SBOMs Top of Mind at RSAC 2024

By Deb Radcliff, DevSecOps analyst and editor of CodeSecure’s TalkSecure educational content (syndicated at Security Boulevard, YouTube, and Bright Talk)

Artificial Intelligence (AI) took top billing at the RSA Security Conference (RSAC) this month, but SBOMs (Software Bills of Materials) were also widely represented in speaker tracks, meetups, and working groups. In some instances, the two topics came together, such as in a track and a meetup about AI BOMs.

We can thank the Feds for this growing acceptance of SBOMs, and these agencies came out in force at RSAC. Foremost among them was Secretary of State Antony Blinken, who delivered a keynote as protestors for Palestine stood outside waving posters in their black masks and checkered scarves. With a focus on national security and the AI arms race, Blinken also appealed to developers and engineers of critical infrastructure systems. Speakers from CISA, DHS, NIST, and other federal agencies stood up for multiple sessions that included SBOMs in their presentations.

On the opening night of RSAC 2024, numerous heavy hitters attended the third annual SBOM meetup, which was standing-room only this year. I can’t name them all here, but here’s a short list: Cassie Crossley, VP of supply chain security at Schneider Electric, who signed her book “Software Supply Chain Security”; Allan Friedman, “father of the SBOM” and leader of CISA’s SBOM strategies; Helen Oakley, SAP’s director of secure software supply chain and secure development; and Dmitry Raidman, CEO of Cybeats SBOM Studio, who co-hosted the event with CodeSecure and Vulncheck.

Growing Importance of SBOMs

RSAC bills itself as a security conference (not a developer show), so to me, the level of SBOM awareness across security product buyers, security vendors, and the larger security community marks an important confluence between cybersecurity and product development. To confirm that analysis, I pulled aside two experts from the SBOM meetup to ask them their take on SBOM representation at RSAC and what that means for the future of SBOMs.

Chris Blask, who chaired the SBOM working group under CISA, comes from a policy and frameworks perspective, and he agreed that SBOMs have turned a corner in the cybersecurity community. “Talk of SBOMs was everywhere at RSAC this year. I heard SBOMs mentioned in pretty much every conversation—starting at badge registration, while going back and forth between the south, east, and west halls, and when running into a person from Deloitte who’s working with a DoD contract that’s all about SBOMs,” he said.

Blask added that the uptick in SBOM activity at RSAC represents a three-year cycle that goes beyond awareness and discussion, “the point you see SBOMs all over the place and audiences lining up to learn more.” He added, “This year, you could walk the floor and most vendors knew what an SBOM is about, but last year when I brought up SBOMs, vendors and security pros just stared blankly.”

The other expert I interviewed was Joseph Silvia, CEO of MedWare, who, with 20 years of experience in the security of medical and other embedded devices, approaches SBOMs from a product point of view.  

“I thought I was going to this meetup and that’s all I’d hear about SBOMs. But in many other sessions, I’d hear more about SBOMs, while I was seeing a lot about SBOMs on the agenda, and attending sandbox events with SBOM focus,” Silvia explained. “NSA, DOD, Bank of America, so many others were talking about SBOMs. So, I was pleasantly surprised at how pervasive the topic was.”

The Future of SBOMs: Usability and ROI

Blask predicted that the next RSAC (2024) will reveal more vendor integration with vulnerability exchanges supporting SBOM attestations. He hopes that overlapping standards and frameworks for SBOM language expression and execution put forth by OWASP, OASIS, CISA, NIST, and others will also come together. 

Ultimately, he said, product companies producing SBOMs will begin to see more value and return on their investments. “I know what we’re building in here with supply chain security, and product companies will come to realize that radical transparency is better, faster, cheaper. With that transparency, they have better customer relationships and relationships between partners down the supply chain line.”

If that transparency is not offered or available, product companies may lose business to another product company that can provide it to their customers, Blask added. He explained how Dennis Murphy at the national grid firmly asks for SBOMs from new product companies before the grid operators install anything new in the national grid. “It’s cheaper to pen test if they have the SBOM. It saves time for the red team testers and the defenders. And time is money.”

SBOMs and AI BOMs Working Together

Silvia predicted that SBOMs will prove to be especially important for the medical device market. “Even in premarket, in order for you to get your product idea approved, the FDA now demands an SBOM attestation,” he said. “But despite the vertical, we all have the same challenges with SBOM attestation standardization, concern about sharing SBOMs, who owns the SBOMs, can they be trusted, and version maintenance especially on open-source software.”

Next year, he expects to see even more attention drawn to SBOMs. “We’re just scratching the surface now,” Silvia explained. “You will see more conversations about the way software’s being developed now, transitive dependencies, and education about the usability of SBOMs.”

Silvia belongs to several SBOM working groups and encouraged others to join SBOM workstreams while advocating for more gender, neuro, and racial diversity in these groups. “In the future, I will be joining the AI BOM working group, given how important AI has become to clinical medicine,” he added. “Who knows? Maybe AI BOMs will fall under the umbrella of SBOMs in the future.”
