufacturing industry in pharmaceuticals, they push back, and rightfully so, because it was way too costly for them to do it.
[04:47] Steve Springett
And anyway, so I had some experience doing some supply chain stuff.
[04:51] Steve Springett
So when I was asked to do this task back in 2012, you know, I kind of knew what I needed to do and what I needed to stay away from.
[05:02] Steve Springett
And so that was good.
[05:04] Steve Springett
That kind of gave me a good starting point.
[05:07] Steve Springett
But basically what I did in 2012 with that full stack inventory eventually became the data model for Dependency-Track, which, that very first version was horrible, but it did the job, right?
[05:21] Steve Springett
It did.
[05:21] Steve Springett
Okay.
[05:22] Steve Springett
I maybe had a dozen users.
[05:24] Steve Springett
Right?
[05:25] Steve Springett
That's it.
[05:26] Steve Springett
Right, right.
[05:27] Steve Springett
And, but that data model kind of still exists today, and it exists in the, you know, the completely rewritten, you know, widely used Dependency-Track, but it also exists in the CycloneDX specification.
[05:45] Steve Springett
Right.
[05:45] Steve Springett
There's, there's a lot of synergies between these things because, you know, while we needed a portable format, these things were ultimately designed to work together, right.
[05:59] Steve Springett
A solution, not a specific solution, but a solution was designed to very easily work with the specification.
[06:09] Steve Springett
And so that's kind of the story of how I got into this and why.
[06:15] Steve Springett
And the SBOM community is certainly not perfect.
[06:20] Steve Springett
I know, NTIA started their effort in 2018.
[06:25] Steve Springett
I had no idea SBOM was a thing.
[06:28] Steve Springett
I mean, to me, why would you limit yourself to just software?
[06:32] Steve Springett
That doesn't make any sense to me.
[06:34] Steve Springett
But I posted an article on Medium, like a couple of years ago, and I basically equated that to, like, the physical supply chain folks.
[06:44] Steve Springett
I think I equated it to, like, maybe an automobile manufacturer.
[06:48] Steve Springett
Right.
[06:49] Steve Springett
Having a BOM specific for, you know, carbon fiber parts and another BOM specific for the aluminum parts and another.
[06:57] Steve Springett
That doesn't make any sense.
[06:59] Viktor Petersson
Right, right, yeah.
[07:01] Viktor Petersson
And at the time, predating the whole, I guess, SBOM tipping point that happened around the executive order being announced, where everybody jumped on it.
[07:13] Viktor Petersson
Prior to that, like the Googles of the world, they already had something equivalent to this internally.
[07:18] Viktor Petersson
Like all the really sophisticated tech shops, they had these inventory systems in house, right.
[07:23] Viktor Petersson
That were completely developed in house and did not adhere to any standard whatsoever.
[07:28] Viktor Petersson
Like, what kind of, like, were there any inspiration from that you drew from?
[07:32] Viktor Petersson
Or like, did you kind of work in the silo, or how did you think about that back in those days?
[07:38] Steve Springett
No, no.
[07:39] Steve Springett
That's a great point.
[07:40] Steve Springett
A lot of these tech firms, even my own one today, I mean, we have all this data.
[07:46] Steve Springett
It just wasn't in a standardized format and still isn't, and it's never going to be, which is kind of the point.
[07:54] Steve Springett
Now we can, which means that we can kind of spit out whatever format that exists today or in the future without issue.
[08:03] Steve Springett
For me, for my employer, that also includes all the services.
[08:07] Steve Springett
When we spit out an SBOM, you get the software, but you also get all the hundreds of services that you can optionally enable as well.
[08:14] Steve Springett
And other vendors that other software manufacturers that have an inventory of either software services, in some cases, hardware that they deliver to market.
[08:28] Steve Springett
Right.
[08:29] Steve Springett
Producing these types of bills of materials is relatively elementary.
[08:34] Steve Springett
Right.
[08:35] Steve Springett
It's just a matter of conforming to the whatever specification, assuming that specification can actually capture what it is that you want to communicate.
[08:45] Steve Springett
Yeah.
[08:46] Steve Springett
So, yeah, so, CycloneDX, one of the things I learned early on from that ePedigree experience is that the perfect standard will eventually be too complex, too costly to implement.
[09:05] Steve Springett
I'll give you an example.
[09:07] Steve Springett
There was about a dozen or so valid use cases.
[09:13] Steve Springett
I had my entire team spend, I don't know, six, eight months developing hundreds of negative test cases, things that you can do with a spec that should never happen in real life.
[09:27] Steve Springett
That tells me that the specification is just too complex.
[09:33] Steve Springett
One of the things that we wanted to do with CycloneDX early on, and we carry this philosophy today, is that we are not trying to create the perfect object model, because that will obviously be too costly, etcetera.
[09:51] Steve Springett
What we wanted to do was create a good enough object model whereby it is a little bit prescriptive and by which it would be a little bit more difficult for adopters to shoot themselves in the foot.
[10:11] Steve Springett
There's really only one way to do something in Cyclone DX, whatever it is that you want to do.
[10:16] Steve Springett
There's usually only one, maybe two ways to do something, and that's by design, that we wanted to limit the flexibility in order to save the users a bunch of hurt down the road.
[10:33] Steve Springett
At the same time, we really wanted the specification to be highly automatable.
[10:39] Steve Springett
Now, anything could be automated.
[10:40] Steve Springett
Right.
[10:40] Steve Springett
I can automate stuff all day, however, and I'm sure we're going to get into this in a bit, because I know you've been working on some of this stuff with some of the CISA stuff, but I've never ever considered SBOM creation as a one-time thing.
[10:56] Steve Springett
I consider it a process.
[10:58] Steve Springett
And when you consider it a process, you need lots and lots of really small tools that focus on really small things.
[11:09] Steve Springett
Maybe you're building an SBOM and maybe you need to enhance it with some information.
[11:14] Steve Springett
Well, I don't need that one little tool that does the enrichment to understand the entirety of the specification.
[11:21] Steve Springett
I just needed to concentrate on that one little aspect and that's what it was.
[11:26] Steve Springett
CycloneDX.
[11:27] Viktor Petersson
It's like the Unix philosophy, right?
[11:28] Viktor Petersson
Do one thing and do it well.
[11:29] Viktor Petersson
Right?
[11:30] Steve Springett
Right.
[11:30] Viktor Petersson
It could be chained together, and I think that's.
[11:34] Viktor Petersson
I've immersed myself in the SBOM world for the last eight months or so now.
[11:38] Viktor Petersson
And I think that's one of the huge difference between.
[11:41] Viktor Petersson
I don't want to get into the format war, but between SPDX and CycloneDX, CycloneDX is more pragmatic and easier to understand.
[11:53] Viktor Petersson
You can probably do things in SPDX that you could not do in CycloneDX, for instance, and probably vice versa too.
[11:59] Viktor Petersson
But the bar to get into it, to your point, is a lot lower with CycloneDX, and it's just a JSON file.
[12:09] Viktor Petersson
Sure, SPDX can also be a JSON file, but it's a much more programmatic object rather than a JSON file, if that makes sense.
[12:18] Steve Springett
Yep.
[12:18] Steve Springett
Yep, absolutely.
[12:20] Steve Springett
I've read the entirety of the SPDX specification multiple times.
[12:25] Steve Springett
I know it very well.
[12:26] Steve Springett
Now, I have not done the same with SPDX 3, but we actually consider SPDX 3 to be a competing BOM format.
[12:34] Steve Springett
SPDX 2 is not really that. Keep in mind that even though people can use it for such things, the NTIA effort that kicked this whole thing off, they didn't start with "let's find existing bills of materials formats."
[12:56] Steve Springett
That's not what they did.
[12:57] Steve Springett
What they did was "let's figure out whether formats exist that can meet our use case."
[13:03] Steve Springett
And there were three of those formats.
[13:06] Steve Springett
Obviously the worst example of misuse would be SWID.
[13:11] Steve Springett
Completely not designed for this.
[13:13] Steve Springett
It is by name software identity.
[13:16] Steve Springett
Right.
[13:17] Steve Springett
So can you misuse SWID for SBOM?
[13:20] Steve Springett
Sure.
[13:21] Steve Springett
And you really have to stretch yourself to do that.
[13:25] Viktor Petersson
Not even part of the debate anymore.
[13:27] Steve Springett
It's not.
[13:28] Steve Springett
But at the same time, if you actually, and I would encourage folks to actually read SPDX version 2 because that's the most widely used specification.
[13:38] Steve Springett
Read it, read it, read the specification.
[13:41] Steve Springett
Truly understand the words that are on the page because you might have a little bit different perspective when you do.
[13:49] Viktor Petersson
Yeah, I mean they are.
[13:51] Viktor Petersson
I think they're coming from two philosophical, different approaches to solving that problem.
[13:55] Steve Springett
Right.
[13:55] Viktor Petersson
And I think that's, well, we can get into formats later, but I mean, I think the format in long run will probably be an implementation detail, hopefully.
[14:05] Steve Springett
Exactly.
[14:06] Steve Springett
I think we're going to be talking about exchanging and stuff like that later on.
[14:10] Steve Springett
And I do believe I agree with you.
[14:13] Steve Springett
If we're still arguing about formats in five years, we failed as an industry.
[14:18] Steve Springett
My opinion.
[14:18] Viktor Petersson
Yeah, yeah, absolutely.
[14:21] Viktor Petersson
So in your day job, going back to like early days of SBOMs and bringing that you started with, I presume you started with a pain point around security, I believe.
[14:32] Viktor Petersson
I mean, Dependency-Track does do licensing audit as well, but it's coming from the strong side of security audits.
[14:39] Viktor Petersson
Right.
[14:39] Viktor Petersson
So that was the actual business need you were trying to solve for.
[14:41] Viktor Petersson
It's like, give me my entire stack, show me the CVEs I'm affected by.
[14:45] Viktor Petersson
I presume that was the vantage point you came from, correct?
[14:49] Steve Springett
Yeah, well, we had two requirements, again, because of the customers we were selling into, we first and foremost had to have an inventory of everything that we were delivering.
[15:00] Steve Springett
That was use case number one.
[15:02] Steve Springett
And then once you actually have that inventory.
[15:04] Steve Springett
Yes, security was that secondary use case because we also had additional requirements on informing those customers on any kind of vulnerabilities.
[15:15] Steve Springett
And then of course when we do, you know, that starts the whole stopwatch.
[15:21] Steve Springett
Right.
[15:21] Steve Springett
So there was some other use cases built on top of that.
[15:24] Steve Springett
But yeah, licensing really wasn't too much of a concern for those customers at that time.
[15:31] Steve Springett
But yeah, SBOMs obviously can be used for licensing as well.
[15:35] Steve Springett
One of the interesting things that I feel that kind of gets overlooked with licensing is that while most of us talk about licensing from, like, open source perspective, one of the really interesting things is that once you get a lot of really ingrained adoption in some large organizations, suddenly they actually care.
[16:01] Steve Springett
Depending on where they're located in the world, it might vary, but they care a lot about commercial licensing.
[16:08] Steve Springett
And, you know, tracking the type of license it is, whether it's per seat, per server, you know, if it's an embedded type of license, if it's a service, if it's a subscription.
[16:19] Steve Springett
Right.
[16:20] Steve Springett
What actually happens to that software when that subscription or license expires?
[16:25] Steve Springett
Well, that's no longer a legal thing.
[16:27] Steve Springett
That's a security thing.
[16:28] Steve Springett
If you look at the CIA triad now, availability is impacted.
[16:32] Steve Springett
So we're having a lot of folks voice interest in the commercial licensing support.
[16:38] Steve Springett
So we delivered that, like, a couple of.
[16:41] Steve Springett
Couple of versions ago in CycloneDX.
[16:44] Viktor Petersson
Yeah.
[16:46] Viktor Petersson
I've been toying with quite a bit of these metadata elements in, well, both in CycloneDX and SPDX.
[16:53] Viktor Petersson
And it is a complicated matter.
[16:57] Viktor Petersson
Right.
[16:57] Viktor Petersson
And it's kind of like you're getting into not only security, but also discoverability and inventory tracking.
[17:05] Viktor Petersson
So it's kind of like it's.
[17:07] Viktor Petersson
And that's.
[17:08] Viktor Petersson
We'll get into the whole OBOM structure later on, but it's kind of like, where do you draw the line between SBOM and when is an SBOM no longer an SBOM?
[17:16] Viktor Petersson
Right.
[17:16] Viktor Petersson
Because all of a sudden, are you tracking your network infrastructure, your clusters, in an SBOM?
[17:22] Viktor Petersson
Like, is that really the right tool for the job?
[17:25] Viktor Petersson
And I know there are elements there.
[17:26] Viktor Petersson
So maybe.
[17:27] Viktor Petersson
Maybe that's a good kind of transition into the whole concept of OBOMs, which, first time I discovered that, I was like, yeah, that just makes sense.
[17:35] Viktor Petersson
Right.
[17:35] Viktor Petersson
SBOM is just, like, the starting point towards something much greater.
[17:40] Viktor Petersson
So maybe start with, like, laying out the foundation for what.
[17:44] Viktor Petersson
What's.
[17:45] Viktor Petersson
What are OBOMs?
[17:46] Viktor Petersson
And, like, how do SBOMs fit into that bigger picture?
[17:49] Steve Springett
Yeah.
[17:50] Steve Springett
So the.
[17:51] Steve Springett
Your SBOM for any given piece of software is essentially, well, it should be immutable.
[17:56] Steve Springett
It should never change for a version of a piece of software, that inventory doesn't change.
[18:02] Steve Springett
Now, if you apply a patch, if you update it, well, that's a new piece of software.
[18:07] Steve Springett
It's a new SBOM.
[18:09] Steve Springett
But your SBOM for a given version should not change.
[18:12] Steve Springett
Now, when that SBOM is ultimately.
[18:16] Steve Springett
When that software is ultimately deployed somewhere, whether it's like an on prem server.
[18:20] Steve Springett
Whether it's in your Kubernetes cluster doesn't matter, right.
[18:24] Steve Springett
It's deployed somewhere.
[18:26] Steve Springett
Well now you have to take into consideration what is the configuration of that thing.
[18:32] Steve Springett
What other kind of environmental attributes do I need to take into consideration for that inventory? For example, I'll give you an example in the Java world just because, you know, even though folks love to harp on Java for being entirely verbose, and I will not disagree with that, it still is widely used in enterprise.
[18:59] Steve Springett
But I'll give you an example in Java.
[19:02] Steve Springett
Say, for example, I get a web application from a vendor; well, I deploy that thing maybe out to a Tomcat container or whatever it is.
[19:14] Steve Springett
Well Tomcat wasn't actually delivered by the vendor, right.
[19:18] Steve Springett
That thing, that runtime component, Tomcat and the JVM, well that's part of my stack as well.
[19:25] Steve Springett
So when I need to know vulnerabilities, well you know, so that's the addition part of the vulnerabilities.
[19:33] Steve Springett
Now the interesting thing about OBOM, depending on the ecosystem that you're working in, Java, let's take Log4Shell as an example.
[19:45] Steve Springett
Well, if that same piece of software had a vulnerable version of Log4j, I honestly don't need the vendor to patch anything.
[19:56] Steve Springett
There's a way in Java to say, well, here's my extended class path, I want you to use this thing first.
[20:03] Steve Springett
I can literally deploy fixed versions of Log4j out to my entire enterprise and not actually have the vendors modify their JARs or the WARs, their web archives.
[20:18] Steve Springett
So that additional version of Log4j that might be safe, that is now also part of my inventory.
[20:29] Steve Springett
So essentially you have more of a fluid type of specification for representing the OBOM.
[20:40] Steve Springett
This, this is not a static thing, right.
[20:42] Steve Springett
This is a living breathing document because it could change day to day, hour to hour based on, you know, organizational need.
[20:52] Viktor Petersson
And then you can tie that into the whole SaaSBOMs, ML-BOMs.
[20:58] Viktor Petersson
There's like, there's a whole, like, this diagram on the CycloneDX website about, like, how they all link together essentially.
[21:05] Viktor Petersson
And you have these references, like VEX files are not a good example of that.
[21:09] Viktor Petersson
That's like, it's not really part of the SBOM, but it's kind of referenced in the SBOM.
[21:13] Viktor Petersson
So like, maybe, how does your worldview look, assuming that SBOMs do take off and that becomes like, which I think, at least I'm very bullish on, it's gonna be the standard for anybody who's, like, security oriented, needs to meet any compliance.
[21:27] Viktor Petersson
Right.
[21:27] Viktor Petersson
That's gonna be the world that we live in.
[21:29] Viktor Petersson
Five years.
[21:30] Viktor Petersson
So now that we have SBOMs, that's one big piece of the puzzle.
[21:33] Viktor Petersson
How do you see the next stepping stone from that?
[21:37] Viktor Petersson
Assuming we do have that, how would that world look like for you?
[21:41] Viktor Petersson
Ten years out?
[21:43] Steve Springett
Yeah, I think that ten-year-out perspective, I think, in my opinion, SBOM will be basically just, oh, well, of course you need that.
[21:53] Steve Springett
It's kind of like unit testing, right?
[21:55] Steve Springett
Yeah, of course.
[21:56] Steve Springett
Technology testing.
[21:57] Steve Springett
Right.
[21:58] Steve Springett
So, I mean, it's.
[21:59] Steve Springett
It's.
[22:00] Steve Springett
It's a new thing to the software industry.
[22:02] Steve Springett
Relatively new.
[22:04] Steve Springett
I mean, our hardware counterparts have been, parts have been doing that for 50 years.
[22:08] Steve Springett
Right.
[22:09] Steve Springett
It's, you know, it was very common in the.
[22:10] Steve Springett
In the 1970s, for example.
[22:13] Steve Springett
Right.
[22:13] Steve Springett
Just knowing what you have right now, the hardware world has some interesting things that we don't necessarily have to deal with.
[22:21] Steve Springett
So a lot of their maturity is kind of built around their reality, which is very different than ours.
[22:26] Steve Springett
For example, if they're delivering a specific model of maybe a router, right?
[22:31] Steve Springett
I guess you would say router.
[22:35] Steve Springett
You're delivering an electronic device to market that has software, and you might have a hardware component in that particular device that.
[22:47] Steve Springett
That maybe that supplier is out of.
[22:49] Steve Springett
So you have an alternative supplier that you haven't changed the model number, but technically, this is a different inventory than the one next to it because you ran out and you had replacement.
[23:04] Steve Springett
This happens in hardware all the time.
[23:06] Steve Springett
And I understand why the hardware folks don't want software in their stuff, because they've.
[23:15] Steve Springett
They've got processes that have been fully vetted, fully baked for many decades, and they don't want us.
[23:22] Steve Springett
Oh, with our SBOMs coming around and mucking it up, I don't blame them.
[23:27] Steve Springett
But at the same time, I think it's increasingly important that we understand that software and SBOM is just one part of the equation.
[23:41] Steve Springett
And manufacturers specifically, like IoT devices, they should deliver HBOMs.
[23:49] Steve Springett
They should deliver SBOMs to market.
[23:53] Steve Springett
I believe in ten years, having services information will be just.
[23:58] Steve Springett
Well, of course you would.
[24:01] Steve Springett
I get questions all the time.
[24:03] Steve Springett
Even for the open source stuff like Dependency-Track, organizations might want to lock it down and they come out with a list.
[24:11] Steve Springett
Well, what does it need to connect to so I can have my firewall guys ensure that.
[24:18] Steve Springett
Well, here's my services BOM for that.
[24:21] Steve Springett
Here's my BOM that has just the services information.
[24:24] Steve Springett
It has all the URLs, the endpoint URLs, it has all the data classifications, the directional flow of data in there.
[24:33] Steve Springett
This is everything your firewall guys need.
[24:36] Viktor Petersson
I mean that's beautiful.
[24:37] Viktor Petersson
Imagine you can plug this into your Kubernetes cluster and it does automatically provisioning all your routing rules, for instance, automatically.
[24:45] Viktor Petersson
And say if this service tries to talk to something else.
[24:48] Viktor Petersson
Well I know there are ways to define this in the Kubernetes world, but having agnostic format for this that can be pluggable, that describes.
[24:58] Viktor Petersson
These are the ways I need to talk to, and at least in my experience in my other company, where network requirements for an IoT device is a very frequent talking point in enterprise, they're like, okay, tell me exactly which ports this device is on.
[25:13] Viktor Petersson
These endpoints these devices need to talk to because we need to open up our firewalls for this.
[25:17] Viktor Petersson
And the current solution for that in the IoT world is like well here's a wiki page, we will update that at some point.
[25:26] Viktor Petersson
We will try not to, but the reality is that we might need to change that.
[25:30] Viktor Petersson
But there's no dynamic discovery process of that at all.
[25:33] Steve Springett
Right?
[25:33] Steve Springett
Right, exactly.
[25:34] Steve Springett
Yeah, it's very static.
[25:35] Steve Springett
So you know, in ten years time, you know, I kind of see software and services kind of being.
[25:42] Steve Springett
Well of course you would.
[25:43] Steve Springett
Right.
[25:43] Steve Springett
Just part of what we do in developing software.
[25:46] Steve Springett
But hopefully in ten years time.
[25:50] Steve Springett
Right now, right now we have kind of a, I would describe the industry as just very immature.
[26:01] Steve Springett
We're trying to drive Model Ts down the Nürburgring.
[26:08] Steve Springett
We have a long way to go.
[26:10] Steve Springett
And what I predict, or where I envision the industry going, is not having a bunch of these tools that kind of produce and generate SBOMs.
[26:24] Steve Springett
Right.
[26:25] Steve Springett
That's if we're still there in ten years.
[26:27] Steve Springett
I think again, we've failed as an industry.
[26:30] Steve Springett
Where I see this going is kind of like you mentioned cloud a lot.
[26:35] Steve Springett
So I'll give you a cloud example.
[26:39] Steve Springett
In cloud you have this concept of observability, which is essentially looking at the real time performance of all your microservices across your entire deployment, right.
[26:49] Steve Springett
And trying to pinpoint things that are either going wrong or could go wrong, right?
[26:54] Steve Springett
Yeah, I believe that in order for us to do this right, we're essentially going to need some kind of observability layer on top of our existing build infrastructure that automatically starts doing this stuff for us, not just the generation of the bills of materials, but in some cases accounting for the deficiencies in some of our infrastructure as well.
[27:23] Steve Springett
Now I'll give you an example of the deficiencies right now.
[27:27] Steve Springett
If you sell to the US federal government.
[27:28] Steve Springett
Right.
[27:29] Steve Springett
SSDF is a hard requirement.
[27:31] Steve Springett
You have to do it.
[27:33] Steve Springett
And part of SSDF is provenance.
[27:35] Steve Springett
And I'm not talking about SLSA provenance.
[27:37] Steve Springett
That's something entirely different.
[27:38] Steve Springett
I'm talking about actual provenance.
[27:40] Steve Springett
So knowing where your chain of custody, where you got something from.
[27:46] Steve Springett
Now, many organizations have, like, on-prem, like, repository servers, whether it's something like Artifactory or Nexus Repo or one of the many others.
[27:56] Steve Springett
Right.
[27:58] Steve Springett
Well, the use of those repos speeds things up.
[28:01] Steve Springett
It also hides where you actually got something in many cases, because those repos are usually out of the box, set up as the easy button.
[28:11] Steve Springett
Right.
[28:11] Steve Springett
They proxy Maven Central, they proxy npmjs, they proxy PyPI.
[28:17] Steve Springett
Did you actually get those components from there?
[28:20] Steve Springett
I don't know.
[28:22] Steve Springett
So part of that observability layer would be to account for some of the DNS changes that might happen.
[28:30] Steve Springett
Because if you get something from one mirror versus another, sometimes that matters.
[28:35] Steve Springett
Not always, but sometimes it does.
[28:37] Steve Springett
It accounts for things like, you know, organizations with local repository servers.
[28:43] Steve Springett
Right.
[28:44] Steve Springett
And not being able to track where the provenance actually lies.
[28:49] Steve Springett
So I think as an industry, that's something we need to get to eventually.
[28:54] Steve Springett
But I haven't seen any tools come around or any, or even any papers that I can kind of look at that kind of discuss this kind of challenge and possible ways to solve it.
[29:08] Viktor Petersson
But isn't that in part solved with hashes in the SBOM, like in the NTIA minimum elements, for instance, which is kind of like considered somewhat of the gold standard for, like, what you should look like in theory, but only in theory, because it's really hard to do in reality, as it turns out.
[29:25] Viktor Petersson
But I, one of the things they call for is hashing all the dependencies.
[29:29] Viktor Petersson
So you say, well, here's my SHA-256 for this Python package.
[29:34] Viktor Petersson
If I have that, assuming there is no collision in the SHA-256 hash, which is, I don't think there are any known ones, because I don't think anybody uses MD5 anymore.
[29:45] Viktor Petersson
You can, regardless of where you procure that, you can trust that it is the file that you anticipate, or the package you anticipate getting.
[29:54] Viktor Petersson
So the repository where you retrieve it from is somewhat irrelevant, but I'm not sure.
[30:00] Steve Springett
Oh, okay.
[30:01] Steve Springett
I'll give you some examples.
[30:03] Steve Springett
So this has actually happened, and I can't tell you where it happened, but I know that it has occurred and it probably still is occurring to this day.
[30:14] Steve Springett
So some nation states have a very long tail long strategy, right?
[30:22] Steve Springett
In terms of getting into organizations not really doing anything that would suggest that they were in their networks, whatever.
[30:40] Steve Springett
One thing that I know many government agencies are interested in is, of course, they're interested in provenance.
[30:49] Steve Springett
But it is possible, for example, for a nation state adversary to compromise your build infrastructure in a way where instead of resolving dependencies from your local repository server, you're resolving it from one of theirs that they control.
[31:06] Steve Springett
Now, they can control that repository server that you're fetching all your artifacts from.
[31:13] Steve Springett
And when you eventually need to upgrade those, first of all, now they have.
[31:21] Steve Springett
Now that nation state adversary has a complete list of not only the stuff that you have in your SBOM, but all the stuff that you use for testing, unit testing, integration testing, all the other things that you rely on that is not in your SBOM.
[31:37] Steve Springett
So first and foremost, right.
[31:40] Steve Springett
But when you eventually need to upgrade your components, when you upgrade that component, now it becomes a challenge.
[31:50] Steve Springett
They've got you.
[31:51] Steve Springett
So knowing where you actually get an artifact from is highly important.
[31:58] Viktor Petersson
Interesting.
[31:58] Viktor Petersson
Okay, that's an interesting attack vector.
[32:00] Viktor Petersson
Yeah, I haven't thought of that.
[32:01] Viktor Petersson
Yeah, that's fair enough.
[32:02] Viktor Petersson
Yeah.
[32:04] Viktor Petersson
And going back to what you said before about knowing what you have, and we kind of getting into service discovery, which is, I know, it's like, well, Gartner's buzzword they used, like, a few years ago, like everything was about service discovery, blah.
[32:19] Viktor Petersson
And I feel like this has a potential to become like the future of service discovery, right?
[32:26] Viktor Petersson
A standardized, like, if SaaSBOMs become a thing that the industry kind of backs, and I guess the Cloud Native Computing Foundation, all those guys get behind and support, then it could become like the de facto service discovery mechanism that describes all your classes, all your services, including external services, right?
[32:50] Steve Springett
Yeah, absolutely.
[32:51] Viktor Petersson
That's an interesting prospect, right?
[32:53] Viktor Petersson
Because then you tie it together to your SBOMs, and now you start to have this, like, really beautiful map of what actually goes into your deliverables, right?
[33:01] Steve Springett
Yeah.
[33:02] Steve Springett
I think as an industry, we, the SBOMs, a lot of the NTIA, and now the CISA framing for SBOMs is really about sharing files.
[33:12] Steve Springett
But when we start talking about OBOMs and SaaSBOMs and all these very dynamic things, right, my SaaSBOM could change 50 times a day, because maybe that's how many times I deployed to production, right?
[33:23] Steve Springett
These are very dynamic things.
[33:25] Steve Springett
So a file based approach is not what you want.
[33:30] Steve Springett
You actually want more of an API for these types of things.
[33:34] Viktor Petersson
100%.
[33:35] Viktor Petersson
That was one of the earliest beefs I had when I started getting into the world of SBOMs, where people really treated SBOMs like, as static elements.
[33:43] Viktor Petersson
And they are static in the sense, like, they are static for that particular revision of whatever you're doing.
[33:48] Viktor Petersson
But it's like, if you're a modern company, you can, Google deploys, what, 10,000 times a day?
[33:57] Viktor Petersson
You got to email that file 10,000 times to your customers.
[34:02] Viktor Petersson
It doesn't work.
[34:02] Steve Springett
Right.
[34:02] Viktor Petersson
It's just completely unrealistic.
[34:04] Steve Springett
Right, right.
[34:05] Viktor Petersson
So getting into the whole, like, collaboration part of SBOMs, like, that was one of the most obvious things that I figured out when I started actually doing SBOMs at Screenly in the real world, it's like, cool.
[34:19] Viktor Petersson
But if my customer asked for an SBOM, like, how am I going to share it with them?
[34:23] Viktor Petersson
Like the SBOM sharing primer from CISA.
[34:25] Viktor Petersson
Like, they call this out, what, two years ago?
[34:28] Viktor Petersson
And it's like.
[34:30] Viktor Petersson
And that has been very much reflected in conversations I have with CISOs around the world.
[34:35] Viktor Petersson
Like, people are like, well, yeah, my vendors sent me SBOMs.
[34:37] Viktor Petersson
I chucked them into SharePoint.
[34:39] Viktor Petersson
Cool.
[34:41] Viktor Petersson
Now what?
[34:44] Viktor Petersson
So I think that gives us a really good transition into Project Koala, or the Transparency Exchange API, which you and Olle have been working on for quite some time, that I'm kind of a newcomer to, but I really like the idea of the project.
[34:57] Viktor Petersson
So maybe give a kind of a big primer, or a little bit of a primer, on what's Project Koala and how does it solve the whole discovery and sharing element?
[35:05] Steve Springett
Yeah.
[35:06] Steve Springett
So Project Koala, which is also called the Transparency Exchange API, by the way, interesting fact.
[35:13] Steve Springett
Chris Gates.
[35:14] Steve Springett
Christopher Gates, who's big in the SBOM world from the medical device.
[35:18] Viktor Petersson
Yeah.
[35:19] Steve Springett
Perspective.
[35:19] Steve Springett
Right?
[35:21] Steve Springett
We have this group within CycloneDX called the Industry Working Group.
[35:24] Steve Springett
We've got a bunch of different working groups, right?
[35:26] Steve Springett
We've got feature working groups, a core working group, but we have an industry working group, and they're the ones that sometimes we get some really lofty ideas, and they're the ones that's, like, no ranging back, you know, they provide a lot of guardrails for us in some way.
[35:43] Viktor Petersson
Right.
[35:44] Steve Springett
They also provide us some opportunities, like, what kinds of things are they seeing in the real world?
[35:48] Steve Springett
So they provide feedback to us a lot.
[35:50] Steve Springett
And it was Christopher Gates who actually coined the term Project Koala, like, a couple of years ago, and it just kind of stuck.
[36:00] Steve Springett
He didn't think I would actually go forward and, like, actually do it, but now.
[36:04] Steve Springett
Now it's just kind of there.
[36:06] Steve Springett
It's cute.
[36:07] Steve Springett
It's.
[36:07] Steve Springett
Well, for the people who actually don't know Koalas in person, it's cute.
[36:13] Steve Springett
But it's essentially this effort.
[36:16] Steve Springett
It started initially for CycloneDX.
[36:20] Steve Springett
I don't want to say CycloneDX only, but it was certainly geared more towards Cyclone.
[36:25] Steve Springett
And it was really intended to focus on that last mile.
[36:30] Steve Springett
I have an SBOM now.
[36:32] Steve Springett
What?
[36:33] Steve Springett
Because logging into 10,000 support portals in different ways to get SBOMs for different versions of different software, that's not scalable, right.
[36:42] Steve Springett
If I have to hire an army of interns to do that.
[36:46] Steve Springett
We failed as an industry 100%.
[36:48] Viktor Petersson
Yeah, absolutely.
[36:50] Steve Springett
We're trying to work on that whole last mile.
[36:53] Steve Springett
How do we publish, how do we search, how do we retrieve these SBOMs in a standardized way?
[37:02] Steve Springett
It has over the last couple of years that idea, which has been kind of percolating in our GitHub repository, which has largely remained unused until more recently.
[37:16] Steve Springett
We've been primarily working in Google Docs, but we've expanded that scope and our approach to that over the years.
[37:28] Steve Springett
We are, we recognize that.
[37:31] Steve Springett
And this kind of goes, I guess, with the evolution of Cyclone itself.
[37:36] Steve Springett
Right?
[37:36] Steve Springett
Cyclone was never an SBOM format.
[37:39] Steve Springett
Never was, never will be.
[37:41] Steve Springett
It was a full stack bills of materials format, but is now kind of morphing into a format for, or a way to represent software and system transparency.
[38:00] Steve Springett
That's really what it is.
[38:01] Steve Springett
It's a transparency expression language.
[38:04] Steve Springett
If you look at the capabilities of CycloneDX, there is probably, if I had to guess, 60% of its capabilities actually have nothing to do with bills of materials.
[38:16] Steve Springett
And a lot of the stuff that we're doing in the next version also has nothing to do with bills of materials.
[38:23] Steve Springett
It's really about transparency.
[38:26] Steve Springett
And we wanted the API to be able to support these artifacts that kind of represent transparency, whether they're SBOMs or different types of attestations, like legal attestations, not like the in-toto kind, but all these different types of things that you might want to share out with customers in a.
[38:49] Steve Springett
In a standardized kind of way where you can search and you can publish and search and retrieve these things not just automatically, but autonomously.
[39:01] Steve Springett
Because if we want to scale, right, if I'm a company and I have 10,000 vendors that I do business with, plugging in even the URLs 10,000 times, that's also a failure.
[39:14] Steve Springett
So we needed it to be as autonomous as humanly possible.
[39:19] Steve Springett
The other aspect of this is, and I'll probably get a lot of flak from, you know, maybe the federal government, whatever, but when you actually talk to organizations, either the software producers that are delivering bills of materials or the organizations that want to retrieve this type of information.
[39:41] Steve Springett
What they actually want has nothing to do with bills of materials, and nor do they want them, nor do they want to share them.
[39:51] Steve Springett
What we see in the market when I talk to companies is that they want very specific types of questions answered.
[40:00] Steve Springett
And if you think about, you brought up VEX earlier.
[40:02] Steve Springett
Right?
[40:03] Steve Springett
Well, think about how VEX works.
[40:05] Steve Springett
And for the folks that are listening to this who have, what's VEX?
[40:09] Steve Springett
I'm vexed.
[40:14] Steve Springett
I'm going to give Allan so much heat for that.
[40:19] Steve Springett
I love Allan, but, yeah, horrible name for a thing.
[40:24] Steve Springett
But think about what you have to do for VEX, right?
[40:28] Steve Springett
You have to consume an SBOM.
[40:31] Steve Springett
You have to process it, then you have to, and that's going to turn on a bunch of lights.
[40:37] Steve Springett
And then you have to process this other thing that nobody is giving you today, nobody even has, called a VEX, which then turns the lights off.
[40:47] Steve Springett
And all the customers from all the different software vendors basically have to do the exact same thing over and over again.
[40:57] Steve Springett
That's also a failure in my mind.
[40:59] Steve Springett
Right.
[41:00] Steve Springett
Because now you have to have really complex tools on the consumption end, and you have to have this additional level of transparency provided by the vendors just to be able to make any sense out of it.
[41:14] Steve Springett
What organizations really want is to ask questions such as, hey, are you using a vulnerable version of Log4j?
[41:22] Steve Springett
Great.
[41:24] Steve Springett
Since I know that you're vulnerable.
[41:26] Steve Springett
What kind of things do I need to do as a workaround, right.
[41:29] Steve Springett
Or why should I need an SBOM or a VEX to do that?
[41:33] Steve Springett
So we've built in this concept into Koala called insights, which allows for this limited transparency option.
[41:42] Steve Springett
So if you want to, for example, provide a list of inventory, but maybe not the full inventory, or if you want to provide vulnerability information, but not all of it.
[41:58] Steve Springett
This is a way for organizations to do this limited transparency use case.
[42:04] Steve Springett
It makes asking and answering the questions much more useful, much more expedient.
[42:12] Steve Springett
You can automate this stuff all day, and it ultimately makes the lawyers happy, which they, I mean, let's face it, many organizations have a problem with SBOMs today.
[42:24] Steve Springett
And when it comes to VEX, here's my, besides all the technical issues that we have with VEX today, including, like, including even the, including some of the cost effects, because nobody's really talking about the cost of that today.
[42:47] Steve Springett
You have some challenges in terms of now your development team, who's sitting close to that code, is now responsible for essentially doing the type of messaging out to customers that historically a PSIRT team would do.
[43:06] Steve Springett
If I'm auditing my code base and I'm saying, oh, that's not exploitable because of this.
[43:10] Viktor Petersson
Yes.
[43:12] Steve Springett
Those types of statements from your development team now go out to your customers, which usually involves legal, usually involves PSIRT.
[43:20] Steve Springett
And now you're introducing some process into these organizations that they've never had before, which is a challenge.
[43:29] Viktor Petersson
But I think that, yeah, there's even a bigger one there, which is, I think, I've had conversations with CISOs and people in the industry around SBOMs, that I think one of the biggest reasons why many organizations are reluctant to SBOMs is because they can no longer plead ignorance to the fact that they have security vulnerabilities.
[43:47] Viktor Petersson
Right.
[43:50] Viktor Petersson
As long as you have no hard evidence for the fact that, you know, you have vulnerabilities in your codebase, you can be like, oh, I didn't know that as a CISO; the second you have an SBOM for your entire organization.
[44:00] Viktor Petersson
Kind of hard to.
[44:03] Steve Springett
Right.
[44:05] Steve Springett
Absolutely.
[44:05] Steve Springett
Yeah, I think that's kind of the point.
[44:09] Steve Springett
You know, if I had to guess why SBOMs became a thing, it was.
[44:14] Steve Springett
It's probably because of breach fatigue.
[44:18] Steve Springett
Right.
[44:19] Steve Springett
People were just tired of libraries being vulnerable, not being updated.
[44:24] Steve Springett
This was a way to kind of force the industry to kind of grow up.
[44:28] Viktor Petersson
Yes.
[44:28] Steve Springett
Which, you know, it has some growing pains, but, you know, some of the most challenging things about SBOMs actually have nothing to do with, like, even vulnerabilities.
[44:43] Steve Springett
It really comes down to what the lawyers want to do, because I've seen some really interesting perspectives from legal teams at different organizations.
[44:55] Viktor Petersson
I bet, because you're exposing yourself to a lot of legal risk.
[45:00] Steve Springett
Right.
[45:00] Viktor Petersson
The second you expose that.
[45:02] Steve Springett
Right, exactly.
[45:04] Viktor Petersson
So I want to go back to, like, Project Koala in general, because I think that's really interesting, because I stumbled across Project Koala after I had kind of built sbomify for the same kind of solution, really.
[45:15] Viktor Petersson
And it was just a good map.
[45:18] Viktor Petersson
Like, we've basically come up with the same, I guess, not everything, but kind of the same building blocks, called them different things.
[45:25] Viktor Petersson
And I'm like, I aspire to become compatible with Project Koala because I think it's great to have it open.
[45:31] Viktor Petersson
But one thing you mentioned, that you consider Project Koala.
[45:34] Viktor Petersson
The last mile.
[45:35] Viktor Petersson
I don't think it's the last mile.
[45:36] Viktor Petersson
I think it's the building block in the middle.
[45:38] Viktor Petersson
It's the middleman.
[45:39] Viktor Petersson
It's the distribution transportation layer that is then consumed by the last piece, which is the analysis part.
[45:47] Viktor Petersson
So that could be Dependency-Track, that can be GUAC, or insert blank proprietary analysis tool.
[45:56] Viktor Petersson
Right.
[45:57] Viktor Petersson
And so I think that by standardizing a framework around that, it will make communication.
[46:04] Viktor Petersson
I think in the CISA documents they call it transportation, I think is the word they use for it.
[46:09] Viktor Petersson
But having a standardized framework for that is a key building block for being able to actually execute the greater vision without this manual work.
[46:18] Viktor Petersson
Right.
[46:18] Viktor Petersson
So I think that's fantastic.
[46:20] Steve Springett
Yeah, exactly.
[46:21] Steve Springett
So we've, you know, we're taking an approach that's very, very similar to how we, you know, develop Cyclone.
[46:28] Steve Springett
So for Cyclone, basically we have, we spin up feature working groups that work on major features of whatever it is that we're trying to build.
[46:38] Steve Springett
Right now we've got three and.
[46:40] Steve Springett
No, actually we've got four feature working groups for CycloneDX 1.7.
[46:44] Steve Springett
And they basically are essentially task groups.
[46:47] Steve Springett
They work on this big piece of work and they disband and we work on something else.
[46:55] Steve Springett
And ultimately it's all community driven.
[46:59] Steve Springett
And that eventually gets approved by a core working group, which are essentially the stewards of the specification.
[47:07] Steve Springett
I'm one of five now.
[47:10] Steve Springett
And then that gets promoted up to TC54 within Ecma International. We're taking the exact same approach with Project Koala.
[47:19] Steve Springett
All the community work is happening now.
[47:22] Steve Springett
It's free for anyone to join.
[47:26] Steve Springett
Maybe we can post a link to that in the show notes.
[47:31] Steve Springett
So, free and open for folks to join. That community work will then feed into the efforts going for TC54 TG1, which is Task Group 1 within Ecma International, where there's a path to standardization.
[47:51] Steve Springett
And that's exactly what we're going for.
[47:53] Steve Springett
Because when I attend these things, I'm kind of wearing my OWASP hat, but I'm also wearing a little bit of my employer's hat as well, because commercial enterprise-y type stuff.
[48:06] Steve Springett
Lots of different ways that we can share this information, and trying to figure out ways that we can get, like, all these disparate systems, Dependency-Track, sbomify, you know, all these different things.
[48:19] Steve Springett
To ultimately communicate autonomously in the future is kind of the end reason.
[48:25] Steve Springett
That's where we want to, that's where we want to be, right?
[48:28] Viktor Petersson
Absolutely.
[48:29] Viktor Petersson
Do you see a world where the big cloud vendors would just adopt the standard as part of their, like, is it the new S3, like for block storage?
[48:37] Viktor Petersson
Like is how do you like now?
[48:39] Viktor Petersson
Because that would be like one big play, right, of actually having mainstream option there if it's an open standard.
[48:45] Viktor Petersson
Now that's really cool.
[48:48] Viktor Petersson
Like, one thing I think is interesting, kind of going away from Project Koala, but going into something I just remembered that you mentioned earlier, is the whole thing of, like, separation of responsibilities in SBOMs.
[49:01] Viktor Petersson
And I'm probably considered kind of a purist in the sense of dividing SBOMs.
[49:07] Viktor Petersson
You see a lot of people doing an SBOM for an entire thing.
[49:10] Viktor Petersson
Here's my service, and it has one SBOM.
[49:12] Viktor Petersson
But in the concept, in CycloneDX, you have a concept of different types of SBOMs.
[49:19] Viktor Petersson
Like you have a container SBOM, you have an application SBOM, and they can't be combined into one document.
[49:25] Viktor Petersson
So they are, even in a very small deployment, you end up with many SBOMs.
[49:30] Viktor Petersson
Right.
[49:30] Viktor Petersson
Like how, what triggered that thought was what you're saying about the Java application.
[49:35] Viktor Petersson
Like you have one for a runtime, one for the actual application.
[49:41] Viktor Petersson
How do you see the best practice around that today?
[49:47] Steve Springett
Whatever is the simplest way to produce and consume those should be used.
[49:56] Steve Springett
CycloneDX has this concept of lifecycles, and it's built into the specification, and lifecycles in CycloneDX very closely represent both SDLC and software asset management lifecycles.
[50:16] Steve Springett
So these are things that either development shops or enterprise IT organizations use today, right?
[50:26] Steve Springett
We didn't invent a new kind of thing, so it mixes well with the vocabulary that developers and folks in ITAM and SAM already use.
[50:40] Steve Springett
And I view CycloneDX.
[50:44] Steve Springett
CycloneDX can represent all kinds of things, hardware, software, containers, services, it can represent it all.
[50:54] Steve Springett
And if you want to put all of that into a single BOM, fine.
[50:58] Steve Springett
There's plenty of organizations that do that.
[51:01] Steve Springett
If it's easier for you to separate it out and make everything linkable, fine.
[51:07] Steve Springett
You can do that as well.
[51:09] Steve Springett
On the consumption side, it makes things a little bit more challenging when you do that.
[51:15] Steve Springett
On the creation side, it's usually a little bit easier.
[51:19] Steve Springett
But if you take a few steps, if you take those additional steps, you can get an entire deployment represented in a single bill of materials.
[51:31] Steve Springett
It's not only difficult to do.
[51:34] Steve Springett
What you probably shouldn't do is represent all of your, like, SaaSBOM type stuff, or all of your services and your interdependencies of services, along with the inventory of those services.
[51:48] Steve Springett
That's kind of, that's crossing the line in my view, not just from an idealistic perspective, but ultimately you're going to want to share this information.
[52:04] Steve Springett
And if I'm a cloud vendor, I am not going to give you the inventory of things that are in my microservices, it's not going to happen, because that microservice that I have, maybe it gets stock quotes, maybe that's the service.
[52:21] Steve Springett
I've got ten different versions of that thing in production at any given time.
[52:26] Steve Springett
Which version would you like?
[52:27] Steve Springett
Because I have no idea what version you're going to hit.
[52:31] Steve Springett
That's the reality of cloud.
[52:32] Steve Springett
I'm never going to give you that, but I will give you the services that are outwardly exposed to the consumers.
[52:43] Steve Springett
These things you need to, I think, understand maybe, and draw the line on what you're going to share and what you're not going to share.
[52:52] Steve Springett
So that kind of is the same approach that I take to operational bills of materials as well.
[53:00] Steve Springett
Here's my software.
[53:01] Steve Springett
This doesn't change.
[53:02] Steve Springett
I'm going to share that with you.
[53:04] Steve Springett
Here's my operational stuff on the back end, and you're not getting it.
[53:08] Viktor Petersson
So on that note, secure by design is another one of these initiatives that is driving transparency in the supply chain.
[53:16] Viktor Petersson
And they call for radical transparency, I think is the terminology they use in their document.
[53:23] Viktor Petersson
And you can interpret that in many ways.
[53:27] Viktor Petersson
One interpretation is, well, it should be including everything, including my internals, not just the firmware that goes on my device.
[53:37] Viktor Petersson
I sold my customer, but also what's sitting on the back end and what supports that back end, even if it's not publicly exposed.
[53:43] Steve Springett
Right.
[53:44] Viktor Petersson
So how do you see that?
[53:46] Viktor Petersson
Because I feel like there is a push in the industry to kind of like take it all the way and have like, well, tell me everything that sits in your cluster, essentially.
[53:58] Steve Springett
I think that's a horrible idea, in my opinion.
[54:00] Steve Springett
I'm all for transparency.
[54:02] Steve Springett
Right.
[54:02] Steve Springett
I work in a standards body.
[54:04] Steve Springett
I develop standards.
[54:05] Steve Springett
We're open all the time.
[54:07] Steve Springett
We record meetings all the time.
[54:08] Steve Springett
I'm a big fan of transparency, but not at the expense of helping my adversaries do whatever it is that they want to do.
[54:17] Steve Springett
And ultimately, if you're too transparent, you are basically giving them the.
[54:23] Steve Springett
You're giving your adversaries the keys to the car along with a map on how to get there.
[54:32] Steve Springett
No, I think lawyers and everyone else will just say no.
[54:38] Steve Springett
And if the industry pushes too far and too hard in that approach, I think it's going to backfire on us.
[54:47] Steve Springett
Right.
[54:47] Steve Springett
We're going to, you know, we're going to be set back quite a bit in terms of our transparency efforts.
[54:54] Steve Springett
If that idealistic view, you know, keeps on, you know, if they keep on beating their drum because it's.
[55:01] Steve Springett
It's going to be a big setback.
[55:03] Steve Springett
For us, there's some things that we just don't want to be transparent about and.
[55:10] Viktor Petersson
Yeah, how do you, I mean, the executive order is another one that, I mean, for those not familiar, essentially if you're selling software to the government, you need to provide an SBOM.
[55:18] Viktor Petersson
That's the TL;DR.
[55:19] Viktor Petersson
But that's also a bit ambiguous.
[55:22] Viktor Petersson
Right.
[55:22] Viktor Petersson
Like what if I'm selling a SaaS service to the government?
[55:26] Viktor Petersson
What's the SBOM there?
[55:27] Viktor Petersson
Is it, where do you draw the line there?
[55:29] Viktor Petersson
Because it's kind of the same argument, but I'm not sure if you've seen anything, debates around that in the industry, like where do people draw the line?
[55:36] Viktor Petersson
And like, and also, I guess on the other side, like where would the government be happy?
[55:40] Viktor Petersson
With drawing the line?
[55:41] Viktor Petersson
I'm not sure if you have any insights on that.
[55:44] Steve Springett
There was, for a little while, there was a services SBOM working group, and I don't think we, I mean, you can read the papers from CISA, they talk a little bit about services.
[55:59] Steve Springett
They talk a little bit about, there was one group that focused on including services in a traditional SBOM, which, yes, of course you should.
[56:10] Steve Springett
And then there was another group that was talking about just services, just like cloud native type of things.
[56:17] Steve Springett
And it started getting really complex because we started discussing things like, well, this is only available in this region because this customer is, it gets really complex.
[56:28] Steve Springett
What does an SBOM look like from a pure cloud perspective?
[56:32] Steve Springett
And I encourage folks to read the paper, but essentially we don't really have a clear, definitive thing where you can point to some resource and say, I want that.
[56:50] Steve Springett
We don't have minimum elements for SaaS SBOMs.
[56:54] Steve Springett
It doesn't exist.
[56:57] Steve Springett
There's obviously a lot of complexity.
[56:59] Steve Springett
The dynamism of cloud, you know, adds to that complexity.
[57:05] Steve Springett
The fact that I might have canary builds and maybe ten different versions of some thing in production adds to that.
[57:13] Steve Springett
What version of that thing would you like?
[57:15] Steve Springett
Do you want all ten of them?
[57:18] Steve Springett
And when do you want the updates?
[57:20] Steve Springett
Do you want them 10,000 times a day?
[57:23] Steve Springett
Because something in my environment of 100 microservices, those things are, you know, all going to be updated all the time.
[57:32] Steve Springett
So I'm not going to give you 10,000 files a day.
[57:35] Viktor Petersson
Yeah.
[57:36] Steve Springett
So I don't know.
[57:38] Steve Springett
From my personal perspective, I believe that the industry should move forward with this concept of essentially tracking the outbound services, the services that as a consumer I can directly interact with, along with the data.
[58:03] Steve Springett
Now here's the thing about SBOM. SBOM became a thing because ultimately, it's your environment that you need to protect.
[58:14] Steve Springett
And in order to protect that environment, you kind of need to know what's running in it.
[58:19] Steve Springett
So if I've got a vulnerable version of, like, Log4Shell again, right, if I know that this thing has a vulnerable version of Log4j, and I also know that maybe it connects to LDAP, well, now I can deploy some very specific WAF rules and put a WAF in front of that service temporarily to reduce my risk while that vendor actually replaces it.
[58:43] Steve Springett
So that SBOM provides me a lot of things that I can do to protect my organization and its data because it's running in my environment.
[58:53] Steve Springett
Now, when we talk about the cloud, that's not my environment, that's somebody else's.
[59:00] Steve Springett
And as a consumer of a cloud service, let's go back to a stock quotes example.
[59:06] Steve Springett
Maybe it's a thing where not only are you getting public stock quotes, but maybe you're getting all kinds of other personally identifiable financial information, right?
[59:16] Steve Springett
Maybe it's a whole suite of different services that I get, and ultimately, it's the outbound services that I consume, and it's the data that I care about, not necessarily the environment.
[59:27] Steve Springett
So the things that I care about dramatically change.
[59:31] Steve Springett
And in my opinion, that's kind of the conversation that, as an industry, we probably need to have, because it's the data that's most important.
[59:39] Steve Springett
Like what types of data are going to what services. That way, if I know that vendor has a breach, I have a pretty clear idea of what that impact is going to be, especially as it relates to the type of data that I care about.
[59:57] Viktor Petersson
That's an interesting approach.
[59:58] Viktor Petersson
Yeah, definitely a lot more murky when you're talking about SaaS services rather than deploying on prem or like a hardware device.
[01:00:05] Viktor Petersson
Right.
[01:00:06] Viktor Petersson
And we're kind of coming back to service discovery again, and SBOM discovery, almost full circle.
[01:00:13] Viktor Petersson
And one thing that I did find rather clever in Project Koala is the discovery process.
[01:00:21] Viktor Petersson
Right.
[01:00:21] Viktor Petersson
And mapping kind of like SKUs to a URL to DNS patterns, essentially.
[01:00:27] Viktor Petersson
So you could do discovery that way.
[01:00:28] Viktor Petersson
And I really like that example because it's like, I think Alan used the example of in the podcast I had Nomis.
[01:00:35] Viktor Petersson
Like, he describes SBOMs like a recipe list for a physical product.
[01:00:39] Viktor Petersson
And that fits well into the analogy here, right?
[01:00:43] Viktor Petersson
Like, if you buy, like, here's a Screenly box, right?
[01:00:48] Viktor Petersson
Like, you can buy these at resellers, like they have a barcode, right?
[01:00:52] Viktor Petersson
If I scan that barcode, getting that SBOM is a pretty natural thing to do, right?
[01:00:58] Viktor Petersson
So I like that discovery because it's tapping into something that already exists.
[01:01:03] Viktor Petersson
Like everybody who does physical boxes, they have some kind of SKU or some kind of identifier.
[01:01:09] Viktor Petersson
Because I mean, if you do retail, you have to have that anyways.
[01:01:12] Viktor Petersson
So how you map it towards cloud is different.
[01:01:17] Viktor Petersson
Like AWS, they have SKUs.
[01:01:18] Viktor Petersson
I guess in cloud marketplaces, they have SKUs on the products.
[01:01:20] Viktor Petersson
I'm not sure if there is a mapping there, or conversations around that. Have you thought about that at all?
[01:01:25] Steve Springett
Or.
[01:01:26] Steve Springett
That was one of the challenges that we had when we had that CISA working group for cloud: what is the identity of the services?
[01:01:34] Steve Springett
I mean, a URL is not identity because again, my URL might be a load balancer and there might be ten different versions of that microservice behind that load balancer. URL is not it.
[01:01:47] Steve Springett
So what is the identifier?
[01:01:48] Steve Springett
It's not package URL, it's not CPE, it's what is it?
[01:01:51] Steve Springett
I don't know.
[01:01:53] Viktor Petersson
It's hard.
[01:01:54] Steve Springett
So I don't have answer for that.
[01:01:56] Viktor Petersson
Yeah, no, it is one interesting one to make that work at scale.
[01:02:02] Viktor Petersson
All right, we're kind of running out of time, but I want to finish off with the state of Dependency-Track today, because I think next to GUAC, which is like a new entry in the audit space, Dependency-Track is kind of the OG in that space.
[01:02:17] Viktor Petersson
Maybe for people who are not familiar with Dependency-Track, give them kind of like a state of affairs today.
[01:02:24] Viktor Petersson
How can it be used?
[01:02:25] Viktor Petersson
Why does it matter?
[01:02:26] Viktor Petersson
And how you see that?
[01:02:27] Steve Springett
Yeah, sure.
[01:02:29] Steve Springett
So Dependency-Track is essentially almost like the reference implementation that all the other entries in this market are kind of compared to. Essentially, Dependency-Track consumes and analyzes bills of materials and VEXs, VDRs.
[01:02:47] Steve Springett
It is used by tens of thousands of organizations, you know, some of the largest organizations in the world, governments of the world.
[01:02:57] Steve Springett
They rely on Dependency-Track on a daily basis.
[01:03:01] Steve Springett
And it is, it connects to a lot of different sources of vulnerability intelligence.
[01:03:07] Steve Springett
You know, the free ones like the National Vulnerability Database, the freely available ones like OSV and OSS Index.
[01:03:16] Steve Springett
And then it supports a few different commercial sources of vulnerability intelligence as well.
[01:03:22] Steve Springett
So you consume and analyze bills of materials.
[01:03:27] Steve Springett
It supports licensing and EPSS scores and a bunch of other things that you would need as either a development team to track, you know, your SBOMs and the risk of that inventory over time, as well as in procurement.
[01:03:44] Steve Springett
Right.
[01:03:45] Steve Springett
If you're procuring software, you know, getting, you know, getting.
[01:03:50] Steve Springett
If you get an SBOM from, you know, a vendor, you know, put it in Dependency-Track.
[01:03:55] Steve Springett
We did an informal poll.
[01:03:57] Steve Springett
Roughly 30% of users were using it for procurement use cases.
[01:04:01] Steve Springett
The other 70% were using it for purely development purposes.
[01:04:07] Steve Springett
The current state is that Dependency-Track is old.
[01:04:12] Steve Springett
It is eleven years old, and it predates the executive order.
[01:04:16] Steve Springett
It predates SBOM being a thing.
[01:04:19] Steve Springett
Right.
[01:04:19] Steve Springett
It wasn't designed for SBOM.
[01:04:21] Steve Springett
It was designed for full stack inventory.
[01:04:24] Steve Springett
And it was designed in a way where it's a monolith; it wasn't designed to scale.
[01:04:32] Steve Springett
So a lot of the work, and again, there's tens of thousands of organizations using it in production, but we are running into situations where some of the adopters, they want 100,000, we've got one that wants a million, we've got another one that wants 10 million SBOMs.
[01:04:52] Steve Springett
This is the type of scale that we're trying to redesign for.
[01:04:56] Steve Springett
So we are currently working on Project Hyades, which is kind of a, it's a.
[01:05:03] Steve Springett
Not a rewrite, but it's certainly a major reorganization and refactor of how Dependency-Track internals actually work.
[01:05:13] Steve Springett
So that it is much more horizontally scalable.
[01:05:17] Steve Springett
And we've got, you know, you can roll it out yourself and test it today, but we've got some users in the Dependency-Track community that have already tested it, kind of in their own little environments.
[01:05:30] Steve Springett
They're getting upwards of 20,000 SBOMs being consumed per hour, and it's going well over 100,000 SBOMs today.
[01:05:38] Steve Springett
So I don't know if we've actually tested it to a million.
[01:05:42] Steve Springett
Getting a million SBOMs is hard.
[01:05:44] Steve Springett
I mean, there's 60,000 SBOMs on Maven Central, right?
[01:05:47] Steve Springett
We can get those, but getting, you know, getting a million SBOMs, and making them, you know, kind of different, is kind of challenging, but that's basically where it's going.
[01:05:58] Steve Springett
So with all this enterprise use, lots of organizations are starting to contribute to it, which is great, if people want to contribute to it.
[01:06:08] Steve Springett
Again, it's an open source project.
[01:06:10] Steve Springett
It's freely available, you know, come and, you know, provide, you know, GitHub issues, provide feedback, no contribution is too small.
[01:06:20] Steve Springett
Documentation, you know, changes.
[01:06:22] Steve Springett
Yeah, are highly encouraged.
[01:06:25] Steve Springett
We need to update our docs, but.
[01:06:27] Viktor Petersson
Yeah, they're not that bad.
[01:06:29] Viktor Petersson
I read through them, they're not that bad.
[01:06:30] Viktor Petersson
I've seen a lot worse.
[01:06:32] Steve Springett
Yeah, yeah.
[01:06:34] Steve Springett
But docs, docs can be challenging for any open source project.
[01:06:36] Viktor Petersson
Yeah, but, and when people use Dependency-Track, do they tend to consume it over an API or do they tend to consume it as a web interface?
[01:06:47] Steve Springett
No, most of its usage is over APIs.
[01:06:50] Steve Springett
Think about how your build server might interact with other things that it does.
[01:06:57] Steve Springett
When you release software, it automatically deploys it.
[01:07:00] Steve Springett
Well, in our case it automatically pushes things to Dependency-Track.
[01:07:05] Steve Springett
That's how most organizations use it.
[01:07:08] Steve Springett
Now for the procurement use case, I know that some organizations have actually built it into their CMDBs.
[01:07:14] Steve Springett
So when they do procurement.
[01:07:16] Steve Springett
Right.
[01:07:17] Steve Springett
They do have some API integration to Dependency-Track.
[01:07:20] Steve Springett
But honestly I think most of the procurement use cases are going to be manual because there is that manual use case, right.
[01:07:26] Steve Springett
You can upload manually the SBOM.
[01:07:28] Steve Springett
In fact, you can actually author an SBOM manually if you want to, using Dependency-Track, because that goes back to the original use case back in 2012.
[01:07:40] Steve Springett
There were no file formats that did what I needed them to do.
[01:07:43] Steve Springett
So I basically had a web interface that allowed me to manually add components. That use case still exists because there's still a need for that today.
[01:07:52] Steve Springett
Right.
[01:07:53] Viktor Petersson
Interesting. The last question I have for you is how do you think the future generation of compliance frameworks will look?
[01:08:05] Viktor Petersson
We saw NIST 2.0 came out earlier this year.
[01:08:07] Viktor Petersson
It stops just shy of mandating SBOMs.
[01:08:09] Viktor Petersson
They call for transparency.
[01:08:12] Viktor Petersson
How do you see this?
[01:08:13] Viktor Petersson
When do you think we will see SBOM hard requirements for compliance?
[01:08:19] Viktor Petersson
Will the next ISO update?
[01:08:21] Viktor Petersson
Or how do you see that changing and what's your timeline for that?
[01:08:27] Steve Springett
That is a great question.
[01:08:29] Steve Springett
If I could get out my crystal ball, I would likely say, because there's a lot more conservative countries out there, I would guess that within the next three years you're going to see SBOM as kind of a hard requirement to do business, either in most major world governments or as a regulation.
[01:08:58] Steve Springett
If you look at PCI, it doesn't specifically, like PCI 4.0.1 for example.
[01:09:03] Steve Springett
It doesn't specifically say SBOM, I think, but it does say software and services.
[01:09:09] Steve Springett
So the inventory of your services is required for PCI 4.0.
[01:09:13] Steve Springett
Right.
[01:09:14] Steve Springett
So I think some specifications, some industries, we're slowly getting there and I think that's okay, right.
[01:09:23] Steve Springett
Because getting there too quickly is going to be too much change for many organizations.
[01:09:29] Steve Springett
But I do, I think, commend the US government for, I know they're kind of the 800 pound gorilla, right.
[01:09:37] Steve Springett
But I do kind of commend them for trying to work with a lot of our allies.
[01:09:42] Steve Springett
If you look at like the Quad, which is the United States, Japan, Australia, India, they're trying to align those folks on SSDF.
[01:09:54] Steve Springett
Right.
[01:09:54] Steve Springett
And if you go to like the.
[01:09:56] Steve Springett
It's not the ASD website, it's one of the other Australian websites, but they refer to SSDF as well because again, these are NIST standards.
[01:10:06] Steve Springett
Right?
[01:10:06] Viktor Petersson
Yeah.
[01:10:07] Steve Springett
And I think they've been doing a lot of harmonization because the last thing software vendors want is if I'm selling to this region, well, I need this standard.
[01:10:18] Steve Springett
If I'm selling into this other country, I've got this.
[01:10:20] Steve Springett
That's too much.
[01:10:22] Steve Springett
Right.
[01:10:22] Steve Springett
It becomes too costly.
[01:10:24] Steve Springett
Organizations will eventually say no.
[01:10:26] Steve Springett
So I think the US government has been doing a phenomenal job trying to harmonize and get everybody on the same page, which is phenomenal.
[01:10:33] Steve Springett
That's what we want, to keep costs down.
[01:10:35] Steve Springett
And as part of that slow roll, I think you're going to start seeing more and more, either industry or regional regulations requiring transparency and SBOM specifically become more popular over the next three years, would be my guess.
[01:10:57] Viktor Petersson
I think that's a reasonable guess.
[01:10:59] Viktor Petersson
I would agree with that as well.
[01:11:00] Viktor Petersson
And it's.
[01:11:01] Viktor Petersson
Yeah.
[01:11:02] Viktor Petersson
And I'm really happy that it hopefully will span SOC 2, NIST, all those things.
[01:11:07] Viktor Petersson
Like, you don't have to redo the effort.
[01:11:08] Steve Springett
Right.
[01:11:08] Viktor Petersson
I think that's the key.
[01:11:09] Viktor Petersson
Like it could tick so many boxes in an automated way.
[01:11:13] Steve Springett
Yeah, absolutely.
[01:11:15] Steve Springett
Keep on fighting the good fight.
[01:11:17] Viktor Petersson
Yeah, no, I think it's fantastic.
[01:11:19] Viktor Petersson
I think it's.
[01:11:20] Viktor Petersson
I'm very bullish on SBOMs and I think we'll get there, and there will be hiccups along the way and speed bumps, but at least we are moving in the right direction.
[01:11:30] Viktor Petersson
So that's very exciting.
[01:11:32] Steve Springett
And as long as we learn from those mistakes going forward.
[01:11:34] Steve Springett
Right.
[01:11:35] Viktor Petersson
And not being too theoretical about it, I think that's one of the issues.
[01:11:39] Viktor Petersson
There are a lot of white papers out there saying how you should do things, but if there are no tools out there that will actually do them, they're not worth the paper they're written on.
[01:11:49] Viktor Petersson
So I think that's something that is changing.
[01:11:53] Steve Springett
Good.
[01:11:53] Steve Springett
Awesome.
[01:11:54] Viktor Petersson
Perfect.
[01:11:55] Viktor Petersson
Thank you so much, Steve, for coming on the show.
[01:11:56] Viktor Petersson
Very much.
[01:11:57] Viktor Petersson
Appreciate it.
[01:11:57] Viktor Petersson
Have a good one.
[01:11:58] Steve Springett
Thanks so much.
[01:11:59] Steve Springett
Cheers.
[01:11:59] Viktor Petersson
Cheers.
[01:12:00] Steve Springett
Bye.