BrakeSec Education Podcast

A podcast about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security professionals need to know, or refresh the memories of seasoned veterans.

http://www.brakeingsecurity.com

subscribe
share






episode 31: Allan Friedman, SBOM, software transparency, and knowing how the sausage is made


 

Ms. Berlin: Tabletop D&D exercise

Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/ 

Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce

NTIA.gov - National Telecommunications and Information Administration

https://www.ntia.gov/sbom  SBOM guidance

Healthcare SBOM PoC - https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf

Allan’s talk at Bsides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ

Questions (more may be added during the show, depending on answers given)

What is NTIA?

What is SBOM?

Why do we need one? Is it poor communications between vendors? 

Is there any difference between “Software transparency” and “Software bill of materials”?

 

How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?

 

Where in the development (hardware or software) would you be creating an SBOM?

 

You mention in your BSSF talk about ‘how detailed it should be’. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?

 

IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?

 

How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?

 

As we saw with RIPPLE20, many companies don’t know what they have. How would SBOM help keep another RIPPLE20 from happening?

 

Rob Graham’s blog post highlighted that vulns like HeartBleed would not have been stopped. 

How does this help us track potential vulns? 

 

Sharing information

Best way to share information about IoT components? 

 

Could an information sharing org (ISAC) track these more readily?

 

vendor assessments:

Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?

 

Interesting feedback from NTIA’s RFC

 

Other SBOM types (clonedx, openbom, FDA’s CBOM)

 

Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD “927” issue? https://xkcd.com/927/

 

non-US implementations of SBOM?

 

How do we get our companies to implement these? 

 

SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?






What is a ‘Bill of Materials’?
“A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product.”

SBOM - Definition

As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/

NTIA did an RFC on “promoting the sharing of Supply Chain Security Risk Information”

https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk

https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0

Secure and Trusted Communications Network Act of 2019 (Act) - Calling it “CBOM”

Other groups working on similar: FDA https://www.fda.gov/media/119933/download

 

SPDX: LInux Foundation:https://spdx.org/licenses/ 

 

OpenBOM https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd

 

https://github.com/CycloneDX/specification

https://www.fda.gov/medical-devices/digital-health/cybersecurity

https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices

Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

Companies are helping to get “CBOM” for devices:

““It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,” said MedCrypt CEO Mike Kijewski in a news release” 

https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/

SBOM doesn’t work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops

Intoto software development: https://www.intotosystems.com/

510k process: https://www.drugwatch.com/fda/510k-clearance/


fyyd: Podcast Search Engine
share








 August 19, 2020  44m