software bill of materials - first · art manion, cert coordination center. art commutes by bike...
TRANSCRIPT
![Page 1: Software Bill of Materials - FIRST · Art Manion, CERT Coordination Center. Art commutes by bike •“Torn up grade crossing in bad weather at a low angle, what could possibly go](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f5b30a1d068ff5a081ba658/html5/thumbnails/1.jpg)
Software Bill of Materials: Progress toward transparency of 3rd party code
Allan Friedman, U.S. Department of Commerce
Art Manion, CERT Coordination Center
Art commutes by bike
• “Torn up grade crossing in bad weather at a low angle, what could possibly go wrong?”
• “Wow it takes longer to heal when you’re over 40."
Where’s Allan?
• “Flying in the morning of the talk should be fine.”
• “My slides are mainly pictures, surely Art will know what I wanted to say."
Paying attention vs Checking Email
• The case for transparency
• How transparency can help the software ecosystem
• Why aren’t we doing this already?
• What is a Software Bill of Materials?
• How do we do this?
• What next?
Analogies
Analogies (cont’d)
A data layer to drive innovation
Supply chain
• Supplier selection
• Supply selection
• Supply vigilance
Three perspectives across the supply chain
• Produce software
• Choose software
• Operate software
Use Cases: Producing software
• Monitor for vulnerabilities in components
• Better manage the code base
• Execute white-list or black-list practices
• Prepare for and respond to end-of-life contingencies
• Minimize code bloat
• Know and comply with license obligations
• Provide an SBoM for customers
Use Cases: Choosing software
• Identify known vulnerabilities
• More targeted security analysis
• Verify sourcing
• Compliance
• EOL awareness
• Verify some supplier claims
• Understand software integration
• Market signal of a secure development process
Use Cases: Operating software
• Vulnerability management
• Better understanding of operational risks
• Real-time data on components in assets
• Improved understanding of potential exploitability
• Enable potential non-SW mitigations
So why aren’t we doing this already?
It’s hard.
Same component, many names:
• Apache2
• Apache Web Server
• Apache
• HTTPd
• HTTPd2
A market failure?
Enter your friends, the Feds
The “multistakeholder” model
Multistakeholder characteristics:
• Open to all stakeholders
• Bottom-up process
• Consensus driven
• Transparent
• Accountable
Open, transparent, consensus-based processes that bring together diverse stakeholders can catalyze real progress across the ecosystem.
What we’re not doing
• Regulation
• Source code disclosure
• Standards development
• Harmonization
• Amplification & routinization
• Extensions & innovation
Making progress
• Clear appreciation across sectors of the potential value of transparency
• Consensus already on:
   • The broad scope of the problem
   • Machine-readability of the solution
   • “Minimum Viable Identity” (MVI)
Framing
• Conceptual design
• Terminology
• Broad requirements
• Cross-cutting issues
Emerging consensus, or at least temporary acceptance
Photo: Éamonn Ó Muirí, https://flic.kr/p/46dsiz (CC BY 2.0, https://creativecommons.org/licenses/by/2.0/legalcode)
What is an SBoM?
1. Core information elements: Minimum Viable Identity (MVI)
   • Cryptographic hash (or signature)
2. Other very, very important and useful identity information
   • Supplier (aliases), author, component (aliases), version, relationships
3. Other information necessary for most use cases and applications
   • License, entitlement, vulnerability mapping, formulation, provenance
• Software components
   • Defined and named by suppliers, at time of delivery (build, package, install, deploy)
   • Hardware not excluded
   • Source code not excluded
Applications
• Intellectual property management
   • Licensing, entitlement
   • Most mature application
• Vulnerability management
   • What components are affected by vulnerabilities?
   • Transitivity: a vulnerability in an included component is not necessarily exposure or exploitability in the component that includes it
• High assurance
   • Provenance, pedigree, formulation, integrity, chain of custody
• Economic benefits of supply chain hygiene
Selected SBoM Elements
• No SBoM without MVI
Intellectual Property
• Well-established application
• Licensing, liability, entitlement
Vulnerability Management
• Requires vulnerability mapping to an external catalog
• Related technologies and other components helpful for coordinated disclosure
High Assurance
• Critical systems, national defense
• Formulation: how the component was built
• Not shown: provenance, pedigree, chain of custody
SBoM Processes
• Supplier responsibilities
   1. Define self-created components and create SBoMs
   2. Obtain SBoMs from direct, immediate suppliers
   3. Provide the collected set of SBoMs to consumers
• Change the SBoM when the software changes
   • Patch, update, new version
• Change the SBoM when other information changes
   • License, new upstream information
• Challenge: claims about other suppliers’ SBoMs
   • Author and supplier are different
Terminology
• SBoM (Software Bill of Materials): inventory and associated information in a standardized format
• Inventory: list of components using Minimum Viable Identity
• Author: entity that creates SBoMs
• Supplier: entity that defines and identifies components and creates associated SBoMs
• Consumer: entity that obtains SBoMs
• Component: unit of software defined by a supplier at the time the component is built, packaged, or distributed
Existing Work
• Software Identification Tags (SWID)
   • ISO/IEC 19770-2, NIST (US)
• Software Package Data Exchange (SPDX)
   • Linux Foundation
• Software Heritage
   • Focus on source code
   • Identifiers for digital objects
• package URL (purl)
• Common Platform Enumeration (CPE)
• Software Asset Management (SAM)
• Software Composition Analysis (SCA)
• Supply Chain Risk Management (SCRM)
Example: Simple Table
Example: namespace:name
org.openssl:"OpenSSL 0.9.8a"
org.apache:"httpd 1.3.26"
com.mdm1:"FooPump 4.0 0x44a83…"
Example: purl
pkg:tgz/org.openssl/openssl@0.9.8a
pkg:tgz/org.apache/httpd@1.3.26?requires=pkg:tgz/org.openssl/openssl@0.9.8a
pkg:device/com.mdm1/foopump@4.0?hash=0x44a83…&requires=pkg:tgz/org.apache/httpd@1.3.26
Example: SWID
<SoftwareIdentity name="openssl" tagId="openssl/openssl@0.9.8a" version="0.9.8a"/>
<SoftwareIdentity name="apache_httpd" tagId="apache/httpd@1.3.26" version="1.3.26">
  <Link href="swid:openssl/openssl@0.9.8a" rel="requires"/>
</SoftwareIdentity>
<SoftwareIdentity name="MDM1 FooPump" tagId="MDM1/FooPump@4.0" version="4.0">
  <Link href="swid:apache/httpd@1.3.26" rel="requires"/>
</SoftwareIdentity>
Example: SPDX
PackageName: openssl
SPDXID: openssl/openssl@0.9.8a
PackageVersion: 0.9.8a

PackageName: apache_httpd
SPDXID: apache/httpd@1.3.26
PackageVersion: 1.3.26
Relationship: openssl/openssl@0.9.8a PREREQUISITE_OF apache/httpd@1.3.26

PackageName: "MDM1 FooPump"
SPDXID: mdm1/foopump@4.0
PackageVersion: 4.0
Relationship: apache/httpd@1.3.26 PREREQUISITE_OF mdm1/foopump@4.0
Example: Graph
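The namespace:name, purl, SWID and SPDX examples above all encode the same two edges (OpenSSL is required by httpd, httpd is required by FooPump), and the graph is what the vulnerability-management use case actually queries. As an added example, not code from the slides or from the NTIA process, here is a small Python parser for the SPDX tag-value shape shown above. It turns the PREREQUISITE_OF (and DEPENDS_ON) relationships into a dependents graph and answers the question from the Applications slide: given a vulnerable component, which components transitively include it? The sample document is constructed for this example with the slides' three packages; the answer is inclusion only, which is the transitivity caveat: it says nothing about exposure or exploitability.

```python
import re
from collections import defaultdict, deque

# Constructed sample in SPDX tag-value style, carrying only the tags the
# slides show; a real SPDX document has a document header and many more tags.
SAMPLE_SPDX = """\
PackageName: openssl
SPDXID: openssl/openssl@0.9.8a
PackageVersion: 0.9.8a

PackageName: apache_httpd
SPDXID: apache/httpd@1.3.26
PackageVersion: 1.3.26
Relationship: openssl/openssl@0.9.8a PREREQUISITE_OF apache/httpd@1.3.26

PackageName: "MDM1 FooPump"
SPDXID: mdm1/foopump@4.0
PackageVersion: 4.0
Relationship: apache/httpd@1.3.26 PREREQUISITE_OF mdm1/foopump@4.0
"""

TAG_RE = re.compile(r"^(\w+):\s*(.+?)\s*$")


def parse_tag_value(text):
    """Return (packages, edges): packages maps SPDXID -> {"name", "version"},
    edges is a list of (prerequisite, dependent) pairs."""
    packages, edges, current = {}, [], None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue                      # blank line or non tag-value text
        tag, value = m.groups()
        if tag == "PackageName":
            current = {"name": value.strip('"'), "version": None}
        elif tag == "SPDXID" and current is not None:
            packages[value] = current     # a document-level SPDXID has no package
        elif tag == "PackageVersion" and current is not None:
            current["version"] = value
        elif tag == "Relationship":
            left, rel, right = value.split()
            if rel == "PREREQUISITE_OF":  # left is required by right
                edges.append((left, right))
            elif rel == "DEPENDS_ON":     # left requires right: same edge, reversed
                edges.append((right, left))
    return packages, edges


def transitively_affected(edges, vulnerable_id):
    """All components that include vulnerable_id directly or through
    intermediaries. Inclusion only: whether the vulnerable code is reachable
    in the including component is a separate (exploitability) question."""
    dependents = defaultdict(set)
    for prereq, dep in edges:
        dependents[prereq].add(dep)
    seen, queue = set(), deque([vulnerable_id])
    while queue:
        for dep in dependents[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


if __name__ == "__main__":
    pkgs, edges = parse_tag_value(SAMPLE_SPDX)
    for prereq, dep in edges:
        print(f"{prereq} -> {dep}")
    print("includes a flaw in openssl/openssl@0.9.8a:",
          sorted(transitively_affected(edges, "openssl/openssl@0.9.8a")))
```

Running it lists the two edges and reports both httpd and FooPump as including OpenSSL 0.9.8a; whether the device is actually exposed is for the supplier to state, which is the point of the Vulnerability vs Exploitability slide later on.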
Example: Additional SBoM Data
| Element     | SWID                                  | SPDX                                                   |
|-------------|---------------------------------------|--------------------------------------------------------|
| Hash        | hash-entry (hash-alg-id, hash-value)  | PackageVerificationCode, PackageChecksum, FileChecksum |
| License     |                                       | LicenseConcluded, PackageLicenseDeclared, LicenseName  |
| Entitlement | @entitlementKey                       |                                                        |
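The hash row of the table above is the part of an SBoM that lets a consumer check that what was delivered is what the supplier described: the MVI element "cryptographic hash" and the "integrity" property under High Assurance. As an added example, not code from the slides, the following Python verifies constructed sample artifacts against SPDX-style "ALG: hex" checksum records and distinguishes the outcomes a practitioner needs to tell apart: a digest mismatch, a record that uses a weak algorithm, and a component listed in the SBoM with no delivered file. The component acme/libfoo@1.0, the file names and all bytes are constructed for this example.

```python
import hashlib

# Constructed sample artifacts standing in for delivered components; the
# bytes are made up and are not real OpenSSL, httpd or FooPump files.
ARTIFACTS = {
    "openssl-0.9.8a.tgz": b"constructed openssl tarball bytes\n",
    "httpd-1.3.26.tgz":   b"constructed httpd tarball bytes\n",
    "foopump-4.0.bin":    b"constructed FooPump firmware image\n",
}

# Constructed SBoM checksum records, keyed by component id, in the
# "<ALG>: <hex>" shape SPDX uses for PackageChecksum. The httpd record is
# computed over different bytes to show a mismatch; the openssl record uses
# MD5 (digest value irrelevant, weak algorithms are rejected before comparing);
# the hypothetical acme/libfoo@1.0 has no delivered file at all.
SBOM_CHECKSUMS = {
    "openssl/openssl@0.9.8a": ("openssl-0.9.8a.tgz",
                               "MD5: 0cc175b9c0f1b6a831c399e269772661"),
    "apache/httpd@1.3.26": ("httpd-1.3.26.tgz",
                            "SHA256: " + hashlib.sha256(b"a different httpd build\n").hexdigest()),
    "mdm1/foopump@4.0": ("foopump-4.0.bin",
                         "SHA256: " + hashlib.sha256(ARTIFACTS["foopump-4.0.bin"]).hexdigest()),
    "acme/libfoo@1.0": ("libfoo-1.0.so", "SHA256: " + "0" * 64),
}

STRONG = {"sha256", "sha384", "sha512"}
WEAK = {"md5", "sha1"}


def parse_checksum(record):
    """'SHA256: ABCD...' -> ('sha256', 'abcd...'); raises on malformed input."""
    alg, _, digest = record.partition(":")
    alg, digest = alg.strip().lower(), digest.strip().lower()
    if not alg or not digest:
        raise ValueError(f"malformed checksum record: {record!r}")
    return alg, digest


def verify_component(component_id, artifacts=ARTIFACTS, sbom=SBOM_CHECKSUMS):
    """Compare delivered bytes with the SBoM's recorded digest. Returns one of
    verified, mismatch, weak-algorithm, unsupported-algorithm,
    missing-artifact, not-in-sbom."""
    if component_id not in sbom:
        return "not-in-sbom"
    filename, record = sbom[component_id]
    data = artifacts.get(filename)
    if data is None:
        return "missing-artifact"
    alg, expected = parse_checksum(record)
    if alg in WEAK:
        # A matching MD5/SHA-1 still proves nothing: collisions are practical.
        return "weak-algorithm"
    if alg not in STRONG:
        return "unsupported-algorithm"
    actual = hashlib.new(alg, data).hexdigest()
    return "verified" if actual == expected else "mismatch"


def verify_all(artifacts=ARTIFACTS, sbom=SBOM_CHECKSUMS):
    """Status for every component the SBoM lists."""
    return {cid: verify_component(cid, artifacts, sbom) for cid in sbom}


if __name__ == "__main__":
    for cid, status in verify_all().items():
        print(f"{status:22} {cid}")
```

A "mismatch" means either the SBoM or the artifact is not what it claims to be, and a consumer should treat the whole delivery as unverified rather than just that one component; the hash only ties a blob to a record, so the record itself still needs a signature to be trusted.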
SWID IRL
Open questions to figure out together
Obstacles to obtaining SBOM data?
Federation
• Vertical slices of solution
   • Automatic updates, package managers
• Centralized authority and collection does not scale
   • NIST (US) Common Platform Enumeration (CPE)
   • NIST (US) National Software Reference Library (NSRL)
   • TagVault (for SWID)
• Distribute effort to suppliers (vendors)
   • Least cost avoider
• Most suppliers are also consumers
Opacity and Translucency
• Suppliers have first-hand knowledge about components they originate and those they directly obtain from an upstream supplier
• What happens when an SBoM is not available?
   • Knowledge that there are no further upstream dependencies
   • Lack of such knowledge
• Relying on third-party claims is a fragile design
Vendors ⟷ Customers: transparency
Mechanisms of sharing SBOM data?
Transparency Options
• Include SBoM files with the install: SWID, SPDX
   • Constrained storage? CoSWID
   • Even more constrained storage? Lookup
• Publication
   • ROLIE Software Descriptor Extension
• Cataloging
Challenge: Vulnerability vs Exploitability
Vendors can communicate risk (or the lack thereof) with their customers.
We need to enable this process.
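The supplier responsibilities on the SBoM Processes slide (create SBoMs for your own components, obtain them from immediate upstreams, hand on the collected set), the two opacity cases above (an upstream that asserts it has no further dependencies versus one whose dependencies are simply unknown), and the vulnerability-versus-exploitability point all land in the same piece of consumer tooling. As an added example, not code from the slides or from the NTIA process, here is a Python sketch of that logic using the slides' components plus two hypothetical ones (rtos@2.1, a binary blob with no upstream SBoM, and zlib@1.2.3, a component not present anywhere) and a hypothetical supplier claim. It merges per-supplier SBoMs, preferring first-hand entries (author equals supplier) over a downstream author's stub about an upstream component, and answers "does product X include vulnerable component Y?" with three states rather than two.

```python
# Constructed sample: one SBoM per author. "requires" lists a component's
# direct upstream components: [] asserts "no further upstream", None means
# "unknown: no SBoM was obtained for this component" (opacity).
SBOMS = [
    # Downstream author describing an upstream component second-hand, a stub
    # written before the org.apache SBoM was obtained: author != supplier.
    {"author": "com.mdm1", "supplier": "org.apache",
     "components": {"httpd@1.3.26": {"requires": None}}},
    {"author": "org.openssl", "supplier": "org.openssl",
     "components": {"openssl@0.9.8a": {"requires": []}}},
    {"author": "org.apache", "supplier": "org.apache",
     "components": {"httpd@1.3.26": {"requires": ["openssl@0.9.8a"]}}},
    {"author": "com.mdm1", "supplier": "com.mdm1",
     "components": {"foopump@4.0": {"requires": ["httpd@1.3.26", "rtos@2.1"]},
                    "rtos@2.1": {"requires": None}}},   # hypothetical blob, no upstream SBoM
]

# Hypothetical supplier statement: com.mdm1 has looked at the vulnerable code
# path and tells customers FooPump is not exposed even though it includes
# OpenSSL 0.9.8a. The vendor communicates risk, or the lack of it.
CLAIMS = {"foopump@4.0": {"openssl@0.9.8a": "not_affected"}}


def collect(sboms):
    """Merge per-supplier SBoMs into one inventory. First-hand knowledge
    (author == supplier) replaces a downstream author's claim about the same
    component; the reverse never happens."""
    inventory = {}
    for doc in sboms:
        first_hand = doc["author"] == doc["supplier"]
        for cid, info in doc["components"].items():
            entry = {"requires": info["requires"], "author": doc["author"],
                     "supplier": doc["supplier"], "first_hand": first_hand}
            prior = inventory.get(cid)
            if prior is None or (first_hand and not prior["first_hand"]):
                inventory[cid] = entry
    return inventory


def exposure(inventory, product, vulnerable, claims=None):
    """'affected', 'not_affected' or 'unknown' for product with respect to the
    vulnerable component id. A supplier claim about the product overrides the
    inclusion-based answer; any opaque subtree turns a would-be
    'not_affected' into 'unknown'."""
    claims = claims or {}
    claim = claims.get(product, {}).get(vulnerable)
    if claim in ("affected", "not_affected"):
        return f"{claim} (supplier claim)"
    includes = opaque = False
    seen, stack = set(), [product]
    while stack:
        cid = stack.pop()
        if cid in seen:
            continue                      # shared or cyclic dependency
        seen.add(cid)
        if cid == vulnerable:
            includes = True
            continue                      # nothing below it changes the answer
        entry = inventory.get(cid)
        if entry is None or entry["requires"] is None:
            opaque = True                 # no SBoM, or one that asserts nothing upstream
            continue
        stack.extend(entry["requires"])
    if includes:
        return "affected"
    return "unknown" if opaque else "not_affected"


if __name__ == "__main__":
    inv = collect(SBOMS)
    for product, vuln in [("foopump@4.0", "openssl@0.9.8a"),
                          ("foopump@4.0", "zlib@1.2.3"),
                          ("httpd@1.3.26", "zlib@1.2.3")]:
        print(product, vuln, exposure(inv, product, vuln), exposure(inv, product, vuln, CLAIMS))
```

The three-state answer is the practical consequence of opacity: FooPump includes an unknown blob, so a "not affected" verdict about any other component cannot be given from the SBoM data alone, while httpd, whose whole subtree asserts its upstreams, can be cleared. The supplier claim is deliberately a separate input from the inventory, because the slide's point is that the vendor, not the SBoM graph, is the party that can say whether an included vulnerability is actually exploitable.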
High Assurance SBoMs
SBoM for Services
https://research.fb.com/wp-content/uploads/2017/01/paper_icse-savor-2016.pdf
Next steps
• Drafts of “minimum viable” by late June for feedback
• After minimum viable:
   • Extending the model
   • Developing and collecting tooling
   • Awareness and adoption
   • Testing ⟷ revision
Testing
• Previous attempt at CERT/CC: Component Relationship Database (CRDb)
   • Neo4j, Sesame, RDF
• Next experiment: index cards and Sharpie
To recap…
• Tracking third-party components can help understand and address a wide range of risks across the entire ecosystem
• An ongoing, open process convened by NTIA is bringing together experts to address:
   • What a Software Bill of Materials is
   • Why it can help across the supply chain
   • How we can implement it
• Get involved in the NTIA process!
   • [email protected] @allanfriedman
   • [email protected] @zmanion