
Hey, this next talk is going to be a really exciting one. Duncan Sparrow, who goes by sFractal, is going to talk about a game that he made that helps teach people about supply chain topics. I know, I know, it sounds boring, but wait until you see it. If you've ever played a game like Tetris you'll pretty quickly get into this, and it can become pretty addictive. So stay tuned, stick around for that one, and if you are so inclined hop into the Discord channel, the I Am The Cavalry channel in there, and you'll be able to ask questions of Duncan and get some answers, compare your scores on the Quad Block Quiz with other
people, and generally have a lot of fun.

Hello, I'm Duncan, and I'm going to be talking about Quad Block Quiz. Here, let me draw in the logo. It's a game that hopefully you'll have some fun with while learning some supply chain cyber security. I'm going to model this talk like a James Michener novel. Michener was a best-selling author back in the third quarter of the last century; he wrote lengthy novels covering many generations and perspectives about one locale. Now this particular book, Centennial, was written in 1974, just prior to the US bicentennial, and it's about a Colorado town named after the US centennial 100 years earlier than that. Now the Centennial book jacket says,
"While he fascinates and engrosses, Michener also educates." Hopefully my talk will as well. Centennial, like many of Michener's books, starts with a lengthy chapter in the present day to set the scope, then goes back millions of years and does the history of Centennial to the present day. I'll do something similar: setting the stage, describing how to play the game, info about the BSides contest; then I'll provide some history that led to the game being developed, and I'll show both the educational concepts and the cyber security concepts of the game, and I'll talk about developing the game. The game is Quad Block Quiz: save the tetrominos' world from supply chain vulnerabilities to win pragmatic real-world prizes like
custom cocktail instructions from a superlative mixologist. Quad Block Quiz is live right now at quadblocksquiz.org:4000. Now the game is a mashup of quad blocks and a trivia quiz, with some cyber attacks, licensing lawsuits and cyber security thrown in. As I said, the game is live at quadblocksquiz.org right now, and you can play to win prizes in two different contests that are going on right now. The during-BSides contest started at the beginning of my talk and runs until about midway through the question and answer session, when we'll pick the winners live. Now prizes include an absinthe tutorial over Zoom from Chantelle, a world-renowned cocktail mixologist. Other prizes include custom cocktail recipes from Chantelle. Here's a picture of Chantelle from her
website, Cocktails for the End Times. A previous contest was held at RSA Conference earlier this year in the Supply Chain Village. Here are some quotes from previous prize winners. The contest was a big success; the game was a big success. Now another prize will be a book that I'm going to discuss later in the talk. Now the second contest, which is also going on right now, gives you more time: it'll go until the end of BSides. Now the grand prize for that contest will be a private Zoom session with Chantelle for you and your friends, where she'll instruct you in making some designer cocktails that she'll create just for you based on
input that you provide. Now Quad Block Quiz starts off as a typical falling bricks game. You use your right and left arrows to guide the falling of a brick, use your up arrow to rotate the brick, and you get points for each falling brick and you get points for completing rows. Looks like I'm about to complete a row. Wait, what happened there? What, a block changed color? Just like in the real world, vulnerabilities can appear. Vulnerabilities are indicated by the yellow-gray block. A row is not complete unless it's free from vulnerabilities and some other troublesome bricks that we'll discuss in a minute. The other problem with vulnerabilities is they lead to attacks. In Quad Block Quiz, five vulnerabilities
will result in a cyber attack, as is shown here. Now I should also note your score leaks away while you're under attack, just like you lose money in real life when you're under attack. Now licensing issues can also crop up; they're shown as gray and brown blocks, and they lead to lawsuits. Now what can we do? Just like in real life, there are actions you can take to both prevent these from happening and to mitigate them when they do. When in doubt, hit the space bar. This pauses the game and causes this pop-up to appear. Now you can resume the game by clicking on Continue, or you can click on the categories to answer questions and collect
useful power-ups as well as get points. Note the questions do not require you to already know about supply chain security; reading the page should provide you the answer to everything except the bonus questions. Now the bonus questions require you to be listening to this talk right now. The answer to the first bonus question will actually be on the next slide. Now besides points, getting the SBOM question correct wins me the Delete Block power-up, which can be used to blow up those pesky vulnerabilities and licensing issues. Now you get a correct answer to the automation questions and you win the Move Block power-up. If you get a correct answer to a Phoenix question
you get the Clear the Board power-up, which is really useful if you're attacked, etc. So let's look at the game board. By the way, the answer to the first bonus question is 1243. Write that down and save that number. If you're playing now, go ahead and use it, but write it down for when you play again, because it gets you a lot of points. On the right side of the screen there are some hints on how to play; as the game progresses more hints will appear. On the left side of the board is your score and some info about how you're doing. Remember, 1243 is your score, which
also happens to be the answer to the first bonus question. Note some of the power-ups are for speeding up or slowing down the game. To get this particular contrived example I slowed the game down to a sedate speed; it accumulates points more slowly but gives me time to react. You'll also see later I went as slow as lethargic to set up one of the other scenarios. Now besides speed, the sidebar contains how many questions you've answered, how many blocks have dropped, and how many rows you have cleared. Now the brickyard in the middle of this particular game is in a precarious state: there are many vulnerabilities, many licensing issues, as well as a bunch of unfilled-in rows.
What to do? Hit the space bar. The space bar pauses the game and displays a pop-up. You can click Continue and you continue, or you can end the game at this point and record your score if you're under attack and you don't want all your points to leak away, or you can answer questions to get more power-ups, or you can use one of the power-ups you already have, which are shown. This particular game has some power-ups right above the End Game there; if you hover over a power-up it'll show you what it does. Now for vulnerabilities and licensing issues on the main board, you can fix them with things like the screwdriver or the wrench or the hammer,
or you can delete them, and for holes, to fill out a row you can either add blocks using the plus sign or you can move blocks using the multi-arrow sign to fill in the holes. Now a really useful power-up, especially if you're attacked, is the eraser that clears the whole board, which is what you might want to do if you got in a situation shown on the board here, which is about to end as it's about to fill up, or on this one where you're actually under attack; the yellow bar in the middle is an attack. But let's go back to that one we were looking at a little while ago. That was pretty ugly,
with a lot of vulnerabilities and liability and licensing issues, but if you make use of the Delete Blocks and the Add Blocks and the Move Blocks and the Fix Issues and the Fix Vulnerabilities, then you can do all that while you're paused. I actually did that on that previous game and filled in most of the rows. There's a couple of vulnerabilities still sitting there, but this allows me to show the exponential nature of clearing rows. If I just cleared one row down at the bottom it would get me 200 points; two rows would get me 400 points; three rows would give me 800 points. Note the exponential increase. And let's look at this particular score, 1336:
when that block right there touches, it's going to clear a bunch of rows, so watch the score jump when that block touches. Boom: 1343 to 4543, 3200 points for clearing five rows at once. So hopefully you can see the value of answering the quiz questions. So that's the game; you can keep playing while I'm talking. Another bonus answer will be coming up in a minute. Now let's discuss how this game came about. Now that I've set the stage in the present, just like Michener I'm going to jump back into history. I'm not going to go quite as far back as he did; I'm not going to go back several
geological ages and then finally get around to first-person dinosaur. I'm only going to go back to the Romans. There's sort of two points I want to make about the Romans. Most military historians credit the Roman army with revolutionizing military logistics: they understood how to disrupt their enemy's supply chain, and they understood how important it was to protect their own supply chains. Now the second point I want to make is something most people don't realize, and that is that this is why the Romans invented engineering. For 2,000 years, up until about 150 years ago, which I'll talk about in a second, engineering meant military engineering. Engineers built forts to camp at night, they built roads to move the army around
quickly, and they built bridges to get the army quickly and safely over rivers. The word engineer is actually derived from the word that means a designer and constructor of fortifications and weapons. So now let's fast forward to the early 1800s. By the way, the answer to bonus question number two is Rensselaer; that's one word with a capital R. Copy the spelling off the sheet there: capital R, lowercase rest of the letters. Write that down and remember it. Now Rensselaer was a rich landowner in Albany, New York. He served as a major general of the New York militia, and he was soundly trounced by the British in the War of 1812 at the Battle of Queenston Heights, which
was the first major battle of the War of 1812. Now he lost it mainly due to supply chain and logistics issues. Now later in life he founded my alma mater, Rensselaer Polytechnic Institute, or RPI, for, quote, "the application of science and technology to the common purposes of life," end quote. So in particular, to apply engineering to civil uses as opposed to the traditional military uses, and it turns out RPI granted the first degree in civil engineering. So now let's jump forward another 100-plus years to a particular civil engineer, my father, Charles Sparrow. My father was a civil engineer whose first job was designing bridges for the State of Maine, like the one shown here, and
in designing bridges you design them to be safe. So I'm going to shout out here to Josh Corman, because I'm going to paraphrase some of his work in cyber and tie it to my father's bridge career. What if bridges were designed using the Facebook mantra of "move fast and break things," or worse yet the LinkedIn mantra that you should be embarrassed by what you put out because you put it out so early? That would not be the best way to design bridges; most bridges would be unsafe. Now my father designed safe bridges. He didn't design this particular bridge shown waving and about to break here. Now to design a bridge you need to be a licensed professional engineer,
which meant you had both schooling and practical experience, and that others in your field vouched for your work, and that you certified the design with your professional stamp, which was an actual raised embossed stamp that you put on a document. Now my father was a licensed engineer and so was I, but let's get back to my father. So early in his career he left his job with the State of Maine to take a job with the Liberty Mutual Insurance Company loss prevention department. Let's parse that: insurance company, loss prevention department. Why do insurance companies have loss prevention departments? Well, I'll use an example. One of my father's projects was the building of the St. Louis Arch. He didn't design it, he didn't
build it; his job was to prevent on-the-job accidents during its construction. Safe construction means fewer injuries, fewer casualties, which is a win for the workforce, a win for the construction company, and it's fewer insurance claims, and that's a win for the insurance company. It's a win-win. Now my father took this particular picture while the arch was being built. On that same day he took this picture from inside one side of the unfinished arch. Now those segments being hauled up weighed 50 tons apiece. They had to be placed within 1/16 of an inch accuracy while the wind was blowing, and like any arch, the arch wasn't stable until it was complete. Translation: a potential safety nightmare.
Now this is an article about the construction. It explains the changes made at the insurance company's request to improve safety, i.e. the changes my father suggested, and it touts the safety record: the actual accidents were less than 20% of what would have been predicted for a project like this. So win-win: fewer accidents, fewer insurance claims. Why? Because the economics of insurance incent effort in loss prevention. Now my father was not only a licensed professional engineer, he was actually a safety specialist and a member of the American Society of Safety Engineers. Besides construction site safety he worked in earthquake safety and also in automobile safety, which I'll spend a moment on. Now back when I was a kid in the '50s and
'60s, cars were not designed for safety. They did not have seat belts, no shoulder straps, no collapsing steering wheels. They didn't even have tinted glass, which most people don't realize is a safety feature; it reduces accidents. Now my father didn't invent any of those things, but he is in the Henry Ford Museum Automotive Hall of Fame because he's part of the team that convinced the federal government and the automotive industry of the economics of putting them in cars, the economics of loss prevention. Now this particular paper shown here is a paper in the journal of the ASME on something called Survival Car 2. So first, Survival Car 1 was a concept car where they did studies with crash
test dummies in the '50s. This is where literally crash test dummies were invented, but it was just a concept car, and neither the government nor the automotive industry bought it. So the insurance company did a second round called Survival Car 2, where they took four of the best-selling cars right off the lot, they added these features in, and then they did those same studies. And I'll let Walter Cronkite and my father tell you in their own words from beyond the grave, courtesy of this video from Liberty Mutual and the Ford Museum, which is allowed to be used for research purposes.

"Research scientists are trying to find new ways of protecting you when you're involved in an automobile
accident, exploring new approaches to this very serious crap nobody helped provide that there was a need to make the automobile safe. They talked about training and driving, they talked about building broad roads, but the automobile industry would not do the research to show how cars would be... This was the first time that crash research had been done to see the impact in the other real companies, and so drought, you know, it's very interesting, but this is not a real car. Fire came back to Boston and decided he would take, I could take, an automobile right out of his showroom and incorporate as many ideas as he could from Survival Car One. There were four Survival Car Twos. Yeah,
well, a lot of features which would seemingly by themselves not be radical, but put all together, and consider the fact that they have never been used on an honorary plastic card, they've really made a great difference."

So it took a few years, but most of the safety devices in Survival Car 2 are now in most passenger cars today. Now I believe similar will happen in cyber. Now, like Michener, I've taken a while to get almost to the present day. A little bit about me: obviously I was shaped by the history I just provided. I graduated from RPI with bachelor's and master's degrees in electrical engineering and went to work for Bell Telephone Laboratories designing processors for
telephone switches. I quickly switched over to software, where I spent most of my career, which quickly morphed into cyber security when in 1990 I was part of a military cyber attack team as part of the first Gulf War. I helped, quote, "prepare the battlefield," end quote, i.e. hack into Iraqi air defense. Now this opened my eyes to the glass house that we lived in back at AT&T, and prompted the starting of AT&T cyber security efforts. I retired in 2013 as AT&T chief security architect. Now I spend most of my time doing pro bono work in cyber security standards and cyber safety.
Now my pro bono work includes organizations like I Am The Cavalry, which is a grassroots organization focused on the intersection of digital security, public safety and human life. They have several pithy sayings that I really relate to, and they've created some valuable awareness programs like the Hippocratic Oath for Connected Medical Devices or the Five-Star Automotive Cyber Safety Program. Now I Am The Cavalry was founded here at BSides Las Vegas eight years ago. Now I'm not a founding member; I joined at the second meeting, which was a couple of months after that first meeting, and I proceeded to bend everybody's ears on one of my passions, something called SBOMs. So let me take a slight detour into software bill of materials, or
SBOM. It's been a consuming passion of mine for many years now. There's a really lot of good information about SBOMs at ntia.gov/sbom, but I'll confess I'm biased: I was part of the group that created that content. Now it's received even more attention lately, since on May 12th President Biden explicitly called for SBOMs in his executive order on securing supply chains. So what's an SBOM? Well, let me digress further from my digression for a moment and discuss the origins of a common English expression: "don't buy a pig in a poke." This is not talking about buying pork in Asian lunch bowls. A poke is a burlap bag. One of the earliest scams
was selling cats in the bag as opposed to pigs: just go catch the cat for free, and pigs were expensive to raise. In other words, you shouldn't buy a pig in a poke; you should open the bag and look what's inside. Meaning you shouldn't buy most software, since most people, including the software developers, don't know all the components in their software. An SBOM is just a listing of all those components. If you produce software, you should know what is in the software, including the components you get from third parties and they get from further down the line. If you purchase or use software, you should require your suppliers to know the components in their software.
If you go to ntia.gov/sbom, or if you play the game, you'll learn more. Now people may argue that it's not economical to create SBOMs. Now they may be right, but I'll argue that in the vast majority of cases it would be more economical to produce the SBOMs if you did your math correctly. So this is from the movie Jerry Maguire: "show me the money." Now for most business decisions, including on security, money is a good metric, but only if you do the math correctly. So not yellow-green-red charts; you actually have to do quantitative risk analysis, which I'm going to talk about. I highly recommend reading this book; I'm even giving away e-copies of it as
contest prizes. It's a textbook; the authors can get a little repetitive at times, but it's worth reading because it has a lot of very useful concepts on how to quantitatively measure risk. The authors validly point out that cyber security is not the only field that has massive risk, minimal data and chaotic actors; in fact they reference both the insurance company and the financial fields. Recall my earlier discussion on how insurance companies led the way to safer automobiles. Now for both SBOM naysayers but even for SBOM evangelists, the right answer to deciding if you need supply chain cyber security is to quantitatively estimate the financial risks both with and without a supply chain risk program, and then decide
if the cost is worth the risk reduction. I maintain it will prove in almost all cases, especially once more and more supply chains start creating them, because SBOMs are a write-once, read-many enterprise and lend themselves very well to volunteer crowdsourcing for open source. Now another aspect that's in the book is something called loss exceedance curves. This is where you actually quantitatively show the risk, and it could be done in either dollars or deaths. This is unfortunately going to become more prevalent in our field as bits and bytes meet flesh and blood much more often in the Internet of Things. Now this chart shows the risk of financial loss as a probability distribution.
Now this is the language that financial quants speak, like your CFO. So to read this chart: it shows a very high probability of a near... you're almost certainly going to lose at least a thousand dollars in cyber security over a time period, say the next year. Most likely, in this particular case, the most likely loss is you're going to lose five million dollars. Note it's a log scale; prices go up a lot as you move over. And there's a three percent chance you'll lose, you know, 400 million dollars. That three percent chance is low enough of a catastrophic loss that you're probably willing to roll those dice; that's within your what's called
risk appetite or risk tolerance. Now where loss exceedance curves are best is for comparative purposes. You don't have to get everything right, you just got to get the differences right, and the focus is on that difference. In this particular case the orange line is the base case, it's what you're doing today, and the blue line is putting in a supply chain security program. Now the program costs 100,000, so there's a five percent chance you're spending this money for no reason; that's the upper left-hand part of the curve there. But most likely, the 50-50 point on the curve, it's going to save you four million dollars of that five million, if you use the same
chart from before. So a hundred thousand dollars to save four million, that's a pretty good deal, and it reduces a catastrophic loss. On this particular curve the catastrophic loss was a ten percent chance of a four hundred million dollar loss; that's probably not within your risk tolerance. However, by doing these particular things you reduce it down to three percent, which is within your risk tolerance. So again, the point of these charts is to help you make a binary decision of should you do something or not. Now let me go through another historical digression on the way to the game, and that's cyber security automation and the standards that help enable it.
The work shown here was done at the Johns Hopkins Applied Physics Lab, i.e. the guys who build nuclear weapons. Now they showed that automation resulted in a two-order-of-magnitude reduction in the time the attackers were in the system; it reduced from weeks to hours. You can do a whole lot less damage in hours than they could do in weeks. Now how did they accomplish this? Well, developers develop software, hopefully creating SBOMs as they're doing it. Like all software it might contain vulnerabilities, and for now I'm going to assume that the vulnerabilities get found by a hacker, a bad guy, a threat actor, before they get found by a good hacker, a security researcher.
Now fortunately these attacks generate indicators of compromise. Those indicators of compromise can be shared both between equipment, between devices, but also between teams, so that everybody can learn from any given thing that happens; everything else can learn from it. Now security teams can then develop courses of action, which can be shared via CACAO, STIX, TAXII; these are all OASIS standards. Now part of the course of action might be to instruct firewalls or sandboxes or intrusion detection to do something; that can be done with OpenC2, another OASIS specification. And you can describe the impact of the vulnerability using a standard called CSAF and create something called a VEX
document, which tells you the exploitability of the vulnerability. Now if the defenders discover the vulnerability first, you can skip all the attacker stuff and go right to creating the CSAF, sending the OpenC2 commands to your devices, but also you can go ahead and patch your software and update your SBOM, and that can all be done automatically. So that's how you get the automation to get the risk reduction that APL got. Now full disclosure: I participate in SBOM, CSAF, VEX, STIX, TAXII, and I actually chair OpenC2, so obviously I'm biased towards these automation solutions. But recall my father's clip mentioned that it was a combination of many things that made
cars safer, and I feel the same way about cyber security: it's going to take sort of all of these things working together. One final historical digression before we get back to the game. I help a high school friend of mine with OPEN, One Planet Education Network. OPEN helps connect underserved communities that have little or no internet. They bring the internet to these communities, and then they use project-based learning and distance learning to teach STEM and to build bridges between the cultures, with the students sharing knowledge across borders. They nominally teach sustainable agriculture to help ensure food security, but they use a sustainable agriculture project to also teach science, the internet, programming, data analysis, cyber security
and many other topics, all the while learning about each other's cultures and how to work together. Shown here are students in a classroom and a farm in the Congo, and another shot is a class in Malawi. George, the founder, requested that I help him with some of the cyber security modules, and that was another kickstarter to help me develop the game. So back to I Am The Cavalry and the game. I Am The Cavalry organized the Supply Chain Sandbox at RSA two years ago, and it was in person, and they organized it again for the most recent RSA Conference, which was all virtual, so they were looking for internet games that showed supply chain concepts. So I matched up several of my
passions and decided to create Quad Block Quiz. Basically I matched up all the concepts I've just gone over and gamified them and included them in the game. We did it at the RSA Conference, we're doing it obviously now as part of BSides Las Vegas, and in the future we'll be using it as part of OPEN's cyber security course. Now by the way, the answer to that third bonus question is sandbox, all one word, all lower case. It's an easy thousand points for just paying attention. Go play the game if you're not playing now. Let's look at Quad Block Quiz from the perspective of an educator. Now there's two aspects to education: the
concepts that you're teaching, that you want your students to learn, and the methods you use to teach them. So I've covered many of the supply chain cyber security concepts in the historical section earlier, but there are obviously more that are included in the game itself. What I'm going to focus on here is the techniques and methods to teach the concepts. Now one technique is trial by fire: if you play the game and you just play the quad blocks portion without playing the quiz, then you're hampered by vulnerabilities, licensing issues, cyber attacks and lawsuits, just like in real life if you don't pay attention to supply chain security. Now another educational technique is just classic reading comprehension:
so in the trivia part of the game, each question has a background, and the background actually contains the answer, so you don't need to know the answers ahead of time. You just have to read it and you'll learn it as part of the game. And to incent you to actually answer the questions and learn these things, there are points and power-ups that you're incented by if you get the question correct. Now the third technique that the game uses is that the power-ups are correlated with the cyber security concepts. So for example, answering SBOM questions correctly lets you delete vulnerabilities. So now let's talk about making the game. The game is a mashup of several of my
passions. One of the passions is cyber security, obviously: supply chain security, SBOMs, quantitative risk management, OpenC2, CACAO, etc. But another passion is the Erlang ecosystem. The Erlang ecosystem consists of the Elixir programming language, the Erlang programming language, the BEAM virtual machine, and most importantly something called OTP. So availability was the goal when Ericsson designed their Erlang programming language back in the 1980s. They were building telephone switches, and back then telephones had to work, so to get that five nines availability they ran Erlang on a BEAM virtual machine with a bunch of libraries they called OTP. So at the time it stood for Open Telecom Platform, but now it stands for One Tough Platform. If you haven't already
heard it, I recommend listening to Sounil Yu's talk on DIE: Distributed, Immutable, Ephemeral. Sounil introduces them as good solutions to meet the security triad of CIA: confidentiality, integrity and availability. Now Ericsson discovered the DIE concepts back in the 1980s and built them into OTP. They built them in mainly for availability, but confidentiality and integrity come along for the ride. So OTP is built on a let-it-fail concept. One of the failures is I can't spell, as you'll see by the spelling of the word parallel. Now the system works in the presence of both hardware and software errors, and it does this by being distributed, immutable and... ah, I can't say that word,
ephemeral. Now Erlang is a 1980s language, so Elixir was invented more recently to contain many concepts of newer programming languages, and that's what the game will be programmed in. It runs on the BEAM and it takes advantage of OTP. So this is a very long-winded way of saying I wanted to write the game in Elixir to take advantage of these concepts. There is an easy-to-use Elixir web server known as Phoenix. It scales really well; it makes use of Elixir lightweight processes, so it actually gives each user their own web server on each transaction. I particularly like this because it drastically reduces the attack surface. Now because this is a volunteer effort, I also like that Phoenix is known for its
simplicity and its decreasing the cognitive load on developers, which is a really fancy way of saying even I can program it and write maintainable software. So I went a step further and started with an open source quad blocks project by Groxio. Groxio is Bruce Tate's company; Bruce teaches software development and uses the quad blocks repo to teach several different courses, including Elixir, including Phoenix. So I just forked that particular repo and added the quiz and the cyber security aspects, so it can be used in future cyber security courses, such as with One Planet Education Network. So if I talk the talk on all these concepts, then my software should walk the walk on all these concepts.
So the code is distributed, immutable and ephemeral. The software is open source; it's on GitHub; it's usable by anyone under the MIT license, which is the most permissive license. There is an SBOM for the game software, there's a software bill of materials for the software; it's accessible from the game website, and it's actually used in the game. We do try to patch vulnerabilities as we become aware of them. Quad Block Quiz is dependent on Phoenix, and Phoenix is dependent on some deps, mostly in Elixir, but it depends on some JavaScript libraries that are used to control the game in your browser. There's been no patches yet for Elixir, Erlang or OTP, but we have way too much experience with
patching javascript we've probably had 10 patches so far this year on the javascript for this game for actually fairly large much more than 10 number of cves vulnerabilities that went with with the javascript uh we're also trying to protect the website with automated cyber security using openc2 sticks cacao csaf etc but that's still a work in progress now this is all possible because of our sponsors as fractal i think that's me old retired guy provides the cyber security expertise designed the game and developed some of the software and i fund the rest of the development pony a kenyan software development term also develops the software briarcutter a tech writing firm helped with the documentation in the marketing
and google donated the cloud resources that the game actually runs on so thank you one and all several things i'd like you to take away from this talk but the main one is there are no silver bullets in supply chain cyber security but neither are we fighting mythical creatures called werewolves we're a bunch of well-meaning defenders equipped with night sticks and fighting off a mob throwing rocks and bottles how do you control riders with riot cuts instead of silver bullets we need shotguns shotguns are way too maligned we need a shot we need shotguns shotguns have many little pellets they have gun powder to shoot the pellets out and they're held together with a case
our pellets are s-bombs patching openc2 cacao csa effects sticks and all our cyber tools our gunpowder is automation and the shell holding it all together is cooperation and sharing among the defenders so what should you do now you should go play the game a reviewer speaking of mr said while he fascinates and engrosses michener also educates i hope my talk has fascinated you i hope the game engrosses you i hope that both teach you something about supply chain security i'll close quoting dan gear there is never enough time thank you for yours we're now ready for questions
So, Duncan, while we wait for questions to come in, I've got a few of my own. In watching the talk, wonderful, you know, I guess the first is: I mean, given everything that you said, and, you know, just common sense, it seems like SBOM is a no-brainer. I guess, you know, what resistance have you seen to actually doing this?

Well, it's a no-brainer from a logic sense. It is actually a lot of work. Even doing the SBOM for this game, I discovered it's much more work than even I thought it was, and I'm a huge advocate of it. It is nice because it's a sort of write-once issue: once you do it for any component, then everybody else benefits from that. But the problem is basically no one's been doing it, so software has thousands of components in it, and you sit down and go, "Oh, I gotta do a thousand of these now," and it takes time and effort. I think any good risk analysis that actually did the quantitative risk analysis, turned back into money, you'd see that it would actually pay for itself over the life of the product, but that initial sort of start is just, you know, a hump people got to get over. And I think it's now coming around; people are coming around, people are understanding the value of it.

Yep. Now, well, I hope they do. Like I said, it makes a ton of sense, and hopefully there'll be some more tools to overcome some of the challenges that you just mentioned. It seems like there are. So we've got a question here from Sushi Dude: "Duncan, do you think that cyber security will ever get to ground truth like, say, bridge engineering has? What are the biggest obstacles to get to that point?"

Well, first, bridges have been being built for thousands of years. Software's only been, you know, software didn't exist when I was born; it's just a recent thing, so give us a little bit of time, to be fair. And to be honest, that little picture I showed of the bridge waving there was a real bridge designed by real engineers, and they still made mistakes, so it's not perfect yet in civil engineering, but it's way better than cyber security, obviously. So I do think software will get there. I actually think the recent President's executive order is a really large step, because the government using its power of the purse to at least get its suppliers to start doing something, we'll start getting all that initial, remember that you asked me the question before, I said there's just that initial hump you gotta get over, it'll start getting a lot of that already done
as well as once businesses start looking at it, they'll go, "Oh, wait a second, why should I buy this from vendor A when they make mistakes every other week, and when I've got this other choice? Vendor B is a teeny bit more expensive, but their stuff never has problems, so I can afford that little bit of extra up front because it's going to save me in the long run." Once more and more start doing that, I think they'll even get to the better case of the look at, "Hey, it's really just a software quality issue. Let's build the software at the quality we need." Some things need it more than others; safety critical things need it more than, I don't know, my webcam or my PowerPoint slides or whatever, but more and more things are becoming safety critical, and we're sort of still too much in the PowerPoint slide mentality. But I think we'll get there.

Great. Well, we're waiting for others to come in here. In terms of the adoption, so you highlighted it a minute ago, but what industry would you say has done the best job so far when it comes to software bill of materials?

Financial. I think that's sort of hands down. They haven't been as public on it as I guess I wish they would have been, but they've actually been requiring it for a long time, and they again tend to keep them to themselves as opposed to sharing them, but among the financial industry they share it, so at least in my experience. There's some other pockets that do it really well. I was actually involved in some nuclear armament work a number of years ago, and they do it pretty well, and I'm glad they do it really well, since they're talking about nuclear weapons. But it's beginning to get further and further out, and the ones I'd like to give the most recent kudos to is the healthcare industry. The healthcare industry is not known for its adoption of software and being techie oriented, but because of some work that was done by the Cavalry with the FDA, it sort of raised the awareness a lot, and there's some really good work going on in the healthcare industry now. And they're beginning to, both sides, both the suppliers and the medical providers, the purchasers of the medical gear, are both starting to see the value of that, so I think that's a big success story worth touting as well.

Yeah, absolutely. And I guess on that point, what have you seen? So certainly there's the issue of producing an SBOM. You know, what have you seen in terms of ways that customers are actually consuming the SBOM and using it in
their vulnerability management programs?

Well, so, one, using it in their vulnerability management programs, there's actually more of it out there than people realize. An awful lot of build tools actually create them and most people throw them away, not even realizing what's going on, and an awful lot of the services you buy on vulnerability management are basically doing the SBOMs, you know, sort of for you, under the hood. And again, they're not necessarily publishing them, but they're still creating them. So I think there's more going on than people realize. But a couple things to point out is that's not the only use case. Licensing is a big use case. Like, in fact, SPDX, one of the formats, was created, you know, a decade ago probably, just for the purposes of keeping track of licensing, and again the legal side of the house really has found the value, again not just in the "hey, I got to do it to check the box." It's the value of doing it in the "hey, it reduces future maintenance," where you have to go back and correct stuff because somebody comes in and points something out; you want to catch those problems early on. And there was some, I think it was Carnegie Mellon, I'm not positive, that did a study on just knowing the ingredients. Knowing what's there, any engineer looks at it and goes, "Oh, that's stupid, why do I have six copies of something, or why do I have two different versions of the same thing?" That sort of, once you see it, you actually clean it up, and it actually reduces your software development costs and your maintenance costs. "Well, I have two different teams doing two different things when you could have one team doing the same thing," etc. So I think that the other benefits of it will eventually come through, not just vulnerability. Obviously I'm a security geek, I do it for the vulnerability, but I think some of those other values are going to be very valuable also.

Yeah, absolutely. What's the fourth bonus point? So if people are playing in the background, it turns out the fourth question is worth 2,000 points, so you really should be asking. All right, and the answer is Elixir, E-L-I-X-I-R, the programming language this was used in, or if you've seen any of Allan Friedman's cocktail drinks, there's lots of elixirs there too. We will need to wrap up the contest in probably a couple of minutes too, so if you're playing, all right, get in there and finish up, and if you're not, I was playing, go play.

So, yeah, I guess back to topic. When you think about an SBOM, you
know, what you mentioned, healthcare and FDA, and one of the questions that I've heard in those forums is really about the depth of an SBOM. What are your thoughts in terms of how far should it go down to be useful? In other words, is it just major components or frameworks, so you think about things like, oh, this has a SQL Server, it uses Java, or does it really need to go down to the library level, you know, this has a statically compiled OpenSSL version X, right, or this leverages this, you know, commercial library? What have you seen in terms of best practices there?

So you ask the question what should it do and what are best practices, and then there's what's practical to do, and they aren't necessarily the same answer. So first I want to point out that even if you don't do everything, if you only do that first order, it's still valuable. However, it's more valuable the deeper you go. So you mentioned the SSL example before; there's lots of web servers still with, you know, Heartbleed accessible to them, because again they haven't patched yet because they don't really know that's what they have buried in their guts. So a complete SBOM is better, but no one's gonna start out with a complete SBOM. If you actually look at the SBOM for my game, and again, amazing stuff, you'll discover it only goes down to sort of my stuff. I mean, it goes down to Elixir and a lot of the libraries I use, but it doesn't go down; you can't actually look at it and say which OpenSSL library do I use, and I do think you need to get to that, particularly for security geeks; you need to get to that level for "am I affected by the CVE?" If you have an incomplete one and you look and you see you have that ingredient, then that's valuable. However, if you have an incomplete one and you look and you don't see that ingredient, you still don't know that you don't have it. So if you have a complete SBOM, you can look and go, "Oh great, I don't have to worry about that thing that just came out." There was a great talk in one of the SBOM meetings, I think it's on a video somewhere, of basically how much money was saved by the company that had made the SBOMs when a couple fairly critical CVEs came out, that they said, "Oh great, I don't have to spend hours figuring out, days, weeks, staff weeks, figuring out what's up. I just look at
the SBOM and say, yep, it's not in any of them, or it's only in this one and I got to go worry about that." So yeah, but anything is good.

Absolutely. So we have a question here from the Discord: "Do you think the work from GitHub and GitLab around dependency mapping and tracking is a good start? Where can we go from there?"

It's an excellent start. I actually make use of it in the game. I unfortunately got some Dependabot alerts this morning that I have to go click, because I do use some JavaScript. It seems like there's new JavaScript CVEs every week, but yes, I do think their dependency work is good. I think that a lot of the open source world is starting to come around to doing SBOMs, and again it's because it's write once, read many, just as every little one gets done. There's some great work going on in the Linux Foundation about putting it, basically the operating systems come out with the SBOM, and that really is a lot of the core of it. So you get into it some; there are some issues there. Oh, there's lots of corner cases on all these things, because again compile-time options matter and stuff like that. So there's different ways to do that SBOM. You can do it based on the source code, which is particularly good for licensing, specifically good for when the developers are assigning whether you should use A or B. There's doing it during build time; that's the one I like best, particularly for vulnerability, because you actually get what you actually used, you take into account the compile-time options. But it's also good to do it after the fact. There's a lot of scanning tools to look at afterwards, and you have to, you know, SolarWinds, you know, if somebody's taken over your build chain, the only way you're gonna catch that is after the fact. And so I think all three have their uses, I think all three are valuable. And I'm gonna have to go click on the stop the game, so let me go stop the one hour game. There are two contests going on. I think I might have a bug in my code because of that, but the one hour contest with the one set of prizes I just closed, so wherever everyone was, if you were playing, you probably just got kicked out. But the 24-hour contest is still going to keep going; it'll go until sometime around this time tomorrow, and there are again two different sets of prizes. And I was going to live figure it out, I don't know if I can do that in time, but I will get, if you think you
won, get back to me. And there is a little bit of, well, I'm looking at the scoreboard and I think there might be, I think my software might have a bug in it, because I see different answers for the second contest than the first, and all the people in the second contest should still have been in the first. So I think I'm going to have to do a little bit of a sort, but it does let me look at both of them. It does look like Jeremy is going to win here. Well, let me make sure that, yeah, he's the leader on both of them. So it looks like Jeremy will be winning the grand prize, which is a designer cocktail party where you get to contribute what you'd like the cocktails to be about. Then again, you can read about it on the contest prizes page. For the second prize, it's that book I mentioned along with one custom cocktail recipe, and that looks like it's going to be swap windows here. All right, I'll get back to the people. If you think you won, get a hold of me on Discord or send me an email or tweet or whatever, and I'll make sure I get the prizes to the winners. And like I said, there's still plenty of time to play to win that second round of prizes, so I encourage everyone to do that.

Great. Well, thank you so much for the time that you invested, both with us today here as well as in this game, which is fantastic. And, you know, I've been playing it off and on, and it's a really great idea, and it's fun to see the SBOM language in that context. So kudos to you on that, and yeah, have a great rest of your conference, and looking forward to seeing you in person maybe someday at a future conference, hopefully. Take care, everyone.