Tech Debt Burndown Podcast Series 1 E11: Allan Friedman and SBOMs

Posted on Sunday, Jun 20, 2021
Allan Friedman of the National Telecommunications and Information Administration (NTIA) has long been one of the world’s leading proponents of Software Bill of Materials, or SBOM. With the President’s Executive Order on Improving the Nation’s Cybersecurity, SBOM has begun to receive the wider attention it deserves, and Allan joins Chris and Nick to discuss SBOM and how it can help with tech debt burndown.

Show Notes

Recording date: Jun 8, 2021

Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.

“Having a list of ingredients doesn’t mean that you’ll eat healthy, but it’s very difficult to eat healthy if you don’t have that” - Allan Friedman

After introducing himself, and his role at the National Telecommunications and Information Administration (NTIA), Allan gives an overview of Software Bill of Materials (SBOM) using a ‘list of ingredients’ analogy.

The efforts around SBOM have been underway since 2018, and there was initially pushback from the software industry, in part because organisations didn’t have their open source licensing in order. As the NTIA has gone through the process of creating a consensus vision around SBOM, many of the original detractors have found that it provides a reason to clear up stuff that needed doing anyway.

Allan goes on to provide an example of how an SBOM gets used as a proxy for understanding total cost of ownership for software, and how that can be used as a negotiating lever. Vulnerability management, and understanding how most modern software is composed (largely from open source) rather than created from scratch is a central part of the utility of SBOM, so that software users can understand where weaknesses originate from.

We then go on to discuss the positioning for proprietary software, touching on the ‘black box’ problems that arise, particularly in environments that demand high levels of accreditation like healthcare.

Allan talks about the list of ingredients not meaning that anybody can replicate something, which reminds Chris of the UK TV show Snackmasters where celebrity chefs struggle to reproduce popular snacks. This leads Allan into some description of the challenges dealing with a lack of a global namespace for software.

We then move to some discussion of the 12 May Executive Order on Improving the Nation’s Cybersecurity, which sets the ball rolling for SBOM implementation in Federal Government:

(f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.

After talking about the difference between ingredients labels and nutritional information labels the conversation turns to how difficult it is to understand what compilers will produce from source code. This is a familiar problem for Chris, who’s previously examined how compilers can produce startlingly different output for seemingly trivial and functionally identical source code The compiler will not save you.

Before we wrap up, Allan notes that there was a chicken and egg problem with SBOM and the tools to produce an SBOM, but that’s largely addressed now by new companies and products emerging to fill the need; along with existing products growing additional capabilities.

Guests

Allan Friedman

Allan Friedman

Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce.

Prior to joining the Federal government, Friedman was a noted cybersecurity and technology policy researcher. Wearing the hats of both a technologist and a policy scholar, his work spans computer science, public policy and the social sciences, and has addressed a wide range of policy issues, from privacy to telecommunications. Friedman has over a decade of experience in cybersecurity research, with a particular focus on economic, market, and trade issues. He is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014).

Hosts

Chris Swan

Chris Swan

Chris is a frequent speaker on topics such as serverless, DevOps, cloud, containers, security, networking and the Internet of Things. He’s also a cloud editor for InfoQ and a contributor to open source projects such as Docker, CoreOS and DXC’s Online DevOps Dojo.

Nick Selby

Nick Selby

Nick provides information security, disaster- and cyber incident-readiness assessments at Fuzz Technology, a subsidiary of EPSD, Inc. From 2021 to 2023, Nick served as VP of the Software Assurance Practice at Trail of Bits (where he was the voice and executive producer of its podcast), and from 2019 to 2021 as Chief Security Officer at Paxos Trust Company.

From 2018 to 2020, Nick served as Director of Cyber Intelligence and Investigations at the NYPD Intelligence Bureau, where he helped the department understand how it investigates online, and how Cyber Enabled crime affects New Yorkers.

In 2005 he founded the information security practice at industry analyst firm 451 Research, (now S&P Global Market Intelligence) where he served until 2009 as 451’s Vice President, Research Operations.