Tech Debt Burndown Podcast Series 1 E11: Allan Friedman and SBOMs
Posted on Sunday, Jun 20, 2021
Show Notes
Recording date: Jun 8, 2021
Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.
“Having a list of ingredients doesn’t mean that you’ll eat healthy, but it’s very difficult to eat healthy if you don’t have that” - Allan Friedman
After introducing himself, and his role at the National Telecommunications and Information Administration (NTIA), Allan gives an overview of Software Bill of Materials (SBOM) using a ’list of ingredients’ analogy.
The efforts around SBOM have been underway since 2018, and there was initially pushback from the software industry, in part because organisations didn’t have their open source licensing in order. As the NTIA has gone through the process of creating a consensus vision around SBOM, many of the original detractors have found that it provides a reason to clear up stuff that needed doing anyway.
Allan goes on to provide an example of how an SBOM gets used as a proxy for understanding total cost of ownership for software, and how that can be used as a negotiating lever. Vulnerability management, and understanding how most modern software is composed (largely from open source) rather than created from scratch is a central part of the utility of SBOM, so that software users can understand where weaknesses originate from.
We then go on to discuss the positioning for proprietary software, touching on the ‘black box’ problems that arise, particularly in environments that demand high levels of accreditation like healthcare.
Allan talks about the list of ingredients not meaning that anybody can replicate something, which reminds Chris of the UK TV show Snackmasters where celebrity chefs struggle to reproduce popular snacks. This leads Allan into some description of the challenges dealing with a lack of a global namespace for software.
We then move to some discussion of the 12 May Executive Order on Improving the Nation’s Cybersecurity, which sets the ball rolling for SBOM implementation in Federal Government:
(f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.
After talking about the difference between ingredients labels and nutritional information labels the conversation turns to how difficult it is to understand what compilers will produce from source code. This is a familiar problem for Chris, who’s previously examined how compilers can produce startlingly different output for seemingly trivial and functionally identical source code The compiler will not save you.
Before we wrap up, Allan notes that there was a chicken and egg problem with SBOM and the tools to produce an SBOM, but that’s largely addressed now by new companies and products emerging to fill the need; along with existing products growing additional capabilities.
Guests
Allan Friedman
Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce.
Prior to joining the Federal government, Friedman was a noted cybersecurity and technology policy researcher. Wearing the hats of both a technologist and a policy scholar, his work spans computer science, public policy and the social sciences, and has addressed a wide range of policy issues, from privacy to telecommunications. Friedman has over a decade of experience in cybersecurity research, with a particular focus on economic, market, and trade issues. He is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014).
Hosts
Chris Swan
Chris Swan is an Engineer at Atsign, building the Atsign Platform, an open source networking platform that is putting people in control of their data and removing the frictions and surveillance associated with today’s Internet.
He was previously a Fellow at DXC Technology where he held various CTO roles. Before that he held CTO and Director of R&D roles at Cohesive Networks, UBS, Capital SCF and Credit Suisse, where he worked on app servers, compute grids, security, mobile, cloud, networking and containers.
Chris is an InfoQ Editor writing about cloud, DevOps and security, and is a Dart Google Developer Expert (GDE). He’s a frequent speaking on supply chain security (SBOMs, SLSA and OpenSSF Scorecards), the Dart programming language and AI.
Nick Selby
Nick Selby is the founder and Managing Partner of EPSD, with a career spanning technology leadership, not-for-profit leadership, law enforcement, and cybersecurity. He serves on the board of directors of the National Child Protection Task Force, and the advisory board of Sightline Security.
He has held key executive roles at Evertas, Trail of Bits, 451 Research (now S&P Global Intelligence), and Paxos Trust. He served as Director of Cyber Intelligence and Investigations at the NYPD, and as both paid and reserve Texas police detective specializing in investigations of child sexual abuse material and online investigations.
He is co-author of several books, including Cyber Attack Survival Manual, Blackhatonomics: An Inside Look at the Economics of Cybercrime, and In Context: Understanding Police Killings of Unarmed Civilians; he was technical editor of Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace.