
We've got Allan here; he's going to entertain us for the next 55 minutes. Oh God. All right, just want to shout out to our sponsors here, for those under new: Critical Stack, Vail Mel, can't do it without them; Amazon, BlackBerry, the National Security Agency, Cylance, Microsoft, Robinhood, Secure Code Warrior, and Paranoids. Again, from a sponsorship perspective we can't do it without them. If you want to sponsor, please feel free to talk to somebody and we'll definitely get you on board. We also have events that are over there at the decal next door; make sure you're going there. But, no further ado... the amazing... not even a little further ado. All right, so
uh, this is an image that my wife made for me last year; it's water on the floor now, that I just wanted to put up. Well, let me give you some background here, which is: software bill of materials is not a new idea. In fact, academically we've seen it going back into the mid '90s. But it's also one of those great stories where some of those pesky security activists got involved in Washington a couple of years ago and started poking and suggesting, and it went out there, it just got out into the world by these pesky security activists. And then there was some pushback, the time wasn't ripe, but eventually we managed to sort of start this ball rolling. And so really all this work comes because of the hard work of folks in the Cavalry, in particular Josh and Beau as well. This is an idea that came from there. You know, if I can see far, it's because I've stolen my ideas from my friends and put them in a fancy government suit and, you know, made them happen in Washington, or tried to make them happen.

So I'll tell you a little bit today about this crazy SBOM idea. Who is familiar with the term "software bill of materials"? So we're going to dive into it; it sounds like most of you are familiar with it. I'm going to give you an update on how this process that's been happening at the Department of Commerce has been going, and what's going to come next. But what I'd like to do is make sure that there's a chance that we can actually talk as a community around how we can continue to make progress, because this is the sort of thing where we've got some inertia, but it's going to require a lot of buy-in. It's going to require a lot of ambassadors: people who can go out into their sector, into their corner, into their open-source dev community and say, hey, this is change that we need, because this is only going to work if we all work together.

So this is a Mercedes S-Class. Even a 2013 Mercedes S-Class is probably outside the price range of a humble government worker, but that's not why I put that on the screen. I put that on the screen because one of my favorite tweets is from Mudge, who observed that if you bought this Mercedes S-Class, your brand-new car came with libtiff, one of the most vulnerable libraries out there; netcat, oh look, we can move around the network; pcap, oh look, we can exfil whatever we want. So your brand-new Mercedes, the punchline Mudge set us up for, came pre-owned. I said pre-pwned. I don't think this is on. All right, this gives you an idea of the importance of knowing, quite literally, what's under the hood.

But I want to start with another motivating story as well. A lot of people think that the most important story in security last week, the one that got all the headlines, was the Capital One breach. We're seeing a little more attention in Washington around protecting data, and that's great, but I'm going to push back and say there was a far more important security story last week that didn't get nearly as much attention. And I'm not talking about the fact that John McAfee is no longer in prison. Anyone know that logo? Sorry, that logo. Thank you. Look ma, no hands. Yes, in the back: VxWorks, made by a lovely company called Wind River. What is VxWorks? Gentleman in the back: just about everything you touch. Anyone in the satellite world? Pretty much every satellite comlink uses that to run their control chain. Medical devices, anyone in the medical device world? A lot of that stuff. Industrial control systems. This stuff is everywhere, and very few people are aware that they have it on their systems, and that gets us to the core of what SBOM is about.

So, important question: it's the middle of the afternoon, should you pay attention to this talk or is it time to get a snack? So I'm going to talk a little bit about transparency, right. I'm not coming to this... I'm from the Department of Commerce, we're filthy capitalists, we want markets to work. So we're not coming at this to say, hey, please do this to make the world better. No, this is about making markets function better. We're going to talk about some of the different perspectives; this is a supply chain issue. It's going to answer the question, hey, if this is so obvious, why aren't we doing this already? I'm going to tell you about a project that a number of you are already involved in that the US government has been convening, and then we're going to talk about where we can go next, and hopefully you can give us some better ideas.

So, some analogies. Every piece of candy that you buy in the grocery store today has a list of ingredients. Now, if you're like me, maybe you ignore it until there's someone in your life who's got a food restriction or food allergy, and then it's really important that that data is available and accessible in a way that you can use it. So this is not something that's magical; we've dealt with this. This has been part of... it didn't destroy food; people were still able to make food, including things with all sorts of secret ingredients that we can't pronounce. The market works even better because of this. But it's not just in the consumer space. If you run a factory and you get a pallet of 50-gallon drums, each of those is going to come with what's called a safety data sheet. That's an ISO standard, it's used around the world, that says this is what's in the barrel; oh, if you accidentally dunk your foot in it or you spill a bunch on some of your pesky workers, it gives you the information that you need to understand what you're putting in your factory. So it works in the commercial space as well.

And in fact the term "software bill of materials" is based on the idea of a bill of materials, one of the oldest concepts in modern manufacturing: the notion that, hey, before you design a product you need to list all the parts that you're going to need so you can understand what's coming into your factory when, and when you deliver a product you give your customer a bill of materials. If you go out and buy a 10-ton diesel generator today, the person who makes that is going to give you a list of every nut and every bolt so that you can understand your costs and your responsibilities. Now, if you buy that generator today, chances are that generator is going to be connected to the Internet, and that's where the transparency ends, because today we're not sharing what is the software that, by the way, is having this really important... part of my resiliency plan, my big generator, means I'm planning to keep my dairy farm running in a power outage. So what are the risks if someone can come
in and tamper with it? Are we using the freshest ingredients, or are we using stuff that is spoiled and going to put you and yours at risk?

So why don't we do this for software today? Um, here's one reason. Oops, sorry, lost some slides. Okay, so, supply chain. Part of this has to be built around the idea that this isn't just something that is one party's responsibility. Software isn't hewn out of alabaster marble by tonsured monks on Greek islands, right; it's written by people who are, even when they're really good, a little lazy. One of the fundamental principles of designing software is code reuse. We have small libraries that are used in bigger libraries that are used in bigger-still components that are then maybe used by other manufacturers who are making things. So this is a lovely design that was designed by someone in this room, because I think it really captures, hey, there's this whole flow to say it goes into this final item that we're shipping, and then it gets used by someone. And it's important to understand, if we're thinking about our supply chain for software, how everyone along that chain both gets value from understanding transparency and also needs to communicate, has an obligation for it.

So Josh is a fan of citing Deming. Deming was one of the pioneers of thinking about supply chain, and Josh will tell you that Deming says good supply chain management is: your supplier selection, who am I buying from, who am I getting my stuff from; supply selection, with this person, when I get their catalog, I'm looking through, do I have the best stuff that I buy; and then finally, how do I make sure that the stuff that is coming in is still high quality. And that's a very powerful metaphor. The community has sort of taken this and said we're going to start with that, but we're going to actually look at three different perspectives: there are the folks that produce software, there are the folks that choose software, and then the folks that operate or maintain software. Now, a couple of key points here, going back to our supply chain issue: most people actually are doing more than one of these, right. These are hats that we all wear; you're both selecting things and maintaining things as you move down the supply chain.

So one of the things that some of the participants... and I'll dive more into the process in a little bit, but what I like about this is we've used use cases to say what are the different approaches for producing software. And one of them, the one that we all know and talk about, is the idea that I can monitor for vulnerabilities. If I'm writing software, what am I actually producing? Can I make sure that I'm using the best components? Dirty little secret: I don't think that many companies around the world today can honestly say, for everything that they're producing in software, that they know about all the vulnerabilities that are leaving their things, certainly not on a single pane of glass. But one of the things that I love about this approach of thinking about the supply chain is that it's not just about the vulnerabilities; it makes it easier and cheaper to actually produce code. There have been a bunch of reports of different types of products from, uh, global brand names, and one thing that you see over and over again is a single product will ship with four, five, seven different versions of the same goddamn library, because there was no way to think about how they were using it. So it's not just a security issue, it's an efficiency issue, it's a code bloat issue; you can better manage your code bloat. License obligations: I'm going to talk about licenses a little bit later, but this is something that you need to know about today. And also, by the way, one of the great values of an SBOM for producers: by the way, you can give it to your customers. Today I'm going to argue it's a market feature; tomorrow, and the Department of Commerce is a fan of this, it might be required by a regulator. We love our regulators.

So, producing software, but also choosing software. This is not just people who buy software, but people who are selecting different open-source approaches, so we use the term "choose" because again it's a big, diverse software world. And again, there are a bunch of different values that you get from transparency. I'm happy to dive into this, and there are some documents on the web today, beginning with the first draft of this. But again, I can look at two pieces of software and say this one has lots of vulnerabilities, this one doesn't. Do you think that should enter into your calculations? Will it completely determine them? Maybe not, but it's going to start having that conversation. One of the things we've learned is that there's a major hospital, one of the best hospitals in the world, that today already asks for an SBOM, and they'll get that SBOM from the medical device manufacturer, and maybe it will have vulnerabilities. Now, what they can't do today is say we're going to cancel the sale, because the doctor really wants this to save lives, right; after all, this is about saving lives, about patient health. But what they can do is they can say we're going to have a conversation between our security team and the product security team so that we understand exactly what are the risks that we're putting on our network. Do you think that conversation happens in a day? It does not. It can take one quarter, two quarters, three quarters. Anyone here ship products? All right, what does it mean when we find out that your big sale is delayed by three quarters? That actually starts to get to your bottom line in a big way.

End-of-life awareness is another thing that we don't think about enough. All of these components have certain approaches to thinking about support, and not just the famous Windows example; there are lots, when you enter the device world, there are lots of things that are built to say, oh well, we're based on single-threaded processors. Well, what happens when we stop using single-threaded processors? Are you still going to believe that library? So you can start to have this conversation about the lifetime of it. And of course there's real help for operating software. Again, vulnerabilities: you can't defend what you don't know about. If you don't know that you have VxWorks on your network, you can't begin to think about how you're going to defend it. But the other lovely approach is, hey, there's a few things you can do other than waiting for a patch, right. A modern organization can do network segmentation, you can tune your IDS; there's a lot of things you can say where, you know, I don't know if I'm vulnerable or not, but it's still a risk, it's still a potential threat, so I can make an intelligent decision about how I'm going to try to defend myself.

So now we get to the fair question of why
aren't we doing this? Gosh, Allan, that sounds great, why aren't we doing this? Here's one answer. Anyone know who that is? That's Richard Stallman. Richard Stallman is a fantastic man; he has done an amazing amount for the field of software engineering, for how we understand software as a culture. For those who don't know, he's the founder of the Free Software Foundation, he is the GNU in GNU/Linux, he created something called the GPL, the general-purpose license. The general-purpose license is an open-source license that says if you use any GPL software in a project... I'm getting side-eye from the lawyer, so I'll try to be precise: if you use GPL code in a piece of software, that piece of software now falls under the GPL license. Fair? The non-lawyer... oh yeah, thank you. So I don't want to bad-mouth Stallman. What I want to point out is that this is an incredible risk for commercial software vendors. If you're using code that's under that license, you're at risk for basically having failed to comply with license requirements, and chances are you may have to buy him another house, or his foundation a third retreat site. Up until a few years ago, I don't know how many American companies could honestly say that they weren't shipping any GPL'd software, and in fact we know that there are major lawsuits that were settled by big tech companies even a couple of years ago. I would also argue that today, you know, that risk is something that every corporate compliance officer has built into their process. Every startup in the world, before they even think about exit, that's one of the questions that they're going to get asked. There are lots of tools that will help you look exactly for this; some of my friends have gotten quite wealthy because they wrote those tools. This is very popular.

So "it's hard" is another big reason. I was just at the FIRST conference, the Forum of Incident Response and Security Teams; it's about half CSIRTs, half PSIRTs. There were three different talks from three global tech giants all about how they were trying to, just inside their company, have a single dashboard that can help them track what versions were being used where. This isn't something, especially for giant companies, that we can do at the drop of a hat, and I want to make sure that I acknowledge that change is going to take a little while. What I love about this community is we're not willing to wait forever, and so that's what I want as you think through this.

But what's one of the other problems, that this is hard? Um, what company is that? That's Apache. So there's a major conglomeration of some of the 10 biggest tech companies in the world, and they decided to learn about their security processes; they wanted to figure out how much can we actually solve this issue of worrying about vulnerabilities. And so they said, well, let's start looking at names: what do you call this on your system? Well, these 10 companies that have been around for a long time, they've got really good security programs inside their own companies: five different names. Does your product use Sun Java or Oracle Java? Well, to a computer that's actually a big difference. So one of the things that we need to solve, and one reason why we haven't done this already, is naming is a very hard technical problem. We've done global naming exactly once in the entire history of the Internet: it's DNS, and it requires a giant global nonprofit and tens of millions of dollars a year to maintain. So it's not something we're going to solve just like that, but we're going to make some progress.

So this is starting to sound like a market failure, right. No one's asking for this because no one's providing it; no one provides it because no one asks for it. It's a classic chicken-and-egg problem. I am a mediocre engineer and a mediocre economist, so wearing my economist hat, when I see market failure I say, gosh, that sounds like a role for government. I also happen to work for government, so I'm happy to step in, because I think there is some real value that we can create here, right, helping to create a shared vision and helping all of us move together. So what are the traditional roles of government? Right, carrot and stick. I don't have a stick; Congress did not deign to give me any regulatory authority, and in general, like, the Commerce Department goes around saying yay free markets, because in general the country's done pretty well by them. So we don't regulate. We sometimes work with our friends the regulators, but we don't regulate. And no one bothered to give me any money at all, or a staff, so I can't pay people to do things. So if I can't beat people into submission and I can't bribe people into submission, what's the tool that we have? We've got this lovely term of the multi-stakeholder model, and if you kind of roll your eyes at this slide, I'm the guy who has to say this like 18 times a day, but I think there's some real value here. The vision behind the multi-stakeholder model is that we bring the right people to the room and say we don't care what the solution is, but we're all going to be better off if there is a solution, and as conveners we can help you identify that and move forward together. Now, anyone who's been involved in any government process, or indeed any standards process, knows that this isn't always easy, because the solution really ought to be, no no, we should do what I want. But the problem is, when you have a roomful of very smart people who all want slightly different things, you've got to do a little compromise. The analogy I like is getting a bunch of kids to the pool, right. No one wants to be the first person to jump into the pool. So again, traditional roles of government: we can bribe people to get in the pool, we can run around and shove kids into the pool, or we can say, hey, let's all hold hands, count, and jump together. So that is our kumbaya message of how we're doing it. What are we not doing? This is where
my CYA slide comes in. This is not regulation; happy to talk about some of the regulators waiting in the wings. This is not source code. Oh sure, the United States Department of Commerce does not believe in mandatory source code disclosure. And it's not a standards development process. Standards are the domain of my Commerce colleagues at the National Institute of Standards and Technology, or NIST, and they do great work. This is not a standards process.

So, some text that stakeholders have already developed. We've got the problem: supply chains are large, they're complex. One of the ways we can get a handle around it is understanding the composition. A solution can help transparency, and can really help, as I talked about, getting to the core of what are the issues, what are the vulnerabilities, what do we know about suspicious software, thinking about all the benefits that I've just talked about. The goals for our process start off by saying harmonize: let's find out what we're doing already and make sure that we're on the same page. Let's amplify what works and make it routine. Any fans of the theory of the firm? Organizations exist to turn complex thought into simple action, and so the goal is to say let's make this less of this big deal and make it something that just is ordinary, because at the end of the day this is something that really should be built into our muscle memory of how we make software, how we buy software, how we use software. And then of course we want to extend it and foster innovation. Think back to CVE, right. All CVE is, is a way of numbering vulnerabilities. Think about how many of those companies out on the Black Hat expo floor have a product that is dependent on that shared vision, the fact that we all use the same language to talk about vulnerabilities. Our vision is to say let's carry it a step further and think about components.

So we've made some progress. We started last summer; a year is pretty short in government time, and we've made some pretty amazing progress. Like, this used to be a revolutionary idea. I have a hunch that far fewer of you would have understood my t-shirt even a year ago. SBOM is not a new term for many of you, and I'm really happy about that. Where we've made progress: we're focusing on, to use one of my favorite terms from Josh, crawl, walk, run. Let's not get ahead of ourselves, let's focus on the basics, and also let's make sure that what we're setting up, we're setting up for an automatable solution. So there are four different tracks inside this. I'm going to give you a very brief summary of what they are: it's the what, the why, the how, and then "screw it, let's do it live."

So what is an SBOM? Turns out this was actually a little bit of a challenge. A whole bunch of smart people got into a room, and when it came down to actually whiteboarding what it was, realized we kind of have a vague vision, but we need to figure out which edge cases we're looking at, which ones we're ignoring. And so at its core, we wanted to start with the basics. At its core, an SBOM is about a software component, right. So here is a unit of software. You say, what is a unit of software? Well, it has an identity, and the goal here is to make sure that when I say I'm using this component, it can be sufficiently uniquely identifiable. So we talk about supplier, we talk about component name, we're talking about version number. Of course, hash is really helpful, because now I can validate that I'm using one from an approved repo; it's not some random thing that I downloaded that maybe got backdoored at the beginning. We don't use all of them because that's not going to be perfect. Remember I talked about names. Also, hashes are tricky, right: if I download a piece of software and maybe my organization has a thing where I put in a couple of comments saying "downloaded and entered in the repo by Allan Friedman," well, maybe I've changed the hash now. So we're still going to have an evolutionary process to make sure that we can identify them, but at its core, again, it's still a component that I can label.

It's a component in a relationship. So what's the core here? The relationship is "X includes Y." There are a lot of different relationships that we may want to ultimately get to. The benefit of starting with "includes" is now we're sort of freed from that both over-specified and under-specified term "depends on." "Includes" is top-down, so it's one-directional down our graph, and it allows us to be very specific, because even if you don't use the code, it's still present. And so that's why we're using the act of inclusion, because that's about the attack surface that we're focusing on. One real question is how many levels deep do I go in my tree? Ideally we want all the turtles all the way down. I had one person say, I want to know what's in my device down to the sand. It's a lovely vision, it's a lovely vision; I don't think we're going to get there yet. And in fact, if you insist on a very deep, complete SBOM from the start, you're going to impose a very high cost on early adopters, you're going to get a lot of pushback. So rather than going to all the turtles, our vision is to look at it from a recursive perspective: a minimum viable SBOM has my top-level includes. Now, if each of my upstream suppliers has a minimum viable SBOM, it will have their top-level includes, and so we can recurse our way down. The other thing we want to do is be clear about opacity: draw a distinction between "this has no inclusions" vs. "unknown," because it's important to know whether you are at the top of a potentially dark tree or you know for a fact that you're at a leaf in your tree, because now you can make a risk decision based on your tolerance. Say that this component that I don't know anything about is an operating system; I can go and get it from here, or, yeah, I trust that it's fine, it comes from this community and I know they do a good job, so I can put my attention, my scarce resources, someplace else.

So that's the what. Believe it or not, that actually took nine months to come up with, that basics, and there's still some more details working around that we're going to talk about, about who does what exactly. So for example, where do you sign things if we want more integrity in this? We're still working this out. Ideally we'll have drafts by September fifth, which is coming up awful soon. So why should we do it? Got the what; the why, I've already walked you through those three perspectives. Those came out of this working group that did a great job
actually interviewing people across the ecosystem, and I shamelessly stole this slide from that working group, because I think they wanted to say, hey, how are we using it, what works today, what could work, what probably won't work. And I think there's some real value there to sort of say that all of this is based on both very real perspectives. We have anecdotal data, right, it's qualitative; they were actually fairly structured interviews, and they have that perspective from these three different roles. So we can carry this to anyone in the supply chain and say, hey, whatever your role is, there are some benefits for you.

So we've got the what, we've got the why. How do we SBOM? Remember, I am NOT a standards development organization, so the goal here isn't to create something new. The good news is that we have at least one standard that can do this today. The bad news is that we have two standards that can do this today. Remember, at its core, an SBOM is about describing a component and its relationships. Turns out lots of other things need this too, and in particular licensing is about identifying precisely a component of software and how it relates to other things. And there are two standards out there in the world that do this today. One is called SPDX, Software Package Data Exchange, developed by the Linux Foundation. It was developed to keep track of licenses, because even open-source people kind of hate Stallman sometimes. I joke, but I think there is a real need to track what you're using, right. You've got a nice little project, someone submits, commits some code, it's under a different license, what do you do? I like the analogy that the open-source community is sort of like the dog that caught the car; they suddenly woke up and realized, oh, we won the software world, but now everyone is starting to worry about the quality of their underlying code, and we don't have much in the way of formal structure that we can offer to provide the assurance farther down the supply chain for communications equipment, medical devices, industrial, defense, etc. So this is something that the Linux Foundation has developed to keep track of them; we can use it for SBOM.

There's also something that comes out of the commercial software world called SWID tags, software ID tags. It has the benefit of being an ISO standard, which means everyone in the commercial world can sort of look at it and say, yeah, I get it. It has the downside of being an ISO standard, where everyone in the open-source world says no way in hell am I paying nine hundred and seventy francs to read a piece of paper. But the good news here is there's a lot of open-source details on this. This was developed by the licensing world. Imagine you're a giant global company, you've got 15,000 different Adobe products on your network; how do you keep track of which one is licensed to go where, for how long, by whom? Well, they made a little data standard built on XML that again talks about, here's a software component, here's how it relates to other things. That's all we need to do the SBOM. So again, XML; we have the ability... I can sort of... we've talked about how do we make them cross-compatible, because our goal here is to be Canada: we're going to be a bilingual world. The government's not in the business of picking winners and losers; we want to make sure that we can translate. We're aware that in different regions there are going to be very strong proponents for one standard or the other. That's fine. We want to make sure that whatever you get your SBOM data in, you can choose to output it again, back down that supply chain, the way you want to.

So there's also a fantastic proof of concept in the healthcare world. This grew out of the first meeting that we had last summer, where a bunch of people showed up very skeptical: oh, why are we doing this? Thank you. And there were people complaining, oh, we shouldn't do this, it's a waste of time, people get confused, too much data, roadmap to attackers; I'll talk about those things later. And eventually a couple of people from the medical device community got sick of it. They're like, this is ridiculous, we can do this today, we want to show that we could. It's because we need this, not just because a regulator told them they have to do it, but because they realized that having that visibility down the supply chain, especially for a blinking box that you don't want to scan, is going to be absolutely key for all the security benefits that I talked about. So they said, we're going to do it. They quickly developed: we're going to do this exercise with a set of use cases, we're going to test it against this set of use cases, we're going to share data. A handful of medical device manufacturers got together with a handful of hospitals and said, let's do this, let's actually pull together the information on the medical device manufacturer side, share it with the hospitals, and the hospitals would use that data for these set use cases. The thing that actually took the longest was getting the lawyers to okay it. See, lawyers are usually very helpful, but every so often they slow things down a little bit. But they actually did this exercise; at the end of the day, it only took them about a month and a half.

When they did it live, some really interesting preliminary lessons, because they weren't building it on all the stuff we talked about; they designed this without having this slightly standardized form. So what they found was, one, very few of the medical device manufacturers could actually do this completely automatically today. Their build processes didn't have the natural point where you could export this data. Now, it's interesting to note that if you're writing your own software and you're using GitHub, it'll do this today. There are tools, right; you're using Eclipse, you're using Visual Studio, you can actually extract this data, because essentially you're running make with a couple of extra commands, a couple of flags, to pull out the data. The more complex your build chain is, and the more different ecosystems, right, if you're not just pulling everything from Node, it gets a little more complicated, not impossible, but a little more complicated. But so everyone was able to do it; it just took them a little bit, and that's helped organizations learn how they can make it easier, faster, cheaper to do it. It's going to be a learning process. Similarly, the hospitals today, they pulled the data in, and they said yes, every single use case they were at least able to partly succeed. Was it turnkey? No. Why? Because we don't have the tools that are built to do this today. So there's still some issues with naming. Again, if you're looking for vulnerabilities, you have your vulnerability source, right, the CVE list, the National Vulnerability Database, and you've got your list of components, so you need to make sure you can do that mapping. If the names are a little different, you're going to have a bad time, and by the way, if you try to use fuzzy mapping, then you're going to have way over-matching, so it's going to be equally problematic. So two things that we learned from this proof of concept: one, we can do it today; two, we need to learn how to do it better today. And the folks involved were so enthusiastic that they've already resolved to say we're going to do another proof of concept; we want to learn from our mistakes, let's iterate.
This is classic experimentation, guys. This is science: you try it, you test it, you see what works, you see what doesn't, you try again. So I'm really happy with the progress that's been made. There are still open questions, there are still things that we're trying to figure out, at the basic level and some at the more advanced level.

So one thing that we don't really know is, in general, what are the obstacles to getting this data. In some environments this can be pretty easy. In Node everything's already there; if you have any package manager, well, that's the whole point of a package manager, it helps keep things together. Other areas are going to be a lot more diffuse: you're using software from different communities, there are different maintenance practices, you're using multiple different layers of technology, so you need to figure out how to place it all in one context. Today we don't really have global visibility of what that landscape looks like, where are the valleys where it's nice and easy, where are the peaks where it's really hard. That's something we're going to have to learn by experience; that's where we need ambassadors.

We don't have a clean idea of what the act of transparency looks like. I've talked about what vendors need to do to generate the data and the benefits; I've talked about how it can help customers, people who are using the data. The act of transparency gets a little tricky sometimes. In some cases it's going to be easy: a SWID tag is metadata that sits next to the binary, super easy, that's lovely. But for an embedded device, well, maybe it's XML, it takes up a lot of room, it needs to be updated whenever there's a software update, and maybe you don't really want to keep your metadata on a prod device where you don't want your scanner continuing the cycle. There are going to be communities that say, we'll share it internally for now, we're not comfortable making it truly public. So, you know, I'm all for complete decentralization, but there are going to be areas where there are communities that want to do some centralization. We're going to figure this out over time.

What could be the biggest stumbling block is the question of vulnerability versus exploitability. The vulnerability is the superset of all the things that you need to potentially worry about; often you're not going to have to worry about it. Depending on how you count them, there are between 600 and a thousand function calls you can make in the OpenSSL family of libraries. How many of them are Heartbleed-able? Two, as I count them. So someone says, oh, I can't use this product, you're using OpenSSL old-dot-old, Heartbleed, Heartbleed! Well, I'm only using the random number generator. So how do we enable that kind of communication? Because if we are just doing a simple library mapping, we're going to have a very expensive process with a lot of what we might call false positives as vulnerability management's automatic tooling starts up. We need to find some way of making this a little more automated.

So, the next steps. You've got this lovely little process the US government is running that anyone can join. We've had folks from big companies, we've had folks from small companies, we've got academics, we've got hackers. Anyone can join this. I'm begging you, come talk to me, we'll bring you up to speed, you can participate. This is a chance where you can actually help write the
documents that the entire world is going to be using for this, we hope. So we want to have this baseline approach. We're not going to stop there, though; the goal is not just to say hey, here's a document, whoo. I know that all of you regularly read the NTIA website and everyone sort of does the daily check-in with the Federal Register notices, I understand, but not everyone is quite as well-informed as you are, so we need to make sure that we can take these out into the world.

We want to extend the model. The baseline is essentially about keeping honest people honest: the software vendor says I'm using this, and the customer says great, this will help me understand my risk on the network. What about active, intentional attacks on the supply chain? What about attempts by people to intercept the BOM so they can try to change it on the fly? What about all the other security issues that you're worried about, compiler details, are you actually using the spec that you say you are? We're going to have to think about more high-assurance use cases.

Tooling is the second big important piece. If you're doing this by hand, if you're doing this in PDFs, you're doing it wrong. It's got to be automatically built, automatically consumed. Different parts of those will be easier than others. We're going to need some folks from the vulnerability management solution space; we've already talked to a couple of them, I see Tenable's in the room. The goal here is to make sure that everyone understands the importance of this and can figure out how we can help customers, that this should be part of our balanced breakfast for thinking about vulnerability management solutions.

So you've got extending the model, we've got tooling, and the final piece is awareness and adoption. This is something that is not an American project; this is a global project. It's one big internet out there. But different sectors have different needs, have different terms, have different words. We need champions who can go and take this and say, how can this fit in this small sub-sector, in this open source community? What's the merit that we can offer so that people can use our code? How do we make sure that we're not sort of left out of that open source software supply chain? So we're going to need a lot of champions, we're going to need some real strategy for thinking about how this happens. I don't think we can snap our fingers and have the entire world do this. I think that we can actually make a case that very few people should be ignoring this completely.

So, as I said, this is a supply chain issue, and I love this graph because the supply chain is big, it's complex, it's scary, there are lots of risks out there. SBOM is not going to solve every supply chain risk, but it is part of the complete breakfast that we need, and transparency is going to be part of every solution that we want to build on. So we really need your help. I think that transparency is about the lightest lift that we can ask of the industry, but we still need some people to help us move the ball along. So I'd love some of your perspectives on what we can do. I think we still have some time, and here is how to get in touch with me. I hope you come and enjoy.
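Two of the open problems the talk names, the mapping from SBOM component names to a vulnerability database (a slightly different spelling misses, fuzzy matching over-matches) and vulnerability versus exploitability (only two OpenSSL entry points are Heartbleed-able), shown as an added Python example that is not part of the talk, the NTIA process, or any NVD or vendor tooling. The vulnerability records, the SBOM entries and the VULN-nnnn identifiers are constructed for illustration; only the version range and the two function names, modelled on Heartbleed in OpenSSL 1.0.1, are real.

```python
"""SBOM component -> vulnerability database matching: strict vs normalized vs fuzzy
name mapping, plus a crude vulnerability-versus-exploitability triage.
Added example with constructed data; VULN-nnnn identifiers are placeholders."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                                     # placeholder, not a real CVE identifier
    product: str                                     # canonical name as the database spells it
    introduced: str                                  # first affected version (inclusive)
    fixed: str                                       # first fixed version (exclusive)
    affected_symbols: FrozenSet[str] = frozenset()   # entry points that reach the bug, if known


@dataclass(frozen=True)
class Component:
    name: str                                        # spelled however the SBOM producer spelled it
    version: str
    used_symbols: FrozenSet[str] = frozenset()       # API the product calls, if the producer says


# Constructed records in the shape of NVD-style entries. VULN-0001 is modelled on
# Heartbleed: versions 1.0.1 through 1.0.1f, fixed in 1.0.1g, reachable only through
# the two heartbeat-processing functions in OpenSSL 1.0.1.
VULN_DB = [
    Vuln("VULN-0001", "openssl", "1.0.1", "1.0.1g",
         frozenset({"tls1_process_heartbeat", "dtls1_process_heartbeat"})),
    Vuln("VULN-0002", "openssl", "1.0.2", "1.0.2b"),
    Vuln("VULN-0003", "pyopenssl", "0.0", "17.5.0"),
]

# Constructed SBOM for one imaginary device.
SBOM = [
    Component("OpenSSL", "1.0.1f", frozenset({"RAND_bytes"})),  # spelling differs; only the RNG is used
    Component("openssl", "1.0.2k"),                              # same product, already past the fix
    Component("openssl-wrapper", "1.0.1"),                       # unrelated package containing "openssl"
    Component("pyopenssl", "17.0.0"),
    Component("zlib", "1.2.11"),
]

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]*)$")


def version_key(v: str) -> Tuple[int, int, int, str]:
    """Sort key for OpenSSL-style versions such as 1.0.1f (no suffix orders before 'a')."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), m[4])


def in_range(version: str, vuln: Vuln) -> bool:
    k = version_key(version)
    return version_key(vuln.introduced) <= k < version_key(vuln.fixed)


def name_matches(component_name: str, product: str, mode: str) -> bool:
    if mode == "strict":        # byte-for-byte: misses "OpenSSL" against "openssl"
        return component_name == product
    if mode == "normalized":    # case and whitespace folded, still exact: the sane default
        return component_name.strip().lower() == product
    if mode == "fuzzy":         # substring: flags anything with "openssl" in its name
        return product in component_name.strip().lower()
    raise ValueError(f"unknown mode {mode!r}")


def match(sbom: List[Component], db: List[Vuln], mode: str) -> List[Tuple[str, str]]:
    """(component name, vuln id) for every component whose name and version the database flags."""
    return [(c.name, v.vuln_id) for c in sbom for v in db
            if name_matches(c.name, v.product, mode) and in_range(c.version, v)]


def fuzzy_overmatches(sbom: List[Component], db: List[Vuln]) -> List[Tuple[str, str]]:
    """Hits fuzzy matching produces that canonical matching does not: the false positives."""
    return sorted(set(match(sbom, db, "fuzzy")) - set(match(sbom, db, "normalized")))


def triage(sbom: List[Component], db: List[Vuln]) -> List[Tuple[str, str, str]]:
    """Normalized-name hits with a crude exploitability verdict: when both sides declare
    symbols and the sets are disjoint, the product never calls into the vulnerable code."""
    out = []
    for c in sbom:
        for v in db:
            if not (name_matches(c.name, v.product, "normalized") and in_range(c.version, v)):
                continue
            unreachable = bool(c.used_symbols and v.affected_symbols
                               and not (c.used_symbols & v.affected_symbols))
            out.append((c.name, v.vuln_id, "not_affected" if unreachable else "affected"))
    return out


if __name__ == "__main__":
    for mode in ("strict", "normalized", "fuzzy"):
        print(mode, match(SBOM, VULN_DB, mode))
    print("fuzzy false positives:", fuzzy_overmatches(SBOM, VULN_DB))
    print("triage:", triage(SBOM, VULN_DB))
```

Strict matching misses the device's real OpenSSL 1.0.1f because the producer wrote "OpenSSL"; substring matching finds it but also drags in "openssl-wrapper" at a coincidentally overlapping version; folding case and whitespace but still requiring an exact canonical name is the only mode that gets the list right. The triage step is the simplest form of the exploitability communication the talk asks for: it needs the producer to state which entry points the product uses and the advisory to state which ones reach the bug, and it only ever downgrades a finding when both are present.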
Yes, we have a roving mic somewhere, or I'll just repeat the question.

Are there examples that are sizable of, I'll call them, early adopters? Recognizing you wouldn't want to endorse anybody, nor, you know, can you or should you, but it's just very helpful for purchasers, when they're having a hard conversation with the vendor and the vendor says ooh, don't do that, for lots of reasons, to say: I get it, you don't want to do that, I just want you to know vendors A, B and C are doing stuff in this space.

That's a phenomenal question. The great news is that we actually have some folks that are doing this today. So one of my favorite stories on the purchaser side of things is my friend Sunil from Bank of America. Sunil's asking for this today, and he understands if the manufacturers can't provide it, but his perspective is, if you have a good development process, this shouldn't be a heavy lift to generate. And so if you can't, and he's only looking at enterprise financial software, it's a little different, I understand, but this should give you a fun idea for your purchasing: he knows, based on experience, that someone who doesn't have a good development process is going to cost them more to maintain, and so he will take five to ten percent off the top of the asking price, five to ten percent less net, for any of these suppliers that can't generate this, because that's just the quality signal that he sees in it. So that's wonderful, which is to say: look, I get it, you can't build it, it's going to cost me more to maintain, so I need you to come down with the price. So that's happening today.

There are a number of vendors that are doing this, and are doing it more and more in different places. I don't want to call anyone out on camera at the moment, but Josh might.

Well, before it was required of medical device makers, and doing it in a non-machine-readable format, Philips Medical started publishing theirs, which got a bunch more device manufacturers to say maybe we could do this, in the MDS2 forms. And concurrent with all that, one of our task force recommendations: Congress asked HHS, can you please require software bills of materials for medical technologies, which the regulator for that space is now asking for in the pre-market guidance. So what was voluntary from a couple that were doing it and providing real benefit to very large hospitals is now being pursued in a very narrow sense in the medical device community. And because sometimes governments work together, I believe the language is something like, if Allan's process produces something useful in time, they'll use it. So, but
yeah, Philips started this voluntarily, and now we're trying to harmonize how each of them do it. I feel like walking through the cabaret tables is very appropriate in this jacket.

So government organizations have been doing this: DISA has done this for protecting DoD computers, NSA has done this for intel, US-CERT has done this for critical infrastructure. Have any of them published any of their standards, or would they contribute anything that would help kick this off? Because we've been doing this for a long time.

So I would love to chat more about that. I hadn't heard about the US-CERT side of things. I've had a lot of conversations with some DISA folks, and usually it's framed in the upcoming proposed regulation that, by the way, we need to see the passport of everyone who's ever touched any of the code that your sub-sub-sub-contractor is using. Right, oh, that's going to break software. What I like about the SBOM, and what I have not heard, and I've had a lot of conversations with the senior folks at DISA, maybe I need to go down into the ranks, is making people appreciate that you don't need to know everything about it. What you need to do is know all of the components and then set up the appropriate surveillance of the open-source libraries. Just frankly, if there's a stable library like left-pad that you know has only been touched by the same six people once a month for two years, and then gets a bunch of commits from behind a Tor node, that should set off alarm bells. And the best way to do that, in my mind, is to centralize the data and empower the world's best counterintelligence organization to actually focus on it, rather than having a bespoke, decentralized way that at best is going to quadruple the price of taxpayer-funded software and at worst is going to lead to a lot of people lying to the government and breaking software. But let's follow up after this. Sure.
Where can I get that shirt?

Oh, I'll post a link to the design. Turns out there's no government ethics rule against making your own shirt, so I just decided to make one. I'd encourage it if someone wants to go and make them and sell them.

So, if you're using software projects that you yourself have patched, or pulled out-of-tree patches into, or modified substantially, how do you deal with that? Because for long-running services you can have a substantially different build off of the same version but a very different set of source.

I have, you know, Allan's fork of some open code library, right? I just pull it in and I change something, and now that's no longer third-party code; that is code you're responsible for maintaining. There's still the risk, though, and that's where we don't have a clear answer for that, other than stop doing that, and be transparent if you are. But there are organizations, a lot of the big switch manufacturers for example, that have their own shadow parallel version of the large crypto libraries, where they've tweaked them to make them efficient based on their hardware, but the underlying code is the same. And so do we want to, you know, label it? It's still, it's not the same, but we don't have a good way to talk about that.

The other thing that we don't know about and don't have a good response to yet is backporting. This is one of the few good criticisms that came out of the initial wave of outrage by some of the hacker community. So I buy a piece of software from a company, it's got a lot of old software in it, and rather than just updating everything, because I'd have to do a whole lot of refactoring, I go to the one security issue that anyone would care about and I just fix it in the source code. So is it still version old-dot-old, or is it a brand-new version? Today we don't have a good way of talking about it. There are tools that can identify it, so if someone tries to include that in their code and one of the downstream partners is using an SCA tool, it's going to get flagged, and a responsible risk manager is going to ask some questions.

I'm getting the red light that says stop. So thank you all for your time. I'm incredibly grateful. I strongly urge you to get involved.

[Applause]