
So, I'm not going to introduce everybody with their bios; we're going to let them introduce themselves. But we have Diane Morris here, who's going to be leading the panel, Omar Santos, Josh Dembling, and Lisa Bradley. We had one panelist who unfortunately couldn't make it here this morning, Art Manion. So, yeah, unfortunately he was not able to get out, but fortunately we have the rest of the folks here, and I'm going to turn it over. And let me take... all right.
All right, good morning everybody. My name is Diane Morris. I work at Cisco. I am a content manager on Cisco's Product Security Incident Response Team, so we are the folks who are in charge of putting out security advisories. My team within the PSIRT is in charge of editing and publishing those advisories. Before I let our panelists introduce themselves, I want to introduce our acronyms of the day. So our title is SBOM plus VEX plus CSAF equals the future of vulnerability management. SBOM is your software bill of materials, so that is a list of ingredients that is in any piece of software, all the different components that go into making a product.
VEX is the Vulnerability Exploitability eXchange, and that was created by the National Telecommunications and Information Administration as a framework for security advisories that lets manufacturers both say when their product is affected and when it is not affected. And CSAF is the Common Security Advisory Framework, which is a framework for creating machine-readable security advisories. I hope that helps. Okay, now I'm going to ask the panelists to introduce themselves. Omar, why don't you start? Well, thank you, ladies first. Lisa. I'm Lisa Bradley, I'm the senior director at Dell on the product notification security team, so I oversee PSIRT, our open source component management, our SBOM initiative for Dell, security champion security training
program, and our bug bounty program. Thanks. I'm Josh Dembling, I'm senior director at Intel. I run the Product Security Incident Response Team, the bug bounty program, the security working artifacts team, where we look at industry trends and new regulations and legislation and how that changes the industry, and work to educate both the community as well as inside Intel on good product security practices. I'm from the Cisco PSIRT team. I work with Diane along with a few others that I see over there, and I'm also the chair of the Common Security Advisory Framework, which is one of the acronyms in there, and I am actually the founder of BSides RDU, a long time ago. Thank you.
Okay, so let's start with just SBOMs and how your companies are prioritizing the development of... Let me start. So I'm very lucky at Dell that we are prioritizing it all the way up the executive chain, so we have a lot of support. As soon as the executive order went out, we put a team together and figured out where we were good and where we were behind. SBOM was one of the ones that we needed to catch up on, and we put together a phase one approach where all of our EO critical products, which was fun in itself to figure out what those were, we went and drove to get SBOMs. So
we utilized Black Duck to pull together our SBOMs and our inventory for open source, but even with having a software composition analysis tool, it still took us a significant amount of time and scripting work, because we wanted to have what we considered a Dell customer-facing SBOM. So, you know, we had I think maybe one third of our product portfolio that we now have SBOMs that we can give to our customers, but there's still a long journey to go in this matter. And to clarify for folks, the executive order that went out regarding SBOMs came out, was it earlier this year or last year?
Late last year. Late last year, that basically said that companies that are going to be selling to the federal government have to have a software bill of materials, rather, with their products. Yeah, and I think that's a good segue. I want to take a moment and step back, because some of you may not even know what software bill of materials means. Think about, like, the ingredients of anything that you consume, a product, right? Whether it's a hardware-based product, you know, software that is made up of third-party components in most cases, and those third-party components in many cases are open source. So what the industry is trying to put together
is, for a long, long time, but now it's been part of, you know, more legal documents like the executive order, but we're trying to put our heads together on what is the most effective way to know what we're running, to know what we're consuming. And it's an ecosystem, and it's not so much a single vendor creating an SBOM and you're done, if not that that vendor, like in my case, I also consume technologies from other vendors, so it's very nested. So going back to your question, one of the things that, you know, we're looking into is not only how to produce this artifact that my customers can consume, but how
can we also require our vendors to have that level of consistency for us to consume that, and then accelerate that, so it will be, instead of, you know, from a software composition analysis tool, which is after the fact, how can I put this in my development practices even from the moment that I hit commit, or I even decide to use a specific third party or not. So that's what, basically, an SBOM, this effort, is all about. You're right, though, like a lot of the story, like when you're, you know, developing, making sure that you're paying attention to what you're consuming, because oftentimes we get to the end
point and then it's hard to go back and figure out what you put in there, because developers leave and your build environment changes. So, you know, how do you get it within your typical developer-ready platform activities, and know that inventory from the beginning, and have the composition analysis tools start earlier on in the process? Because, you know, my good buddy Allan Friedman, he will say, hey, you get an SBOM by just pushing the button. It's really just not that easy. I mean, one of our product teams took six weeks just to create the SBOM, because of the complexity of it. And then we have vendors like Intel
here where now we're putting the pressure on to having an SBOM also. Yeah, and our journey started similar to Lisa's journey, and with the EO, even a bit before that. I mean, we all knew this was coming, and all started to work on this within our respective companies. But the challenges are not just how you put it together, but to what depth, and using what format, and making sure that when we do put it together we can communicate with each other, share it with each other effectively as needed, right? And so it is definitely a shift-left journey, but it's got to start more on the surface, right? Taking what you've got and
putting it together. Yeah, and the journey doesn't stop. To figure out how are you going to give it to your customers, what customers are you going to give it to, how do you make sure that you protect that information. So, you know, our journey is still continuing on with the SBOM, because for me right now, unless you have some kind of contract with me, or most likely waving some kind of big money in front of me, I'm not willing to give it yet, because we're still maturing our processes with it. So we'll continue to grow on that journey, and eventually we will open it up to all customers, but until we
really understand how it's going to be used by our customers, what, you know, are we even delivering the right format to them? We even had a customer that asked us for a certain naming convention. Can you imagine if all your customers ask for a different file name of the SBOM? You know, that's just a lot of work. So how do we educate the customer at the same time on what we're going to deliver to them in a standard way? So a lot of activity we've had to worry about. Now, of course, one of the things about SBOMs is that all this third-party software tends to be where most of
the vulnerabilities that we have to deal with are, right? So let's talk a little bit about how SBOM connects to security advisories and CSAF. I guess I can probably take that one. So CSAF, the Common Security Advisory Framework, is only one of the components that is in this ecosystem. It doesn't need an SBOM to function. Basically, we've been doing this for a long time in the industry. Most vendors, hopefully, right, they will have a PSIRT team like ours, and then they will disclose only the exploitable vulnerabilities that they have. They do that in a security advisory; some people call them bulletins, some people call them notices. It's the same thing. Historically, it's a human-
readable document that we publish, and somebody actually will have to read it and say, okay, my program is affected by these, I have to upgrade, and then, you know, move on. I used to have a joke in my company, and this has been recorded, this stream, I'm actually streaming it up there, but I always say that if a human is really reading my security advisories I should be fired, right? And I still say that, because we have to do this at machine speed. There's so many vulnerabilities out there, so many vulnerabilities that actually do not affect you, and it's a way of... so we have to put our heads together on how to do this in a machine-readable format. A
long time ago, in a galaxy far, far away, we were also participants in a forum called ICASI that is now actually part of FIRST. We, a whole bunch of vendors including Microsoft, Intel, and so on, had multilateral NDAs to exchange vulnerability information, and we wanted to do this at machine speed, and we created this thing called the Common Vulnerability Reporting Framework. So it's basically a machine-readable advisory. That's what CSAF basically replaced. Now, instead of in this form that was a little bit more closed, it's part of an organization called OASIS. So within CSAF you have different profiles. You have the normal security advisory that we all
know, and then where it comes a little bit more pertinent to the SBOM conversation is this thing called VEX. So VEX, which stands for the Vulnerability Exploitability eXchange, can be a little profile within an SBOM document. And there's two major standards that the industry is focusing on right now in SBOMs: SPDX and CycloneDX. So within an SBOM, at the moment that you create it, you can actually say, you know, these vulnerabilities don't affect me, or affect me, or are under investigation. The challenge with that is that two minutes after I publish that, the information becomes obsolete, because those vulnerabilities that are under investigation may be not affected, or a new vulnerability comes in, right? So it makes
that document and that status completely obsolete after you create the SBOM. Where CSAF comes into play with that VEX profile is that you have, if you think about it, an automatic security advisory being generated for you. Basically it's a response to whatever the status of that vulnerability is in time, so you can query these, you know, essentially with APIs or any other methods, in a little bit more intelligent way. And as you go through the vulnerability management process, from obtaining the report of that third-party software vulnerability all the way to the disposition of fixing it, or I'm not affected, you actually can query, you know, any system and get that status. And that's what
VEX is all about. So hopefully that makes a little bit of sense for folks that haven't been exposed to that. Yeah, I think VEX is interesting because, again, it's not just our product teams having to figure out their impact as soon as possible, because our customers want our response, and the last thing I want is to have 15 to 50 to 100, who knows how many customers, constantly asking every time there's a new OpenSSL vulnerability. So, you know, but all of that work to get that VEX, to get that, you know, working, it is a lot. You have to figure out how do you tie it in to your
ticketing system that you have for your product security, ticketing system right now for vulnerabilities? How do you make that impact statement be done by your teams earlier on, and understand the importance of why they need to do it quickly? How do you let that engineering team understand that pain that's going to potentially come from our customers if we don't get this information out to them? And how do you make sure it's accurate and up-to-date and consistent? I mean, there's a lot of work that we're having to do in this. No, it's an amazing journey that we're on, but, you know, the pressure that I feel is that, you know,
there's a lot of people talking about how quickly it could be done, but, you know, this is a lot of process, coding, people, money, to make it happen. It's not just about, you know, the technology of implementing it, it's about changing the culture of a company in the way that they think, in the way that they operate, the way they develop products, and it can affect innovation. So you have to do this in a bit of a systematic way. While it's a shift-left journey, again, you have to start with what you have and integrate yourself into the business very carefully so that you don't disrupt the business revenue. And
the higher you are up in the food chain, the technology ecosystem, the more important it is that you are on this journey, because everybody that you feed down is going to be relying on this. Because, like Omar pointed out there, everybody's going to get flooded with all these advisories, all these reports of security vulnerabilities, and they're going to need to be able to make decisions faster and faster, at the speed of a machine, and that's why this is so important. Yes, matter of fact, you brought an amazing point, both of you, and I'm trying to look for things that are controversial, so I don't actually agree a thousand percent with them. Like a friend of mine always says,
everything in a PowerPoint orchestrates and works perfectly, right? In practice it's a lot different. It's a monumental task, especially whenever you have 1200 products, in my case, and you guys are pretty much in the same issues. Yeah, and getting the culture in place, getting the tools in place, getting the customers educated, as you mentioned, it is a monumental task. It's not going to be like these acronyms are just, you know, machine-readable documents. I'm not going to diminish the work that we have done in CISA, you know, because it's been tremendous, but, you know, we can come up with a specification like that, you know, in no time; putting it to work, right, is
significant. You bring up a really good point that you have to have real support from the company that you're with. Like we all have to be able to be involved in evolving these kinds of technologies, these methodologies. Like Omar said, I mean, this has been years in the making. The kind of interaction, collaboration that we've had for more than a decade on getting to this point has been critical for the success of our companies, but they've allowed us the opportunity to be a part of this. They've embraced this, and without that I think it's hard to be successful. I do think, though, the executive order is, as much as it's
a trigger, right? I mean, what we wanted to do and have a journey for would have taken a long time. Now we had a hard fact document that the company had to follow or they would lose business, and, you know, when you speak those kind of terms to the right people, things will happen. And I think, you know, as much as it's been a lot of work, I am grateful for the executive order. I'm not grateful for the amount of regulatory acts that are coming down on top of that, but I'm grateful for the first step of the executive order. Yeah, it's a trigger. The executive
order in the US is a trigger, but it also has triggered other governments too. So it's not only about being compliant or being able to sell to the federal government, but right now ENISA and some in Europe, a concept with them, they're looking into SBOMs as one of the components, but also even pre-disclosure of vulnerabilities, which is a conversation for another day. We can really have another three panels on that. Yeah. So it is going to take a lot of effort from vendors, from the consumers, from the government, from the industry to actually get educated, because it's a phased approach. What Lisa mentioned about software composition analysis tools, that's the first step. We're in the same
shoes, from pretty much the whole industry, whether they tell you otherwise or not. You know, it's pretty much the same shoes, right? You're reacting to this, looking into what is in your source code or in a binary, right? And then there's no magic bullet that you can just press a button and say, I'm going to put this into my CI/CD pipeline and then tomorrow I'm going to have SBOMs and, you know, all the acronyms in the world. That does not exist right now. Hopefully we'll move to that in five, ten years, hopefully, right? Hopefully I'll be alive by then. But it's going to take us a significant amount of time, so the call for action is
that we all get educated and we all try to actually solve this together, right? Because it's an ecosystem. Yeah. Talk a little bit about why the executive order came down. What is the implication for national security with response? I'm going to actually say I think this has got more to do with the trend that you're seeing with government agencies and even within the industry. It's really finding a way to push people to disclose vulnerabilities faster, to be more responsive to security vulnerabilities, to have processes and standards that they follow consistently in how to handle security vulnerabilities, and then bring people together so that we communicate it from vendor to vendor. And I think that I
mean that was a culmination of the trigger that launched that, but there's so many other decent legislation. Yes, I think SolarWinds was one of the major, major triggers that the government will say, because of SolarWinds, but there also was, you know, the pipeline, and everything in supply chain has just always been an issue. But I mean the executive order has a lot more than just SBOM, and to be honest, if your company feels that just having an SBOM is the answer, there's just so much more to it: having, you know, SDL practices, having, you know, contracts with your vendors, having a good vulnerability
response program. I think everybody's been focusing on SBOM because it's a trendy name, and then VEX came along as another trending name, so it's a lot of fun to focus on that, but there's so much more that you need to have in order to be successful in the space. And even when you're one of the best in it, you still can easily fail. I mean, every day there's new vulnerabilities. I'm sure just as we're speaking there were, you know, hundreds probably came out, you know, and that part is... there's a lot of work ahead, which is great because we're in these fields. I think we could
do a good job in security, but we've made that before we see the solution. Even though you mentioned Allan Friedman, he is a good friend of all of ours. He led an effort in the NTIA on SBOMs, and even before him a lot of companies, that's the reason that Black Duck and WhiteSource and a whole bunch of other companies exist. They want to help individuals to see what they're consuming. Think about, and this is an analogy that I think Allan or Josh Corman actually used, think about that you're actually consuming something, you know, that you're eating, and most of us actually look at the list of ingredients. Does this have too much
sugar for me? You know, I'm probably diabetic and blah blah. So the same thing comes with software or hardware. Knowing what you're running is essential, right? If you don't know what you're running, then how in the world are you going to be able to determine what vulnerabilities affect you or not? Now, how these SBOMs and all these efforts started was because of other legal compliance and licensing, like, you know, you're using open source so I'm going to disclose what open source packages I have. And for years we have been doing that in PDF documents, and then it says, you know, you use OpenSSL, I mean the Linux kernel, but it doesn't go into the granularity of
saying this is a version of the Linux kernel, or this is how I'm using it. And for you to determine a vulnerability, if you're vulnerable or not, you have to know not only the version: am I actually compiling this in the way that actually affects my product? And a good friend of ours too, from Oracle, he actually did a study, and most of the vulnerabilities that they actually face don't affect them. They're not exploitable, right? And if you look at that, you know, through many other vendors, that's one of the reasons that we're actually, you know, trying to put our heads together with VEX and the standard, is to also allow for you to
know what are false positives and the real. In the perfect world it will be that somebody, you know, instead of actually running a scanner and then calling support and saying, are you really affected by this, you know, vulnerability, like Qualys or Tenable or, you know, whoever tells you that you have it, and you have to get that person to talk to one of my guys, and one of my guys talks to engineering, and then engineering looks into their code. If you can automate that in the future, that's of course the perfect world scenario, right? But that's what the main purpose of these efforts is. I have a different perfect world,
but we all know that it's really expensive to do that, which is why we take the time to do the analysis to indicate if we're affected or not, because half the time when we bring in open source we write a lot of code around it, we have wrappers, and so it's very expensive. And don't even get me on the OS updates and how expensive they are. So in a perfect world, though, where I think we will eventually get, is that every release, which will hopefully be a consistent and only security update release, that's why I always talk about in my company, a customer will always know when they're getting that next
update, and they will always know that they have the latest and greatest, or maybe it's just a continuous update that's constantly going on, although that is scary when you're the consumer: am I really deploying this update, or is it going to break something? So there's a whole other journey that goes on around it where I think we need to go. My perfect world is a combination too. I think that it's important to recognize that what we're really doing is helping customers assess risk, so by eliminating some of the challenges that customers would have, right? Ensuring we're updating to the latest version is important. I think that's important for many reasons: the
stability of your product and keeping up with the changes that are made in the components that you're integrating into your technology. But it's also important to be able to give people a better understanding of how exposed they really are, because, as Omar pointed out, today it's a very manual effort. It's an ad hoc discussion that happens between engineers, rather than something that people can look at and make a split-second decision on and say, yeah, I understand what the vulnerabilities are and how it affects that product. I know my risk. Although the severity of the vulnerability may be high, my risk is much lower in my implementation. But today that's
more of a subjective decision using anecdotal information rather than an objective one. Well, and it also takes customers understanding and being okay with receiving that. Yes, I mean, a lot of our customers, if they have a scan and it's indicating you have a vulnerability, even though you have a whole documentation of why you're not affected, some of them have rules, so, like, I'm sorry, we have to shut our program, you know, shut them down, if we scan and see something. So I think there's a lot of education that needs to happen to our customers and to those execs, you know, that say you need to be on this. Like Log4j was a really good example. We
had customers saying you need to be on that 2.17.1. I'm like, no, like eventually, yes, I want to get to that, but you really need to be on that 2.16. And, you know, but that education and understanding, we're very far from it still. Looking at your ideal world, it sounds like customers maybe aren't ready there. I mean, how are your customers dealing with... are they prepared to deal with SBOM and VEX and CSAF? Are they ready to consume that and make sense of it? So as my customers, right, being able to feed you my information, again, I have to partner with my customers on the formats and the approach that we would take so that
they're able to consume it. I have to understand what they were looking for, so it's a bit of a chicken-and-the-egg experience. I think that if you ask five people you're going to get 20 answers on the customer side. The reason that I said that is because depending on the amount of resources that you have, whether you have SBOMs or not, you know, they have a different way of ingesting exploitable vulnerabilities. That's the reason that I said, you know, the perfect world is not introducing the vulnerability from the beginning, right? That's another effort. But how you're going to see this probably in the industry is that some customers are not
going to have the infrastructure in place to even know what am I going to do with these thousand, you know, lines in here. Am I going to even ask the right questions? You know, is the vulnerability in the Linux kernel more, you know, impactful than OpenSSL, right? So you see a lot of, even companies now, as a matter of fact we have one outside, Stern Security, they are digesting SBOMs to provide risk information to a customer. The other thing is that even if you look at SBOMs or VEX, this is a continuous thing, right? More vulnerabilities will come in, more vulnerabilities will be remediated or will be determined to be false
positives. If you think about the way that historically we have put things in our networks or in the cloud, that you have to go into a certification process, or this product cannot have any vulnerabilities on it, and you work with the customer for six months and then, you know, they point fingers at my team, or you just published another vulnerability. Well, we have to be, you know, transparent. If you look at open source vulnerabilities, as Lisa and Josh said, they're coming as we speak; somebody's actually finding one right now. So there's a constant state of not being compliant, and we have to educate the whole industry and the consumers, because they will never... I can
guarantee you there will never be a single product in the whole world that will be vulnerability free, ever. It's a matter of us actually being able to ingest this information so we can make decisions and know how to protect it, know how to remediate it, and know how to prioritize this stuff. There will never be... whoever sells you that I have a vulnerability-free product, just turn around and, you know, buy something else, or a system for developing products free. It's just... you know, I remember having this discussion at a conference once and somebody asked me, what's the single biggest risk to our products today? And I said it's anybody that's sitting
down to write code it's not it's not the technology it's how we design it now we write it how we build it and it's not to say to those people that do it are bad or flawed or uneducated it's just a fact of life we you know security has evolved over the decades how we develop products has evolved the technology that we had 30 years ago is outdated so the methodologies are also outdated and we've learned from that so we're continuing to grow and evolve and mature and that's what makes this a journey and not a destination how are we doing on time we still have I mean we're about 12 minutes I just want to do one more question
before we turn to the audience um so the response I hear so often when we get into a conversation about s-spons and Vex is aren't you giving the hackers a blueprint how do you guys respond to that I can think go ahead so um I was presenting with a few other folks in that that kind of around the same topic at the policy desk and it was kcle Academy Story you know a whole bunch of more intelligent people than me but we were all talking about the the expectation that some attacker threat actor can be a criminal can be a national state uh organization that they will be running they probably have a better Aspen than you that's the number
one thing right so the the way of us thinking that no I'm you know this is a big problem because I'm going to publish it out and somebody's gonna share it and then that's going to be taken advantage of yeah you can you can accelerate that but they can buy the black docks of the world as a matter of fact they are buying you know this type of things to do the software composition analysis and actually know what they're running right so it is time for us that we're trying to protect to know about that however what we have to do is not so much of can we put it in repositories and that's a technical
nerd fights that I you know have to deal with right because I'm a nerd but where to put profile information in machine readable format so I can predict where you put you know this information right that's what the things that we're trying to do in the standard but in the real world how you're gonna probably see this is that originally it's going to be on a high request type of transaction right and your customer that's going over and certifying your product and put it into a into some process to acquire and they're probably going to ask that as a checklist right and you're going to see that a lot because they're probably not even gonna know what they're asking for
but they're actually just asking for this thing and you provide to them and you know in the perfect world will be of course that you have it in a specific repository that the product itself actually has some type of manifest that it tells you that and then you can query there's another protocol that we didn't put in there it's called Mud and where the actual product itself can tell you where you put your security advisories uh information on and so on so that's you know the futuristic type of it but we're seeing it at Cisco is it more in a transactional place yet and even for vex we you don't need an s-com for vex
That's my kind of joke it's a question somebody's going to ask you what is your status of cbe12345 in your products so that's what Vex starts for you know we we do have those mechanisms right now sometimes it's like phone calls sometimes it's an API call sometimes it's an advisory right but that's why you can assume you know kind of baby steps in up there sorry yeah no I I actually was thinking about it and I my concern is it's not that we're giving more information but will people understand what to do with the information that we're giving them um so that's where my head goes at with it I I want to protect it uh as much as
I can right now because there's so much more maturity with doing dependency management now that we have the US bombs how do we know about the vulnerabilities how do I make sure that all my product teams like if there's an open SSL vulnerability then I'm I'm instantly scanning those s-bombs know what products they're consuming it making sure they know it about that vulnerability and that we're ahead of the game and we're not having our customers saying hey you have this vulnerability in this because we have your s-bomb um so that's why for me I'm a little bit hesitant but it's more because I want to make sure I have everything else in the background working really well so that
you know, my customers aren't telling me something I should already know. The other thing, and I just want to mention it because I feel like we missed it, and I'm thinking about it, is that one of the biggest things with SBOM, like, we're all having a little difficulty, is that there's no common naming. So you were talking about in the past, and in my past company we had all the licensing, but some would say Apache Struts, another person would say Struts, another person would say Apache Struts version one. Like, so there's so much inconsistency in the naming convention, and we in the industry haven't attached to one thing, and I
think that because of that we're all struggling. And so if my SBOM and your SBOM use a different name for Struts, I mean, like, what is our customer going to do? Like, they have to code for all these different naming things. So that, I feel like, is still a huge gap that we haven't figured out, and I don't feel like anyone's actually taken a stance to say, hey, this is what we should use. We're all sort of, you know, we use Black Duck, so I'm going to use a lot of Black Duck's, but if all the Black Ducks of the world don't talk to each other, then they're all going to have different
naming conventions.

Yeah, no, and back to Omar's point, though, I'm not worried as much about painting a clear path to the malicious actors of the world. I think they're reverse engineering our technology, and they understand it probably just as well as they need to be able to do what they do. At the same time, I don't necessarily want to make it any easier than I have to. So I want to provide enough information to our customers all along the chain so they can make the right risk decisions and they understand what they mean, how they need to fix their environment, but that's less of a concern of mine with this model. Yeah.
All right, let's see, do we have Germany? Yeah, okay. So you guys are here representing
all these things based on open source projects by that one guy who maintains those... what about those guys? There's some other private partnerships... That's a great, yeah, it's a really great point. You know, I'm sorry, repeat the question? You were talking about how are we helping that Joe Schmoe who's writing the open source code. So OpenSSF, the Open Source Software Security Foundation, do they say that right? Yeah, yeah. So there has been a big initiative, and a significant amount of big companies have poured money into it, and there's a lot of focus on it. One of the focuses, though, is to try
to figure out how do we make the open source more secure in the first place, how do we do that grading of the open source so that, you know, a product team, when they're choosing, they pick one that maybe is more secure. So you're exactly right, though: we need to figure out, if we're using this open source, how do we pour the money back into it to make it more secure in the first place, so that, you know, we don't have a Log4j issue happening on a Friday, you know, type of thing. So there's a big effort; if you don't know about it, you should look into it,
but I know my company, and I'm assuming both of yours, are contributing to it, to be able to help the whole ecosystem of open source.

But I think even beyond OpenSSF and being a part of that as a company, if you're using open source, you should be looking to invest in it. I mean, Intel has got a big effort around that, around not just investing in the industry groups that are supporting the idea, but then, if you're going to use that technology, let's make sure that we're either contributing to it or a maintainer of it, we're somehow influencing it, we're communicating with the maintainers in any way that they're willing to
communicate with us, because some maintainers don't want to. And that helps for the big ones, but I mean, there's even... but even though, thousands of open source, right? But, well, you have to start with the ones... Yeah, that's right, you start with the ones that you're using and make sure you're investing in those, that you're supporting those which are, like, being used by others.

So I have two examples. So I agree a thousand percent with what they said. I also agree a thousand percent, and one with the last comment, that anybody can actually make an open source project and somebody can consume it, and even though, as a vendor, software producer, consumer, we have to get better on determining
what is good infrastructure of open source that I should be consuming and what should be potentially outside of, you know. So going back to your question about the investment, I'll give you an example. After Heartbleed, forget about Log4j, a long time ago, right, Heartbleed was kind of a wake-up call: oh my God, you know, people are using OpenSSL and that's two-thirds of the internet, we have to pay attention to security. At Cisco we looked at, okay, what are the things that are critical infrastructure? Is it a kernel? Well, there's people giving money to that. Is it X, Y and Z? And then, you know, we're spoiled because we have money and we give, you know, to these
efforts, right. And we said, what about time? What about NTP? And if NTP fails, you know, certificates fail and everything else. So we started a little project with an organization called Asic and Talos and, you know, a university, and we looked at ntpd, and nobody had looked at vulnerabilities ever, right, not even a static analysis. Because we were looking for vulnerabilities, and it was like free, you know, CVEs out there, right? So whenever it comes to that, we probably have to collectively say, okay, what are the top, you know, consumed critical infrastructure open source components, and that's what OpenSSF is actually trying to do, and the Linux Foundation and many other folks. Second, what can we
invest, and more importantly, why we should not be consuming some things that probably are not supported anymore but we are using in critical infrastructure products that we actually sell, right? So that's one of the things that we have to also look at in this ecosystem, and it's not as easy as an SBOM or VEX; it's actually a whole development shift. Yeah, that's a whole journey.

So, yeah, any other questions out there? In the back.
Yeah, so the question is about CISA. CISA has been publishing actively exploited vulnerabilities and making the rest of the industry aware that they know that exploits are happening. They did it because they wanted their own government agencies to address vulnerabilities at a certain speed, so they actually said, hey, this is being actively exploited, this is how quickly you should fix it. I haven't tied it in with SBOM yet, although I will with the full dependency management, but where I tied it in is more into my high-profile process. So when a vulnerability is being actively exploited, we typically call it a high profile, especially if it's rampant and utilizing a lot of
products. So I've been utilizing that information to help: hey, is this something that Dell is using, and are we, you know, widespread affected or not, and we need to then do it faster. But the "is Dell actually using it" is where SBOM comes into play. If you have your SBOMs, you could quickly know that you're utilizing that open source, or, a lot of them aren't even vendor issues, and then you can quickly notify those product teams. So it certainly will play in the picture as we continue to mature our processes. I think that's okay.

All right, thank you very much, everybody.