Discover the Software Development Invoice Example for Research and Development that Streamlines Your Billing Process

airSlate SignNow simplifies document management with an intuitive eSigning solution, helping you save time and reduce costs while enhancing productivity.

Award-winning eSignature solution

Send my document for signature: get your document eSigned by multiple recipients.

Sign my own document: add your eSignature to a document in a few clicks.

Move your business forward with the airSlate SignNow eSignature solution

Add your legally binding signature

Create your signature in seconds on any desktop computer or mobile device, even while offline. Type, draw, or upload an image of your signature.

Integrate via API

Deliver a seamless eSignature experience from any website, CRM, or custom app — anywhere and anytime.

Send conditional documents

Organize multiple documents in groups and automatically route them for recipients in a role-based order.

Share documents via an invite link

Collect signatures faster by sharing your documents with multiple recipients via a link — no need to add recipient email addresses.

Save time with reusable templates

Create unlimited templates of your most-used documents. Make your templates easy to complete by adding customizable fillable fields.

Improve team collaboration

Create teams within airSlate SignNow to securely collaborate on documents and templates. Send the approved version to every signer.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Sample documents:
  • Checkboxes and radio buttons
  • Request an attachment
  • Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and pick them up later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to eSign documents quickly without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to eSign, and include a charge request field in your document to automatically collect payments during contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.

Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.

Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Software development invoice example for research and development

Creating a software development invoice example for Research and Development has never been easier with airSlate SignNow. This platform not only simplifies the signing process but also provides a range of benefits that streamline document management for businesses of all sizes.

Software development invoice example for research and development

  1. Open your web browser and navigate to the airSlate SignNow website.
  2. If you're new, sign up for a complimentary trial or log in to your existing account.
  3. Upload the document you need to sign or that you want to send out for signatures.
  4. To make future use easier, consider converting your document into a reusable template.
  5. Access your document to make necessary edits, including adding fillable fields or inserting specific information.
  6. Complete your document by signing it and including signature fields for the recipients.
  7. Click 'Continue' to configure and send out your eSignature request.

airSlate SignNow offers businesses a cost-efficient solution to manage and eSign documents seamlessly. Its user-friendly interface enables rapid adoption, making it an ideal choice for small to mid-sized businesses looking to optimize their workflows.

Experience the efficiency and peace of mind that airSlate SignNow brings to document management. Sign up today to explore its capabilities fully.

How it works

Access the cloud from any device and upload a file
Edit & eSign it remotely
Forward the executed form to your recipient

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most-used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!

FAQs

Here is a list of the most common customer questions. If you can’t find an answer to your question, please don’t hesitate to reach out to us.


What active users are saying — software development invoice example for research and development

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

I couldn't conduct my business without contracts and...
Rating: 5
Dani P

I couldn't conduct my business without contracts, and this makes the hassle of downloading, printing, scanning, and reuploading docs virtually seamless. I don't have to worry about whether or not my clients have printers or scanners, and I don't have to pay the ridiculous drop box fees. SignNow is amazing!!

airSlate SignNow
Rating: 5
Jennifer

My overall experience with this software has been a tremendous help with important documents and even simple tasks, so that I don't have to leave the house and waste time and gas to go sign the documents in person. I think it is a great software and very convenient.

airSlate SignNow has been an awesome software for electric signatures. This has been a useful tool and has been great and definitely helps time management for important documents. I've used this software for important documents for my college courses, for billing documents, and even to sign for credit cards or other simple tasks such as documents for my daughter's schooling.

Easy to use
Rating: 5
Anonymous

Overall, I would say my experience with airSlate SignNow has been positive and I will continue to use this software.

What I like most about airSlate SignNow is how easy it is to use to sign documents. I do not have to print my documents, sign them, and then rescan them in.


Software development invoice example for Research and Development

[Music] Welcome to the SEI Podcast Series, a production of the Carnegie Mellon University Software Engineering Institute. The SEI is a federally funded research and development center sponsored by the US Department of Defense. A transcript of today's podcast is posted on the SEI website at sei.com podcasts.

Welcome to the SEI Podcast Series, a production of the Carnegie Mellon University Software Engineering Institute. My name is Suzanne, and I'm a principal researcher in the SEI Software Solutions Division. Joining me today to talk about their work on designing and building a software bill of materials framework are my friends Michael Bandor, a senior software engineer, and Dr. Carol Woody, who's a principal researcher over in CERT. Welcome to you both.

Hello. Yeah, good afternoon.

So let's begin by having you tell our audience a little bit about yourselves. I know you've both been on before, although Mike, it's been quite a while. So let's start with you: tell us what brought you to the SEI, what you do here, and what's one of the coolest things about your job.

I joined in May 2005, just after wrapping up an almost 23-year military career with the US Air Force as an enlisted programmer. I was aware of the Software Engineering Institute from their process improvement days and was a practitioner, so they were a known factor. The coolest thing to me is the way we work across our various customer bases, the DoD and federal government. We can see trends and see things that might not readily be apparent to other organizations, and we can bring some of that insight into our customer work and say, hey, we're starting to notice this problem's creeping up across several programs; maybe there needs to be a way to address it. We can also be early adopters of many things. We were one of the early folks assisting the DoD with agile implementations. SBOMs are going to be another case where we're getting an early foot in.

Okay. And Carol, what's something you haven't told us before about you in terms of your career here?

Oh, now that's a tough one, because I've done lots of podcasts. Well, I came to the SEI to actually finish my PhD. I was a consultant for New York City, having a five-and-a-half-hour commute every day, and one does not get things done like in-depth research doing that. I stayed after I finished my PhD because it was such a neat team of people to work with. It's like being one of the superstars, with all this in-depth knowledge that you can wander down the halls and connect with. Right now I'm leading a team of experts. We're focusing on the challenges of cybersecurity early in the life cycle, because too frequently organizations are kicking the can down the road. They don't know what to do about cybersecurity until it's almost too late, and by that time they've designed in all kinds of problems, they've built in all kinds of problems, and they're going to have to start over, which nobody's willing to do. So that's why we have a lot of operational problems that we still don't know what to do with. Mike and I are working with other cybersecurity experts delving into how we integrate cybersecurity in the supply chain, because that is almost the Holy Grail at this point.

And we have a podcast on that, so that's one of the things we'll reference in the transcript, because that's a very important piece. So it's good to have you back, Mike. It's good to talk to you on the podcast; it's been a long time, as we were talking about earlier. Today, as Carol mentioned, and Mike, we're here to talk about the idea of a software bill of materials and the framework that you've put together to help people deal with that. But let's first talk about the threat landscape. You talked in your blog post about a recent report from SecurityScorecard that examined more than 230,000 organizations, and they found that the systems of 98% of them, so well over 150,000 of them, have had third-party software components breached within the preceding two years. Can you talk a little bit more about this, and talk about sort of how the SBOM idea might actually have helped to avoid all of those breaches, or at least some of those breaches? Carol, let's start with you.

Yeah. Since the Heartland incident, which was 2009, that was one that really hit a broad group of people. A lot of credit and debit card transactions were exposed, and a lot of people got very nervous, but not nervous enough to really address the problems. But they've been growing exponentially since then. Essentially, we're dealing with confidentiality, integrity, and availability of all of this critical data that gets compromised in every one of these activities, being a real challenge for identity theft, for organizations' structures in terms of financial management, etc. I mean, everything is being exposed these days. A big chunk of this is now coming through the third-party products and services that we've all been adopting very energetically, because it saves us time and money. We can do things quickly; we can implement them very, very quickly. But what you're doing is you're basically adopting risk from other organizations, and you don't really have good insight into what they're doing, what pieces of other products they've actually integrated into what they're selling you, or giving you in the case of open source. And without an SBOM you really don't have any level of transparency into what's going on, aside from the marketing material and maybe some implementation guides. This is a lot of risk, and to start reducing this risk is really going to be massive. We're hoping that SBOMs will start to be at least a step forward to provide us transparency, but it's no silver bullet. Mike, you've been participating in some of the experiments with that; maybe you want to add your two cents' worth.

Sure. Some of the earlier work we did for one of the customers revolved around software obsolescence, and as we were doing that, the SBOM information came out. I started looking at this: it looks like an SBOM, it's pretty much the same information. And so what we found is a lot of organizations tend to track things on spreadsheets. You go with the lowest common denominator, and that was one of them. They were trying to track components and relationships on a spreadsheet. You can't see all the interrelationships that way, and so we started using a graph engine, d4j, ingesting the data, and started to see where, oh, this has a dependency on this package, but so does this, and so does this. You start seeing things from a broader perspective than just the spreadsheets would show you. That was some of our early experimentation.

So when we're talking about an SBOM, if I have an app on my phone, let's say I get an app for a debit card, you know, a bank. Right now I'm guessing I couldn't send an email to the bank and say, hey, could I see the SBOM of all the different applications that your phone app depends on? I'm kind of assuming we're not there yet in terms of that level of transparency.

No, we aren't there yet. The concept of an SBOM's been around for a long time. The hardware world's had bills of materials, or HBOMs, for a long time, but for SBOMs there have been attempts over many years, and there's been some reluctance to provide, okay, what's the ingredient list. That's actually one of the things: well, I'm revealing something, I don't want to do this. No, you're saying these are the ingredients, but I'm not giving you the recipe, how to assemble those ingredients. That's a big difference. But some people don't even want to let you have the ingredients, because they fear that you're a good enough chef that you can actually reverse engineer it. So that's where some of that fear comes from.

So there is this balance between transparency and privacy, in terms of the privacy of the people that are building the application, and intellectual property as well. Go ahead, Carol.

The other piece is that if you know you're using products that are of sketchy origin, by providing this SBOM you're essentially providing information to those that might want to do something to your product that you may not want to have added. So it's somewhat of a listing of potential vulnerabilities, if they can identify them in the components that you're using. So all of those become very much concern points for vendors in terms of putting these out in the open. I think we're not looking at them as something that somebody's going to be able to just call up and arbitrarily get their hands on; there'll be a little bit more control on it than that.

And when I look at the commercial side, there's that, and then we also have the DoD, and we have Executive Order 14028 from 2021, and that basically says the US government has to enhance supply chain software security and integrity. That's one of the places that you're looking at SBOMs really being a part of that understanding, is that correct?

It is, but the SBOM by itself is not going to really do anything more than provide you with a picture of what you've got and maybe some insight into where you might be vulnerable. Certainly it's going to take a lot more integration with other information to actually make use of it. We've been exploring a lot of the potential for how we can actually leverage an SBOM. Face it, if you have a lot of third-party software, you're going to have a lot of data around SBOMs. If you're going to the expense and energy of collecting it and putting it together, we need to make more use of it than just having a nice package on the shelf that checks the box and says, yes, I did compliance. So we have been exploring how do you get value out of this, how can you really make it work for your organization. Some of that comes with what Mike was talking about with the visualization. I think a lot of it also comes with just increasing your familiarity with what you really have as far as risk. You should be able to start to assemble a realistic perspective on what you have in house and potentially how you need to improve your protections. Mike, did you want to talk a little bit more, maybe, about the graphics that we were doing in terms of the use cases?

Yes. On behalf of one of our customers, we started looking at some use cases for SBOMs, and what an SBOM has in it that can answer that use case on its own versus I need additional information beyond the SBOM. For example, an SBOM will tell you I have component X and it depends on component Y. It won't necessarily tell you where in the software architecture it is; that information is typically not part of an SBOM. It will tell you what hardware element or segment it's in. So you're going to need additional information from there. So an SBOM plus other information gives you a lot better sight picture on what's going on with your system, what the risks are, because it could turn out quite easily, arbitrary example Log4j, that you've got more than one instance in your system that multiple components depend on, that you may not necessarily be aware of until you start looking at those dependencies. And this also includes your tool chain that developed those products.

Okay, so we've been talking around SBOMs without actually defining what's in and out of the SBOM. So before we go further, why don't we go ahead, and for those that aren't familiar with this concept already, what would they expect to see in an SBOM, and as you were saying, Mike, what would they expect not to see?

So in the guidance that came out, there's a minimum essential elements document. What that laid out was we expect to see, okay, the author: who provided this information, where is the component from, the name of the component, the version number, if there's some sort of unique identifier, what is the date of the SBOM, how current is it, and does it contain or depend upon other components. That's where you get your primary, your secondary, your tertiary, all those layers down till, oh, I don't depend on anything else, so I know that that line stops as far as my dependencies are concerned. That's the minimum set. Most of the SBOM tools right now, the guidance that came out from that minimum essential elements, talk about either using the SPDX format, CycloneDX, or the software identification tags, and each of those standards has additional elements that a tool may support. So there's additional information, but at a minimum there are those elements they want you to have to complete compliance with the executive order. Now, where things get interesting: there was a recent report that came out earlier this year. The company that did it looked at 3,000 SBOMs; I'm guessing, based on the source, it was mostly open source. Only 1% of them were compliant with the minimum essential elements. The rest of them had problems: incomplete information, versioning information, other things like that, so that they weren't fully compliant. So there are still some quality issues that need to be addressed that hopefully will slowly start to converge to where there's a better set of expectations.

And have you guys done a survey of, I just thought about this, how many systems are out there that you would want to have SBOMs for? It's got to be in the hundreds of thousands at this point.

I would guess that if you've got the primary product, and then any components it uses, and those components have components they use, this becomes a problem that expands exponentially rather quickly.

So yeah, that's what we're talking about with a lot of data, because you're going to have to go many, many levels deep to really know what you've got in your products. The framework we built, though, really is focused on how to use this stuff, because an organization is going to have to have some really new practices and effective processes in place to really make use of this. They've got to have a whole series of processes integrated into their builds that feeds the software bill of materials to appropriately insert their information. They're going to have to have some way, through their acquisition, of acquiring the SBOMs for each one of the products, libraries, services, you name it. I mean, it just goes on and on and on, because we do a tremendous amount of reuse across the technology base. And then there has to be a way of vetting them in terms of quality, which gets to the issue Mike was talking about. Garbage in, garbage out is one of the standard statements, and this will just feed that engine if we're not careful. And then, if we're going to effectively use it, we were exploring several use cases. If a new vulnerability comes out and you need to determine, do I have this, you've got to go beyond just accessing the SBOM. That'll tell you, yeah, there is a piece that is there somewhere in your ingredients list that is spread all over your organization; good luck in finding it. So it's got to integrate with other areas in your environment: your configuration management, all of the controls that you have in your operational environment. You're going to want a way to flag this stuff automatically. I mean, there are new vulnerabilities discovered minute by minute; that volume is huge. You're not going to want to look these up one at a time. This is going to have to be something that also has automation related to it. So we're really talking about an ecosystem here. Our framework is really just scratching the surface. It's saying we know we need changes in all of these different areas, so this is where you need to at least think about getting started on some of them. You'll start manually, but you also need to be thinking about automating them.

Yeah. One of the approaches we took when we did the framework wasn't how do you generate an SBOM. We went from the standpoint: you have an SBOM, now what do I do with it? What should I be doing with it? How should I handle it? Should it be a configuration item? Does it affect my acquisition? Does it affect engineering? Does it affect test and evaluation, things like that? So that's kind of a unique approach. In the SBOM literature that's out there right now, no one seems to be addressing the "now what" questions.

And you're making me think about one of the connections that you briefly mentioned, but I want to come back to it. There's the configuration piece, but then there's also the architectural view of the system. I'm going back to what you said earlier, Carol, about we need to get security in earlier. This is one of the places where, if the architecture is identifying the elements and then that goes into an SBOM, you've got a connection back to that: if we decide that we're not going to use this component, here are the effects that has, because there's all these other places that use it, or not. So it seems like there's a strong connection between having an SBOM and having a well-defined software architecture, so that you can understand how the pieces in the SBOM are part of the recipe, if you will, for the whole thing.

Right. And you're going to have more than one SBOM. You can have multiple SBOMs, because your product coming through your developmental pipeline is going to have one or more SBOMs depending on how many things are coming through there, plus SBOMs of the components that make up your pipeline, your tools, because some vulnerabilities may not only be in your product, they may be in your tool chain. And you've got tools that may support the end product out in the field that didn't necessarily come through your pipeline that could also still have those vulnerabilities. So we're talking multiple SBOMs. That's why one of the things the tools need to do is be able to ingest SBOMs besides generate them, so that I can say, okay, I got an SBOM for Adobe Reader or some other package. How many programs have we seen where they're using multiple versions of the same component? You're going to have to have SBOMs for each of those. This is, okay, this is not the current version; this was like Windows 8, I need an SBOM for that.

So yeah, and you're going to have to maintain that information about those multiple versions as you roll upgrades through your organization. All of these are issues that are coming to the forefront. Having an SBOM is nice, but actually making use of it is the only thing that makes sense, because this will help us at least better understand what we've got in the supply chain, and also, as we can start to characterize these, we should be able to start to quantify the risk somehow. That's more research.

More research. You always have a research agenda, Carol. You are never bored.

It's a target-rich environment, what can I say?

There you go. So another target: I'm thinking about our legacy systems, and I know that many of our government customers don't always have the option of upgrading. They have to use systems that have been in play for a long time, that were way before anybody thought about SBOMs. Is it better just to leave it alone, or are legacy systems something you really want to pay attention to and create SBOMs for if you can?

Legacy systems do present a challenge. If you've got access to the source code, you could use an SBOM tool to try to generate an SBOM to the best of your ability, at least of that first level of components. From there it's going to take some analysis. If you don't have access to the code, you may have to derive one through software composition analysis scans of some type, trying to figure out, okay, what's in this recipe, what do I need to be worried about, because it all comes down to managing the risk. When they talk about it in the executive order, and then the subsequent minimum elements, they talk about what unknowns do I have and how do I manage those.

Well, to add to it, you really need to prioritize the legacy products. Some of them have more exposure than others. And so again, it looks at how you are organized in terms of technology protection. If these are standalone tools that aren't widely connected, then your risk is fairly minimal; maybe you put that on the lower priority. But if this is something that's a key component to your product and it's widely used, you really need to analyze it and understand what you've got, because we know supply chain risk is growing.

I love talking to you all, and then I hate it, because then I can't sleep for two nights afterwards.

Exactly. You are not the first person who made that statement.

Yes, welcome. I don't know how you sleep, I swear. I don't know how you sleep. All right, so let's switch gears a little bit. So tech manufacturers, many of them, are taking this seriously, but what are the biggest mistakes that they can make? What cautions would you give to tech manufacturers that do want to take this seriously and do want to create software bills of materials for their products?

So not necessarily mistakes, more challenges. As I said earlier, the quality: is the data complete? That's a big one. Do I have all the fields filled out, so the end user, whether it's going into another product or I am the end user, knows what's in there? Consistency in, like, the version schemes. You name the versioning scheme, it's probably in an SBOM, but taking that version information, because right now the emphasis seems to be on vulnerabilities and tying it to a vulnerability database, if I can't make that match, there's a lot more manual analysis that has to be done, again drilling down in those dependencies beyond the primary component, to figure out what's out there. So that's one of the challenges. There are discussions back and forth I've seen in some of the articles about how do we make the SBOM data available. One method potentially could be, okay, most of these developers or vendors have a support page; you can make it publicly available that way. Others may be a little bit more cautious about, we don't really want to tell you all the components, there are some sensitivities, for whatever reason, and in that case you may have to get a direct submission from that vendor to whoever's developing your system, or to you as the acquiring organization. So there are those challenges. And again, there are always discussions about intellectual property. Again, there are ways to do it, as I said: you're showing the ingredients, you're not showing the recipe.

Right. Well, also I think it's a case where they need to crawl before they run. Start experimenting with a few of your products, work with some of your close customers, so that you can start to create a smooth way before you roll something out and then have everybody screaming at you because it's missing this, that, and the other, or they can't get to it the way they need to. There are so many variables right now, and we don't have what I would consider to be well-structured processes ready for this yet. And the tooling is just getting started; it's still very much in the hands-on stage, that's what I like to think of it as, where you have to babysit it a lot to get out of it what you need. And we're still discovering what we ultimately need. You don't want to get halfway through a major development and realize, oh my God, if we'd done three or four other things at the beginning, it would be so much smoother. Let's work our way into this. But the value, I think, is definitely to be had.

So you're actually kind of moving into the transition aspects of this. So what kind of piloting have you done for this framework, and can you share any of the results or any of the in-progress things that you're seeing that have informed how you're thinking about the SBOM problem?

I think what we have from piloting would be more expert eyes on the problem. Right now we're really trying to assemble the best minds to figure out the framework. Now Mike, you've been exploring a few other avenues a little more closely, right?

Like I said, with our approach of what do we do with this now that we have it, that has been where we're trying to look for a pilot opportunity. So we're always interested in hearing from organizations that are interested in applying it, getting feedback: is it working, is it not working, do we need to tweak something, something that was not addressed. There is some growing interest from some of our DoD and federal customers; a lot of it's through word of mouth, plus seeing it out on our website. And I know I was contacted by at least one commercial company that was interested: okay, how do we apply this? This might make sense to us as a company that provides software to the federal government.

Right, right. Yeah, that's going to be interesting, because I'm also thinking about even things like small businesses that provide support software and other support to the federal government. This could be very impactful if you are a small business and you're trying to do this, as opposed to one of the larger companies that have a lot of resources. So I can see a lot of implications for this as this becomes a more popular way of communicating about what are the ingredients in our recipe.

Well, I think small businesses are going to have an easier time, because they have fewer ingrained processes. They've got a little more flexibility than major organizations, which, especially if you have a lot of divisions and you want to have things done consistently, structuring that the right way to roll out at large is challenging.

Yeah, I mean, there are commercial tools, there are open-source tools out there, so pick what makes sense for you, what works. There are other ways to get involved with this. The Cybersecurity and Infrastructure Security Agency, CISA, website has a lot of good SBOM information. They also have several working groups that the public or organizations can attend; I know I sit on one of them just to see what's going on with the adoption, the transition. The National Telecommunications and Information Administration website also has a lot of good software bill of materials information on it. They were the ones that originally hosted the original minimum essential elements that came out of the Department of Commerce. That website also has an interesting set of SBOM myths, and one of them is what Carol actually touched upon earlier: well, if I give you an SBOM it'll show you what's in my recipe and I can attack this. While that is a risk, that is the first myth: attackers aren't using SBOMs to get into your system; they have other ways, they're finding out from zero days.

Yeah, that's true. So there are other things to worry about. So any other guidance that you would want to give government agencies, typically, who are acquiring, you know, that they're starting out in this? What should they be asking for, what should they be looking for from their vendors?

They're going to have to ask for SBOMs in the contract if they want them. That's not something they can assume that a vendor is just going to hand them. We've already seen several agencies running into that problem of
oh this is a new mandate uh let me just have the es bomb and the vendors are saying uh it's extra work for us you're going to have to pay for that um so I think that's one of the the starting areas yeah it's not a give me the s bomb check the box I got an s bomb and again you need to do the analysis what are the impacts have it's a configuration information and it needs to be treated as such just as any other configuration item in your system and take take the time to do the due diligence for the analysis that is the big payoff but the other thing that I I heard you say is don't assume that just because it's it's standard if you will configuration information that it's going to be provided you must ask for it EXP itly at this point in the way um vendors are treating that kind I mean a lot of times the way these executive orders and other other policy changes that come down from where the federal government those aren't reflected in the contract so it takes a contract change from the acquiring organization to say hey we need to start doing this let's do figure out how much it's going to cost when we can do it when we going to start expecting the the outputs from it so it's not oh matter of get a tool and run it and send it to us when you got it right also figuring out the the frequencies of the deliveries uh right now a lot of the wording says major release or when the software is delivered well Define major release Define delivered if you're using an agile methodology every build should have an sbom coming out of it so there's some language lawyer wording that they need to be careful of to make sure everyone's interpreting what those terms actually mean when and comes time to impl the contract okay so this plays into our we don't call it a series but basically we've been essentially doing a series of of podcasts on supply chain security um over time and Carol that's that's a passion of yours I know um beyond the es bombs what's next for you in that realm of supply 
chain security well we're really trying to figure out how how do you um characterize what the supply chain risk is um how do you think about it if I have a supply chain H uh how do I characterize that risk right now we're we're just trying to figure out qualitatively but ultimately there should be a way that we can measure that risk can we measure uh we don't want to count vulnerabilities that doesn't really tell you anything um because in order to be useful the measurements have to give you a way to figure out how to respond in terms of what's too risky uh how do I know when it's when it's reasonable when it's not going to create additional problems all of those are are questions we really don't know how to answer yet we don't know how to evaluate it um we can look at it within a single product for a supply chain and look at the product itself but all of the pieces that go go into it are now just becoming part of the attack surface um so we have this expanded window um that we need to add to our risk picture um and that's what we're working on right now trying to characterize it and then figure out what do we do with it okay and Mike what are what what's next for you are you going to continue with the es bomb stuff for a while I am actually I still have a keen interest in the potential of graphing out the esom when combined with architectural data and the vulnerability data in particular to show how you can take those different sets of data put them together and you have this oh light bulb moment I've got a problem and here's where it's at uh one aspect I am currently working on for another customer is looking at how es bombs might effectively be used to support test and evaluation activities uh looking at various things there yeah it's a very specific area that yeah we we're looking at some potential use cases there and like I said we also had an opportunity uh recently to provide some comments back for the proposed Federal acquisition rate wording we've probably 
had enough enough information to be dangerous right now I'm afraid yeah that's the thing all right uh well thanks again for uh keeping me awake tonight I always have that to look forward to providing tonight's insomnia here there you go but I I do seriously I do want to thank you for talking with us today I think that this is one of the many topics in cyber security that are starting to get attention and that need a lot more attention so we do appreciate you taking the time to help us understand it um we W as always we're going to include links in the transcripts to resources websites that were mentioned during this podcast and finally a reminder to our audience that our podcasts are available pretty much every place you download podcast as well as our own SEI YouTube channel uh and if you like what you see in here today you're always welcome to give us a thumbs up we always appreciate that I want to thank Carol and Mike again for joining me today and I want to thank all of our viewers for paying attention to this important information thanks for joining us this episode is available where you download podcasts including SoundCloud TuneIn radio and apple podcasts it is also available on the SEI website at sei.com podcasts and the sei's YouTube channel this copyrighted work is made available through the software engineering Institute a federally funded research and development center sponsored by the US Department of Defense for more information about the SEI and this work please visit . se. cmu.edu as always if you have any questions please don't hesitate to email us at info@ SEI docu doedu thank [Music] you
