Unraveling SBOM Challenges: AI, Transparency and Policy Perspectives in Software Security

Tech Transforms

Nov 15 2023 • 46 mins

Meet the man on a mission to make software bills of materials (SBOMs) boring. In this So What? episode, Tracy Bannon and Carolyn Ford sit down with Allan Friedman, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA). Allan tells us how he is working to change how all software on the planet is made and sold, no big deal right? Join us as we dive into the world of SBOMs, xBOMs, and Secure by Design.

Key Topics

  • 03:59 Track open source licenses, establish shared vision.
  • 08:47 Discussing US government requirements, diversity in software.
  • 12:07 Framework helps organizations with secure software development.
  • 13:49 Organizations unaffected, prepare for impending software changes.
  • 17:40 Concerns about sharing software with potential security risks.
  • 20:59 Concerns about network security and regulatory pushback.
  • 24:14 Enhanced security measures save thousands of hours.
  • 27:53 Applying AI and data BOMs in conversation.
  • 32:38 Discusses the importance of SBOM in cybersecurity.
  • 36:29 Rewriting global code is a complex task.
  • 39:39 At RSA, little focus on secure design.
  • 41:53 Organizations' need for SBOM, call to action.
  • 43:55 Cooking for diverse family, diverse food requirements.

Challenges and Implementation of SBOMs

Self-Attestation for SBOMs

Allan Friedman explained that there is currently a self-attestation model for SBOMs, where companies can sign a form stating that they have implemented SBOMs, rather than providing the actual SBOM data. This allows flexibility for organizations that are not yet ready to fully comply. However, it means buyers have to trust the attestation rather than seeing the SBOM details directly.

Secure Software Development Model Compliance: "The challenge there is turning the framework back into a compliance model. Because, again, at the end of the day, everyone wants to think about things. Right? Understand your risk, but you still need to make that yes or no decision."— Allan Friedman

Tracy Bannon noted some companies have concerns about sharing their SBOM data with customers, worrying that the customer may not have secure enough practices to properly protect the SBOM. Allan Friedman explained SBOMs do not need to be public - they can be shared privately between supplier and customer. Known unknowns in the SBOM can also help address concerns about revealing proprietary information.

Debate About the Risk of Sharing SBOMs as a Road Map for Attackers

Allan Friedman argued that sophisticated attackers likely do not need the SBOM, as they have other ways to analyze and reverse engineer software. Automated attacks also do not leverage SBOMs. He noted defenders actually need the visibility an SBOM provides into components and dependencies. There may be some risk of exposing attack surface, but the benefits seem to outweigh that.

The Importance of SBOM for Product Security: "If we had this, we had SBOM across our products today, it would save us thousands of hours a year, because whenever the next Log4j comes out, if you have a centralized, machine-readable, scannable system, it's not that hard." — Allan Friedman
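The "next Log4j" scenario in the quote above, as an added example (this is not code from CISA, the podcast, or any SBOM tool): a Python scan that walks a constructed CycloneDX JSON SBOM, including nested (transitive) components, and matches each component's package URL against a constructed advisory list with version ranges. Component names, versions, and the advisory ranges are assumptions for illustration; only the CVE identifiers are real, and authoritative ranges belong to NVD/OSV. Components with no purl or version are reported as unresolved, which is how a supplier's "known unknowns" surface at scan time.

```python
"""Scan a machine-readable SBOM (CycloneDX JSON) for components that fall inside a
known-vulnerable version range. Added example; not code from CISA or the podcast."""
import json
import re

# Constructed CycloneDX 1.5 document standing in for a product SBOM. Note the
# log4j-core copy nested inside a framework (a transitive dependency) and a
# component with no version or purl (a "known unknown" the supplier could not resolve).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "app-framework", "version": "5.2.0",
     "purl": "pkg:maven/com.example/app-framework@5.2.0",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.4",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    {"type": "library", "name": "vendor-crypto-shim"}
  ]
}
"""

# Constructed advisory list keyed by version-less purl. The CVE IDs are the real
# Log4Shell identifiers, but the ranges are illustrative assumptions; take
# authoritative affected/fixed versions from NVD or OSV, not from this example.
ADVISORIES = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.15.0"},
    {"id": "CVE-2021-45046", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9", "fixed": "2.16.0"},
]


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric parts are padded to three so '2.15' == '2.15.0'; a pre-release
    suffix sorts before the bare release of the same number.
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def purl_base(purl):
    """Strip '@version', '?qualifiers' and '#subpath' from a package URL."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def walk_components(components):
    """Yield every component depth-first, including nested ones, so transitive
    dependencies are scanned the same way as direct ones."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def scan_sbom(sbom_json, advisories):
    """Return {'affected': [(advisory_id, purl), ...], 'unresolved': [name, ...]}."""
    sbom = json.loads(sbom_json)
    affected, unresolved = [], []
    for comp in walk_components(sbom.get("components", [])):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            # Nothing to match on: report it rather than silently skipping it.
            unresolved.append(comp.get("name", "<unnamed>"))
            continue
        base, ver = purl_base(purl), parse_version(version)
        for adv in advisories:
            if adv["purl"] != base:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                affected.append((adv["id"], purl))
    return {"affected": affected, "unresolved": unresolved}


if __name__ == "__main__":
    result = scan_sbom(SBOM_JSON, ADVISORIES)
    for adv_id, purl in result["affected"]:
        print(f"AFFECTED  {adv_id}  {purl}")
    for name in result["unresolved"]:
        print(f"UNRESOLVED  {name} (no purl/version in SBOM)")
```

Run against a real SBOM, the same loop is what turns "is Log4j anywhere in our products?" from a multi-week email exercise into a query: the advisory list is refreshed, every stored SBOM is walked, and the unresolved list tells you exactly which suppliers still owe you component data.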

Allan Friedman noted there has been some lobbyist pushback against SBOM mandates, often coming from trade associations funded by companies already implementing SBOMs. He said while healthy debate is good, many of the lobbyist complaints seem misguided or overblown.

The Potential Role of AI in Creating SBOMs and Its Implications for Security

Carolyn Ford asked whether AI could help automate SBOM creation, especially for legacy systems. Tracy Bannon cautioned that AI is not yet at the point where it can reliably generate code or understand large complex...
