ServiceNow Federal Forum 2024: Defending Software Supply Chain Integrity
Mike: I want to thank you for joining us here for "Defending Software Supply Chain Integrity." My name is Mike Roie. I'm the deputy CISO for ServiceNow, focused on the US federal government environments, specifically our GCC cloud and National Security cloud. Joining me we've got Dr. Allan Friedman, and I'll go ahead and give a nice introduction for Allan. Dr. Allan Friedman is the senior adviser and strategist at the Cybersecurity and Infrastructure Security Agency. He coordinates the global cross-sector community efforts around software bills of materials. He was previously the director of cybersecurity initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Prior to joining the federal government, Allan spent over a decade as a noted information security and technology policy scholar at Harvard's computer science department, the Brookings Institution, and George Washington University's engineering school. He is also the co-author of the popular text "Cybersecurity and Cyberwar: What Everyone Needs to Know," and he holds a CS degree from Swarthmore College and a PhD from Harvard University. Allan, welcome to the stage.

Allan: Thanks so much for having me.

Mike: I appreciate you joining us. So today we're going to really have a focus on SBOM, software bills of materials. Essentially, I would describe an SBOM as an inventory of the components that make up the software products that agencies use today. I like to liken it to the list of ingredients on the food that you buy: you want to know what is contained in the software that you're using, and then you can make solid, sound decisions based on what's included in the software. Security teams can leverage SBOMs to enhance cybersecurity by gaining visibility into the components and dependencies of their software. The specific areas of security that are impacted by this, where an SBOM assists security professionals, are vulnerability management, risk assessment, compliance, incident response, supplier accountability, and continuous monitoring. So with that kind of high-level description, Allan, what would you say is the current state of modern digital infrastructure, and how do SBOMs play a pivotal role in this space?

Allan: Great question. Just first, is it safe to assume that everyone has come across the idea of SBOM before? A little bit, okay. So we'll talk a little bit about some of the background as well. Really the core of the idea, along with I think a lot of the idea behind DevOps, the software world stole from heavy industry. I've always found that delightfully ironic, that all of our modern visions of modern digital infrastructure we kind of just ripped off from aluminum. That world has had this notion that you cannot manufacture something without knowing what's going into it, and then once you're using it, you need to be able to track that: a bill of materials. And then we sort of pulled that into software. If there's one takeaway I offer, you should all just remember that it's insane that we don't know what is in our software today. People don't appreciate how crazy it is that for the software that runs our government systems, our national security systems, our critical infrastructure, the buyers and operators don't know, and sometimes the people who make it don't know. So that's me getting into my rant mode: you should take umbrage at the idea that someone may want you to buy software or use software and they don't know what it is they're actually asking you to use. Okay, that's angry Allan. Let's go back to the digital infrastructure space, because a lot of the early discussion around it really focused on localized, shipped software, things that were on my network, and there it is really clear that we need to know what is in it, because you cannot defend what you don't know about. This is cybersecurity 101; it's phase one of the Cybersecurity Framework, etc. As we pivot to a more modern world, there are a couple of things that make this a little less important and a few things that make it a little more important. A little less important: if it's my network, maybe it's not running on that, and we'll talk about the cloud and SaaS thing in a little bit. But where it's more important is that our velocity of code is a lot faster, and what we consider code has gotten a lot broader. That means it's even more important to have a clear way of tracking what it is. So that's where data really becomes important, and the need to manage that data becomes important. So as we think about modern digital infrastructure: one, all the old stuff that you're using, your COBOL systems, the blinking boxes that are keeping Grandma alive, and the computer that's in the giant SUV that's driving around the prime minister of France, there's software there that we should all be aware of. But also the more modern side of things, because it's so dynamic, we need to do a better job of tracking.

Mike: Absolutely, absolutely. And yeah, the speed of change and the velocity of application development is exponentially faster than what we've ever seen before. What would you say are some of the common misperceptions about SBOM, and what are ways that organizations should look to try to embrace SBOM adoption?

Allan: Sure. So some of you may know that in Washington, DC there are lobbyists, and lobbyists really don't like it when government has new ideas. And here is where I always have a host... I love it when I get to work with companies like ServiceNow, but I also get to point out that ServiceNow pays some of these lobbying organizations which go around saying it's too hard. So the first misconception is, "Oh my God, it's too hard." We have a couple of responses for that, which is: no, it bloody well isn't. Lots of people are doing it already, and we can list which types of organizations, and it depends on what you do, but if Microsoft and Cisco can do it, if the giant tech companies can do it, you can. If the tiny startups that are producing really cool new applications can do it, you can do it. There's a command in Docker called sbom. You know what happens when you type sbom at your Docker prompt? You get an SBOM, right? So there are lots of ways that this is pretty straightforward. That's the first misconception. Now I also want to be honest: the other misconception might be that this is a solved problem, this is easy, this is mature technology. It is not. There are still lots of challenges, especially as we think about the flow of data down the supply chain. So if you're a developer, your developer team should definitely be able to create an SBOM, especially if they're using a modern toolchain, so that part is pretty straightforward. Where it gets a little complicated is when you start to track code that's developed here, that's used by this team, and then it's used by a different organization, that in turn is used by a different organization, and then it goes to the user of the software, and they want to integrate it into all of the tools that you described at the beginning: their risk analysis, their supply chain risk management, their vulnerability management, their asset management, their CMDBs. All of those tools are just beginning to integrate SBOM data. And I've got two more quick misconceptions. Some of the security people say, "Well, I'm worried that we're going to make things easier for the attacker. Aren't you giving a road map to the attacker?" I hear that all the time. And it is good that we are thinking about the world like an attacker would, but you know what, it's 2024. We don't just wave our hands about hackers; we threat model. So let's think about an advanced adversary: anyone who wants to know what is in your software, or software that you're using, who is determined to know what is in your software, will find out. The NSA made Ghidra free eight years ago. Ghidra is probably the most powerful reverse engineering technology out there, and they teach it in software engineering classes around the world. Someone who wants to know what's in your software, whether it's a foreign adversary or a corporate competitor, will be able to find it. Now at the other end of the threat spectrum, we've got automated malware. This is the looking-for-toeholds-for-ransomware, spray-and-pray crypto miners, and these aren't targeted at all. They're just looking for anything they can see on an exposed network and then running packages of known vulnerabilities. Some of you may know about CISA's Known Exploited Vulnerabilities list. This is why we have it: because it's very important for every defender to know what attackers are using today. And so an SBOM isn't helpful to them, because they don't need a road map; they're just broadcasting. You know who needs the road map? The defenders, right? The people who say, "Okay, yes, I've got a piece of software that's only used by 50 other users in the world," really specific or maybe just specialized technology, like lab equipment or something like that. Well, there's probably not going to be a CVE against a specialized piece of lab equipment, but that lab equipment is probably using some outdated software libraries, or maybe it's got a giant flaw in its password authentication library. And so the defender is the one that needs the road map to figure out where I need to strengthen my defenses. So that's my long rant on why the "road map for the attacker" argument isn't quite as valid as everyone thinks it is.

Mike: That's a very good point, and some very interesting points around lobbyists; we'll make sure to take a look at that as we engage moving forward. But no, I think you made some fantastic points there around really understanding what you need to protect. Yes, there's that argument that, hey, we're giving everybody our secret sauce, our recipes, but in reality it will help you as a software provider really understand, okay, these are the areas I need to prioritize and get after. To that end, what kind of guidance would you give to an organization that is now falling under an SBOM mandate from the government, or you're creating a new software platform and you realize, all right, I've got this SBOM task that I need to be considerate of? What kind of recommendations would you provide to avoid being overwhelmed by such a daunting task?

Allan: Sure. So a lot of it depends on what kind of hat you wear. Some of us make software: either we have an internal software factory or we're selling to the government. Some of us choose software: we buy things through a procurement process, we make a decision to start using a particular open-source package or project. And some of us operate software: it's on our networks, our agency data is in it, US citizens' data is in it, and we need to keep them safe, we need to make sure everything's secure. And by the way, a lot of us wear all three of those hats at once. It's quite the fashion statement and quite the job description. For each of those, "just start" makes sense. So if you make software, in your toolchains start thinking about what's there. And again, it depends a little bit on where you are and how you develop software, but there are now plugins into GitHub that allow you to automatically generate this kind of data, there are plugins into CI/CD tools, or a plugin into GitLab that will do this for you. You can start just by generating the data, even if you just have it go into a folder, thinking about how you inject it into the process so that it's not onerous or burdensome to the developers themselves, but it gives you a nice little feather in your hat: "Oh look, we've integrated this new thing that people are talking about." I think it's one of those nice little things to tuck into an annual review, where you can say, "In addition to all the things I was supposed to do, I spent half an hour looking up how to do it in the thing that I already do, and now we have SBOM capability." There's a lot more work that you can do down the road, but that's sort of the good starting point. For procurement decisions, the first thing is just to start asking: can I have an SBOM? Now, one of the things that I love to do is, when you're talking to someone who provides software, say "Can I have an SBOM?" and they say, "No, we can't do that yet." That should be a giant red alert. If someone cannot give you an SBOM, it is very important to understand why they can't. Is it because their lawyers haven't figured out how to give it to you yet? Well, okay, that's reasonable. Guess what: in your contract is a timeline. Six months, this now gets in, and don't let them redline it out. Six months is enough time for lawyers to do their thing, and I say that charitably to lawyers, by the way. And by the way, there are stages. Step zero is: do you have an SBOM? The person who is trying to give you the software, you don't even have to have it, they don't have to give it to you. You can just say, "Please, in this contract, verify that you have one," because that way your software supplier, your SaaS provider for example, when the next Log4j comes along, they'll be able to respond a lot faster than they would if they don't have one. And then the last piece is what you do as an operator, and this is where things get a little harder, and we want to acknowledge what the ecosystem doesn't have. I love the fact that people all across the US government are now asking, "I have an SBOM, now what?" The reason that question makes me really happy, despite the fact that I don't have a great answer for it, is that a year ago no one had an SBOM, so no one was asking that question, and we're now at a level where we can do this. It would be weird if an agency had already invested in an SBOM consumption tool, because that would mean that two years ago someone would have said "we need this" without having the SBOMs necessary. So it's going to take a little while for SBOM management and SBOM consumption to be built into toolchains, because that's where I'd like to see it happen: rather than getting you a brand new tool, you already have certain data management tools. One of them is provided by a certain very large vendor that has green and white logos, but there are others out there, and there are even some really cool startups that are purpose-built for this. And then integrating it into your vuln management, your asset management, your CMDB, your data lake. We're starting to see more and more of those vendors start to say, "Yes, we're going to take that data and actually make use of it." Because at the end of the day an SBOM is just data. It is not helpful, any more than giving a vulnerability a CVE identifier will protect a damn thing. But that CVE identifier sets up the entire toolchain that allows you to feel confident that you're not running vulnerable code on your network. And so that's the role of the operator: starting to track that.

Mike: Do you envision a time where there will be kind of a centralized repository for all of government? Is that something that CISA would look at, or is it more along the lines of agency by agency collecting for their own use in their own action and activity?

Allan: So I'm guessing that a lot of us in this room are familiar with Executive Order 14028 from 2021. It was the administration's big cybersecurity executive order, the Biden cyber directive. There were a number of cross-government, public-private conferences following that, and I helped moderate an event that [inaudible] hosted. It was very interesting, because the SBOM part in particular I remember, because it's pretty hard to find people from industry who really like FedRAMP, or who are willing to say anything nice about FedRAMP; they should look at what compliance is like on the industry side. The one thing that we heard is that industry wanted to make sure that the big picture of compliance that the executive order followed was that "write once, run anywhere" process, and particularly for SBOMs they didn't want to keep having to share this data everywhere. And in fact that's what we in the administration did. CISA just announced the launch of our attestation and artifact repository, where everyone who supplies the government can upload it to one repository. And note that while today that is going to be used for the attestation form, it is very intentionally called the attestation and artifact repository, because where we are all heading, and this is sort of a big-picture approach, is that secure software development is not about forms signed by your lawyers. It is going to be about artifacts generated by machines, securely, in an approved, proven fashion, and the easiest and most shovel-ready of those artifacts today is an SBOM.

Mike: Good point. Now, would you want to talk about VEX at all in this?

Allan: So again we're going to do the audience participation. Anyone heard of VEX in this audience? All right, we've got a few. So VEX is kind of an interesting idea, and it's a terrible name; that's my fault. It stands for the Vulnerability Exploitability eXchange. Now this was a placeholder name that I came up with while we were workshopping the concept, and some of you know that there's very little in the world that is as permanent as a temporary government idea, and so we got stuck with VEX. The model behind it is that it is just an attestation. It's a communication channel that allows you to say, in technical architecture terms, a binding of a product or piece of software, a vulnerability (some known badness), and a status of "do I have to worry or not." The term we use is "affected," not... "Damn it, Allan, you're really effective!" Let me know. But it's the right one: it's "do you have to worry." The vision behind this is: there's software that is going to be built into a product, and that software will have a vulnerability, but the vulnerability itself will not actually affect the security of the bigger product. I'll give you an example. We remember OpenSSL and Heartbleed, right? Depending on how you measure it, there are between 600 and a thousand different function calls you can make in OpenSSL 0.9, the affected version. Two of them directly called the code that would allow an attacker to read randomly from the server's memory. So if you are only using the pseudo-random number generator in OpenSSL, then chances are your compiler has ripped out anything that is remotely about Heartbleed. So VEX allows someone to say, "Here's my SBOM" ("Oh my God, OpenSSL, Heartbleed, bad, bad, bad"), and here's a machine-readable attestation so that your system can say, "Let's turn off that warning light, because we trust whoever gave us that information." So at its core it's just a communication channel, but what it really will allow us to do is automate our vulnerability ecosystem better. And I'll give you one more example on the supply chain side of things, because this is being used already in open source. Some of you may know that kernel.org, the Linux kernel, is now a CVE Numbering Authority; you may have heard about this. The Linux kernel is far and away the most widely used piece of software on the planet. Correction: on the planets, because the Linux kernel is on Mars, which, as a geek, I think is kind of cool. So when you find a security vulnerability in the Linux kernel, or when you find a bug in the Linux kernel, you don't know who that's going to affect, because the Linux kernel is in a car, and it's in your phone, and it's in a fighter jet; it's everywhere. And most of the time that bug is not going to allow an attacker to do something, but if the people who maintain the Linux kernel think that there's a risk, you still need to make it a vulnerability. And so VEX is really going to help us manage that tide of data. As we start to pay more attention to open source, and we start to pay more attention to our closed-source supply chain, it allows us to say: I don't have to worry about each of the 35,000 CVEs that were created last year; I can focus on the ones that are in my supply chain, and I can focus on the ones that will actually affect me and my users and my agency.

Mike: Those are some great points, and I feel like in the conversations I'm having with other software providers, some of the biggest concerns are around "If I do provide an SBOM, it's going to open up this Pandora's box." That's where I think the concept of VEX is going to be extremely helpful, and it needs to be understood by all parties. Because as a software provider, if you give an SBOM and now all of a sudden my customers see that, they're going to come back and say, "What about this? What about this? What about this?" VEX is going to be able to proactively address many of their questions and concerns.

Allan: Agreed. I think that's actually one of the key drivers that we're hearing about from big commercial software providers: "Oh my God, this is going to save us so much on customer support." And it's also going to help those of us that use software. Many of you lived through Log4j. I spent Log4j hunched over my travel laptop in my sister-in-law's house in Texas, because it was Christmas, and while everyone was out and about doing their holiday shopping I was busy as part of the CISA response to Log4j. Imagine how much easier this would have been if every software provider could send a machine-readable piece of JSON that just said "we are affected" or "we're not affected." Heck, just a machine-readable thing that said "my product's written in C, there's no Log4j here." And because it's transmitted and it's signed, well, now if it turns out someone was wrong (every so often product security teams get things wrong), you can basically say, "Well, you said this," and so now we can talk about what your next contract is going to look like.

Mike: All right. Well, I'd be remiss if at this conference I didn't ask at least a single question around AI. There's been quite a bit of discussion in the area and in government around AIBOM. Can you tell me a little bit about your thoughts on AIBOM and where you see that going in the future?

Allan: So there we have the simple answer and the more complex answer. The simple answer is a blog post written by two of my colleagues at CISA, Christine Li, who's one of our AI experts, and Dr. Jonathan Spring, who's one of our software assurance experts, that basically boils down to: AI is software. We have 20 years of thinking about software assurance; we don't get to ignore that just because it's AI. And in fact, if you've ever worked with a Python developer, it's probably even more important that we put good software assurance practices into our AI systems. And in fact, this blog post explicitly includes SBOM, so you need the software bill of materials for your AI system. Where things get more complicated is, of course, we know that AI, despite not being new, is more than just software, and so now we start to get into very real supply chain issues around the data side and, increasingly, as models become portable and hot-swappable, the model itself. This is one of the areas where I see two conversations happening separately. I see the people who have been spending time thinking about transparency of software having a conversation over here, and people who have been thinking about AI transparency as it relates to a number of other issues other than security. We've talked about transparency for 15 years, about the need for transparency for bias, for example. One of the things we are hoping to do is to bring those two communities together, because there are some pieces from the AI world that are out there. Hugging Face has this idea of a data card; the problem is it's not really machine readable. There are model cards, and then there are model representations. So there are some tools out there, but what we want to do is help people figure out how we are going to use that data to make risk decisions about supply chain at scale. Because again, for an agency that says, "Yes, we're all in," and you may have heard the panel just on stage about all this great work that's happening around embracing AI, we still need to have a certain amount of accountability, and step one of that accountability is transparency. It's knowing what the heck we're dealing with.

Mike: For sure, for sure. Well, we've got about five minutes left. I wanted to open it up to see if there are questions in the audience.

[Audience question, inaudible.]

Allan: Sure. This is a great question, which is sort of how do we think about SBOM not for software that's actually on my network, but software that's maintained and provided as a service. The good news is that there is a community-led work group that CISA facilitates that has wrapped up a white paper exactly on this question. It'll be published in the next week or two; government publishing takes a little while. But basically it amounts to a first step, which is: SaaS is software, we should think about it, but also acknowledging that what you can do with that data is a little different. So first we tried to scope out the application layer. We're not talking about platform as a service, and we're not even talking about the services, because we don't have a very good way to scalably describe third-party services. This is a goal that we should all have: how do I have transparency if my application is using a different application? We should really have some visibility into that, especially as we were talking earlier about data localization, so that it's really important to say, "Well, this application is running in this country, but now the data is going to a different service." But there are still some very clear use cases, especially pre-procurement risk analysis, where it's just going to be a snapshot. As people often say, "Well, SaaS will have updates daily, hourly, minutely." It's fine, but a snapshot will give you some insight, not just into security but into other types of risks. One of the things that Mike and I were talking about is just measuring tech debt, or end-of-life and end-of-support components, where it's not about linking to known vulnerabilities, but if you can get a snapshot of an application saying, "My God, this is based on a seven-year-old framework; someone's going to have to pay to do a complete code refactoring. If I'm one of four customers, what's my total cost of ownership over the lifetime of this contract?" It doesn't mean you have to stop anything, but it gives you an idea of how to move forward.

[Audience question, largely inaudible: whether, with the government acting as a centralized collection point, it could serve as a proxy for other industries, or whether providers will be expected to serve each of the other industries on a one-to-one basis.]

Allan: This is a great question, and I don't want to keep everyone from their drinks. Short version is: almost certainly not the US government filling that sort of massive data repository. There are some great starting points. For example, in the healthcare sector, which is the sector that is actually implementing SBOMs today, the FDA requires an SBOM; you cannot sell a new medical device without giving the FDA an SBOM, and now the hospitals also want this data as well. And so the healthcare ISAC, I love this example, has stepped in to be that trusted third party to allow that nexus. You've hit on one of the big gaps that we don't have in any part of supply chain, which is that there is no good decentralized way to move data around right now. All the big companies that say customers can have an SBOM, you've got to use their portals. Now, I was a teenager in the '90s, I love a lot of things from the '90s; we don't need to bring back portals. So we need better solutions for what that scaling looks like, especially for industries that don't have a centralized point. I think there's a business opportunity, but then you have to trust, and of course everyone wants to be the sole provider. It's going to be fun to play out. One of our work streams at CISA is tackling this exact problem, which is how do we share SBOMs, but it really applies to all kinds of metadata moving forward, because we're going to need to know, moving forward, not just the SBOM but a lot more data about where our software comes from and how it was made.

[Audience question, partly inaudible: whether there is any thought yet of a sharing or aggregation process for attestations.]

Allan: So, to get a little into the weeds, and I know we're over time, so someone throw something at me, or just leave and go start drinking. The VEXes probably have to be shared themselves, because that contains enough data that is needed operationally. For the SBOM side of things, it depends what you need and when you need it. If you just want to show that one existed at a certain time and I can go back and get it, helpful. There's a very new project in the IETF that is starting to move in that direction. So a lot of it does depend on what I need, and especially as we start talking about SaaS products, I think you're going to see a pivot towards an API model, where if I need it I have some ability to get it. Again, even that is always tricky, because how do you control access to the API? You don't want every single employee in your customer organization to have that. But I think that's one of the things that we're going to see: having some kind of query model for that.

Mike: Got a couple more? Yeah, all right.

Allan: I hate talking about SBOM and I certainly won't hang out here...

Mike: Well, thank you everybody for joining. Allan, thank you for coming up on stage.

Allan: Thank you all for sticking around so long.
https://www.youtube.com/watch?v=esM9w1SSBMA
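The VEX mechanism Allan describes in the talk, where matching an SBOM against advisories raises a warning light and a trusted, machine-readable "not affected" statement with a stated reason turns it off, can be shown end to end in code. The following is an added example written for this page; it is not code from CISA, ServiceNow, or the speakers. The SBOM, advisory list, VEX statements, product name, issuer names and CVE-style identifiers are all constructed placeholders, and the document layout is a simplified schema, not a conformant OpenVEX, CSAF or CycloneDX VEX document. Only the four status values and the not_affected justification keywords are taken from the VEX vocabulary.

```python
"""Apply VEX-style statements to findings derived from an SBOM.

Constructed example: all data below is made up and the schema is a
simplified one (dicts), not a real SBOM or VEX document format.
"""
from dataclasses import dataclass

# Status values and not_affected justifications follow the VEX vocabulary;
# the surrounding document layout is an assumption for this example.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed SBOM: the product and its components (placeholder names/versions).
SAMPLE_SBOM = {
    "product": "fictional-app",
    "components": [
        {"name": "libtls", "version": "1.0"},         # stands in for the OpenSSL case
        {"name": "logging-lib", "version": "2.14"},   # stands in for the Log4j case
        {"name": "json-parser", "version": "3.1"},    # advisory exists for 3.0 only
    ],
}

# Constructed advisories with placeholder identifiers (not real CVEs).
SAMPLE_ADVISORIES = [
    {"id": "CVE-0000-0001", "component": "libtls", "affected_versions": {"1.0", "1.1"}},
    {"id": "CVE-0000-0002", "component": "logging-lib", "affected_versions": {"2.14"}},
    {"id": "CVE-0000-0003", "component": "json-parser", "affected_versions": {"3.0"}},
]

# Constructed VEX statements. "issuer" models "we trust whoever gave us that
# information"; a real deployment would verify a signature, which is omitted here.
SAMPLE_VEX = [
    # Heartbleed-style: vulnerable function is never called, so not affected.
    {"issuer": "vendor-psirt", "product": "fictional-app", "vulnerability": "CVE-0000-0001",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    # Log4j-style: the vendor confirms the product is affected.
    {"issuer": "vendor-psirt", "product": "fictional-app", "vulnerability": "CVE-0000-0002",
     "status": "affected"},
    # An untrusted third party claiming "don't worry" must not clear the finding.
    {"issuer": "random-blog", "product": "fictional-app", "vulnerability": "CVE-0000-0002",
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
]
TRUSTED_ISSUERS = {"vendor-psirt"}


@dataclass(frozen=True)
class Finding:
    product: str
    component: str
    version: str
    vuln_id: str
    status: str = "under_investigation"
    justification: str = ""


def match_sbom(sbom, advisories):
    """Step 1: the SBOM is 'just data'; cross it with advisories to get raw findings."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and comp["version"] in adv["affected_versions"]:
                findings.append(Finding(sbom["product"], comp["name"], comp["version"], adv["id"]))
    return findings


def apply_vex(findings, vex_statements, trusted_issuers):
    """Step 2: let a VEX statement turn off the warning light, but only when it
    comes from a trusted issuer and a not_affected claim carries a recognised
    justification. Later matching statements override earlier ones."""
    resolved = []
    for f in findings:
        status, just = f.status, f.justification
        for st in vex_statements:
            if st["product"] != f.product or st["vulnerability"] != f.vuln_id:
                continue
            if st["issuer"] not in trusted_issuers:
                continue  # untrusted attestation: the finding stays open
            if st["status"] not in VEX_STATUSES:
                continue
            if st["status"] == "not_affected" and st.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
                continue  # a bare "don't worry" with no reason does not clear it
            status, just = st["status"], st.get("justification", "")
        resolved.append(Finding(f.product, f.component, f.version, f.vuln_id, status, just))
    return resolved


def needs_attention(findings):
    """Everything not cleared by a trusted not_affected/fixed statement stays on the list."""
    return [f for f in findings if f.status in ("affected", "under_investigation")]


if __name__ == "__main__":
    raw = match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in needs_attention(apply_vex(raw, SAMPLE_VEX, TRUSTED_ISSUERS)):
        print(f"{f.vuln_id} in {f.component} {f.version}: {f.status}")
```

Run as written, the raw SBOM match flags two of the three components (the json-parser version is outside the advisory's range), the trusted vendor statement clears the libtls finding with an execute-path justification, the vendor's "affected" statement keeps the logging-lib finding open, and the untrusted "not affected" claim is ignored. With an empty trust set nothing is cleared, which is the safe default until the signature on a statement has actually been verified.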