How SBOM Data Enhances Cybersecurity and Response Operations

By Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (syndicated at Security Boulevard & YouTube)

At the RSA Security Conference (RSAC) last month, a multitude of vendors and speakers talked about Software Bills of Materials (SBOMs), which I posted about in my RSAC follow-up article.

In this interview with SBOM experts Dick Brooks and Joseph Silvia, we uncover why SBOMs trended at RSAC, which is typically a security conference and not a software product development show. Brooks and Silvia explain how SBOM data is useful to other security operations beyond DevSecOps and product selection—particularly for security operations, response, and compliance. They are both focused on embedded systems and supply chain risk management and participate in a variety of SBOM working groups.

Joseph Silvia has been involved with the manufacturing and medical devices sectors for decades, which led him to various supply chain and SBOM working groups under NIST (National Institute of Standards and Technology), CISA (Cybersecurity and Infrastructure Security Agency under DHS), the Linux Foundation, OWASP (Open Worldwide Application Security Project) and others.

“A lot of times you find this form factor ‘Internet of Medical Things,’ and they don’t have the right bill of materials, then these devices get plugged into hospitals,” Silvia says. “SBOMs will help security teams proactively manage security risk, prioritize patches, and align to regulations, including the EU Medical Device Regulation (EMDR).”

Over the years, Silvia crossed paths with Dick Brooks, and they ended up on many of the same SBOM working groups. 

Brooks started his software security journey as a software engineer at DEC in the 1980s, when the infamous hacker Kevin Mitnick broke into one of their source-code servers. He now spends most of his time working with CISA’s Supply Chain Risk Management group, including the National Risk Management Center, focused on operationalizing SBOM data for use in government agencies. He also works with CISA’s critical manufacturing sector risk management agency, focused on National Security Memorandum 22, to harmonize cybersecurity across critical industry sectors.

According to Brooks, SBOMs bring visibility that security and response teams will need at the supplier, product and component level, something critically important when the next Log4j vulnerability or SolarWinds type breach occurs up the supply chain. “A lot of these vulnerabilities are not reported at the product level when it’s at the component level. An SBOM will tell you what components are built in so when the next Log4j comes out, you can find what components of what products are in that ecosystem. And at the product level, security practitioners can say, ‘Do I have any products running SolarWinds in my environment?’” 
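The lookup Brooks describes, "which products in my ecosystem embed this component, and in which versions," is something a response team can script once SBOMs are collected centrally. The following is an added example, not code from the article or from either interviewee. It assumes SBOMs arrive in a minimal CycloneDX-style JSON shape (product under `metadata.component`, dependencies under `components`); the three product SBOMs, supplier names and the affected version range are constructed for illustration, and in practice the range would come from the vendor advisory for the component in question.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Constructed sample SBOMs in a minimal CycloneDX-style JSON shape.
# Product names, suppliers and versions are illustrative fixtures, not real vendor data.
SAMPLE_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "patient-monitor-gateway", "version": "3.2.0",
                                   "supplier": {"name": "Example Medical Inc."}}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.13.0",
             "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "infusion-pump-console", "version": "7.0.4",
                                   "supplier": {"name": "Example Devices Ltd."}}},
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "imaging-viewer", "version": "1.9.2",
                                   "supplier": {"name": "Example Imaging Co."}}},
        "components": [
            {"type": "library", "name": "openssl", "version": "3.0.9",
             "purl": "pkg:generic/openssl@3.0.9"},
        ],
    }),
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.
    Pre-release suffixes are dropped: adequate for a triage index,
    not a full semver implementation."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed (advisory-style half-open range)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def index_components(sbom_documents: list[str]) -> dict[str, list[dict[str, Any]]]:
    """Build a component-name -> [product records] index across many SBOMs.
    This is the lookup a response team needs when a component-level
    vulnerability lands before the product vendors have issued advisories."""
    index: dict[str, list[dict[str, Any]]] = {}
    for doc in sbom_documents:
        sbom = json.loads(doc)
        product = sbom.get("metadata", {}).get("component", {})
        base = {
            "product": product.get("name", "<unknown>"),
            "product_version": product.get("version", "<unknown>"),
            "supplier": product.get("supplier", {}).get("name", "<unknown>"),
        }
        for comp in sbom.get("components", []):
            record = dict(base, component_version=comp.get("version", ""),
                          purl=comp.get("purl", ""))
            index.setdefault(comp["name"], []).append(record)
    return index


def products_using(sbom_documents: list[str], component_name: str) -> list[dict[str, Any]]:
    """Every product whose SBOM lists the component, regardless of version."""
    return index_components(sbom_documents).get(component_name, [])


def affected_products(sbom_documents: list[str], component_name: str,
                      introduced: str, fixed: str) -> list[dict[str, Any]]:
    """Products shipping the component in the affected version range."""
    return [r for r in products_using(sbom_documents, component_name)
            if in_range(r["component_version"], introduced, fixed)]


if __name__ == "__main__":
    # Constructed query: the version range here is an assumption for illustration,
    # not taken from any real advisory.
    for hit in affected_products(SAMPLE_SBOMS, "log4j-core", "2.0", "2.15.0"):
        print(f"{hit['supplier']}: {hit['product']} {hit['product_version']} ships {hit['purl']}")
```

The index is deliberately keyed by component name with the package URL kept in each record, so the same query answers both of Brooks's questions: `products_using` gives the product-level inventory ("do I have any products running X?") and `affected_products` narrows it to the component versions an advisory actually names, which is what drives patch prioritization.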

As evidenced at RSAC, security vendors see the value in correlating and enriching their toolsets with SBOM data. Brooks and Silvia explain how automation will play a key role in bringing SBOM data to security and response teams. 

Tune in to this 30-minute show. The discussion and insights are as educational as they are entertaining!

Additional Resources:

On June 8, CISA started requiring product companies to provide software development attestations submitted through the CISA RSAA portal.

Check out CodeSecure’s resources on attestations and SBOM generation from binaries.
