
So first there's my... you can still see it, right? It paused on my Discord, but okay. So this is me, in the fastest bio I think I've ever tried to do. I'm a founder of a new startup called MJM Growth. We actually take small tech companies and teach them how to do sales and marketing, because most tech companies suck at sales and marketing. And Rando's probably over there laughing, because he's been an evangelist for I don't even know how many years. Most companies just suck at sales and marketing; they don't understand how to get the word out. So I started a company to do that.

I've got some amazing people that I work with. I've also started a non-profit, the Risk Management Information Sharing and Analysis Organization, the RM-ISAO; I'm the co-executive director. I'm one of the co-hosts of Paul's Security Weekly, over on the CyberRisk Alliance and Security Weekly family. I'm also an IANS faculty member. I'm a dad, I'm a husband, I'm halfway decent at those couple of roles, and I have a fascinating and fun life. There's a lot of other stuff I'm not even mentioning here, I swear to God. So that's me.

Anyway, what's a bill of materials? So this is interesting. What is in your software, your hardware, your firmware, your security, your compliance, whatever? Doesn't matter. What's in the truck? Let's start there. What's in the truck? What do you mean? Let's assume you've got an 18-wheeler coming down the road. Okay, cool, I've got an 18-wheeler. What's in it? Well, I mean, there's stuff in it. Could you be a little more clarifying here? And the idea is that every truck driver has a manifest, okay, and he hands over the manifest, and the person at the weigh station goes, okay, you've got 10,000 toilets or whatever the hell it is, 40,000 widgets, and you're a little overweight, so we're going to have to ask you to offload something. And the bill of materials, the manifest, is used to say, okay, well, I'll have another truck come and pick up 20 toilets, that'll put me under weight. Perfect, we're good, that's fine.

Okay, the bill of materials is used to determine where things go, what things are on the truck, what's part of the load that you have in the truck. And the idea here is that we build software the same way. Back in the day, and I mean like literally 100, 200 years ago, when you unloaded a ship they literally would spread a net down and you'd put boxes on the net, then the crane operator would pick up the corners of the net, move it over to the receiving area, drop the net, and they'd pick box by box by box. Longshoremen, that's what they used to be called, I think they're still called that, dock workers would literally pick up a box at a time and go load a truck with them. Now we have containers, okay? The containers have crap tons of stuff in them, and one crane picks up a container, drops it on a truck chassis, and the truck drives off. Okay, and we literally call it the same thing. Kubernetes and Docker, they build... what's that? Oh, containers.

Because back in the day, 20, 30, 40 years ago, all code was written by hand. You know, Rando would sit at a table and a desk with a stack of punch cards in front of him, and he'd literally punch the punch cards to put the instructions into the computer. Not that he's that old, I'm not saying he's that old, he's no older than 70. Okay, but the idea is that you as a programmer wrote every piece of your program. That's not true anymore. These days programmers do a lot of coding, I'm not dissing or impugning programming in any way, but programming is more like Lego block building than it is like calligraphy, okay? You take... oh, I want that library. I need to encrypt, you know, some Rails stuff; okay, there's a library for encrypting Rails stuff. I need to, you know, drop the results of a Google Form into an S3 bucket; there's probably a library for that, or a chunk of code, or Stack Overflow has some code for that. Okay, but you didn't write that code, you didn't write that library, you didn't write that whatever. So the idea here is, well, where'd you get all these pieces? Where'd you get all these Lego blocks? And bills of materials will tell you that.

But that's software. Why do I have software, hardware, firmware, security, blah blah blah blah? Oh, we'll get into that. Now you might know... what's the name of the company? Black Duck. They're fairly famous; they keep track of open source software. So if you have open source software in your systems, then they will keep track of it and tell you, hey, there's a new vulnerability; hey, there's a problem; you're doing great, you're up to date. Are you using version blah blah? Yes? Okay, then you're fine. Are you using version blah blah blah minus two? Well, yeah. That actually is... oh, critical vulnerability, here you go, here's your patch. Okay, so there are entire companies that are massive that are tracking chunks of software and making lots of money off you by doing it. Okay, that makes sense, that's cool. Yeah, but what about the things you don't know about, Josh? What do you mean?

Well, when you get a piece of software, an application, whether it's a SaaS application, a shrink-wrap application, whatever, do you know what's inside of it? I promise you it's all Lego blocked, okay? It is not that they wrote 50 million lines of custom code. There's Lego blocks in there, there's libraries, there's DLLs, there's chunks of code from Stack Overflow and 14 other places. Do you know what's in there? Because if you don't, you've just introduced potential vulnerabilities that either you don't know about, or the manufacturer doesn't know about, or both. What do you mean that the manufacturer doesn't know about? Oh, right, because every developer logs every place that they got a chunk of code from Stack Overflow and puts it in the notes. Sure, absolutely, I mean, of course. Don't... does yours? So you've introduced vulnerabilities, or potential vulnerabilities, into the application that's running God knows what in your enterprise. This is a problem.

So the idea here is that if I can mandate getting, from the manufacturer of every application that I use as an enterprise, a software bill of materials, okay, that's the software bill of materials, then I can keep track of the vulnerabilities. Well, how do I do that? Well, I mean, there are services like Black Duck, and I think there was WhiteSource, which was a hilarious fact that they named it that, but I'm not even going there, that will keep track of software for you. So you go, hey, I've got these 70 libraries that I use. And by the way, there's thousands of libraries that you use. If you're at a company of any size, there's thousands and thousands and thousands of libraries, modules, chunks of code, whatever, that you as a company use in the software that you buy and rent and lease and subscribe to, and in the software that you build and churn out to feed to your customers. Thousands of them, guaranteed. So if you can keep track of all of those, or a third party can keep track of them for you, and keep track of the vulnerabilities affiliated with those... because again, a vulnerability scanner is great, but if it scans my application but the vulnerability is so far deep buried inside, maybe it's a magic parameter, maybe it's a... you get the idea. So software bills of materials actually are starting to have vulnerability bills of materials, sort of as a plug-in to them. It's really kind of cool.

So that's software, and I've been harping on software, forgive me, but there's also hardware. What do you mean, hardware? This is really cool. I don't mean literally like computer hardware, I mean like, crap, do I have something on my table... I mean like hardware like components, okay, and, you know, pieces of metal that you install in your house. What the hell are you talking about, Josh? We'll get into that; this is really cool. But then there's firmware. Same idea, that's kind of software of a sort, right? Okay, IoT, the firmware on your phone, the firmware on your devices, the fact that your X-ray machine is probably running Windows 7, don't even get me started on that. And then you've got security and compliance. What does a bill of materials have to do with security and compliance? This is fun. What if I can take all of the security compensating controls, that's where compliance comes in, and I can take all the vulnerabilities... and I don't know if you can hear it, but there's a fire engine going by; if it's loud I apologize. That's really... if you can take all of the compensating controls, if you can take all of the different pieces of your security and your compliance and put them in a list, appropriately formatted, we'll get into that in a second, but you can put them in a list and you can say, here's everything I do for security, and here are the results, here are the metrics, here are all the pieces. I get that from Splunk, I get that from my SIEM. No, no you don't. You get whatever you program into your SIEM.

And actually, I mean, hell, I'll invite discussion. I mean, Rando, you worked at Splunk, currently, unless I don't know something. Oh, are you still there? I didn't know that, I lost track, I apologize. I have friends working... you know what, it's very easy with me, to be quite honest. But I mean, so Splunk keeps track of a lot of your security and compliance pieces. I absolutely am on board with that. I'm not impugning Splunk or any of the SIEMs that are out there, they do great work, but they only do what you feed into them. They only track what you feed them, okay? So if you feed them logs from only this half of your enterprise, they don't track the stuff from the other side. Basically correct, yes. Okay, so with a bill of materials, you manually go out there, or with a compliance automation system, or with your SIEM, or with a lot of different things, you can collate a lot of different information about your security and compliance and have basically a list of what you do, how you do it, why you do it, what it helps, what the results are, et cetera. Okay, I've harped on this slide forever and I apologize. Let me show you a few examples.

That's a nice slide, though. Oh, well, thank you. Well, I've actually been trying recently, this is a little weird, but slideware, I've been trying for much simpler slides and doing more talking rather than showing, if that makes sense. Much simpler slides. And this circular graphic, is anything about that? Well, this is meant to be not something you read. I just wanted to point out that this is from the NTIA, and they're the ones, with Allan Friedman, who's an awesome, awesome dude, Allan is amazing, and he's actually moved over to CISA. Yeah, with Jen Easterly, he's now over there at CISA, still doing software bills of materials for the US government. But this was from NTIA when he was there, and this is where the software lifecycle goes and the bill of materials assembly line, and it gets crazy. I'll send this to anybody that wants it, it's in a public report of theirs, but the idea is that you can build a software bill of materials as part of your CI/CD pipeline, as part of your build process. That's the only thing I wanted that graph to be there for, okay, just to be clear.

But I mean, when I talked about hardware, there's actually a company right now who's using bills of materials, okay, to keep track of all the lighting fixtures that they put on billboards. Because, and here's the kicker, every time they get a new batch of lighting fixtures from their supplier, they get put on 50 different billboards, like these big huge batches of lighting stuff, because they do a lot of billboards. If they get one that falls off a billboard, it could kill somebody. You could hurt a car, kill somebody, whatever. I mean, these are big freaking lighting fixtures, they're like this, like hundreds of pounds, because they're meant to last forever, basically. So they want to track: if one of them ever cracks, breaks, falls off, whatever, we want to know which batch it came from, because we're immediately going to go check every single other one in that batch. We want to know which installer installed it, because if it breaks off, that's one thing, but if the nuts weren't screwed down enough and the whole thing just shakes loose from the wind and everything, and it's the same installer for 20 of them, we want to go check the other 19. Okay, so they're using bills of materials as a tracking mechanism to determine where things went, if that makes sense. And it's the same idea with vegetables. You might have seen the IBM commercial, we're tracking tomatoes now through blockchain. Okay, cool, that's nice. Same idea: we want to track provenance, we want to track attribution, and we're not talking attribution dice, they always say North Korea or Iran. We want to talk about provenance, of where things have come from and where they've gone and who is using them. And that's that whole library of software, lighting fixtures, whatever, it doesn't matter.

Okay, and then what about with pen test reports? And I just stole, I blatantly stole Offensive Security's illustration of a pen test report. But with the pen test report, or with the systems that it's reporting on, can I take the artifacts from the pen test, can I put them in a bill of materials as a piece of evidence about my security? Absolutely, why not? Okay, can I use it as a metric? Well, the pen test found 15 criticals, 70 mediums and 4,000 informationals; we thought that was a little weird. Yeah, those are metrics, those are artifacts, those are things we can measure, so they should be in a bill of materials. Why? Well, if a customer goes, hey, I want to see your security bill of materials: here. And I've actually weighed, and I would love feedback, by the way, I've weighed calling them either compliance bills of materials, CBOMs, or risk bills of materials, because I can separate that out into security and compliance, the RBOMs. And CBOMs is better. Do you really? Because RBOM doesn't roll off the tongue as easily. Because the C and the S, and this is just an alliteration thing for me, it's just me: CBOMs, like it begins and ends with the same S. Interesting. It's sort of the same sound thing, and I like that. RBOMs just doesn't have the same ring to it, so I'm going to lean heavily towards CBOMs. Thank you. No, I like it, I like it, I like it, I like it. And it's cool, and I'm asking for feedback, by the way. I'd love feedback from people at the end of this. I've got an email address on the last slide; please email me, or join us here in the classroom, and we're happy to have you here to talk about it.

All right, so let's talk about how people do these things. So right now there's a few different methods for SBOMs; those are the first three, and it's SPDX, SWID tags, and CycloneDX. Let me explain the differences real quick. I'm not going to go horribly deep, but I want to explain just a few differences. I'll actually start in the middle there. SWID tags are very, very simple. They're literally tags that you tag a piece of software with. Think of it like an RFID tag; it's not physical, but boom, done, I've tagged it. What is it? Oh, that's SaaS. That's it. It's just pieces of information you tag software with to make it easy to classify or differentiate. That's it, okay? But that's what they were designed for, and that's fine; they do a great job, they're nice people actually. CycloneDX is a way to try to take other SBOMs and enrich them. Unfortunately, recently they've started doing some things that, as I understand it, are a little... not playing well with others. We'll leave it at that. I am involved personally with the SPDX project, and the SPDX project is open source, it's part of the Linux Foundation, and it has a full ISO standard for the SPDX protocol. SPDX was Software Package Data Exchange. It was originally designed as just a license BOM, so I could tell, of all the pieces in this piece of software, all 14 licenses that are in the 14 libraries, I can keep track of them all. Because again, that's another thing: what if I take a piece of software and embed it in something I build for commercial use? Oops, it's got a GPL license or an MIT license or whatever. We've just done very bad things to our legal team, and they hate us now, and legal teams that hate you: bad, okay? So what we need to do is we need to keep track of all these licenses. That's actually what this was originally intended to do, just for licenses, okay? That's where the software bill of materials started, was just licenses. Everybody's like... and if you're in a startup you've seen this: okay, I need a library to do this. Here you go. And then five minutes later, oh, can I use that license? Well, let's talk about licenses, because your legal team for your startup is (a) that guy you met over dinner the other night and (b) really expensive, okay? So if we can keep track of the licenses, it's incredibly helpful.

Now SPDX is 2.4 right now, and I'm probably saying that wrong, but they're moving to version 3, and version 3 has plug-in capabilities. So it's going to be not just what the software is, not just the license for the software, but there are also going to be things like the vulnerabilities affiliated with that software, associated with that piece of software, that library, that whatever. It's going to be compliance. We're actually... the working group that I'm starting is actually working with the SPDX 3.0 project to build out a bill of materials for compliance, for CBOMs, and it's fascinating that that is the case. So SPDX is an ISO standard, it's a Linux Foundation project, there's hundreds of people working on it, and it's effectively a system of tuples. So if you're familiar with data and name-value pairs, that's all it really is, and I'll show you how they work in a minute.

There's also some companies that are working on it. DBOM is the Distributed Bill of Materials; that's a Unisys product, and if you know Chris Blask, he was heavily affiliated with that. He left Unisys a little while ago, a few months ago I think, but the DBOM is a blockchain-based system where they have their own little sort of mini internet, and you can transfer SBOMs back and forth securely across the DBOM network. Kind of cool. Secure, who is one of the sponsors of BSides Delaware 2021, is building out a system to do federated trust, where you can allow people access to information while still controlling it. And so that's kind of the idea of transferring SBOMs back and forth, so Secure is helping with that as well. And then there's Binary Beacon; I won't talk about that right now. That's actually a company that's in stealth that I'm involved with.

All right, so there's... this, by the way, is... and there's Cybeats, which Chris Blask is now at. I just found out about them. This is really cool. If a company gives you an SBOM for their software, how do you know it's right? Like, how do you know what's right? What if they're like, oh no, no, no, we use OpenSSL, isn't Heartbleed there? I'm making it up, you know, like it's fixed now, but: we use the vulnerable version of OpenSSL and we can't update; that should not be in our SBOM, let's not... Cybeats actually generates SBOMs off of the binaries, so you can check the one they give you and the one that Cybeats gives you and go, yeah, no, it's not cool, let's sit down and talk. Okay, it's fascinating stuff. Like, this is a whole universe of information that's opening up, but we'll get to that.

Let me go into a little bit more about what they are. By the way, there's the SPDX ISO standard, it's ISO 5962:2021. If you want some examples, there's a GitHub link, and this I just wanted to show: the name-value pairs. Okay, this is a very simple, stupid SPDX document. It basically comes across as documents, JSON documents; you can even do it in text, as I have it here. It's just a name-value pair: SPDXVersion 2.1, DataLicense CC0, PackageName foo, okay, the other one would be bar of course, PackageOriginator, et cetera, et cetera, et cetera. And this came out of their GitHub, the SPDX tutorial right there. Most of these SBOMs, and BOMs in general, are name-value pairs. Oh, so I can transfer them using JSON, easy API, no problem. Any kind of document management system? Absolutely. How secure does it have to be? Oh, we'll talk about that in a second. But realistically, and by the way, all of the different standards are very similar. I know SPDX, I work with it, I'm a member of the project, so this is what I use, but they're all very similar: name-value pairs, tuples is what they're called. It's easy. I mean, if you know JSON, like, duh, okay? And it makes it so simple to work with. We have a set of fields and we have values. Now there are ORs and ANDs and some boolean operators and things like that, because you can have a piece of software that might be under two or three different licenses, so maybe there's some ORs in there: for a particular piece of software you might be under any of these licenses, we don't know unless we manually select. So there are some things that are not just a straight-up tuple, okay, just to be clear, but it's straight-up boolean operators, it's not that strange, if that makes sense. You can script things about this quite easily, and building modules and plugins to extract or enrich information from these, well, that shouldn't be a problem. It's really designed to be very simple to work with. SPDX has spent a lot of time... I will tell you that the tech mailing list for SPDX, wow, we talk edge cases so much it's not even funny. And the reason is, we want to make sure that we're as flexible as possible while still remaining very powerful, okay, and that it's easy to work with. I can't tell you the amount of discussions that go across that mailing list that are mind-bogglingly nitpicky, to make sure that we've ironed out all the wrinkles. It's not all nitpicking, I mean, there's lovely people, but anyway.

So, like, okay, Josh, you've explained SBOMs, you've explained bills of materials, you've explained how they work and what they do and why people use them. Why do I care as a... pick your infosec topic? All right, let's talk about red teams. If you have an SBOM from a company, you have every library, you have every vulnerability, you have literally entire 100% coverage passive recon. That's it. Done. Next.
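As an added example (not from the talk and not SPDX project code): the tag-value format described a few paragraphs back, parsed into per-package name-value pairs and put to two of the defender-side uses the talk mentions, a license-policy check that honours the OR and AND license operators (OR: the consumer may pick any approved branch; AND: every branch must be approved) and a lookup of package versions against a list of versions the defender has flagged. The sample SBOM, the approved-license set and the known-bad table are all constructed.

```python
"""Parse a minimal SPDX 2.x tag-value document and run two defender-side checks.
Added example: the sample SBOM, the approved-license set and the known-bad
version table below are constructed for illustration, not real data."""
import re
from typing import Dict, List, Optional, Set

# Constructed tag-value SBOM, shaped like the SPDX tutorial example.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
PackageName: foo
PackageVersion: 1.4.2
PackageLicenseConcluded: MIT
PackageName: bar
PackageVersion: 0.9.1
PackageLicenseConcluded: (GPL-2.0-only OR Apache-2.0)
PackageName: baz
PackageVersion: 2.0.0
PackageLicenseConcluded: (GPL-3.0-only AND LGPL-2.1-only)
"""
# Constructed policy: licenses legal has approved, and flagged versions per package.
APPROVED: Set[str] = {"MIT", "Apache-2.0", "BSD-3-Clause", "LGPL-2.1-only"}
KNOWN_BAD: Dict[str, Set[str]] = {"bar": {"0.9.1"}, "foo": {"1.3.0"}}

_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.+\-]+")  # parens, license ids, AND, OR


def parse_tag_value(text: str) -> List[Dict[str, str]]:
    """One dict of name-value pairs per package: each PackageName tag opens a new
    package, and document-level tags before the first package are skipped."""
    packages: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            current[tag] = value
    return packages


def license_allowed(expression: str, approved: Set[str]) -> bool:
    """Evaluate an SPDX license expression against an approved set.
    or_expr := and_expr ("OR" and_expr)*; and_expr := factor ("AND" factor)*;
    factor := "(" or_expr ")" | LICENSE.  OR lets the consumer pick a branch, so
    one approved branch is enough; AND means every branch must be approved."""
    tokens = _TOKEN.findall(expression)
    pos = 0

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]  # IndexError on a truncated expression

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def or_expr() -> bool:
        result = and_expr()
        while peek() == "OR":
            take()
            rhs = and_expr()  # always evaluated so its tokens are consumed
            result = result or rhs
        return result

    def and_expr() -> bool:
        result = factor()
        while peek() == "AND":
            take()
            rhs = factor()
            result = result and rhs
        return result

    def factor() -> bool:
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expression)
            return inner
        return tok in approved  # NOASSERTION / NONE are never approved

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expression)
    return result


def audit(text: str, approved: Set[str], known_bad: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {package: [findings]} for every package that fails either check."""
    findings: Dict[str, List[str]] = {}
    for pkg in parse_tag_value(text):
        name, version = pkg["PackageName"], pkg.get("PackageVersion", "")
        expr = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        problems = []
        if not license_allowed(expr, approved):
            problems.append("license not approved: " + expr)
        if version in known_bad.get(name, set()):
            problems.append("flagged version: " + version)
        if problems:
            findings[name] = problems
    return findings
```

Running `audit(SAMPLE_SPDX, APPROVED, KNOWN_BAD)` flags `bar` for its version and `baz` for its AND-combined GPL license, while `foo` passes both checks.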
you now know exactly which vulnerabilities to give it a shot with because you know everything they're using in this piece of software or this software library that they have okay libraries of software i should say you can do full passive recon by the way this is why we control s-bombs pretty carefully okay if you have a compliance bill of materials a c-bomb we're just gonna change that you've got all their compensating controls laid out you've got every measurement every metric you've got all their security controls their compliance controls you got it all man if you can't be a red team or when somebody hands you their freaking playbook you got problems okay and and conversely
conversely if you as a blue teamer look at that and go i could break it in ten minutes we got things to work on now don't we okay so for a red teamer this is an incredible reconnaissance opportunity this is an incredible piece or set of information that you can use to really really really do recon that's just clean i mean clean recon they don't even know you're looking at their stuff because you're not even looking at their stuff you're looking at the documents about their stuff okay this is a way to understand not just probe probe oh look it got through oh crap we got blocked all right probe probe probe oh that one got through
to line up all the holes in the swiss cheese to chain exploits together this is your best friend okay oh that means we should never do s-bombs because they're dangerous no that would that would that would say something like we should ever use a lot because people can pick them you know it's like no this is an incredibly useful thing let's go a little farther a blue teamer cares about this because we've got a centralized location for listing all of the potential volumes and no it's not i can run nurses and get the same thing no no you can't because nasa scans programs but it doesn't know every library that's inside of them it doesn't it knows what
vulnerabilities have been found it doesn't know what vulnerabilities are sitting waiting like a snake coiled up in a package that's a horrible vision where did that come from dear god it's hanging out with you rando um it probably came from that stupid bagel you posted earlier that's true we'll show that that's a very inside back back office joke but we'll talk about that i had a ques i have a question right now do you want to field it right now go for it man what's up as so you had just mentioned which which occurred to me briefly about it being weaponized and things like that could could an s-bomb or something like this also be used so we had a great table top
thing earlier from kelly uh at uh yeah well i was trying to think of her as at gwydon yeah um lawyer right uh in in the law could you then use this in a legal sense if you say provide us with an s-bomb and they say here you go but like you mentioned earlier they intentionally left something out that they knew was in there something gets popped down the line and you say listen you sobs you gave us this s-bomb but you intentionally left it out oh totally and here's the thing it is it is making companies responsible and and and uh what's the word like like uh you're holding them accountable thank you they're
accountable to what thank you so much they're accountable to what they're saying you you're not they can't just go oh it's secure try again there's nothing that is secure okay there's nothing that is 100 secure and if anybody tells you that something it's 100 secure ask them how if they go well it's turned off crushed melted hit with a blowtorch and then at the bottom of mine shaft all right we're good other than that throw them out of your damn office okay because that's the truth but if somebody tells me here is all i can now give you a picture of your attack surface i can work with information i can't work when you're just giving me vague
assurances that have nothing behind them okay and so if you go hey i need the s-bomb for the software you're selling us and by the way as per an executive order from may i think may of this year uh every piece of software that the federal government buys must have an s-bom affiliated with it that's a lot of software everybody because if you look at a gsa schedule that's the schedule of everything that is offered to the government it's like four million pages long okay so basically every piece of software out there pretty close now has s bombs or we'll have s bombs in the next say year okay which means that as buyers we can request those s-bombs
when those s-bombs are given to us if those best bombs are accurate correct up-to-date proper and it shows that the software and the chunks of software in the libraries are up to date proper et cetera patched blah blah blah hey that just increased my confidence in the manufacture and the company didn't it if it shows that there's problems we need to talk and if god forbid something happens and that s-bomb was a lie like like you said oh liability just came off me it's not my fault it's their fault they lied so the manufacturers of software that provide inaccurate s-bombs yeah your cyber insurance has got to be very very high because remember you didn't manufacture
it for me you manufacture it for your thousand clients ten thousand clients hundred thousand clients and as soon as my s-bomb is wrong and i got popped from it do you know what that's called that's called a supply chain attack children can you say supply chain attack i knew you're good because as soon as i get popped your 999 other clients are going to get popped about three minutes later and then your company's going out of business so but if you provide proper s-bombs even if they get popped you have some defensibility you are open and honest about the attack surface okay as well think of it this way if you provide a proper s-bomb
your nine thousand ten thousand clients whatever it is somebody's gonna go hey i think there's a problem here or they're gonna have a pen test with a proper pen test company who's gonna say there's a problem here the s-bomb shows it we were able to exploit it here's how guess what you're gonna be able to patch it and then issue an updated s-bomb and life is good use your customer base to actually improve your software i know crazy thought right okay if you don't you're not gonna be able to do that so i i hope that answered your question i hope i didn't go too far i tend to rant about that no no and the fact that
you were able to put that very positive spin on it at the end that's one of the reasons i love hearing you talk like wouldn't that be nice somebody using all of these things for a good purpose and working together and full disclosure and and all of this and i was like ah that would be nice and you know what in a proper environment where we weren't hiding everything for fear of somebody finding out that's what would happen and that's and it's interesting and i know i'm going a little off topic forgive me but that the open source model the open source model is here's my code if you find something that's screwed up let me know or fix it yourself
and if you fix it and do a good job i'll merge it in and list you as a as a contributor okay and and life is good and yes there are problems open ssl heartbleed i know and and there's you know ridiculous amounts of problems and if you know uh zero if you're listening you know pen two has problems all the time no i'm just kidding but uh no but the point is if you find a problem the people that are responsible fix the damn problems and that's one of the reasons i love the open source community they know there's problems they're not going oh we're perfect they're like oh if you spot something let me know i'm not perfect i may not
have seen everything that's the attitude i wish more software manufacturers had okay and and look let's be honest how many commercial products out there have open source code badly hidden at its core okay oh let's take this open source code and put a wrapper on it and sell it for 14 gazillion dollars that's not cool dude i mean it's fine but as long as you contribute back as long as you are part of the community and this will force people to be parts of the community that they're taking from i like that as well this this provides if done properly this model this idea this s-bomb and bill of materials provides the incentive to actually
become an actual community with closed source and open source and to help each other out i love that i'm a big fan of community so we'll see what happens anyway like i said you know the federal government if they get a bad s-bomb i think they're going to come down well the false claims act i think it is would would cover them there and they would they would take that company and well they'd take him out behind the woodshed and beat him okay that would be not cool all right that that that would be old yeller moment or whatever you know um because you just don't do that that's not cool all right uh so blue team
So red team loves passive recon. I mean, come on, what red teamer doesn't love, "Here's information about your target, you don't even have to send a packet their way"? But for blue team, asset management for software. Oh my God, I actually know all the software packages we run and all of the sub-packages and libraries and chunks of code. I can have a... I can has list. Okay, you now have a list of everything you're running, all right, and versions and everything else. All right, great. "Oh, wow, that's way out of date." "Well, we don't maintain that. That's part of a package, an application that we get from vendor Y." "All right, Jimmy, call vendor Y, tell them update it or it's coming off our network, or we're going to segment it off into something." "Well, no, it needs 15 different connections." "Then they better get their ass in gear and patch it, shouldn't they? Not my problem." It gives you ammunition as a defender to say that piece of software is outdated, it doesn't meet our standards. Compliance, compliance, like, lock it off. It doesn't meet our standards, segment it. It goes in the same network segment that the WinXP computers are still in. Okay, because you've got three of those. No, no, really, you do. You didn't know that? Yeah, they're down in the basement. The generators and some of the, you know, the badging systems use those. The security and facilities people. I'm joking. Please don't have Windows XP. It's not cool. But segment them off if you have them.

And all of the metrics for security and compliance are in one place. Why? Well, if you have a CBOM, a compliance bill of materials, you not only have the controls, you have the results, you have the artifacts. So I can look up my pen test from 10 years ago, five years ago, three years ago, and I can see if we're getting better, I can see if we're getting worse. I don't have to manually compare them. It's all done as part of the bills of materials and the system that they're held in. Oh, that's kind of cool. Isn't that nice? I can tell what's happening.

And for executives and managers, you know, for the procurement management, for the compliance and security, you get centralized locations to see your assets. Procurement loves that. "Oh, we've already bought that. We already bought this." "Yeah, it was for this other division." "Oh, hey, if we expand the license, it's half the cost of buying a new license." "We don't care, that sounds good to us." Okay, great. Procurement loves this idea. Compliance and security see all the scores, all the artifacts, all the metrics, all the everything in one place. How do we need to spend our budget? Well, look, we found we've got this class, you know, a cluster of vulnerabilities. Is there a name for a group of vulnerabilities? Like a murder of crows or, you know, a gaggle of hackers? We need to come up with a name for that. Sorry, I just thought of that. Anyway, so we all of a sudden have this cluster of vulnerabilities the last six months, and it's all roughly the same thing. It's all about these two applications that we use for manufacturing. Well, guess what? We best spend our budget in segmenting off our factory floor. We best spend our budget in pressuring the manufacturer to update them. We best spend our budget, like, it helps you understand where to spend your budget. This is incredibly useful.

"Well, I'm a hacker, I don't care about that." Yes, you do. If you don't care about where the budget is spent, you're not hacking. "What do you mean?" No, no, seriously, if you don't care about where the budget is spent, you're not hacking, because part of that budget is your salary. So you may be a hacker, but you're not getting paid to hack by that company if the budget goes the wrong way, let's be clear. And if you want to pay your mortgage, you probably should care. "Well, yeah, but I mean, I get paid no matter what." Not if the budget goes to all automated tools. So this is actually relevant, you know. And if you're a blue teamer, "Well, yeah, but I mean, I just use what they give me." Yeah, but don't you want influence on what they give you? Don't you want to tell them, "Hey, the tools that we need are these class of tools. I don't care which kind, you know, I don't care which one you get. I would recommend these or these or these, but the classes of tools that we need, these, the class of tools that we need to do our job better." "Prove it." "Let me prove it. Show me." I'm trying to give people the tools that they need to justify the budget to do their job. That's what this is all about. Okay.
Now, we talked about protecting them, the bills of materials. Should you? Yeah, hell yeah. Your red team report, your pen test report, do you just give that out on the corner? No. I mean, I know Rando does, but most people don't. Okay, I'm just kidding. I open up my trench coat and say, "Look what I got." It's not the free candy van, it's the free pen test report man. Kids. Okay, so, and there's might here, so you give them out, but you come out with an NDA, part of your customer agreement. It's, "Here's an NDA," or some protective language. Let your legal deal with that. But you've signed it? Great, here's your BOM. Okay, you don't just hand them out or have them manually, or sorry, automatically available on the website. You literally hand them out as you would a SOC 2 or a red team report, with an NDA, under proper protective legal measures. Okay.

How else can they be secured? Well, I mentioned DBOM. Unisys is working on this system to do it under blockchain, so it's secure. Secure talked yesterday. You can encrypt it. Okay, encrypt it, because encryption is perfect until the quantum encryption wavicles of doom show up. Okay, that was a joke, relax. "Actually, you just used a word called wavicles. Yeah, is that an actual word?" I believe. "Why?" Okay, there's particles, there's waves, and then somebody came up with wavicle a while back. "It sounded like you made it up. I'm just wondering." I honestly could have. I thought I read it somewhere, but I was doing this presentation about two hours ago, so I could have totally made it up. I don't know. Anyway, I didn't really give myself time to write this. Anyway, but you know, you can encrypt it, you can lock it down in a blockchain, you have legal cover, NDA, the legal paperwork, that kind of thing. But you have to secure the BOMs. You just don't hand them out, just to be clear.

So as a red teamer, how do you get them? Well, normally as a red teamer you go, "Look, assume that there's insider threat. Give me a BOM." Okay. As a blue teamer, you should have access to every BOM from every manufacturer you get software from. And I don't care whether it's SaaS, whether it's PaaS, IaaS, I don't care. I don't care if it's shrink wrap. I don't give a crap whatever you're using. Because even in a... people like, "Well, PaaS and IaaS, you're not actually getting software. You're installing your own stuff in the infrastructure that they give you." You're right, except that, how about the audit and control and management plane and everything else? I want BOMs on every piece of software my company interacts with. Period. End of story. Next. Okay, so, oh, we've got somebody joining us. If you have any questions, just unmute and pipe up. Totally cool.

So, how do I get that? Well, as a blue teamer, I should be going, "Hey, compliance, procurement, procurement especially, do me a favor. I want BOMs from everybody we talk to, every piece of hardware we get or install, like those lighting fixtures, for every piece of software we buy." For all of our compliance we should be generating CBOMs, all that, got all security, same thing. Okay, and we should be locking them down. They're not right on the public website. Okay.

How is this going to happen? How is this actually going to spread? Well, I mentioned the executive order. Okay, that was back in May, if I remember correctly. Every single piece of software... that was the same one as, if you remember, the one everybody got all freaked out about, zero trust. That's that same executive order. Okay, and every piece of software that goes to the federal government is going to have an SBOM. I think it's within the next year. I'd have to check with Allan Friedman, that's a check. But if you've got a piece of software that the federal government also buys, which is most of them, just ask for the BOM. If they refuse to give it to you, go away. Why? "What do you mean, why?" Why are you not giving it to me? Okay, so you as buyers putting pressure
on manufacturers is definitely going to be a piece of how this happens. But along the way, the Linux Foundation, which runs the SPDX project; MITRE, which is building a supply chain security initiative and is on the SPDX project. Dr. Bob Martin is an awesome, awesome, awesome dude. I can't tell you how awesome he is. He's so freaking smart. Like, I love hanging out with him because I learn every time I talk to that dude. The SPDX project, the SPDX official podcast, which is something that I'm doing, and we're putting episodes in the can now, we'll be starting to put them out in another couple of weeks. Risk Adversity, which is the podcast of the RM-ISAO, the nonprofit I started, we're also putting those in the can and we're going to be putting those out in the next few weeks, because you want to give a backlog, because otherwise... having a buffer is great, because otherwise you can't do this thing called "take a vacation," right, Danny? "And I'm sorry, I don't understand that word. What is that word? Time? Is it Dutch? I don't understand that." Don't even get me started.

But there's a lot of groups and companies, and there's an unnamed... I actually named them earlier, Binary Beacon, but that's still in stealth mode. There's other companies. Secure is helping with some of the BOM stuff. There's a lot of groups and non-profits and organizations out there helping and going and working very hard to make it happen for various reasons. The ISAO is working to make BOMs happen because we think being able to sort of collect your compliance information in one spot is going to be great for the SMB market. Why? Because the SMB market subcontracts to larger companies, and if you can just go, "I've already collected that," thunk, "I don't need to fill out your damned questionnaire." Because how many SMBs have time, manpower, person power, to fill out all the questionnaires? Oh my God, they're a nightmare. 400 questions later, you're like, "Great." "Well, now you can join our prime association. Here's the questionnaire for that." Kill me now. Okay, so if I have CBOMs, compliance BOMs, "Here, I'm done. Next. I'm not filling out your questionnaire. Here's all the information you could possibly need. Have a nice day." Okay, so the RM-ISAO, my non-profit, is designed to help small and medium businesses become and successfully stay federal contractors and contractors to other larger businesses. So that's why we're involved with this. And all the rest of them, I think I've gone over those.

And then of course there's the wonderful thing of how can you help, join up, help, volunteer, where? Well, there's the SPDX project. They're always looking for people to really explore the edge cases of software, and we're going to be starting a working group there for CBOMs, because, Rando, actually you convinced me, CBOM is better. But we're going to be starting a working group there to help to work with CBOMs and building out the structure and all the fields, because we need all the fields for a CBOM. I mentioned the name-value pairs. Well, those fields, those field names, we need to come up with an entire set of those for compliance, an entire set of them for security, and a complete set. How would you build a complete set of fields for security? I'm really curious, because I'm
starting to do it. I'd love your help. Okay, so tell me what interests you and I'll tell you where to go to help. Honest, not a problem, happy to give you that information. And if you want to do that, just yell. There's my Twitter handle and there's an email address that reaches me. And I guess we'll stop here and go questions. Hold on, I gotta change one thing real quick.

"So while I went, I didn't see any questions right now, but I did take it upon myself to go on Twitter, and you had asked, do we have a name for a group of vulnerabilities? And I have answers for you." Oh, really? Oh my God, seriously, go. "Hold on, let's go." Oh, wow, there's some really good... I was literally on the spur of the moment. I had not... just like, we don't have a name for that, do we? "So we have from Viking Sec, a dumpster fire of vulnerabilities. We have the obvious ones." Okay, like, we do have the obvious ones. "Well, Greg Young says, 'I believe the collective noun is a show of vulnerabilities.' Safe Sex says, 'Can we call it a fleet?'" I say fleet, a fleet of vulnerabilities. I don't know, Escape, that's a Fleet enema, that's what they're talking about. "A skid, as in a skid of zero days." I like that. "The collective noun for vulns is a quilt or patchwork." That's actually really good. "I like this one from Adam Orton, an opportunity. Winchester says opportunity, opportunities. A brace, I guess as in brace yourself." Yeah. "Well, no." No, it's an old word for two. I shot two rabbits, you shot a brace of rabbits. "Oh, okay." Literally what that means. Sorry. "Good. And I think this one might win, from Barry Dorrans, who is always funny: what would we call a group of vulnerabilities? An NSO Group." Right, but that's very timely, and therefore it'll age, whereas not if you make it a thing. It'll never age out if you institute it. "So I think we should have an NSO of vulnerabilities." Yeah. "And of course, the go-to, a cluster-F, is something that somebody else said." I like an opportunity, and an NSO Group is what I... I have to admit, a dumpster fire of vulnerabilities. "Dumpsters. But we use dumpster fire for everything." Even though, I know, I know, I know, that's the only reason I would be like, yeah, because we just... it's so overused. But let me check in the chat. "Opportunity of vulns, that is good." I do like that. "Yeah, opportunity of vulns. Xenophage, I don't know who the hell that is, said a group of vulnerabilities, isn't that an 'oh' moment? That's all one word, 'ohmoment'. An OSM, no, SM, an 'osmo', you know, with some of the vulns." I really like opportunity. I'm really leaning towards opportunity. I think we'll have to put that out there on Twitter as a poll, you know, like pick two or three of them and then put it out there as a poll. "You should do. There we go." That's okay, I will do that.

"But other than that, I don't see a whole lot of other questions. We did have somebody join us and they left, yes, in the chat. Although I do really like this version of giving virtual talks, to put it in like a classroom situation so we can..." I would enjoy this much more than just... "Trevor Bryant says, 'Adobe gonna call it Click Flash, a flash of vulns.'" A flash, oh, okay, that's definitely gonna be in the poll later. "All right, well, I'm gonna keep running that. Like I said, I don't have any other questions, but as always, besides Quadling, of course, being one of the organizers, he knows these rules, he's gonna be wandering around in the Q&A channel later if you have any questions for him. And again, give us all your ideas of what we call a group of vulnerabilities. Next, who do we have next? Next up we have, I gotta look at my list, I'm not usually talking right now, 'A Software Security Engineering: Learning from the Past to Fix the Future.' That is up next at 3 p.m. And Quadling, thank you, sir." Absolute pleasure. Thank you so much. I hope this was useful and interesting, at the very least interesting, to people. I really think this is the future in a lot of ways, and I think it's going to change how we see reconnaissance to a certain extent and how we deal with manufacturers of software. And I think that's fat. And vendors of compliance and security tools, they better be able to provide me with the chunk of CBOM that I need from them for my usage. And I think that's going to provide a lot more power back to the customers.