Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:09):
I can hear the Muppet theme song right now.
Izar Tarandach (00:12):
sensational,
international, and it's gonna
start the security table.
Chris Romeo (00:19):
to...
What a way to start! With a little rendition from the Muppets.
So, I don't even know how to explain the Muppets, so I won't try.
Just Google it, read the Wikipedia entry if you don't know what we're speaking about.
It's from many years ago, but it's
Matt Coles (00:32):
Manamana.
You can find it streaming somewhere.
Chris Romeo (00:35):
Yes, I should find it.
I would love to watch those shows again.
Alright, well, um, the three of us were coming off a visit to our nation's capital, Washington, D.C., where we hosted the first ever threat modeling conference, and I don't know about you guys, but I'm just, uh, running on fumes today.
(00:55):
But, uh, luckily, I still have snark available even when I'm running on fumes, so that will... It may even get worse, so just, uh, you know, parental warning, there may be a higher level of snarkiness in this, so we've got a special topic, too.
So it's kind of like a perfect storm, where everything's, everything's coming together for the storm of the century, right here.
(01:15):
So, we want to take a look at an article, and I'm
Matt Coles (01:19):
You're just going to
unload on this topic, aren't
you?
Chris Romeo (01:21):
Me?
I may, I may.
I've been unloading on this topic for the last month or two, if you might remember,
Izar Tarandach (01:26):
Month or two?
Chris Romeo (01:29):
Okay, longer.
So, the title of the article is from Forbes, and it is 20 Tech Experts Share Essential Details to Look for in an SBOM, and this is an expert panel from the Forbes Council's member, Forbes Technology Council, and so
Izar Tarandach (01:48):
Fee based.
Chris Romeo (01:50):
Yeah, so that's a good thing to, yeah, it is a, it does say membership fee based.
When all we're doing is reporting the news here, it does say that in the byline of this particular item.
And so I know as we were going through this and looking at the various things, uh, we definitely had some questions.
So let me just read off the first one that we want to comment on.
(02:10):
An open source dependency tree.
Number one on their list.
Because components and pieces of code are often dependent on others, one of the most complex challenges in application security is open source dependency management.
SBOM should include an open source dependency tree so users can see the core components of an application and where they come from to help engineers quickly identify and manage dependencies in the code.
(02:31):
This one seems like it's pretty good.
It seems to be relatively...
Matt Coles (02:35):
It's literally the
definition of an SBOM.
Yeah.
Yeah, I mean,
Chris Romeo (02:38):
should always start
with the definition, though, for
Matt Coles (02:40):
no, but an SBOM,
Izar Tarandach (02:41):
detail to look
for.
Matt Coles (02:43):
yeah, an SBOM
shouldn't include it, an SBOM
does include it.
Chris Romeo (02:49):
Okay, but it is a
detail you should look for.
Like, you should look, I mean, if an SBOM didn't have an open source dependency tree...
Izar Tarandach (02:55):
Have this.
Chris Romeo (02:55):
Would it be
anything?
It's not even SBOM.
Izar Tarandach (02:59):
it would be
text.
Matt Coles (03:00):
well, so here's an
interesting question.
Uh, let, let's just, I wanna tease out two parts to this.
There's a notion of top level components versus transient components, right?
So what you have, what you embed, actually what you have, what you, what those things embed and what, what those things embed and the hierarchy can
Izar Tarandach (03:18):
or transitive?
Chris Romeo (03:19):
transitive.
Matt Coles (03:20):
the, yes.
Sorry, not transitive, well, transient would be if they came and came and went, but transitive,
Chris Romeo (03:26):
whole new category
you just invented of open source
packet.
They're transient.
So, you know, they just, they come into the packet, they come into the app, and then they just leave whenever they
Izar Tarandach (03:34):
at the package
go!
Matt Coles (03:35):
Actually, actually,
I will say that we, we actually
see, we probably see these pretty commonly, right, where if you have suites of tools where some tool, some of those things are optional, you may have transient components in runtime, not necessarily at deploy time or, or, you know, package time.
Uh, I mean, Linux distros are the same way if you think about it.
(03:56):
So
Izar Tarandach (03:57):
that gets
downloaded at runtime.
Matt Coles (03:58):
that's right.
So, so that's not unreasonable.
Chris Romeo (04:01):
of all my
nightmares is what you just, you
just keep feeding into these are my nightmares.
Okay, but get us, get us to the, get us to the,
Matt Coles (04:09):
so, so the one part,
the one part I, the one issue I
have with this, and this is just me, is, probably just me, is the dependence, is the, the insistence that SBOM is only for open source.
Certainly open source code is... considered risky for some reason.
(04:29):
Uh, you know, not without, not without reason.
Uh, and, but commercial components or non-open source components are likewise necessary to be tracked.
So SBOM helps with tracking those components, understanding what's in.
Commercial components just operate under a different license, so why rely solely on, on open source here?
(04:52):
Why, why focus solely on open source?
Izar Tarandach (04:54):
Right.
Chris Romeo (04:55):
So let's move on to
number two.
Let's get some, let's have some fun here.
So this one says a library with version numbers.
Make sure that vendors include open source packages and libraries with clearly marked version numbers, delivered in a machine readable format so you're able to check vulnerabilities and those of nested dependencies.
Having an SBOM at the start of a contract is good, but having one
(05:16):
that is up to date and includes a live data feed is best.
Rather than point in time security, you have continuous assurance.
Izar Tarandach (05:26):
So this is
reasonable, it goes a bit more
into the definition, but to tell you the truth, the live data feed threw me.
Matt Coles (05:35):
That's right, it's
a, SBOM doesn't, SBOM doesn't do
that
Izar Tarandach (05:39):
wait, you want
to put an RSS feed in an SBOM?
Hey, this is the SBOM today, but if you want more details in a continuous way, follow this feed! And don't forget to subscribe.
Chris Romeo (05:50):
you invented an
RSSBOM.
Matt Coles (05:52):
I, yeah, I think, I
think that's what
Chris Romeo (05:53):
RS-SBOM.
Matt Coles (05:55):
if you, if, if your
SBOM was posted as a, as an XML
feed that you could get regular updates from first.
So let's just take a step back about what an SBOM is describing, right?
An SBOM is describing point in time, a system and what components it includes.
Now let's say for a moment, this is a product that you ship or it's a software application that you're providing to somebody.
(06:19):
you ship that, it's not going to change.
Right?
It's going to be pretty set in stone at that point in time.
When you deliver SP1, it will change.
But then you'll have an SBOM for SP1, not an SBOM for pre SP1.
Izar Tarandach (06:36):
I, I'm going to
give you the, the benefit of the
doubt and say that this is during development.
So you do your SBOM in the beginning and he's saying don't, don't keep that one, right?
So continuously update your SBOM as you build.
But at delivery time, that's what Matt said.
It goes out, it goes out frozen in time.
(06:56):
Hopefully signed.
Matt Coles (06:58):
I'll
Chris Romeo (06:59):
I had I'm softening
on the first statement here
because when I originally read this about making sure you have libraries that are clearly marked with version numbers, I was like, who has a package that isn't labeled with a version number?
But then I started thinking about it, though, if you're building software, if you're building packages internally, for inclusion in your applications that are not in
(07:20):
NPM.
They're not in the various public, you know, Maven or public repositories.
You could not have proper versioning.
So you could violate that constraint.
So I've softened on that first thing.
We've got to unpack what the heck is continuous assurance?
Matt Coles (07:37):
Oh my god.
Izar Tarandach (07:40):
no.
No, no, no, no.
It's, it's, it's, it's, it's, it's, it's, it's a very rare thing in our industry.
It's called a buzzword.
Chris Romeo (07:49):
Oh, I'm
Izar Tarandach (07:50):
no meaning
Matt Coles (07:51):
All right.
All right.
I'm going to be, I'm going to be positive here with, with, with Elliot's, uh, suggestion of you'll, you will, I would read it differently.
I would have, well, people will go read the article and see who the person is.
So, I think what it should have said is, you can have continuous assurance, not that you, you know, imply you will have.
Izar Tarandach (08:13):
It
Matt Coles (08:14):
And, and,
Izar Tarandach (08:14):
too,
Matt Coles (08:15):
well, it allows you,
it allows you to, the SBOM gives
you the ability to then hook it up to some sort of engine that goes, yes, a tool of some sort that goes and looks.
This component, these set of components have these versions, do these versions now have vulnerabilities?
Izar Tarandach (08:31):
Yep.
So
Matt Coles (08:32):
I wouldn't call it
assurance.
I wouldn't call it assurance though.
I would call it continuous monitoring or continuous management.
Izar Tarandach (08:39):
That's true, but
it could be interpreted as I am
looking for continual assurance.
By doing the monitoring.
So it's aspirational.
Chris Romeo (08:49):
assurance is
different than continuous
assurance.
Matt Coles (08:53):
If you're running
this in a CI/CD pipe, if you're
running this in a CI/CD pipeline and your SBOM, if your SBOM is consumed by the CI/CD, it could do the checking on a continuous basis, right?
CI/CD, continual delivery, continual integration.
Why not continual validation of patches from embedded components?
Izar Tarandach (09:12):
So again, I
think that we can agree that two
is more in the building side of things than in the delivery side of things.
Right?
But, but it's the basic functionality of,
Matt Coles (09:23):
I mean, you could,
you could,
Izar Tarandach (09:24):
agree, it's the
basic functionality of an SBOM.
Matt Coles (09:26):
you could continue
it into run time, I think.
In other words, if you had a monitoring tool that could consume those components and validate them against NVD on a regular basis, then, then that supports some level of assurance.
Izar Tarandach (09:41):
Okay.
Chris Romeo (09:42):
All right.
Let's, uh, let's go to five.
Izar Tarandach (09:45):
Five?
You don't wanna do, uh, what's it?
Okay, yeah, five.
Matt Coles (09:50):
Well, it's three,
three and four.
Well, four especially is, again, definition of SBOM,
Izar Tarandach (09:56):
is the same
thing, yeah.
Chris Romeo (09:57):
Yeah.
I felt like that wasn't adding anything for, into the debate for us, but
Izar Tarandach (10:02):
But, but three
sort of trips me a bit.
Chris Romeo (10:04):
which one,
Izar Tarandach (10:05):
Right?
Three.
Because it asks, an SBOM should have clear language as to how the software is updated and supported.
I'm sorry, the SBOM doesn't contain any information about the process.
The SBOM just is.
Matt Coles (10:18):
You could give
metadata
Izar Tarandach (10:20):
You can put the
Bible in metadata, but should
you?
I mean, it's not a contract on how you're going to do upgrade, uh, updating.
It's not, uh, it's not driving any kind of, uh, automation.
So.
Chris Romeo (10:33):
hold on.
I got a great idea.
Let's create something new called Process-BOMs.
Izar Tarandach (10:38):
You remember
what started, uh, what happened
in the beginning of this week when we started creating BOMs, right?
It did not go well!
Chris Romeo (10:48):
Yep.
Matt Coles (10:49):
And I will also highlight, go take a look at CycloneDX sometime.
Because CycloneDX has a lot of capability.
Izar Tarandach (10:57):
But, again, you know, I, I, I've, I've... spoken with Steve a number of times, I, I, I had interviews with him and CycloneDX is, is, is getting big and it's encompassing a lot of things.
And I love that, but it's a formal, formalize, formal, it's making formal a lot of, a lot of information that we have out
(11:20):
there to drive pipelines.
But that doesn't mean that there's a consumer on the site, that there may be data in there, but nothing is listening and using it yet.
Chris Romeo (11:30):
and for those playing along at home, the Steve Izar is referring to is Steve Springett, the project lead for CycloneDX, Dependency-Track, and recent Global Board of Directors, was, how was, elected to the global board.
So
Izar Tarandach (11:49):
Electee?
No, Elec yeah.
But, Inductee, Inductee.
But, uh, just to point out, to me, Steve is like, personally, just me.
Steve, to me, is the ultimate source of all that is SBOM related.
Chris Romeo (12:03):
True, true.
We can get into that later.
I mean, I, uh, on a LinkedIn post, I was trolling SBOMs again for the fourth time,
Izar Tarandach (12:12):
My threat model
is cooler than your SBOM?
Matt Coles (12:15):
DAST.
Chris Romeo (12:15):
that was nice.
Yeah.
Yeah.
My threat model, definitely Izar is responsible for that.
My threat model is, is cooler than your SBOM statement and sticker that you could get, um, but Steve finally weighed in and like I told him when I saw him, I was like, I've been waiting.
Oh, look at that.
We
Matt Coles (12:29):
Remember this from
like,
Izar Tarandach (12:30):
Oh yeah,
Matt Coles (12:31):
long ago was this
from?
Chris Romeo (12:32):
Yeah, that's true.
That was early in Security Table, but, but, um, yeah,
Izar Tarandach (12:36):
and still
current.
Chris Romeo (12:38):
yeah, but it was
good to see Steve weighed in on
that topic and finally confirmed for me, because I'm the same way, like, if Steve says it about SBOM, I'm pretty much gonna believe in it, like, he's in the middle of this, he's driving this thing, and he even said, like, yeah, you know what, the whole sharing thing, eh, I don't know that I see it either, and that was my whole point, so I'm like, okay, if Steve sees it that way, then maybe I'm on to something, but we got to keep
(13:00):
going here.
Matt Coles (13:01):
yeah, I just wanna,
I just wanna call out for those
again, also following along at home.
SPDX is the, is the other format for SBOM. So you have CycloneDX, and SPDX is the two competing standards for, for SBOM
Chris Romeo (13:14):
All right, so, you
know, I'm gonna skip over number
five.
It just doesn't look as good as number eight, which I think is gonna start a fight between you guys.
And I just want to watch that happen, so.
Um, number eight says whether the SBOM is generated dynamically or manually.
And so, I forget what side of this issue you guys are on.
So, who's the dynamic generation and who's the manual generation?
Izar Tarandach (13:37):
I do the
dynamic, but with the caveat
that I need a better definition of what the manual is.
Like, is the manual just clicking a button and starting a process?
Or is it, I'm gonna go look for the versions and write them down in
Chris Romeo (13:50):
Matt was arguing
that man, not necessarily that
he does them manually, but for the ability, right, to be able to, so let's ask him what, like when you, if you're gonna argue the point, you gotta be able to define, define what the thing is.
Matt Coles (14:03):
So I think the
danger of solely relying on man
on dynamic.
So, uh, I wanna be careful.
I, there's, there's parts toSBOM creation.
Some of which deserve to be manual, some deserve to be, I think, deserve to be automatic.
So, you need inventory, you need inventory first, you have to do discovery.
(14:24):
And we know that discovery is challenging, right?
There are tools out there, I'm not going to go into them, uh, we shouldn't, uh, for better or for a lot of worse, uh, that discovery of components is hard, especially when we're talking about transitive dependencies.
Right, so when you have a top level, you may have a bill of
(14:46):
materials as part of your, as part of your build process.
You may or may not know what packages are included, and it depends on a host of things.
What language you're in, uh, what type of system, what technology you're building.
And so, um, you may miss things if you rely entirely on automated discovery.
(15:07):
So building your inventory may require some manual effort.
Once you have an inventory, dynamic generation is absolutely, uh, essential.
Right, you should be able to take a spreadsheet or take a, uh, a flat file or some, a CSV or whatever of, uh, of a component inventory and produce an SBOM using code.
(15:30):
That I 100 percent agree with.
And that's, that's, so that's when I say dynamic, I mean, dynamically, uh, uh, considering that dynamic discovery is error prone, but dynamic generation of the actual SBOM content is a requirement.
Chris Romeo (15:46):
Isn't manualness of
this?
And Izar, I want you to, to come in on this, but I'm just, I want to get this thought out because I wanna get Matt's take on this before we switch to the dynamic side.
Isn't manualness of SBOM generation a lack of maturity?
Matt Coles (16:03):
I think, I would say
yes, aside from the fact that
who in their right mind wants to deal with handwriting JSON?
Uh, I mean, yeah, it's an easy language for, for, or structure, data structure for, for, you know, for people to read, but you can easily get it wrong by when you're doing it by hand or, or.
Plethora of tools out there for building JSON content.
(16:25):
Auto manual, right?
Uh, and so, again, the discovery part is the hard part for me.
Always has been, right?
The, once I have an inventory, putting it in SBOM format, why not automate that?
Are we, Izar, now on the same page, or are we still at
(16:47):
loggerheads here?
Izar Tarandach (16:48):
No, no, no, I
mean, you put the manual thing
into context.
But where I'm going to sort of disagree with you is that...
And...
It's just disclosure.
My first startup 30 years ago was all about opening RPMs and DEBs and whatnots and finding out the dependencies.
(17:15):
I don't think that as a rule the package managers and package inventories have gotten much better than they were at that time, right?
But they are still able to at least give you a good tree of things that depend on things that depend on things.
And we do have more tools available nowadays to cover
(17:35):
those things that don't come as part of a package manager.
Where I have a problem with manual stuff is that at the end of the day even if we consider the boundaries and the defects of these tools that generate inventories, I think that they
(17:58):
are bound to, over time, as part of a process, generate fewer errors than a person invested in those processes.
So the person writing, the person discovering, the person figuring out, I think that there is just a higher chance of error
(18:19):
over time.
Than a process that you might refine and end up figuring out what is missing and just fixing that specific problem.
Matt Coles (18:29):
I think, I think
we're on the same page.
It goes back to that, that notion of tool assisted, right?
We, so we know that many of those tools will misreport components that they discover either.
It can't figure out what version it is.
It reports multiple versions.
Maybe it reports multiple licenses and SBOM, you know, obviously licensing is important here.
(18:50):
And so.
It needs to be tool assisted.
I will highlight or just reiterate the fact that, you know, there are some things like, you know, statically linked code modules and, and or pieces of source code that get included, which are components, but they're written, you know, taken in source form that are built in that won't show up in
(19:12):
package managers, right?
That does require some sort of human intelligence, at least today, to figure out that they're there, or to properly interpret the results that come from the tools that do the automatic discovery.
So I think we're on the same page in that, in that regard.
The other part of number eight, I think, I think here is about time sensitivity.
(19:32):
And absolutely, that's a great call out for the reason that we said, when you ship something, you know, you'll fix the SBOM in time.
So obviously whatever process you have has to run in whatever time you have between inclusion and packaging and release.
Izar Tarandach (19:48):
Definitely.
Chris Romeo (19:50):
Okay, well I was
hoping for a lot more spirited
debate on
Izar Tarandach (19:56):
We're tired.
Chris Romeo (19:58):
Yeah, that's true,
that's true.
You're unable to raise the level
Matt Coles (20:02):
wait, but when we go
to nine.
Why don't we start with nine?
Izar Tarandach (20:05):
Oh my goodness.
Chris Romeo (20:09):
What's wrong with
nine?
Matt Coles (20:11):
Uh, does that, what,
what does SBOM have, uh, related
to, uh, which protocols you're running?
Chris Romeo (20:18):
I think there's a
crypto-BOM
Matt Coles (20:20):
There is a
crypto-BOM, but it's not an
SBOM,
Izar Tarandach (20:21):
bump.
Yeah.
Matt Coles (20:23):
not an SBOM.
Chris Romeo (20:24):
Aren't all BOMs
SBOMs?
Yeah,
Matt Coles (20:26):
No, SBOMs are
software bills of materials.
Crypto-BOMs are crypto
Chris Romeo (20:30):
a generic term.
Yeah.
Yeah.
Yeah.
Matt Coles (20:32):
Has it?
Are you sure?
Chris Romeo (20:34):
so.
I'm afraid it has.
Matt Coles (20:35):
Oh great, so HBOM is
covered then.
Chris Romeo (20:38):
I think so.
Matt Coles (20:39):
So hardware and
software are the same thing?
Chris Romeo (20:41):
the general
population talks, that has heard
of an SBOM, I don't think the general population has perspective on all the various types of BOMs that we do because we've looked at the issue.
Matt Coles (20:55):
Only CycloneDX has different types of BOMs though, right?
SPDX only has SBOM.
And when you talk to CISA, I think when you look at CISA, they specifically, specifically, explicitly call out software bill of materials.
Chris Romeo (21:08):
Okay,
Matt Coles (21:08):
So when people are
talking SBOM, In the, in the
attestation space, I think they're only looking at SBOM.
Chris Romeo (21:18):
so this, I mean,
this number nine specifically
says SBOMs with deprecated algorithms will soon be obsolete and costly to upgrade.
So it doesn't say CBOM or crypto-BOM or anything like that.
So is this just a, a twisting
Matt Coles (21:34):
I think it's a
language problem, right?
Like, having, having a deprecated OpenSSL version?
I don't, so first off, an SBOM that contains an OpenSSL version that's deprecated means the package that the SBOM is for has a deprecated OpenSSL version.
I absolutely could see that that would be a costly, you know, a costly problem to upgrade.
(21:55):
But.
the, I don't believe, and maybe you guys know, but I don't believe that the SBOM format itself actually describes what functionality those components have, meaning it's a component, a component version, licensing, and potentially other metadata,
(22:16):
but not directly what functions you're calling or whether you're using, you know, X, Y, and Z algorithm from it.
Chris Romeo (22:24):
I'm looking at this
one still, number nine, and I'm
like, is this just a way to answer the question to promote what it is that you do?
Izar Tarandach (22:35):
Mm.
Chris Romeo (22:36):
that sounds
slightly mean, but like, does
this have any, I don't, I don't get, this doesn't have anything to do with SBOM.
This is like, it's calling for crypto agile software that's crypto agile.
Matt Coles (22:46):
an SBOM can't tell
you.
I
Chris Romeo (22:47):
quantum safe
standards.
Like, this sounds like this might be a recommendation that I should use somebody's product.
Kind
Matt Coles (22:55):
mean, it's a, it's a
great design.
It's a great design pattern, right?
You should design crypto agility into your system.
Absolutely.
You should definitely design in the use of quantum safe algorithms.
Absolutely.
Do you have the ability to store that in an SBOM and transmit that to consumers?
Chris Romeo (23:15):
It's a it's a
different message Yeah, it's the
wrong.
It's a message that's just been put into this, squeezed into an SBOM-sized box, when in fact it is a crypto-sized rectangle.
I'm stretching.
I mean, this is a real stretch.
Let's look at number 10 because I just, I did a little research about number 10 because I wanted to make sure what we....
(23:36):
I want to be careful.
Izar Tarandach (23:38):
Okay.
Chris Romeo (23:39):
So number 10 talks
about data residency and how we
should look at data residency, um, because it affects how and where data is stored.
Different countries and regions have different laws, laws can impact data owners, controllers.
I searched the CycloneDX standard, which is a public document, I can't find anything about data residency in the
(24:03):
standard itself.
So does this have anything to do with SBOM or what's it, what are you concluding?
Matt Coles (24:10):
I think it's like,
it's like nine.
It may be, it may be optional extra data that could be encoded in the SBOM, but it's not standard as part of a, part of the specification.
Izar Tarandach (24:21):
Yep.
Matt Coles (24:22):
You have metadata.
You can store a ton of stuff in metadata.
Izar Tarandach (24:24):
You can put
whatever you want in there.
Matt Coles (24:26):
Yeah, but, but so I
guess what, uh, this author is,
uh, is calling out is there should be information that you encode in the SBOM, and I guess it may depend on what the SBOM is representing.
If the SBOM is representing a desktop application, really there's no, that's, somebody can install it, they can run it
(24:48):
locally, maybe it talks to a database locally, even maybe it talks to a database within a local network, you don't really have a data residency problem.
If that SBOM is representative of a SaaS service, however, or a cloud enabled, you know, multi site cloud enabled thing, then data residency obviously would matter, and you may want to
(25:08):
encode that information.
I don't know that SBOM, though, is the right place to put it.
Like, a datasheet, or, or, you know, other, you know, an admin guide or something might be a better place for that.
Chris Romeo (25:18):
Yeah, I mean, the
worst thing you could do is try
to squeeze everything into an SBOM.
Like, an SBOM is not the single format to rule all formats that's going to contain everything.
Well, you need to put everything about your product into the SBOM.
Well, the SBOM is 12.7 terabytes.
Let me just send it over to you so you can process it,
Matt Coles (25:39):
Oh, by the way,
it's, by the way, it's text.
Chris Romeo (25:41):
Yeah, it's text,
it's not encrypted, so it's,
it's a lot of, you got a lot of work to go with it.
Alright, I think we got enough out of that one, so, how about, let's take a look at 16.
How many and which functions are enabled?
These days, most software products are consumed as software, uh huh, with multiple functions that can be charged
(26:02):
separately, so we're talking about functions like capabilities or things that you could be charging, so like features almost.
Per user, per device.
One item businesses should thoroughly check is how off, how many of these functions are enabled, used, and leveraged.
Enterprises often use multiple products with redundant functions, eliminating redundancies can result in massive savings.
(26:22):
I think that's a true statement.
Matt Coles (26:23):
True statement, not
an SBOM thing.
Chris Romeo (26:25):
What a, what the
heck does it have to do with
SBOM?
Izar Tarandach (26:28):
Look, again,
it's the kitchen sink.
Right?
So I,
Matt Coles (26:33):
Yeah.
Izar Tarandach (26:34):
I think that
people are interpreting SBOMs
really, uh, uh, aspirationally, like somebody told them, this is going to solve all their problems.
So people are like projecting all their problems into the SBOM.
But again, we, we go into the, there is nothing on the other side consuming this stuff.
Chris Romeo (26:52):
Yeah,
Matt Coles (26:54):
mean, what would
that look, what would that even
look like?
So first off, you, you produce an SBOM for a single, for products, right?
And so if you have multiple products, you'd have multiple SBOMs and what you're gonna look across 'em and go, oh, both of them are using OpenSSL.
Therefore one of them must be redundant.
Chris Romeo (27:12):
That is an astute
assessment of this challenging
statement.
All right, I think we're enoughon that one.
I think we've, we've,
Matt Coles (27:23):
can we go back to 13
for a moment?
Chris Romeo (27:25):
I mean, we can, we
can go anywhere we want.
Matt Coles (27:26):
Let's go back to
thir, thir, let's go back to a 13 for a moment because.
Chris Romeo (27:30):
This one kind of
ties into 12 though.
This is kind of the...
The name, how long it takes to receive the SBOM is not indicative of the actual content of what was stated here.
Cause I get what he's saying.
Like his point is if somebody can't put together an SBOM, and
(27:50):
I heard this from somebody at the conference in the last week, if somebody can't put together an SBOM, that could be an indicator that they're really bad at security and software, building software,
Matt Coles (28:00):
or they don't have
automation in place.
Chris Romeo (28:03):
which in this day
and age, if you tell me you
don't have a build pipeline for a piece of software, I ain't buying it.
I'm sorry.
I'm not taking something that you're compiling on some developer's machine.
If you don't have that, because it's, it's not hard to do that.
You can, I mean, pipelines are everywhere.
Like you can get a free license to a pipeline SaaS provider and
(28:27):
you can wire up your build process in an afternoon.
So there's no excuse to say, well, we just don't have the ability to do automation.
Well, then you don't have the ability to receive my money.
Izar Tarandach (28:37):
So what I'm
hearing is that the automated
way is better.
Matt Coles (28:40):
For the construction
of the SBOM?
Perhaps, yes.
We 100 percent agree.
Chris Romeo (28:46):
for building
software in a standard way.
Yes, of course, automated is always going to be better because it's a standard set of steps.
You want it to do the same thing in the same order every time.
Matt Coles (28:57):
Now,
Chris Romeo (28:58):
Versus the developer going, "Oh, you know what I forgot, Matt?
I forgot to run the SAST scanner.
That's what it was?
Oh, that's why we got compromised.
I knew it.
I knew there was a reason."
Matt Coles (29:09):
Or I forgot to
include OpenSSL.
I mean,
Chris Romeo (29:11):
Yeah.
Oh, you needed OpenSSL?
Come on.
I didn't.
I had an old version.
I just went with what I had on my laptop.
Matt Coles (29:17):
Yeah, exactly.
So, the other, the other piece I want to pick up, pick out of this actually is, is kind of interesting.
You know, the very last sentence is, if it's the latter, so if it, if it's, uh, if they're scrambling to produce it on demand, you should scrutinize the accuracy and quality of the dependencies.
And I think this is a little bit, misses the mark, but it does raise another, another question.
(29:37):
So if you have a software package and you are trying, trying to put together top level dependencies, that's, that's one problem, right?
The, the producer of the software owns those dependencies, manages those dependencies.
What might be missing though is if you're looking for transitive, uh, the transitive information and those don't have
(29:58):
SBOMs from those vendors.
And as a software producer, you should be looking at your supply chain and getting SBOMs from them, as opposed to trying to piece one together yourself for the components that you embed.
Then I could definitely see looking at that and go, hmm, this software includes components that have a
(30:19):
questionable supply chain.
Chris Romeo (30:22):
Alright, let's,
we're gonna, we're gonna pick up
18, 19, and 20, so let's, let's focus in here.
And I know 19 is one that we, that Matt, you have expressed is something that you think is the best part of the advice, but we gotta deal with 18 first, I'm sorry.
Izar Tarandach (30:38):
sometimes, no,
no, no, no, no, no, I
Chris Romeo (30:40):
The delivery
address.
I'm just going to read this verbatim because sometimes truth
is stranger than fiction.
A key item to look for when requesting a software bill of
materials is the delivery address.
This could have a large impact on how taxes are applied or
excluded from the bill.
Matt Coles (30:55):
Oh my god, Kitchen
Sink,
Chris Romeo (30:59):
Yeah, I'm
speechless.
Izar Tarandach (31:02):
parsed this with
somebody that we valued, and uh,
18 and 20, we parsed it together, and we got a
Matt Coles (31:10):
oh the final price,
Izar Tarandach (31:11):
we got a theory
on the, the thought behind it.
Software bill of materials can also be interpreted as a bill of
materials for someone who bought software.
So we are talking here about people who think of shrink
wrapped boxes of CDs being delivered somewhere, and those
(31:32):
are listed in a bill of materials.
And because what's being delivered is a software, then
it's a software bill of materials.
So,
Chris Romeo (31:40):
this a, isn't this,
hold on, let me go back to, I'm
sorry, I'm gonna have to scroll back to the top.
Just give me a
Izar Tarandach (31:45):
no, no, no, no,
no, no, no, no, no, wait, wait,
wait, what happened here is
Chris Romeo (31:47):
20, no, no, no, no,
no, no, 20, 20 tech experts
share essential details to look for in an SBOM,
Izar Tarandach (31:56):
yeah, but they
don't say experts in what?
Chris Romeo (32:04):
Okay.
Touche.
To
Matt Coles (32:07):
so right, I mean
obviously there are bills of
material that can contain software today.
We, we, hardware bills of materi... Hardwa...
Bills of material for systems do exist, and they can contain
line items that include software.
But that's not what we're talking about here.
Izar Tarandach (32:23):
Look, the main
question here is, who is this
Bill and what materials did he buy?
Chris Romeo (32:29):
the
Matt Coles (32:29):
where, which, and
where did he buy, where did he
buy them?
Because apparently that matters for tax.
Uh,
Chris Romeo (32:37):
All right.
So 20 was just talking about the final price, which kind of plays
into this whole thing with the, it's like, it's like these folks
are just not talking about the same thing that we think of as
SBOMs.
Izar Tarandach (32:48):
Now, I have to,
I have to, uh, to be honest
here, the first time that I read this article, I had to take a
moment and go, am I missing what's happening here?
I mean, these guys are experts.
I'm not, I'm not.
There's a lot going on on the SBOM world that I have no idea.
Matt Coles (33:09):
The second sentence,
the second sentence on the final
price, number 20.
Then, work your way up.
SBOMs will have line items that line, that list changes if the
final figure is
Izar Tarandach (33:18):
No, no, wait,
wait, I think that we have to
read the whole thing.
Matt Coles (33:21):
Oh, okay.
Always check on the final priceto make sure there are no
figures that are higher than theoriginal expectations and
statement.
Let's stop there.
We can just stop there.
Remember, an SBOM contains...
Izar Tarandach (33:34):
Do not pay for
open source software more than
they are asking for.
Chris Romeo (33:40):
So, is there an
invoice inside of the SBOM that
I'm not available, that I'm not aware of?
Izar Tarandach (33:45):
There's
certainly a voice inside
something...
Chris Romeo (33:50):
Alright, we gotta
end on a high note here, okay?
Because Matt Love, no, we can't just be the guys from The Muppet
Show that are up in the balcony throwing down just snark and
comments and...
Izar Tarandach (34:02):
I'm sorry, we
definitely can, we just won't.
Chris Romeo (34:05):
We can't, but we
have the ability.
Matt Coles (34:08):
have been a good
Halloween costume.
Chris Romeo (34:10):
That is 100 percent
true and I think I'm gonna...
Izar Tarandach (34:14):
I did my bit.
Chris Romeo (34:17):
Alright, so let's
read number 19 because Matt read
number 19 and he was just gaga about this.
So 19 says a VEX document, which stands for Vulnerability
Exploitability Exchange.
An SBOM is only an inventory.
When requesting an SBOM,
Matt Coles (34:34):
That's the
statement.
Chris Romeo (34:36):
You also, that's
it?
No, requesting, when requesting an SBOM, you also want to
request a VEX, or a Vulnerability Exploitability
Exchange document.
A VEX document is a companion to an SBOM that lists the actual
vulnerabilities present in the software, whereas an SBOM only
lists the components.
With both items in hand, you can begin to better understand the
risk posed by using a vendor's software.
Matt Coles (34:58):
I want to give kudos
to Lee for this.
He did a great, he or she did a great job on this.
An SBOM is only an inventory.
If you look at an SBOM, you're going to get component and
component version.
You can go out to NVD and look for vulnerabilities, and that's
great on its own.
With VEX, you can communicate additional information.
As the vendor, you can communicate additional
(35:18):
information to the consumer.
When you see this component and this version in your SBOM, and
you go out to NVD and you find this vulnerability, maybe we
have an issue, not an issue, maybe we have information that
says, well, that's not really exploitable.
Or maybe we have additional information to provide that can
help you with your risk management discussions.
Izar Tarandach (35:38):
Yep,
Matt Coles (35:38):
They go hand in
hand.
This is an awesome, in my, in my opinion, this is an awesome, uh,
awesome statement.
Izar Tarandach (35:44):
I think that
this is one of the best values
that comes out of the whole SBOM movement, right?
At some point somebody said, hey, you know what, everybody is
going to get this big list of packages and versions, and
they're going to run in circles to figure out if something is
actually exploitable or not.
How cool would it be if the vendor had a machine readable
(36:05):
way of explaining that out apart from their usual advisories and
everything, that people could consume quickly and actually
apply to their environment and say, hey, you know what, it's a
CVSS 10, but actually for me, no, it's not.
So I agree with Matt, like if there is one thing to take out
of this article, uh, it's that.
Chris Romeo (36:30):
Let's end on a high
note.
It's all about the VEX document.
That's the guidance that we really loved coming out of this.
And uh, yeah, read the article,people.
Read it for yourself.
Draw your own conclusions.
Don't just believe what we say, but the article is out there.
It'll be in the show notes.
You can listen, or you can read it.
You can then compare it to what
Matt Coles (36:50):
You can laugh
hysterically.
Just
Chris Romeo (36:52):
but draw your own
conclusions.
Your mileage may vary.
Past performance is no indication of future gain.
And all the other things we should put as caveats to this
podcast.
Thanks
Matt Coles (37:03):
Just keep in mind
where you're going to do tax.
Chris Romeo (37:05):
Table Podcast.