November 14, 2023 45 mins

Aditi Sharma joins Matt, Izar, and Chris around the Security Table to discuss Software Bill of Materials (SBOMs). The team discusses potential advantages as well as challenges of SBOMs in different contexts such as SaaS solutions, physical products, and internal procedures. The episode also explores the importance of knowing what software components a company is consuming and the significance of SBOM for vulnerability management and risk posture. The team concludes by stressing that while SBOM has great potential value, the value realization is still a work in progress.

Links:
Chris' LinkedIn post about the SBOM cycle: https://www.linkedin.com/posts/securityjourney_where-is-the-part-where-the-vulnerabilities-activity-7128757968740777986-0PQV

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:09):
Oh, what a way to start, with a bunch of people laughing. So, hey folks, welcome to another episode of the Security Table. Uh, it's probably not a surprise. We're actually having fun before we hit record. Then we hit record and we continue having fun. We're recording this on Friday, November 10th, which is Veterans Day observed here in the United States.

(00:30):
And so we just want to say thank you to all of the veterans out there. We know we have a lot of folks in our community that are veterans. We appreciate you. We thank you for your service and, uh, just, just wanted to recognize you right off from the start here. And so we're going to talk about a lot of different things today. Like we always do, like I wish we had one topic, but you know, that's not really what the table is about.

(00:52):
The table's about having a conversation about security things. And sometimes other things pop in. But we do have a special guest here, Aditi has joined us. And so Aditi, if you could just give our audience just a high level background on you. Like, what's been your cybersecurity background story,

(01:13):
experience, kind of, what's your perspective, where you're coming from. That'd really be great for us to hear.

Aditi Sharma (01:21):
Yeah, of course, thanks, Chris, for having me here today. Um, I love all your podcasts, first of all. Um, so just about me, I had a happy accident of getting into security almost five years back when I was working for, um, a customer, you know, for some online application, I, my. My background is mostly around, you know, product manage,

(01:43):
product management and business analysis, data analysis. So, I started my journey from automotive, telecommunications, and now I'm into security. So, just a happy accident working through different software solutions, and now just leading some, uh, new software solutions into security.

Chris Romeo (02:03):
Okay, so kind of your current focus then is on AppSec, product security, integrating security into, basically into software, that's kind of your primary focus now?

Aditi Sharma (02:19):
My primary focus is, uh, mostly around best practices, um, and product security, compliance, uh, attestations and all of that.

Chris Romeo (02:31):
Okay, very cool. That helps the audience just to have a little bit of a frame of reference of where you're coming from. You know, when you start yelling at Izar, like everybody else is going to do, um, they'll at least know why. They'll have some idea as to why, uh, but we don't really yell at Izar. No, we just, this is, this is a fun, a fun space, maybe a little bit. Um, so we're going to go some different directions, but I put

(02:55):
this. This picture on LinkedIn that I want to, I want to start with because I found this thing in the, uh, the new SBOM consumption guide that just came out and it was an SBOM lifecycle picture and we'll put the link to the post in the show notes just so you can see what it was, but the, the challenging thing about it is I found it didn't have any place where

(03:18):
vulnerabilities are being fixed. And so I'll just describe the picture since I don't have a vision, a view of it up. It's SBOM delivery, it's, the doc, the document's called Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. It has a life cycle, figure two: SBOM delivery, acceptance and validation, ingestion and parsing, extraction, transformation and loading, and mapping and asset management.

(03:42):
And I sat here and I said, I consider myself to be mildly intelligent. Where do we fix the problems in this life cycle? And then it kind of hit me, like, this has been the thing I've been railing against for the whole time I've been on my soapbox about SBOM.

(04:02):
The fact that there is... no focus on actually fixing anything. And so I bring that to the security table. I throw the virtual piece of paper down and I can tell there's already people are, I can see it in everybody's eyes. They're already ready to, uh, to let me have it. So Matt, you were shaking your head first.

(04:23):
So what, uh, what are your thoughts on my conclusion here?

Matt Coles (04:29):
Well, I, I think your conclusion is actually, is good in that there isn't a focus on it. Uh, and maybe that's, that, that's the missing part, right. Is the, is the focus on. What, so what SBOM is for, and we really should let, you know, Aditi give the definition of what SBOM is because that's, that's, that's her, that's her area of expertise here.

(04:52):
But, uh, having, not having a focus on, on the outcome of why an SBOM exists, um, is, is, it's unfortunate. I'll just, I'll just start with that. Um, but before we dive into that actually, so Aditi, can you sort of give us in your own words, we do, we love to work with

(05:15):
definitions here. We start out with definitions. That way we level set for our audience. Can you help our audience understand what an SBOM is?

Aditi Sharma (05:22):
Yeah, yeah, of course. So SBOM, aka Software Bill of Materials, is, uh, is basically the inventory of your product. Um, and the inventory of this product can have, you know, open source software, any commercial dependencies that you're using and even the proprietary information that, you know,

(05:45):
you're, you're coding in house. So an SBOM is basically, um, you, you have heard the analogy with the food ingredients list that goes behind any, you know, whatever food item you're buying. The analogy goes with that a lot in the industry today. But it's, it's basically just, you know, um,

(06:06):
the inventory of what your product is made of and it can have a level of depth to it. It could be just the top level. You could go beyond it. You know, second level, third level, depends what level of vulnerability management you want for your organization, because ultimately the main use of SBOM is for vulnerability

(06:28):
management. So that's, that's

Matt Coles (06:30):
Okay, and so, and so in that,

Aditi Sharma (06:32):
Matt.

Matt Coles (06:33):
in that, correct me if I'm wrong here, but in that the SBOM gives a set of, a set of things with a bunch of, with potentially with vulnerabilities. That's not the end of it, right? That's not what, that's not the end goal, right? It's not just a list, correct? So, so to Chris's

Aditi Sharma (06:52):
no.
So it's.

Matt Coles (06:55):
go ahead, go ahead.

Aditi Sharma (07:00):
You can use the, it's, it's about having that information and then how you use that information. Having that information is really important, so that first of all, you know what you're consuming, because as you're increasing the size of your organizations, the asset management piece comes into picture. And for that, you need to have your basic infrastructure ready.

(07:22):
So once that is all set, as you have vulnerabilities coming in, as you want to know, where am I impacted? It's easier to find your way into that system. So... Think of, think of, um, having, um, to find, uh, you know, an issue into, like, for example, the peanuts, you know, peanuts

(07:45):
allergy. Unless and until you won't know there is peanuts in your software, oh, not software, in your food. Uh, how would, how would you know? So you just got to know what's in your software. So it's, it's just about that. It's, it's a, it's a, I just, I always be like, it's a driver for something, something more. It's a static document that is created for every release, but

(08:08):
how you actually make use of it will actually serve its purpose internally or for your customers.

Chris Romeo (08:16):
So I'm tracking with you so far.
I'm tracking.
Go ahead, Izar.

Izar Tarandach (08:19):
But if it's a static document and we live in an era that I think that I can safely say most of what people use every day is SaaS, I don't see the significance of that static document for SaaS.

Chris Romeo (08:41):
So, hold on, I just want to confirm. You said SaaS, software as a service, not

Matt Coles (08:46):
SAST,

Chris Romeo (08:48):
Right.
SaaS, software as

Matt Coles (08:49):
SAST

Izar Tarandach (08:50):
Yeah. Yeah. That's the other one. No, no, not, not even by mistake. That's, but, uh, no, no, no, so, uh, yeah, so what I'm trying to understand here is first the practice, the, the, the use, the usability of the thing for the public at large. So are, are we, here's where my, my biggest fear lies at this

(09:15):
point. Are we creating yet another industry that we are going to feed? And that's going to be a thousand different startups. And that's going to be a thousand different standards. And it's going to be a thousand different solutions. And we still can't look at it and say, Oh, this is what I do? I mean, I recognize that it's good to know if there are

(09:36):
peanuts in the salad. That's awesome. But, where the analogy breaks for me is, it's not even that there's a lot of people who are allergic to it, there's a lot of people who are not even eating it. Who are not consuming it.

Chris Romeo (09:55):
Well, if you keep pulling on the thread of that analogy, right, where it breaks down when you bring it to a software context is, I look at a list of ingredients, I see there's peanuts in it, I'm allergic to it, I throw the salad away. I'm done. That's the end of the con, that's the end of the transaction though, right? Like, and my whole point here with this, and I started to go

(10:15):
the same direction, Izar, you did, when we think about software as a service, you can't just shut it down because you got a bad SBOM result coming in. From, so you have a vendor, let's just, go ahead.

Aditi Sharma (10:29):
In

Izar Tarandach (10:29):
But if you're in a position that you are a SaaS user, you're not even going to fix that thing. So you just got a piece of information that's absolutely not useful for you,

Aditi Sharma (10:39):
in the end, now, the second piece

Izar Tarandach (10:43):
don't remember if we are going into it today or not, but now you have VEX that can explain to you, hey, why it's not so bad. So that has more of a, uh, usefulness to me than the SBOM itself. So now as part of that ecosystem, we are creating other documents that help clarify that ecosystem.

Matt Coles (11:03):
so before we get into VEX, let me ask

Aditi Sharma (11:05):
And that could be true.

Matt Coles (11:08):
ahead, go ahead. Aditi. We run over each

Aditi Sharma (11:10):
No, go ahead, Matt.
No, go ahead.

Izar Tarandach (11:12):
no, no, I'm the only one that speaks over people here. Yeah.

Matt Coles (11:15):
Uh, so... So, Izar called out having an SBOM for a SaaS service, and how, uh, you know, there's no action for the user. If they look at the SBOM for a SaaS service, they're like, ah, you got peanuts in there. And then, they can't do anything, because either they throw away the SaaS, they either stop using the SaaS service, or

(11:37):
they wait for the vendor to take action. There's nothing they can do. So, first off, is SBOM, is SBOM even a valid option in... for, for, for providers of SaaS services, or does SBOM really come into its own when we're talking about on-prem products, packaged software, things that get delivered to customers, um,

(12:01):
and, and where the customers would then have actions that they could take based on what they see in that, you know, they could, they could throw away the salad, so to speak, or they could pick out, pick out the peanuts.

Aditi Sharma (12:18):
Yeah. If you, if you look at the, if you look at the, um, the executive order that came in, it, it also focuses mostly on on-premise. Um, it focuses on products more than applications. It focuses more on, you know, actions which a customer can take in their own environment for, for, you know, um, if there

(12:43):
is an action that has to be taken, if a patch has to be deployed and what not. With SaaS, it's a, I, I feel like it's maturing, that space is maturing and what is not applicable in a SaaS environment, it's not. Not everyone has to consume it. It has to have, it has to work for your business. I, I really see SBOM,

(13:05):
it is a compliance and all of that. But what is right for your business? What is right for your product? And a lot of companies have applications who are products, right? For example, there are so many CRM, um, products, which, which are literally applications, but they are a product for a company. So how do they want to manage their internal vulnerability

(13:27):
management by understanding the software they're consuming? So this is more around what, where do you want to take your own security posture? How do you want to track everything within your systems? So

Chris Romeo (13:42):
That's what I

Aditi Sharma (13:43):
if you want to make use of, use of it, you should.

Chris Romeo (13:48):
On the topic of SBOM and understanding kind of the usability behind it, I had a chance to catch up with Steve Springett via LinkedIn thread. I've been trying to get his opinion on this as far as the usability of SBOMs in the context we're talking about, where you're receiving SBOMs from an outside source and then

(14:08):
trying to gain value from it. And he admitted as well that the, the sharing nature of, uh, or value from sharing those things is limited at this point. So that was kind of, I guess, some of the conclusions I was hoping to, to get to is, I did want to go in another direction here because we did talk about SaaS, but let's reframe this in

(14:31):
the context of just a physical product. Okay. Cause I think you have the same problem in a physical product that we described in the SaaS, but I want to bounce this off the table. Um, so imagine that we have a product that I've purchased. I'm the consumer, I'm the customer, and I'm getting an SBOM, set of SBOMs sent to me via this life cycle we're talking

(14:52):
about. I have the same problem though, if there's a big issue that the SBOM identifies. Because like, I can't, if I bought a network device, I can't just turn the device off. So yes, I have better visibility from a risk management perspective, but I can't really do anything. I'm still at the mercy of the vendor. And so, or does that change the game?

(15:13):
Does the game change in the two scenarios we've been working from? A product versus a SaaS solution,

Aditi Sharma (15:23):
So, it depends, um, if you are on the customer side or you're on the vendor side, um, so your actions would depend on, um, if you are a customer, you can go to that, you know, you can go to that vendor who is providing you that solution, right, that, okay.

(15:47):
We have identified this issue. What are you doing at your end to get it fixed? But, but if I am the consumer, or you know, vice versa, it's just about knowing what is the issue and then where you go about it. Maybe it's an internal issue because that way you can even find out if something going on internally is wrong.

(16:08):
And if you want to talk internally with your product teams and all those business units. You just take an action accordingly. So really depends on the perspective of what, which side of the chair you're sitting. That's just my

Matt Coles (16:20):
so if, if I could, if I could, so what it sounds, what this sounds like then is, um, to Chris, to where you're going with this is if we talk about packaged software, a product, whatever, um, where the vendor doesn't give, uh, capability to the customers to apply their own patches.

(16:40):
Um, from upstream. So let's just say we, for a moment, we're talking about software that embeds Java, you know, log4j, for example, right? And because everyone loves to beat on log4j, uh, there's no other components that exist that have vulnerabilities. Never, ever, OpenSSL. Uh, so if you have a, if you have a system has a, you know,

(17:01):
log4j, but you don't give the ability for the customer to go and apply a log4j patch as soon as it's available, then really the SBOM is telling you, Oh, you have, there's a, there's a component in here, it's called log4j, and oh, by the way, you can go look at its vulnerabilities, and you don't know if the vulnerability actually impacts the product at

(17:22):
that point, using just the SBOM, but you can then say, Well, maybe this becomes more risky. I want to take it out of my DMZ, and I want to put it more into a closed network, or I want to change its network properties. I can add, apply mitigations to it.

Chris Romeo (17:36):
I need clarification on something you said because I may not understand how the world works and that could be part of the problem here.

Matt Coles (17:43):
do we ever understand how the

Chris Romeo (17:44):
You described a scenario where I can buy a product. But yet, I can patch library versions of that product itself. I can patch the, I can patch the library myself, even though it's a packaged piece of software I bought from somebody else. Is that a thing that I just don't know about in the world?

Matt Coles (18:05):
I don't think it's common. Certainly, I don't think that's a common thing. I'm thinking about, so, certainly if you buy Linux, or acquire a Linux version from somewhere, you could potentially patch that, right?

Chris Romeo (18:20):
Sure.
Of

Matt Coles (18:21):
Say you buy it, say you buy a Chromebook, right? That Chromebook has applications that come with it. You can independently update those things, potentially yourself. You can side, you could sideload if you want, right? Android does, or Chrome, you know, provide those, those options. Um, you could potentially apply patches from an upstream provider yourself. Um, there's a host of things you

(18:42):
could do. I don't think it's common, so I wasn't describing sort of a common thing that, you know, if a product is based on Linux, that it, that you get direct access to a shell to be able to, and a, and a, and access to the repository to be able to add components or modify components yourself. Although I imagine that does exist.

Chris Romeo (19:00):
Yeah, because I think of, I think of products in the closed category. Meaning I get a metal box, it has a piece of software that includes software, firmware, and everything, but I don't have an interface to even really profile what software is there. I definitely don't have the ability to update the software. Because I started thinking about the QA challenges that exist

(19:24):
there. If I update, we know what happens, and that's one of the big challenges in supply chain, right? I update a package. And it breaks 27 other things, other features that we don't even know why it's breaking. It doesn't make any sense that that thing over there is breaking. But we updated the package, apparently there's a dependency to it, and some new version broke the API, broke the library

(19:44):
calls, and now that thing doesn't work either. So, um,

Matt Coles (19:48):
So you're,

Chris Romeo (19:49):
glimpse though, Matt, I thought you had solved my problem. I was like, maybe there's something I just didn't understand. But I

Matt Coles (19:55):
yeah, not as far as I know. So really what you're looking, I think what you're looking at is you look at the SBOM, you go, oh, that, this has a component, this component has a vulnerability. The vendor hasn't supplied me with the ability to update that yet, and I can't do it myself, so I really have to take mitigating, you know, have to put in compensating controls or mitigating techniques to reduce the impact of that

(20:15):
vulnerability. And that's the, the benefit of SBOM is really visibility so that you can make proper risk management. Not perfect, certainly, but it's a start. I think

Chris Romeo (20:27):
You're onto

Matt Coles (20:27):
a value there.

Chris Romeo (20:29):
You're onto something here that I was missing. The SBOM as a driver for compensate, other compensating controls. That may allow me to get visibility to, whereas in the past I might not have as much context. I might know that there's a giant OpenSSL vulnerability

(20:51):
about to hit, but I don't have the context to know where I need the compensating control to go, right? I might be, I might be having a breakthrough here, but Izar's gonna break, he's gonna crash it for me.

Izar Tarandach (21:03):
no, it's, it's, it's, okay, it's, it's like this. So, you, you had Steve in your thread saying that, yes, something is still missing. And it was something pretty basic, right? On the other hand, I, I, I have had the pleasure of, of speaking with Steve on other occasions, and, and learning from him, and understanding that the SBOM universe is being expanded to

(21:26):
cover all kinds of things that we didn't think we... Some even thought about a threat modeling SBOM, and reachability. And I keep going to thinking, we haven't figured out yet even the basic, how to consume this thing.

(21:48):
And we are already talking about the new generation, next version, warp core, going ahead,

Chris Romeo (21:55):
Ha

Matt Coles (21:57):
Where's my sign?
HBOM is a thing, right?

Izar Tarandach (22:00):
Right, so you know, to just bring me back to the basics, you know, just, just give me some value, value the hype for me right now. I mean, I don't want anybody to misunderstand me and I think that you guys agree with me. We see huge value in this thing, but so far it is future value. It hasn't been realized yet and there's this huge momentum

(22:24):
behind building this thing. Yeah, let's get all the ducks in a row, then let's know what version the ducks are and what color the ducks are and where the ducks are coming from. Now

Matt Coles (22:34):
And now what?

Izar Tarandach (22:36):
just put them in a pond and forget them because I don't know what to do with the ducks. Heheheheh.

Chris Romeo (22:43):
All right, so Aditi, you've been listening for a while here now, like, what's your take on this as far as this mini breakthrough I may have just had, plus Izar's, uh, pinpointing the fact that we do think SBOM is good, but it is a future value challenge.

Aditi Sharma (23:01):
So, um, I have seen in so many, you know, in my past five years journey of security, you will not get a benefit of security immediately. You will get the benefit of some security related actions when the time comes. So, since we brought Log4j, say you identify there's a Log4j

(23:25):
vulnerability and you have to find out what all... assets in my company are affected. What are you going to do about it? You will just go to it. So I always say SBOM is like the final name, but in the back of it, the engine is all your inventory management, whatever tools you're using, right?

(23:46):
You just go back there and then you can do a simple search. Okay. What are my key products which are impacted? It's so first of all, it's a way to find the impact area. Second of all, when you connect the information with the CVEs which are available, then you can have a proper dashboard in front of you, where these are the components, these are the

(24:09):
vulnerabilities, what is my status. So it's alone, it will tell you, it will help you do your asset management; together combined with CVE, you can do vulnerability management. So, it's a couple of processes, it's not that straightforward, how people say it's a push of a button. It takes a lot of work behind the scenes to actually get that

(24:31):
quality SBOM, quality inventory in place, because it's, it's not going to happen day one, it's a process and a lot of it's, you know, it's manual, then you go to automation. And so it's, it's not that straightforward, but its value is only when you try to see what is working in your application.

(24:53):
Thank you. Um, in your ecosystem, how can you make use of it?

Izar Tarandach (25:00):
So, I, I totally get what you're saying, sorry. I, I totally get what you're saying, Aditi, and, and don't, don't see this as a personal thing, it's just me

Aditi Sharma (25:08):
I'm not.
Yeah.

Izar Tarandach (25:10):
Once you have an SBOM, and you have a CVE, and you know the package is... impacted. It's going to take like, what, a five line bash script to grep through your SBOMs and figure out where the CVE lives. And instead we have this huge industry shaping up.

(25:32):
And I think that we all have been brought up and educated on the notions of small increments and showing the use as those increments go. And I go back to, okay, I get the use, I get the solution, we have a way to do the SBOMs, we have a way to consume it.

(25:55):
But there are huge increments happening in this industry, and I'm not seeing those small leaps in usefulness. I'm just seeing, yeah, we got that case. We know how to read, how to grep SBOMs for things that have log4j in them.

Aditi Sharma (26:12):
Yeah, it's, it's

Izar Tarandach (26:14):
is the future?

Aditi Sharma (26:17):
also think, so from government perspective, what I think, and this is just my personal opinion. When, whenever solar, you know, I think it was solar attacks, when, you know, after eventually, then Log4j and SolarWinds, sorry, SolarWinds, and then Log4j, and then eventually this came out. How I see it is, um, sometimes, um, they want to know what open

(26:42):
source you're using. Where is it coming from? Which country is it coming from? So, in the grand view, um, it's not just about vulnerability, but also, where is that software coming from? So that, so that, if you look at the executive order, what they're saying is, Hey, we will do the purchase from you only if

(27:03):
you let us know what's in. What is in the, in the product that you're selling us? So it's, it's a national security issue at that point of time for them. So, so that's their business, right? That's what I'm saying. What works for you as a business, because that's what is working for them. And then to just make it work for everyone. Um, also there are so many tooling companies now coming up.

(27:27):
It's, it's all also helping, helping it as a business for them. So. All the sound because everyone wants to innovate in this field. Everyone wants to be ahead of each other. So now it's a competition somewhere.

Chris Romeo (27:41):
Here's, here's my, I want a business, I got a business idea though. I want to, this, this could be the solution, Izar, to what you just described as the problem. It's going to require AI though, okay?

Izar Tarandach (27:53):
God.

Matt Coles (27:54):
Why

Chris Romeo (27:55):
No, no, no, stay with me here, stay with me here.

Aditi Sharma (27:57):
AI bomb!

Chris Romeo (27:58):
I think I, I think I can wrap blockchain into this too, hold on. AI, blockchain, and SBOM together, okay?

Izar Tarandach (28:04):
Only if you DAST it at the end.

Chris Romeo (28:07):
not doing that. I refuse to do that. I will not add that into this, in this. Okay, so follow me here. Okay, we've got SBOMs. I as a customer am saying I want SBOMs, okay, for the piece of software that I'm buying. Between what this, what this new solution from this vendor provides is, I enter into a smart contract using blockchain

(28:29):
between myself as the customer and the vendor that says what the terms of fix are going to be. And then they use my AI agent to actually patch the vulnerabilities according to the smart contract that we've agreed upon with timelines and deadlines for when things have to be patched. So, I mean, I think we got a business idea here.

(28:50):
Let's start a company. Let me call my legal team and see if we can get a company.

Izar Tarandach (28:54):
let's call it Know Your Business Inc.

Matt Coles (28:58):
Why does it even need, why does it need AI? That's,

Chris Romeo (29:02):
Well, because you can't patch fast enough. Right? You can't, you're not going to be, that's the challenge, right? Is like vendors always can't patch fast enough to keep up with whatever the accepted contract. So like, if you could give me a patch and a patched version an hour after I, after the SBOM hit that showed I had the issue, of course then I probably don't need the SBOM

Izar Tarandach (29:23):
I feel

Chris Romeo (29:24):
to make SBOM clear.

Izar Tarandach (29:26):
I feel like I am in a beehive for the amount of buzz around here.

Matt Coles (29:29):
You're, you're, you're more, you're more, uh.

Chris Romeo (29:32):
in.
I did the blockchain

Izar Tarandach (29:33):
no, no, no, no, listen, listen, listen, no, no, no, that the blockchain I can even somehow accept. Not the way that you put it, right? But you know what? I, I, I, I think, I think that we all agree that SBOMs need some kind of verification, and nowadays I understand, nowadays. A couple of months ago when we last checked, I think that

(29:55):
people weren't even having to sign SBOMs. But I could see some blockchain thing going in there to, you know, validate and see that there were no changes to the SBOM and this and that to the other one,

Chris Romeo (30:07):
the SBOMs on the blockchain. That's another business idea. I didn't even think of that. SBOM on

Izar Tarandach (30:11):
AI,

Chris Romeo (30:11):
blockchain.
Yes!

Matt Coles (30:13):
Somebody mute him.

Izar Tarandach (30:15):
I'm going to show out of the window. Happily. But, again, it comes down to, it comes down to what problem are we trying to fix, and, and, Aditi, for example, you mentioned provenance, okay, for, uh, for the, the, the, for verifying ITAR, for example.

(30:35):
Again, it comes back to a point where I can write on SBOM whatever I want. The fact that I have an SBOM doesn't say that, that actually reflects what's out there. Uh, sorry. In there, I mean, we even had people telling us that manually created SBOMs are better than automatically generated

(30:56):
ones. So yeah. I went there. So you know,

Chris Romeo (31:02):
That's a good point though, you can't validate the SBOM, there's nothing that validates

Izar Tarandach (31:06):
validate the format.

Chris Romeo (31:08):
Yeah, but I, yeah, but I, my point is I can't, I can't run an SBOM checker against a running product to generate an SBOM and compare it with what you told me. I'm fully

Izar Tarandach (31:18):
there is no third party. There's no third party lab that's going to run a separate test that's going to tell me that the SBOM that I got from the vendor is actually the SBOM of the product that I'm using. That's

Chris Romeo (31:29):
a whole other,

Izar Tarandach (31:30):
Now, you can put, you can put blockchain in there, I think. Somebody kills, uh, somebody calls Zoe,

Matt Coles (31:35):
So I would, I would be careful, I would be careful with that statement.

Chris Romeo (31:38):
I got to work digital transformation in here real quick. No, I'm

Matt Coles (31:41):
Oh, my God. I would, I would be very careful with that blanket statement of I can't verify an SBOM. The components that show up in an SBOM, remember, there's a hierarchy, right? So if my system contains two top level things and that... So each of those things contain four other things. Those components may be present in multiple ways, right? They may be present as code that's compiled in, either

(32:04):
snippets or whole modules, or they could be independent things on disk, right? And so, in theory, you could, you could potentially, uh, validate the entire SBOM if you had detection capabilities. Of course, if you could do that, you don't really need the SBOM in the first place.

(32:24):
Except for, except for, except for to prove, except for to
prove that the system that you bought wasn't modified.
In other words, no new functionality was added or
functionality was removed inappropriately.
At least from a, at least from a, at least from a,

Izar Tarandach (32:41):
that's one, that's one signature away. You
just

Chris Romeo (32:44):
Yeah, that's one signature tells me if

Izar Tarandach (32:46):
the components and check.
You don't need an SBOM for that.

Matt Coles (32:50):
You don't need an SBOM for that, except you do
need to know that the whole, you have to know that if, I mean, if
you rely on, if you rely on signatures alone, right, we know
that, we know that, we know that, we know that digital
signing certificates get compromised, right, either they
get issued inappropriately or they get stolen, and so it

(33:11):
provides a level of assurance, an additional check that you can
do.
I'm not saying

Izar Tarandach (33:15):
are not even signed! What am I comparing
with?

Matt Coles (33:18):
well,

Izar Tarandach (33:20):
Matt, before I publish the SBOM, I do vi SBOM
and I change the versions to whatever I want.
Now you're telling me that on the recipient side, they have to
have the ability of rebuilding the SBOM, just for the sake of
comparing with what they got

Chris Romeo (33:33):
This is why we need the blockchain

Izar Tarandach (33:36):
get?
I'm going to block that chain.
Right now.

Chris Romeo (33:42):
you're gonna add that to my, the list of things
I'm not allowed to say, but I, I, we're, we're, we're

Matt Coles (33:46):
what's in your threat

Chris Romeo (33:47):
really, we're all over the place here, but any,
any thought be the voice of reason here.
We've needed a voice of reason for a long time on this show.

Matt Coles (33:56):
We have no voice or

Chris Romeo (33:57):
can you bring a voice of reason to any of the
things that we've just been tossing all over the place here?
So,

Aditi Sharma (34:04):
So I'm, I'm trying to think, um,

Izar Tarandach (34:07):
I try that all the time, nothing happens.

Aditi Sharma (34:11):
I think that I'm getting that effect, Izar, um,
but I think with, with SBOMs, what's happening is there's a
way now suddenly there's a Eureka, oh my gosh, my, you have
your SBOM, I have my SBOM and now everyone can know.

(34:33):
You know, what's in there, and let's be transparent and all
that, but that's not practical, right?
Because, um, literally, uh, SBOM is a secret source of your
product somewhere, right?
Because how your product is created is you have everything
in there.
Yes, and not, you know, you're not sharing the exact code,

(34:53):
but...
You have all the components, all the recipe ingredients over
there.
So, there are trade secrets, um, you may not, there is also an
impact on your own vulnerability response teams, if you think
about it.
Because, if you start having a blockchain and having, you know,
everyone's information into yours and...
Then the customer is going to be confused.

(35:15):
Where do I go?
You know, so it, it has to be, it has to be a step by step
process.
And Izar, I cannot change yourview whether, whether SBOM is
useful or not.

Izar Tarandach (35:28):
Oh, you can, you

Aditi Sharma (35:28):
At

Izar Tarandach (35:28):
totally, I'm open.

Aditi Sharma (35:31):
the end of the day, you have to see what is
your risk posture and how you're, how you're managing your
vulnerabilities.
Do you care about...
What components your developers are, you know, using, what open
source your developers are using in your product, because if you
don't know that, if you don't have a manifest in place, if you

(35:52):
don't have a filter somewhere, you know, because this is
eventually helping in so many things, right, this whole
process, it's also helping you be more cautious of what you're
doing.
What you want to have in your product.
More cautious of taking steps of letting everyone know, Hey, you
cannot just use anything that you like.
You have to have, you know, you have to abide by the manifest

(36:14):
approved within your company or whatever it is.
So SBOM is kind of a driver in engaging these further, further
discussions.
I just feel like it's, it's a driver, it's an enabler.
And then rest is on you, how you want to, how do you, how you want
to use that information

Matt Coles (36:35):
I'm confused though, Aditi.
I'm confused, Aditi, by the use case that you're highlighting.
So, I've always been under the impression that an SBOM is
primarily to communicate information from supplier to
consumer.
But what you're, I think what you're highlighting here is that
an SBOM may be used supplier with internal, internally to the

(36:57):
supplier.
As well.

Aditi Sharma (37:00):
Absolutely.
So say I have close partners,right?
And I work on, you know, vulnerability response for all
these things with them.
There can be a code of action where you also share SBOMs
between each other, right?
Just to understand, just to have that view of where, what are the

(37:22):
components?
What could happen next?
about having that, that relation with the suppliers as well,
internally, not everyone has to share everything outside, but
for your internal, uh, for your own product, what all you are
consuming, you have to keep an eye on what, what you're
consuming because you have like 10 vendors.

(37:44):
within your product as well.

Izar Tarandach (37:46):
So now you touched on something that I can
totally stand behind, and the analogy is another industry that
I think that we constantly reach out to learn from, which is
aviation.
And if you ever look at the analysis of an aviation
accident, they are able to know every single screw in that

(38:07):
plane, where it came from and when, which batch, which lot,
whatever, right?
But then it falls back into the maturity of the SBOM universe
today, and the way that I am, I won't say criticizing, but
questioning it,
is that we are moving very fast in this direction of SBOM all

(38:27):
the things, while we lack the foundation work that would give
me the ability to trust an SBOM to reflect every single screw
that goes into my software.
You know what I mean?
So I, I totally get the internal, the, the internal side
that you, that you put out, the, the external side.

(38:49):
To me, it's starting to rub it the wrong way because we are
saying, oh, whomever gets that product and gets that SBOM, they
have to now rebuild the SBOM so that it compare with the SBOM
that was given to them firsthand.
And

Aditi Sharma (39:03):
That's, that's hard.

Izar Tarandach (39:06):
You know, I'm thinking everybody's talking
about this shift left thing, and there couldn't be anything more
shift right than this.

Matt Coles (39:12):
I wasn't suggesting we should be validating the SBOM

Chris Romeo (39:15):
left, please, please, please.

Matt Coles (39:17):
way, Izar, I think

Izar Tarandach (39:18):
I'm fainting.
I'm fainting left.
I'm fainting left.

Matt Coles (39:20):
I think you confu, I think you confuse my statement
with you can versus you should, right?
You could, if your SBOM is, if your, if your SBOM is val, if
your SBOM is signed, you can prove integrity and

Izar Tarandach (39:32):
If it's signed.

Matt Coles (39:33):
If it's signed, right?
But if it's not signed, or if you want to do an independent
validation, for whatever reason, it is probably possible for some
percentage of those components.
I'm not saying that you will have to, but you

Chris Romeo (39:45):
I just want to piggyback on that, if it's
signed, it's the same thing as a contract at that point.
Like if somebody did, like it's, if somebody was to create an
SBOM and maliciously change it on purpose.
There'd be a liability case for me as a customer.
I could sue whoever gave me that software if they modified it.
If there was some material breach or something that

(40:08):
occurred on my, I lost money as a result of that breach and
turns out they lied to me.
That's where everybody's afraid SBOM could go though, is the
liability side.
Because that, that, we know how long it takes liability to work
out the courts to...
Decide, try them, get a, you know, a body of record so we
know what the, the answer's gonna be.

(40:30):
Um,

Matt Coles (40:30):
And we're making the assumption that the SBOM is
complete.
In addition to being accurate, and that's where the liability
comes in.

Izar Tarandach (40:40):
then you can always get told you could have
checked it by yourself,

Chris Romeo (40:45):
Well, I'm saying.

Izar Tarandach (40:45):
the software.

Chris Romeo (40:46):
The malicious case, I'm trying to, I'm trying to
work around the malicious case where somebody just, like you
said, they open vi and they just change the version numbers.
That would, that's fraud, right?
Like we have, we have rules and laws and whatnot in the United
States that define what fraud is and, and that would be a pretty
clear cut case of fraud if you gave me that SBOM and we had a

(41:08):
contractual requirement for you to provide SBOMs and you just
blatantly changed it and gave me something different.
Um, I think that would be an easier, be an easier thing to
get around.

Aditi Sharma (41:19):
I don't see it that way.
So yes, there could be repercussions, but this whole,
this SBOM is maturing and you're not going to get it right the
day one.
And that's where, you know, the legal helps, right?
In having all those.
This is, this is what we know at the best at this time.

(41:40):
And it can change the, as I said, there is a level of depth
to SBOM.
It can, for some products, Log4j was a level 6th or 8th.
Like you cannot even find it with your basic top level
dependencies.
So, and that.
That can happen with, I don't know.
Um, but that's a good point that you raise.

(42:02):
Yeah.

Chris Romeo (42:06):
All right.
We were going to talk about VEX, but I'm vexed by the fact that
we don't have enough time to
talk about VEX.
We'll have to have another conversation about VEX because
we're, we're just at about our, our time

Izar Tarandach (42:18):
You want a vex it..

Chris Romeo (42:19):
emphasis.
I'm an anti-VEXter apparently.
Actually I'm not, I don't even under, like I said at the
beginning, I don't even really understand VEX yet.
And so I do need to definitely learn about that.
But let's do, um, let's, let's close it out.
Let's kind of give some, let's do some final, a final, uh,
statement slash.
Thoughts, but not an argument because that will then turn

(42:40):
around another iteration of minutes of recording time.
But Matt, go ahead and go first.
What's your, like, give us something to take away from this
conversation.

Matt Coles (42:51):
All right, so you start, we started this episode
with I, with I, you posted something on LinkedIn and, and
caused a farfuffle and, uh, around SBOM.
And I think your, your original premise was, was good, was
accurate that the flow that was described in the white paper.
The guidance documents, recommended practices for SBOM

(43:14):
consumption missed the key point by, by not explicitly calling
out, oh, by the way, use this for understanding, you know,
patching and, and whatnot.
But I think I will also extend that to general risk management
and configuration management practices using the knowledge in
the SBOM to understand that you need to patch.

(43:35):
And, and, or thinking about now I need to provide mitigations
and potentially change my network architecture or other
mitigating techniques.
That's the true outcome that you get from, from SBOM, in my
opinion.

Chris Romeo (43:48):
And that was a lesson learned for me.
Like that's, that's something y'all taught me on this, this
episode.
So Aditi, let's, uh, why don't you go ahead and give us a final
thought next.

Aditi Sharma (43:57):
Uh, well, if you want to just keep an eye on, you
know, what your product has, what you're consuming, open
source, commercial, anything, and in turn, use the APIs
available for having, you know, all the CVEs that are out there.
And if you want to compare, do you have any components which

(44:18):
are affected with the database that is available publicly?
Um, you can actually see where you are standing in your
security posture.
So, give it a try.

Chris Romeo (44:28):
Okay, thank you.
Izar, what about you?

Izar Tarandach (44:33):
SBOM will be great.
SBOM is becoming great.
Today, SBOM is not great.
We are putting a lot of mass behind us, and it's building a
lot of momentum.
And I think that it's going to become something that's very

(44:53):
central to the whole industry.
But right now, the value proposition is there, the value
realization is not.

Chris Romeo (45:01):
Wow, and because I'm kind of the impromptu host
of this show.
I don't have to follow my own rules, and so I'm not gonna give
you a takeaway.
Thanks for joining us on the Security Table, folks, and we look
forward to having another conversation with Aditi in the
future to learn about VEX.
Aditi, thanks for joining us on your first ever podcast
appearance

Izar Tarandach (45:21):
You survived!

Chris Romeo (45:22):
here.

Aditi Sharma (45:23):
Thank you for having me.

Chris Romeo (45:24):
it

Aditi Sharma (45:26):
No, this was great.
Thank you so much for having me.