Recording date: Jun 8, 2021
After introducing himself, and his role at the National Telecommunications and Information Administration (NTIA), Allan gives an overview of Software Bill of Materials (SBOM) using a ‘list of ingredients’ analogy.
The efforts around SBOM have been underway since 2018, and there was initially pushback from the software industry, in part because organisations didn’t have their open source licensing in order. As the NTIA has gone through the process of creating a consensus vision around SBOM, many of the original detractors have found that it provides a reason to clear up stuff that needed doing anyway.
Allan goes on to provide an example of how an SBOM gets used as a proxy for understanding total cost of ownership for software, and how that can be used as a negotiating lever. Vulnerability management, and understanding how most modern software is composed (largely from open source) rather than created from scratch is a central part of the utility of SBOM, so that software users can understand where weaknesses originate from.
We then go on to discuss the positioning for proprietary software, touching on the ‘black box’ problems that arise, particularly in environments that demand high levels of accreditation like healthcare.
Allan talks about the list of ingredients not meaning that anybody can replicate something, which reminds Chris of the UK TV show Snackmasters where celebrity chefs struggle to reproduce popular snacks. This leads Allan into some description of the challenges dealing with a lack of a global namespace for software.
We then move to some discussion of the 12 May Executive Order on Improving the Nation’s Cybersecurity, which sets the ball rolling for SBOM implementation in Federal Government:
(f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.
After talking about the difference between ingredients labels and nutritional information labels the conversation turns to how difficult it is to understand what compilers will produce from source code. This is a familiar problem for Chris, who’s previously examined how compilers can produce startlingly different output for seemingly trivial and functionally identical source code The compiler will not save you.
Before we wrap up, Allan notes that there was a chicken and egg problem with SBOM and the tools to produce an SBOM, but that’s largely addressed now by new companies and products emerging to fill the need; along with existing products growing additional capabilities.
Allan Friedman is the Director of Cybersecurity Initiatives at National Telecommunications and Information Administration in the US Department of Commerce.
Prior to joining the Federal government, Friedman was a noted cybersecurity and technology policy researcher. Wearing the hats of both a technologist and a policy scholar, his work spans computer science, public policy and the social sciences, and has addressed a wide range of policy issues, from privacy to telecommunications. Friedman has over a decade of experience in cybersecurity research, with a particular focus on economic, market, and trade issues. He is the coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford University Press, 2014).
Chris is a frequent speaker on topics such as serverless, DevOps, cloud, containers, security, networking and the Internet of Things. He’s also a cloud editor for InfoQ and a contributor to open source projects such as Docker, CoreOS and DXC’s Online DevOps Dojo.
Nick is Chief Security Officer at a financial technology firm, and was formerly an NYPD Intelligence Bureau apparatchik. He is co-author of many books, including Cyber Attack Survival Manual; In Context: Understanding Police Killings of Unarmed Civilians and Blackhatonomics: An Inside Look at the Economics of Cybercrime.