A “software bill of materials” (SBOM) that lists third-party components can help the open source community, developers, software vendors, and enterprise customers address security risks, vulnerabilities, and supply chain concerns. Visibility into the underlying third-party components that undergird software can help those across the supply chain make better security decisions about a range of risks. To date, however, there has not been a widely accepted practice on how to assemble and communicate this data between those developing software and those securing it or using it. Without visibility into third-party components, developing organizations cannot understand the deeper security risks in what they assemble, organizations lack insight into security risks from outdated or insecurely sourced open components in what they are building or buying, and security teams cannot easily and efficiently determine whether their systems are potentially at risk from newly discovered vulnerabilities.
What was once heresy is becoming a reality! This talk will present progress made in a recent cross-sector effort convened by NTIA, and give an overview of the whats, the whys, and the hows of SBOM and software component transparency.
Allan Friedman is Director of Cybersecurity at the National Telecommunications and Information Administration in the US Department of Commerce. He coordinates NTIA’s multistakeholder processes on cybersecurity, focusing on addressing vulnerabilities in IoT and across the software world. Prior to joining the Federal Government, Friedman spent over 15 years as a noted InfoSec and tech policy scholar at Harvard’s Computer Science Department, the Brookings Institution and George Washington University’s Engineering School. He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University, and is quite friendly for a failed professor-turned-technocrat.