Transparency in the Software Supply Chain: Making SBOM a Reality

Presented at Black Hat USA 2019, Aug. 7, 2019, 5:05 p.m. (25 minutes)

We can't buy a piece of candy without knowing its ingredients, or design and sell a piece of machinery without accounting for each nut and bolt. Yet, even as supply chain uncertainty has emerged as a top information security risk, there is limited visibility into the third party components on the software running on our networks, and little market incentive for software suppliers to actually track their third party dependencies.

A "software bill of materials," or SBOM, can promote transparency of what code we're actually using across the entire software supply chain. Last summer, the US Department of Commerce launched a new "multistakeholder initiative" and convened experts to find consensus on the viability of this idea, and how we can make it a reality without government regulation. Participants from a range of sectors have spent the last year exploring this idea and its application in domains ranging from open source development to commercial DevOps to embedded medical devices.

This briefing will announce the initial results of that open, international, stakeholder-driven process. Participants found a shared vision of what an SBOM looks like, including sketching out a minimum viable product and optional extensions for different use cases. They conducted research across a range of sectors to identify existing practices and how different parts of the supply chain could be improved with the availability of SBOM data. Stakeholders also identified two existing and interoperable data formats (SWID and SPDX) that can be used to convey the SBOM data. A set of stakeholders even launched and documented a proof-of-concept exercise. We have collectively started to identify tools and formal processes to enable automation. Moving forward, we will need even greater participation and community buy-in to promote awareness and adoption, as well as identifying further challenges that we can tackle together.


Presenters:

  • Allan Friedman - Director, Cybersecurity, NTIA / US Dept of Commerce
    Allan Friedman is Director of Cybersecurity at National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA's multistakeholder processes on cybersecurity, focusing on addressing vulnerabilities in IoT and across the software world. Prior to joining the Federal Government, Friedman spent over 15 years as a noted InfoSec and tech policy scholar at Harvard's Computer Science Department, the Brookings Institution and George Washington University's Engineering School. He is the co-author of the popular text 'Cybersecurity and Cyberwar: What Everyone Needs to Know,' has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University, and is quite friendly for a failed professor-turned-technocrat.

Links:

Similar Presentations: