Streamline Your Material Bill Format for Research and Development with airSlate SignNow

Empower your business to send and eSign documents effortlessly. Experience a cost-effective solution designed for your team's productivity.

Award-winning eSignature solution

Send my document for signature: get your document eSigned by multiple recipients.

Sign my own document: add your eSignature to a document in a few clicks.

Move your business forward with the airSlate SignNow eSignature solution

Add your legally binding signature

Create your signature in seconds on any desktop computer or mobile device, even while offline. Type, draw, or upload an image of your signature.

Integrate via API

Deliver a seamless eSignature experience from any website, CRM, or custom app — anywhere and anytime.

Send conditional documents

Organize multiple documents in groups and automatically route them for recipients in a role-based order.

Share documents via an invite link

Collect signatures faster by sharing your documents with multiple recipients via a link — no need to add recipient email addresses.

Save time with reusable templates

Create unlimited templates of your most-used documents. Make your templates easy to complete by adding customizable fillable fields.

Improve team collaboration

Create teams within airSlate SignNow to securely collaborate on documents and templates. Send the approved version to every signer.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Sample documents:
  • Checkboxes and radio buttons
  • Request an attachment
  • Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening your material bill format for Research and Development.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and eSign your material bill format for Research and Development later, when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly eSign a material bill format for Research and Development without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to eSign a material bill format for Research and Development and include a charge request field in your sample document to automatically collect payments during contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Understanding material bill format for Research and Development

In today's fast-paced business landscape, organizations constantly seek efficient means to streamline workflows, especially when it comes to documentation. The material bill format for Research and Development is critical in maintaining clarity and organization of expenses. Leveraging tools such as airSlate SignNow can greatly enhance this process by providing a seamless platform for document management and electronic signing.

Utilizing the material bill format for Research and Development with airSlate SignNow

  1. Open your browser and navigate to the airSlate SignNow website.
  2. Register for a free trial or log into your existing account.
  3. Select the document you wish to sign or share for signature.
  4. If the document is likely to be used multiple times, save it as a template.
  5. Access the document and make any necessary modifications, such as adding fillable fields.
  6. Complete the signing process by placing your signature and designating signature fields for any recipients.
  7. Click 'Continue' to finalize and dispatch the eSignature invitation.

Implementing airSlate SignNow offers remarkable benefits for businesses managing documentation. With a strong emphasis on user experience, it delivers substantial value for your investment, ensuring that features align with your budgetary constraints. This solution is designed to be intuitive and scalable, making it the perfect choice for small to mid-sized enterprises.

Moreover, customers benefit from transparent pricing with no unexpected charges or additional fees. Round-the-clock support for all premium plans ensures that users always have access to assistance. Elevate your document management process by leveraging airSlate SignNow today!

How it works

Upload a document
Edit & sign it from anywhere
Save your changes and share

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!


What active users are saying — material bill format for research and development

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

I couldn't conduct my business without contracts and...
5
Dani P

I couldn't conduct my business without contracts and this makes the hassle of downloading, printing, scanning, and reuploading docs virtually seamless. I don't have to worry about whether or not my clients have printers or scanners and I don't have to pay the ridiculous drop box fees. Sign now is amazing!!

airSlate SignNow
5
Jennifer

My overall experience with this software has been a tremendous help with important documents and even simple tasks, so that I don't have to leave the house and waste time and gas to go sign the documents in person. I think it is a great software and very convenient.

airSlate SignNow has been an awesome software for electric signatures. This has been a useful tool and has been great and definitely helps time management for important documents. I've used this software for important documents for my college courses, for billing documents, and even to sign for credit cards or other simple tasks such as documents for my daughter's schooling.
Easy to use
5
Anonymous

Overall, I would say my experience with airSlate SignNow has been positive and I will continue to use this software.

What I like most about airSlate SignNow is how easy it is to use to sign documents. I do not have to print my documents, sign them, and then rescan them in.



Material bill format for Research and Development

So good morning, good afternoon and/or good evening, depending upon where you are. I'm Steve Hendrick and I'll be moderating today's discussion about understanding the role of software bills of materials in cyber security readiness. Today we've gathered together SBOM experts from the federal government and the Linux Foundation to provide insight into the growing momentum behind SBOMs and what needs to happen to ensure that this momentum persists. I'd also like to remind everybody listening that the Linux Foundation has today released a survey-based report about SBOMs and cyber security readiness; you can find the press release on the LF homepage, it contains a link to the report, and I think we'll also provide a link today to make it a little easier for you. So now I'd like to start by having each of the panelists introduce themselves and their orientation to SBOMs, starting with Kate, then Jessica and finally Alan.

Sure, thanks Steven. So my name's Kate Stewart, I'm a VP of Dependable Embedded Systems here at the Linux Foundation, and my perspective coming in on the SBOM side started about 10 years ago when I was in the embedded space trying to figure out how we could summarize the information that was available in packages so that we all weren't looking at the same package. This was sort of the starting point of the SPDX project, and I have continued working on that, and in the last three years have been involved working closely with Alan on the NTIA efforts, being a co-lead on the formats and tooling working group to understand what the landscape looked like and how we can start to get this operationalized.

Great, thanks. Jessica?

Sure. So I am Jessica Wilkerson, I'm a senior cyber policy advisor with the Food and Drug Administration, and for those of you who've been following along, FDA has been a huge proponent of SBOM for several years. I believe it was 2017 that FDA first announced its interest in pursuing software bills of materials, particularly for medical device cyber security. This was coming on the heels of some cyber security incidents in the healthcare space where it became very clear that not knowing what software packages and other software components may exist within a device or a healthcare environment creates huge security risk. I am specifically thinking of WannaCry, for those of you who remember way back when. So FDA has been working on software bills of materials, referred to in some cases as a cyber security bill of materials in some of FDA's resources, since that time, and we continue to do so. We contributed to Alan's process over at the NTIA and continue to work in other forums, including with international partners, on software bills of materials and getting it adapted and integrated into the medical device ecosystem and the healthcare ecosystem.

Thank you. Okay, Alan?

Thank you, and thanks everyone for joining us. Alan Friedman, currently at the Cybersecurity and Infrastructure Security Agency in the U.S. government, but previously at NTIA, which is part of the U.S. Department of Commerce. I want to clarify also that this is very much an international effort that just happens to be catalyzed by the U.S. government, and indeed that's a big part of why the U.S. government got involved: we wanted a solution to exist in the marketplace that didn't, and we said the best way to do that is to bring together experts from across the different parts of the software world, across different sectors, across different interests, across different parts of the marketplace and around the world to say how do we make this a reality. And so first at NTIA we defined the basics, and now it's focusing on scaling and operationalization. The vision is this: what is an SBOM, how do we move it forward, and also make sure that we understand it as a complex system, right? It's not just a technical aspect, it's not just an operational aspect, it's not just a business aspect; we need to find a way to combine those and have a shared vision that pulls together all approaches.

Okay, awesome, thanks Alan. All right, so let's start with questions. I'm going to begin by saying that we're going to talk about SBOMs, obviously, and why SBOMs are being called a cornerstone of software supply chain security (I've seen this over and over again in print), and also why it's time to require SBOMs. So I'm going to start with a simple SBOM definition, which is that an SBOM is a nested inventory of ingredients that makes up a software component and provides vital information about the software component itself. There's a lot that's packed into that, but let's look into the whole issue of what an SBOM is by talking about why SBOMs are a cornerstone of software supply chain security, and of course part of this is what it is that SBOMs are doing that's so important. So why is it time to require the production and consumption of SBOMs? I'm just going to let panelists respond as they may, because some may have more to say about this than others. So again, why is it time to require the production and consumption of SBOMs? Alan, go for it, you've got the most rehearsed version of this.

Well, right. So first the cornerstone model, like why is this the foundation? Okay, it's a joke: I keep a pack of Twinkies behind me, because you go to the store and you buy a nice non-biodegradable treat, and it comes with a list of ingredients. Why don't we expect that level of transparency in the software that's running our businesses, our organizations, our critical infrastructure? Right, that's the bare minimum. And really, as a foundational cornerstone it is just that: it is a foundation upon which we're going to build more things. So our list-of-ingredients analogy, it won't magically save you from allergies, it won't magically, if you have a plant-based diet, keep you from accidentally eating something like that. So for example Twinkies have tallow in them; now you have to know that tallow is in fact beef fat if you're going to take advantage of this. So it's the starting point upon which we're going to build a lot of great other products, great other services and great other tools.

Okay, anybody else want to answer that, or should we...

I'll just say that, to Alan's point, completely, it's the transparency and it's the summarizing in an effective fashion of what is there. Okay, a lot of open source, all the source is available, okay, great, yeah, fine, or it may not be available in some cases, but you know you're using it. The challenge though is how can we get this to work at scale, and so how do we have a common language for expressing this information so the automation can really come into play.

Well, the one thing that I'd like to probe a little further on, and we'll probably get to this later as well: so we're talking about informationally what an SBOM is, and so there's obviously information in there about the license, there's information about dependencies, but it seems like in the last three or four years there's been a pivot with the addition of trying to understand vulnerabilities when it comes to SBOMs. And it doesn't feel as if anybody has identified that yet as being one of the cornerstone reasons for why SBOMs are important. So should we chat a little bit about this now, or do you want to wait until later?

I think this is where Jessica's really had a good role here.

So yes, well, there's a couple of interesting parts of this, right? So on the one part, and I think it's very critical, and I think Alan and Kate can even talk about this a little bit more cogently than I can, but it is incredibly important in my and FDA's point of view that the SBOM doesn't actually contain vulnerability information. I think that needs to be said: the SBOM is a thing, and it's a document, it exists, and it can be cross-referenced with vulnerability information, but the vulnerability information should not be in the SBOM. But I think the reason that Kate sort of tagged me in this one is that the primary use case for FDA that we've identified is vulnerability response. We have in the medical device sector and in the healthcare sector generally, all the time, people will approach manufacturers or the FDA and essentially say hey, we've found a vulnerability in X product, or sometimes it's a vulnerability has been discovered in Y component, and we're left sitting there a lot of the time like, hmm, does anybody know what medical devices contain Y component? Because we don't. And then if we don't know, we don't know how to analyze what the patient safety risks are, we don't know what manufacturers we need to be contacting to ensure that they're actually responding to the vulnerability, we can't do the things that we need to do in order to fulfill FDA's statutory mission. And so for us SBOM is critically important just from the transparency measure, and we can talk about some of the other things, because one of the big use cases for me is actually SBOM for procurement, but that vulnerability management is huge. It's been the main driver of SBOM at FDA for a really long time.

And to add on to Jessica's point, that vulnerability management role really is something that follows the entire software life cycle. So if you're writing software, whether it's part of an open source project and you're sort of saying all right, let's commit to this, or commercially, why would you not want to know what's down on your dependency graph? And of course there are some tools today, right, GitHub flags this sort of thing for you, but having that in a machine-readable format that scales, that everyone is using across the board, is gonna be very, very helpful. When you're buying something, are you about to buy something that has known bad in it? Right, would you buy something... don't you want the freshest, healthiest ingredients, or are you comfortable with something out of date? You may say I'm comfortable with that, but that should be an affirmative risk-based decision: this is the best, this is the thing that's going to save patient lives, so it's okay that there's some outdated software in there because I can secure that on my network. That needs to be a conscious decision. And then lastly, and perhaps we saw this in December, the world of vulnerabilities is a very dynamic world, and I think that's one of the reasons why we want to make sure that we're mapping between SBOM and vulnerabilities rather than binding them, because they used to be secure and then one day we wake up and there's a front page headline and now we have to scramble and find out if we're affected. And this is really hard if you don't have data that you can search through at scale, ideally with tools and automation. And so that is really one of those long-term things. To pick an open source project at random, right, knowing where Log4j is could be very helpful, and that's one of the powers of this, and I think this is why we've seen a lot of excitement around SBOM in the highest levels of software and in the highest levels of government around the world.

I like the term excitement, I think, very good.

I'll also add in that safety and critical infrastructure is on a lot of people's minds, because vulnerabilities are being attacked in there. So anything that potentially has to do with safety certification, you need to know what's there, and quite frankly the safety standards have been calling for it for a long time for the risk analysis. So in the energy sector, in the automotive sector, any place where there's potentially safety, you need to be secure in order to be safe, and so the transparency is going to be very much useful in that space. And so we have these things all sort of rising to the forefront as more and more is open source, and automation that we need to be looking at.

You know, when it comes to asking the question why is it time now to require SBOMs, both on the production and consumption side, I mean obviously it feels like it's important from just the standpoint of the bill of materials, the Twinkie analogy, but also it feels to me like this idea of safety and the vulnerabilities is really a more pressing concern as we look at what's going on in software today. So is that what's driving the federal requirement, from an acquisition standpoint, to require SBOMs?

So Alan, I can take a stab at that first if you want. So here's the way we've started to look at this, we, FDA, have started to look at this. I think everybody in security eventually wants to move from reactive risk management to proactive risk management, and the journey of SBOM for FDA has been very similar to that. We sort of started out reactively: we're following WannaCry and other incidents, we're like we have to know where this stuff is because we have to be able to respond to it in an efficient and timely manner. I think as we've matured and we've watched the sector mature, both specifically related to SBOM and just in general, we actually want to move to a point where we're using SBOMs proactively, because one of the biggest things that we face in healthcare is the legacy problem, where we just have old stuff. We have old stuff everywhere, and it's unprotectable because it can't be updated; it was never designed to be updated, it's 30 years old, but it still functions just fine, and a hospital is not going to replace a 500 million dollar MRI like you replace your iPhone, right? That's not how that works. So there's a lot of challenges with legacy, and what we are starting to see, and this is becoming more and more of a thing in healthcare, is putting SBOMs as procurement tools, to the point that Alan was raising earlier about don't you want to know if you're acquiring something that's known bad, and give people the ability to have affirmative risk decisions. We're seeing a value of keeping bad stuff out of healthcare environments, and unsafe stuff out of healthcare environments, by essentially using the SBOM as a procurement tool. So we're looking at having manufacturers, medical device manufacturers, produce them, and when a hospital or a healthcare delivery organization is comparing drug pumps, they can sit down with the SBOMs of the various drug pump manufacturers and say okay, pump A is better because it has less vulnerable components according to its SBOM than pump B, so we're buying pump A. And so we think there's huge value in them, and that actually starts to move us from a reactive risk management standpoint for using SBOMs, which is important, but proactive is better, and proactive risk management using SBOM gives us that leg up and that ability to keep stuff out that we might not want in the first place.

In terms of why we want to compel, right, so some seem very, very interested in saying hey, why is the government getting involved beyond just helping coordinate? So take a step back. You say the fact that we don't have it today is because this is a complex system, right? It was very much a chicken-and-egg approach, where no one was asking for this data so no one was supplying it; no one was supplying it so no one was asking for it. And so that means it has been harder to create the market demand for open source tools and commercial tools to help create SBOMs and help consume them. And so one of the reasons the U.S. government, I think, is getting involved is to say it's not just enough to help shape this idea and help the community come together and define it, but we're also going to start driving the market. And so it's much easier, and we want everyone to start asking for SBOMs. When I talk to large organizations that produce software, a lot of them are a little reluctant to share their SBOMs until you frame it this way: it's like, wouldn't you like the SBOM for your software, that you're using? And it was oh yeah, definitely, that'd be really helpful, we could do A, B, C. And so the vision here is to prime the pump, to start saying hey, let's get everyone in the habit of asking for this. That will further create SBOMs, which in turn will drive an ecosystem for saying if we have this data, what could we do with it? There are so many amazing people in the open source space that are creating new things, and candidly there's an awful lot of VC money out there for security, especially for supply chain, and so we're pretty confident that as this data becomes more common and our assumptions about interoperability and scale are validated, we're going to see a lot more tools and a lot more innovation to build on this. And the last analogy I'll share is CVE, right, common vulnerability enumeration. Nothing magical about giving a vulnerability a number; it doesn't fix anything at all, it's still there, you still gotta fix it. But by creating the common data plane, now we all have a similar point of reference and we can start to have common tools, common processes, common services that can help us.

So one thing, and I don't disagree with anything that Alan just said, but I do need to clarify one thing. So FDA, I don't know how familiar people are with FDA guidance, but FDA guidance is exactly that: it's guidance about how industry can meet FDA regulations. It's not required. This is a little bit of a nuanced thing, and if you spend any time in medical devices I can almost see your face as I'm saying all this, but while FDA, we're not requiring SBOMs, we are recommending in guidance that you put them in there, and we are recommending extremely strongly. So I just need to clarify that one bit.

And again, to be slightly more precise, thank you Jessica. So what is the U.S. government currently proposing? Under the May executive order, number 14028, that came from the White House, they are going to ultimately require that things the U.S. government buys have an SBOM. Now a couple of points on that. From a policy perspective, the U.S. government buys a lot, and so we think that we'll have an approach, but it is not... it is certainly going to affect actors in the private sector and in the open source world, other than just saying hey, we know that there is going to be more interest in having this data around, and it's going to have a much broader effect of having people say oh, that seems interesting, maybe I want one of those too.

Okay, awesome. Listen, I want to shift gears a little bit. I just came off doing some SBOM quantitative research, worldwide research, and prior to landing at the Linux Foundation I was an industry analyst for 30 years, and I will tell you, I was driving a lot of research in application development and deployment, and I never once heard the SBOM term come up in conversation with vendors. And this was an eye-opener to me when I landed at the Linux Foundation. So a focus of the research that I did in the SBOM space was to understand what the penetration rates were, what adoption was, and what projected adoption was going to be going forward. So let me just give you a couple of numbers, then I'm going to ask the panelists to kind of comment on whether this surprises them or not. So we have 47% of the sample using SBOMs today in some capacity. Now, some capacity means they're using it in a few lines of business, or some, or many, or they have adopted it as a standard across their company, so it varies depending upon how much they're actually using SBOMs, but they are using them in some capacity, both on the production and on the consumption side. We have 40 percent of this sample not using SBOMs today but planning to use SBOMs sometime in the next two years, meaning 2022 and 2023. And when we look at the timeline based on when they said they were going to be adopting SBOMs, we end up with 66% growth in 2022. That basically increases penetration from the 47% all the way up to, what was it, 70... 78% I think it was in 2022, and then growth's going to taper off in 2023 to be 13 percent, because we're already at a pretty high level of adoption. But yet 13% growth across 2023 ends up, I think, at 88% penetration overall, which is quite high. But I think a lot of the reason it's high is because of the executive order and similar kinds of activities around the globe. So given all of this, does this come as a surprise to you as a panelist, or is this expected based on the work that you've been doing behind the scenes here? So what do you guys think?

So I'm watching Alan and Kate not come off mute, so I will take a shot. This is entirely expected. I can keep this answer short, because at least in the medical device manufacturer realm FDA has been saying for five years now that, you know, you'd better get ready to be able to produce and consume SBOMs. So maybe I'm a little too rosy of a perspective, but I think the medical device manufacturers are like yeah, we gotta do this, yeah.

I think the recent focus has really crystallized and got the bus over that hump of adoption, because there's been people who've been wanting to do it in the embedded space and have been doing it, quite frankly, for eight, nine years. The challenge is it hasn't hit the mainstream mindshare, and so the fact that it is now starting to hit the mainstream mindshare is tremendously exciting, and it also means that people have done the work, a lot of the work, beforehand, so it's there to be taken advantage of too. So it's nothing... it's building up on things.

Yeah, great. Alan, do you want to comment, or do you want me to move on here? Because I've got to drill down.

The last thing I'll say, just sort of highlighting what's under the water, is that this is a model that only works if we have a pretty common global understanding of what an SBOM is, what an SBOM isn't, sort of following a certain model of crawl, then walk, then run, and building a modular architecture, making sure that, hey, there's a lot of stuff that's relevant to the SBOM and we want to tie it to it, but maybe we shouldn't build it straight into this approach. So there's a lot of different moving pieces, and I think the value is making sure that we're all on a similar page, we're all using very similar software if not the same software further up our supply chain, and so even though our sectors are different, our technologies are different, the momentum has come from having a very common shared understanding.

So okay, well, given this really strong interest in adopting SBOMs, maybe we should try to talk a little bit more about what each of the following groups are going to be doing, or will be doing, what's on their roadmap to help ensure SBOM adoption in this year and next year. And I think we should look at this from the standpoint of the role of the government, the role of the vendor community, what should end users be doing, and also potentially what should industry organizations like the Linux Foundation be doing. So does somebody want to start? I mean, I think Jessica, you've already sort of mentioned what's going on at FDA, but from an overall government perspective, what should the government's role be now that we've got some momentum behind SBOMs? What should the government do to help perpetuate all of this momentum?

So I might defer the what should the government be doing question to Alan, who sits at a bit of an organization that has a little bit of that broader view, but for FDA, we're already doing it. Again, for those involved in the medical device ecosystem, I know everyone is waiting with bated breath for the updated draft of the premarket cyber security guidance. It's not a secret SBOM's gonna be in there, right? Like it is a recommendation, an extremely strong recommendation, has been for half a decade for FDA, that you produce and consume SBOMs to have better cyber security risk management, and we're going to continue pushing that. And FDA is going to continue, in the forums that we're involved in and in the conversations that we have, essentially saying that, bottom line, we understand it's hard, we understand the tooling is still being developed, we understand the best practices are still being developed; you need some. And that's pretty much the approach that we're taking.

So I see a couple of different roles for the federal government, or the U.S. federal government. One is to help catalyze the community effort, right? This isn't something any one party should be driving, because there are different equities, right? We need to understand what's important for the open source world, for the commercial world, the proprietary world; what's important for the tool vendors is gonna be different than what's important for the users of the tools. And so trying to build this model is gonna be important moving forward. We've identified a number of areas that we want to advance collectively, including how do we think about SBOMs for cloud and SaaS (it's a little different than on-prem or embedded), and also how we're gonna move this data around, what's the transport model look like, because we don't really have some global ways of thinking about that, especially if
we don't if we want access control as a layer so there's an example that so one is just catalyzing that two is coordinating this effort as i mentioned this is something that really is a global effort we've partnered with our friends in the german government and the japanese government as well as companies around the world organizations around the world and so we want to uh make sure that this stays uh something that that is really built on collective effort and the last thing i sort of want to emphasize is if we're still talking about s-bomb as a unique novel thing in a few years i will have considered that a failure on on my part because the goal is to sort of make this just part of the vulnerability ecosystem right this shouldn't be seen as a unique idea this should just be seen as how we make software how we talk about software how we handle software how we evaluate software um and so the longer term you know the roles of government is to make sure that this is integrated into all those other parts of the vulnerability ecosystem that are happening around the world and i'll say it extends beyond the vulnerability ecosystem too it should just be how we make software period um from the standpoint of the vendor community and service providers is there something is there something that needs to go on there to uh to help be able to satisfy all of the growth that that's gonna that is projected to to happen in this year does anybody want to take a swing at you know what the vendor and service provider community should be should be thinking about i mean i think so the vendor and you know having commercial offerings out there and having consultants out there that people can work with for doing the analysis is going to be key for adoption um some people will want to do things and roll their own and work with open source tools and everything else there's a lot of other people that just say okay i just want to hit the button and it show up i really don't want to have to 
think about this hard i'm willing to pay you some money to help me and that makes a market opportunity for people to basically create new uh innovative business models as well as helping advance the transparency at the end of the day um so having the um capabilities there and being able to work with the open source communities who are trying to do this as well as help reinforce common understanding of what the semantics of the fields mean um these are things that i think we all can be working on with vendors as well as open source to really make it move forward because there's lots of different systems out there there's like you know there's lots of different vulnerability systems out there right and being able to link into all these different vulnerability systems is kind of key as well yeah and i'll say for what one thing that we've been very cognizant of um is for smaller manufacturers and for uh fda doesn't regulate hospitals but for the hospitals who we expect to be receiving this information we have heard concerns that they're like look we're already flooded with vulnerability data we're already flooded with all kinds of information that we have no idea what to do with and now you want to dump all of this additional information on it like we we don't we have no idea what we're supposed to do with this and so i will i would say that the the vendor tool community is actually going to be critical in uh actually operationalizing a lot of these things because you have organizations who are just like unless to kate's point they get the like press the button service then handing them a bunch of s bombs doesn't do any good and we don't go anywhere so um i expected the tool community to be a very critical part of this so building on that point there's two things to flag one just on the downstream user software completely there's always going to be a maturity model in all of security um that doesn't mean that we shouldn't work on advancing it we know that most things 
in security sort of follow a a trickle-down path of starts off with very elite organizations hiring world-class experts rolling their own tools and solutions and then we sort of fit into turnkey you know the example here is threat intelligence uh no one says hey because your small organization can't handle threat intelligence they're still doing you know the basics doesn't mean that we shouldn't build out new threat and tell tools uh or sec ops tools for development um the other thing to flag and something that's uh really a concern for a lot of us inside the us government is we're always worried about things that put small businesses at a disadvantage right we know that a lot of innovation comes from smaller organizations we don't want to give them these large heavy regulations that were sort of really motivated and had input from giant tech companies or giant contractors but didn't really have the small business in mind the great thing about s-bomb i think is for especially people are developing software this is often if not usually much easier and cheaper for smaller organizations i'm right if you have a modern development tool and a modern development pipeline there are tools out there that can spit out s-bombs in whichever data format you want uh and can write can be integrated into this this is something that is is beneficial if you have a modern thing it actually is harder if you're a legacy with legacy stovepipe pipelines okay um one thing i'll just add about the vendor community um the research that i just uh i just did on on s-bombs it shows that from a kind of a best practices standpoint end-user organizations are are really trying to understand which vendors are going to be providing s-bom tools out there and one of these tools going to be available so i think one of the things that communicates is that the vendor community needs to take a more proactive and visible stance in terms of driving up the visibility around what they're doing with us bones and 
also putting putting more into messaging from the standpoint of communicating to end users what their capabilities really are here so let's um let's talk briefly about s-bombs and this uh this whole issue of existing and emergent component vulnerabilities um i mean the first question is i mean i know that s-bombs don't contain information about vulnerabilities but they do potentially link to known existing and emerging vulnerabilities so one of the things i i guess let's just clarify you know what is the stance what do s-bombs do today and potentially tomorrow if they don't do it today what's the relationship between s-bombs and known vulnerabilities where are we with that at this point in time sure so um i'll kick us off and all i think allen's probably going to end up talking about vex and i will try to make uh as few faces as possible while that conversation is ongoing um so you know s-bombs and vulnerability management uh is a is a complicated marriage because right we've been saying all along we one of the major use cases for asphalt is vulnerability management um and i we we have heard the concern raised uh in the past and and still now that look if we give people an s-bomb they're gonna go to the cve database so they're gonna go to another vulnerability database and they're going to look up well here's all these components and here's all these vulnerabilities and now i'm going to go back to the vendor and the vendor must fix all these vulnerabilities and uh the vendor might be like well yeah the vulnerabilities are there and the components vulnerable but like you don't need to worry about it because compensating controls or you know whatever else it is that they're gonna um whatever else it is that they're gonna argue and look i'm being extremely dismissive of it and i'll admit that because this is this is something that i find extremely personally frustrating um log for j not vulnerable until it was right and we've seen that all the time where there's you 
have a vulnerability uh so it's vulnerable but it's really complicated to exploit except until somebody puts up the new poc that makes it really easy or until you start chaining them together with a bunch of other vulnerabilities that means that suddenly that's extremely exploitable and a huge problem so i will say from the fda perspective we have not necessarily been that receptive and in fact have pushed back very strongly on this idea of it's okay to have vulnerable components and you know we'll just wrap compensating controls and other things around them and somehow that completely mitigates the rest you know it's we it's going to take time and over time we'll get better at this but having vulnerable components uh within a device is just asking for trouble and the more and more that we keep integrating software into everything that we do and into critical infrastructure that just becomes less and less and less acceptable and i don't know why we would voluntarily do that if we have the information and we have the ability to not do it so that you know that's certainly where i think i'm coming from and where fda is coming from on sort of this this you know challenge between vulnerabilities and s bombs and so on go ahead and i'll so uh to coin a completely original phrase all good software is the same all bad software is bad and uniquely different ways uh and i totally understand uh jessica's perspective especially because as a government regulator she's been lying to in the past people have said you know hey there's some great stories where people say oh this doesn't affect us but they said it too soon and and and we've talked to lots of downstream software's and say i will never trust either this specific vector or need any vendor if they say something however i think there still is a large class of ways where someone may say um this is not as bad as it may appear just by looking at ability and mapping a vulnerability to an s uh now that's true for a couple 
reasons one we sort of have to acknowledge that resources are finite everywhere uh and right having someone implement a major fix or indeed a major feature might be more important than taking care of a low probability vulnerability uh who is the best who is the best position to make that risk decision is a tension between the supplier of the software open source or commercial uh open source proprietary and the user and there's gonna be different models obviously if you're in a very high assurance domain where you know you're regularly under active threat by adversaries you're going to have a different perspective than if you just want your stuff to work and you want it to be cheap um one of the things that we're working to develop in parallel to s4 is this forgive me this is probably the worst named project in all of software and it's all my fault uh vulnerability exploitability exchange or vex and i'll post a link in the chat for a one-page summary of it the vision here is it allows a software supplier again could be the open source project could be a proprietary supplier to say um this product and this vulnerability it is not affected by this vulnerability even if it contains it now there are many reasons it could be and we're working on sort of building out uh mach and the goal is to make it machine readable and so the vision here is to allow someone to say yes i'm using heartbleed 1.0.1 because i haven't had time to refactor my code but i'm only using the pseudo-random number generator and the heartbeat function isn't even in the product right the compiler did not include the software that puts that puts you at risk of random memory leaks from the heartbleed vulnerability here is how do we enable that to happen automated and of course no one has to trust this is a set of assertions and you can say you know what these vendors these suppliers totally trust they've got great product security teams these guys not a chance we're still gonna either you know we're 
still gonna treat it as if it's vulnerable and the the last thing i'll say is we can also there are things that we can do to supplement this with trust so this for me is a great example um i'm not always the world's biggest fan of bug bounties but this is a great example where a bug bounty can be very useful where someone can assert this product this vulnerability does not affect my product and to support that here's a hundred thousand dollar bounty if anyone can sort of figure out how to chain it or if anyone can figure out how to exploit it so that allows us to sort of build out further infrastructure again shouldn't these things these things as unique want to talk about how they all fit together on i'll build on that then because that takes me into the embedded space and um actually one of the problems we had with the zephyr project is when fnet amnesia 33 came back out and fnet was there um our lts had fnet in there however actually the version of zephyr never had the files that were affected at the source file level so we had no way of signaling to people that that version of zephyr was not affected and so we had to put a blog post out so having vex and having a way of summarizing this in an automated fashion is going to be very powerful for open source projects as well as vendors um and in fact you know some of the comments one of the common questions that sort of came in from the audience here was you know well this can't apply into embedded well actually yes it can and embed is leading the way in certain areas right now um in particular i'll call out like the octo project right now when you're doing builds in the octo project which is embedded all the way you have the access to full reproducibility of your packages which is one thing that helps with that long-term maintainability and you have the ability to generate a software bill of materials automatically and getting this automatic building of software build materials in the embedded space is going to be 
pretty much key to um having these devices that are showing up in critical infrastructure like medical and so forth being able to know that we've got a clear understanding of exactly what's in there because it's been as it was built you have the summary coming out the zephyr project has also added this capability in so that anytime you're doing a device it's really memory constrained you have that ability to come out with a file that summarizes all of this information and there's no reason this can't be scaled to everywhere else in the industry like i said we've got some proof points out there now open source projects doing the right thing automatically and making it easy for people and i think that's where we need to go for everyone hey awesome listen uh before we shift over to question and answer let me ask one more question here which this comes this is uh based on best practices that end user organizations want to see in the s-bomb space the survey data that i collected shows that 62 percent of organizations are looking for best devops practices for both producing and consuming s bombs number two at 58 was best ospo open source pro you know program office practices for integrating s bombs into governance risk and compliance and then you know understanding how s bombs are going to evolve over time came in at 53 and then finally uh knowing which vendors are going to provide s-bom tools was at 46 so given those sort of requests for what we should be doing to support the the user community around s-bombs is there anything else that sort of jumps to mind that you think is important that will help the end user community be more successful with the s with s bombs i love watching all the tools that are coming out um right that is sort of this has been s-bomb coordination and promotion has been my full-time job now for four years uh and and it's been fantastic to see every six months another wave of projects and of companies that have started on this so i think the 
short answer is i'm going to call back something kate said which is um we're working is sort of building out this sort of tool model um both the spdx community and the cyclone dx community have done a good job of sort of helping shepherd the tooling in their ecosystem and one of the things that we want to do down the road at cisa is sort of have more transparency to that marketplace so that folks can sort of understand how to compare tools and make sure that they are functionally equivalent uh and so that's one of our goals okay um well listen i think we should probably switch over to question and answer from the audience at this point um so let me uh what i'll do is i'll be i'll i'll identify the questions been asked by the audience and then we'll see you know who wants to or who wants to uh and to answer the question so the first question here um is how should we think about applying s-bombs to development and cicd processes and i think to that i'd also add maintenance um so you know any any uh recommendations on how best to sort of bring s-bomb tooling in and you know how to integrate that into some what what's happening inside of devops so i think i'll start then um putting plug-ins into the tooling there's a bunch of plug-in options out there that people can integrate i'd say start with that and then see where they're lacking and quite frankly contribute back upstream and help make these things robust and able to scale um so there are there's their starting points out there um the kubernetes community for instance has already you know incorporated some of this um so you know looking at that project you know looking at what they're doing um helping the you know as one generation if it's not doing exactly what you want help contribute make suggestions help improve because we need to get a whole community working together to get this to scale uh following on the heels of that we have a question which is i think related which is will s-bomb formats and content be 
standardized so we've i think done a decent job thus far from saying what's a baseline model this is something that the community worked on uh sort of having a initial vision in 2019 and then in 2021 uh sort of built out uh further uh here's all the different pieces that we want um i'll acknowledge that there are some spaces where we're still i think there's still some ambiguities uh so for example if we want a hash of a component pretty common part of software um both uh the data formats have some advice on how to implement that i don't think there's sort of global guidance on that so we're some tweaks around the edges because i think this is going to be something that is going to evolve the last thing i'll say on data formats uh is there are two widely used today uh spdx which is comes out of the linux foundation kate's been a great leader on that front cyclone dx comes into the os world they're both great projects they're both open anyone can get involved i encourage you if you're interested to think about them um our interest is to make sure that they're interoperable uh because we don't think that you know one is inherently going to win out over the other and that's okay um we can live in a world that has multiple data formats uh and i've been really pleased to see the communities uh work together to make sure that they're harmonized and so i just want to doff my cap to build the spdx and cyclone dx team for making progress on that front okay awesome so our next question here which is a really interesting one which is how do the panelists feel about the confidentiality of the s-bomb is this a blueprint for attackers no it's a blueprint for the defenders thank you very much the attackers know this stuff guys and uh what we're trying to do is give tools to the defenders to actually you know understand what's there yeah the right we know that security is a fool's game so uh and we know that jidra and reverse engineering tools are free anyone who wants to know 
what's in a piece of software can uh and the the caveat there i will also say is there's no need for them to necessarily be public and we know that they're going to be different sectors where they're going to say s bombs won't be public one need to make sure that we have a way of sharing them with uh downstream users right so customers are going to be asking for them uh and ultimately it is going to be up to both sectors and specifically to figure out what they're willing to share publicly versus confidentiality um the challenge there is right if you say i have this data and it's confidential well now we need some infrastructure to talk about how to share them so now it's not just about moving data and making sure that it's available timely in a timely fashion in access control layer on top so there are companies today that are creating their s-bombs and just sharing them publicly uh you know just a well-structured url organization dot blah blah blah slash s-bomb and making it public but there are also going to be folks that are saying hey you gotta go through our vendor portal or something like that see it that's okay too vendor portals just don't scale next question is can we achieve complete automation of security yes no we can achieve a lot of automation in security but you know there's always going to need to be and and this goes to some of the point of um you know a vulnerability might be different for different people right if my environment has different contextual risks than your environment then i might make a decision a different decision about how to respond to it than you um so i think automation can can help and start to help prioritize and contextualize a lot of that information but at the end of the day you have to have people who are sitting there who have the ability to make the the informed risk decision about how they're going to handle it because the other thing that i would add too um you know and this is critically important for fda and kate 
hit on this a little bit security isn't the only consideration right and i think alan mentioned this a little bit too right treating patients is why people make medical devices they don't make medical devices so that the medical device can be secure i mean if you you have to make the medical device or the medical device can be secure so that it can be safe but you're designing it to actually provide a health care service not or a treatment or whatever it is not security isn't the end goal so there are going to be circumstances and we do talk about this in the s1 space and in other spaces that sometimes you are going to be weighing the benefits uh or the risks of some security vulnerabilities against the potential benefits of whether or not that means you continue to use that device to continue to treat patients so you know you have to be able to make those kinds of decisions the next question here has to do with producing and consuming s-bombs and the question is are there security concerns with producing and consuming s-pumps and that was something that i thought about too which is you know i know the hash totals are very useful from the standpoint of being able to validate or reproducible build but um how trustworthy do west bombs how trustworthy rs bombs in light of the fact that there needs to be security around the creation and consumption of s-bombs so uh a phenomenal question and definitely where we should be thinking about from a security perspective but it's 2022 so we don't just talk about security we thread model uh and there is going to be different folks that are concerned about different things if you're worried about having a just a vulnerability on your network known vulnerability that someone can exploit an automated tool then getting the best faith best effort s-bomb uh is going to be you know the important thing um if you're worried about someone actively subverting your supply chain then we need to start layering in trust in integrity checks and 
the good news is uh there are some tools that are moving in that direction um want to uh complement uh you know the great folks at sig store uh who are sort of working on making sure that we have some trust inside of here and ultimately saying hey in addition to my s-bomb i want artifacts about the build process to build an environment who had access to it all of these are what we want to head ahead to is we're now getting into very domain specific and tool specific approaches that may not acceptable to ask for um you know your average mid-sized company that's software uh and so the goal here long term is to think about how do we integrate all of these layers in uh so that people who want this information know how to ask for it in a globally understood way and to sort of make sure that we can sort of follow a maturity approach where we have the basics or on things like integrity and trust and for metadata so i'm gonna i'm gonna jump in because i know we're running out of time and there's a number of questions that have come in that i wanted to sort of hit on all at once um so some of the questions are essentially around you know if we if we do s bonds in this way and the expectation is that all of these vulnerabilities have to be fixed and all these things well the price of software is going to shoot up and yeah no and or companies may not be willing to disclose vulnerabilities because it could have financial ramifications on them look you don't want to disclose vulnerabilities you can roll the device and where you can roll the dice and not disclose vulnerabilities but i can tell you for example in the medical device space we one there is an expectation or it's a strongly recommended uh procedure for fda that vulnerability disclosure and devices takes place and that's not it though fda regulations require that you have a safe device if you have a vulnerable device you might not have a safe device and if you don't have a safe device because you have a vulnerability 
device you might have to recall your device um and so you know if a company decides not to disclose a vulnerability and it comes out later anyway which let's be honest it always comes out later um then how much worse are the financial ramifications going to be then how much worse is the reputational damage going to be then if it looks like a company hit a vulnerability from the public um you know that's that's never the right answer and so you know i i understand the concern from organizations that like look this is going to be expensive um this is my impact our reputation because we aren't going to want to essentially disclose the fact that we're using outdated unsupported vulnerable software in our products um and all these other things but like guys it's 20 22. we've seen we've seen cyber security incidents take down gas pipelines we've seen them uh put patient safety at risk when hospitals are getting hit with ransomware we've seen all these things and 90 percent of the time it's known for vulnerabilities that just people haven't fixed or that they didn't know were in their systems because there's no transparent software development this is not a sustainable way for us to continue as a nation approaching cyber security when we are relying we are putting people's lives on on the line in the hands of crappy software and then essentially now trying to turn around and say it's too expensive or it's too hard to not do that and i got to be honest with you from from the fda perspective that's not really an acceptable answer to us anymore so that's awesome ellen you want anything to that okay okay yeah there's a question that's in that um and then i'd like to just quickly touch on which is you know to what detail should the s-bombs describe what's in the software package you know that just at the component level versus the source level it's a fidelity question and it's how much automation you really want to play if something has to be high assurance someone's license 
there you may want to have that full traceability down to the source file level and every hash is there and you know all your build information because quite frankly you need that to do your safety analysis so um you need to be able to scale from just the component level which is you know a low fidelity but it lets you at least see the live land to all the way down to those source files and you know the amnesia 33 example i just referred to as an example uh what's a you know was a way of clarifying that and if we want to automate we have to be able to do that level of scaling all the way potentially even down to the snippet level okay great hey here's a good question which is um how do we retroactively generate s-bombs for already deployed products that is a fun question i haven't thought of that and it's a great question and well in the the good news is there's actually a thriving marketplace for this um so the answer is we use binary analysis tools and source composition analysis tools uh there are some great ones out there today uh there are even ones that are focused on particular sectors there are companies that are doing this explicitly for medical devices there are a couple of the energy space telecom space so um one of our challenges is going to be to sort of figure out how do you reconcile the output of one of those tools with the output of a build tool or a source tool because there are subtle differences uh but in the short run there are things that look an awful lot like s-bombs that can come out of these tools okay awesome well listen more on time here so i'd like to thank our panelists uh kate jessica and alan for joining me today i also like to thank the audience for the great questions and i think mauricio now has some final instructions for those of you who are listening in thank you so much stephen and thank you kate allen and jessica for your time today it was an incredible webinar um and thank you everyone for joining us just a quick reminder 
this recording is going to be posted to the linux foundation's youtube page later today so you can check back there for the recording okay thank you everyone again so much have a wonderful day thanks everyone thank you
