Artwork

Innhold levert av Chris Swan and Nick Selby. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av Chris Swan and Nick Selby eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.
Player FM - Podcast-app
Gå frakoblet med Player FM -appen!

Tech Debt Burndown Podcast Series 1 E11: Allan Friedman and SBOMs

 
Del
 

Manage episode 295471190 series 2939124
Innhold levert av Chris Swan and Nick Selby. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av Chris Swan and Nick Selby eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.

Recording date: Jun 8, 2021

Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.

“Having a list of ingredients doesn’t mean that you’ll eat healthy, but it’s very difficult to eat healthy if you don’t have that” - Allan Friedman

After introducing himself, and his role at the National Telecommunications and Information Administration (NTIA), Allan gives an overview of Software Bill of Materials (SBOM) using a ‘list of ingredients’ analogy.

The efforts around SBOM have been underway since 2018, and there was initially pushback from the software industry, in part because organisations didn’t have their open source licensing in order. As the NTIA has gone through the process of creating a consensus vision around SBOM, many of the original detractors have found that it provides a reason to clear up stuff that needed doing anyway.

Allan goes on to provide an example of how an SBOM gets used as a proxy for understanding total cost of ownership for software, and how that can be used as a negotiating lever. Vulnerability management, and understanding how most modern software is composed (largely from open source) rather than created from scratch is a central part of the utility of SBOM, so that software users can understand where weaknesses originate from.

We then go on to discuss the positioning for proprietary software, touching on the ‘black box’ problems that arise, particularly in environments that demand high levels of accreditation like healthcare.

Allan talks about the list of ingredients not meaning that anybody can replicate something, which reminds Chris of the UK TV show Snackmasters where celebrity chefs struggle to reproduce popular snacks. This leads Allan into some description of the challenges dealing with a lack of a global namespace for software.

We then move to some discussion of the 12 May Executive Order on Improving the Nation’s Cybersecurity, which sets the ball rolling for SBOM implementation in Federal Government:

(f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.

After talking about the difference between ingredients labels and nutritional information labels the conversation turns to how difficult it is to understand what compilers will produce from source code. This is a familiar problem for Chris, who’s previously examined how compilers can produce startlingly different output for seemingly trivial and functionally identical source code The compiler will not save you.

Before we wrap up, Allan notes that there was a chicken and egg problem with SBOM and the tools to produce an SBOM, but that’s largely addressed now by new companies and products emerging to fill the need; along with existing products growing additional capabilities.

  continue reading

17 episoder

Artwork
iconDel
 
Manage episode 295471190 series 2939124
Innhold levert av Chris Swan and Nick Selby. Alt podcastinnhold, inkludert episoder, grafikk og podcastbeskrivelser, lastes opp og leveres direkte av Chris Swan and Nick Selby eller deres podcastplattformpartner. Hvis du tror at noen bruker det opphavsrettsbeskyttede verket ditt uten din tillatelse, kan du følge prosessen skissert her https://no.player.fm/legal.

Recording date: Jun 8, 2021

Download at Apple Podcasts, Google Podcasts, Spotify, iHeartRadio, Spreaker or wherever you get your podcasts.

“Having a list of ingredients doesn’t mean that you’ll eat healthy, but it’s very difficult to eat healthy if you don’t have that” - Allan Friedman

After introducing himself, and his role at the National Telecommunications and Information Administration (NTIA), Allan gives an overview of Software Bill of Materials (SBOM) using a ‘list of ingredients’ analogy.

The efforts around SBOM have been underway since 2018, and there was initially pushback from the software industry, in part because organisations didn’t have their open source licensing in order. As the NTIA has gone through the process of creating a consensus vision around SBOM, many of the original detractors have found that it provides a reason to clear up stuff that needed doing anyway.

Allan goes on to provide an example of how an SBOM gets used as a proxy for understanding total cost of ownership for software, and how that can be used as a negotiating lever. Vulnerability management, and understanding how most modern software is composed (largely from open source) rather than created from scratch is a central part of the utility of SBOM, so that software users can understand where weaknesses originate from.

We then go on to discuss the positioning for proprietary software, touching on the ‘black box’ problems that arise, particularly in environments that demand high levels of accreditation like healthcare.

Allan talks about the list of ingredients not meaning that anybody can replicate something, which reminds Chris of the UK TV show Snackmasters where celebrity chefs struggle to reproduce popular snacks. This leads Allan into some description of the challenges dealing with a lack of a global namespace for software.

We then move to some discussion of the 12 May Executive Order on Improving the Nation’s Cybersecurity, which sets the ball rolling for SBOM implementation in Federal Government:

(f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.

After talking about the difference between ingredients labels and nutritional information labels the conversation turns to how difficult it is to understand what compilers will produce from source code. This is a familiar problem for Chris, who’s previously examined how compilers can produce startlingly different output for seemingly trivial and functionally identical source code The compiler will not save you.

Before we wrap up, Allan notes that there was a chicken and egg problem with SBOM and the tools to produce an SBOM, but that’s largely addressed now by new companies and products emerging to fill the need; along with existing products growing additional capabilities.

  continue reading

17 episoder

Tous les épisodes

×
 
Loading …

Velkommen til Player FM!

Player FM scanner netter for høykvalitets podcaster som du kan nyte nå. Det er den beste podcastappen og fungerer på Android, iPhone og internett. Registrer deg for å synkronisere abonnement på flere enheter.

 

Hurtigreferanseguide

Copyright 2024 | Sitemap | Personvern | Vilkår for bruk | | opphavsrett