Redefining CyberSecurity

The Importance of Software Bill-of-Materials (SBOMs) | ITSPmagazine Event Coverage: RSAC 2023 San Francisco, USA | A Conversation with Allan Friedman

Episode Summary

In this episode, Sean Martin interviews Allan Friedman, a senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency (CISA), on the topic of software bill of materials (SBOMs). The conversation covers RSA Conference, the importance of SBOMs, and how the government can help create better markets for security.

Episode Notes

Guest: Allan Friedman, Senior Advisor and Strategist at CISA [@CISAgov]

On LinkedIn | https://www.linkedin.com/in/allanafriedman/

On Twitter | https://twitter.com/allanfriedman

____________________________

Host: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

BlackCloak | https://itspm.ag/itspbcweb

Brinqa | https://itspm.ag/brinqa-pmdp

SandboxAQ | https://itspm.ag/sandboxaq-j2en

____________________________

Episode Notes

Welcome to the latest episode of the Redefining Cybersecurity podcast with Sean Martin. In this episode, Sean talks about the upcoming RSA Conference in San Francisco, which promises to be an eventful one with a lot of topics, one of which is the software bill of materials (SBOM). Sean recently came across a tweet by Allan Friedman, a senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency (CISA), about his hope to speak at RSA on SBOMs. In this episode, Sean invites Allan to discuss what prompted him to put that tweet up and how things have transitioned in the last few years.

According to Sean, Allan and his team's work has played a significant role in pushing the software community to take action and to make some progress on SBOMs. During this episode, Allan shares his journey into CISA, his work before on coordinated vulnerability disclosure, and how the government can help create better markets for security. He also shares his perspective on how the proliferation of APIs and microservices has taken off in recent years and how the SBOM concept has become more relevant than ever.

If you're interested in learning more about SBOMs and how they can help organizations mitigate security risks and vulnerabilities, then you don't want to miss this episode. So make sure you subscribe to Redefining Cybersecurity Podcast on your favorite platform and share this episode with your colleagues and friends.

____________________________

Resources

Supply Chain Integrity Month: https://www.cisa.gov/supply-chain-integrity-month

"Scaling Software Supply Chain Source Security in Large Enterprises" session: https://www.rsaconference.com/usa/agenda/session/Scaling%20Software%20Supply%20Chain%20Source%20Security%20in%20Large%20Enterprises

"The World on SBOMs" session: https://www.rsaconference.com/usa/agenda/session/The%20World%20on%20SBOMs

"The Opposite of Transparency" session: https://www.rsaconference.com/usa/agenda/session/The%20Opposite%20of%20Transparency

28 sessions on Supply Chain: https://www.rsaconference.com/usa/agenda/full-agenda#q=supply%20chain&t=agenda-upcoming-tab&numberOfResults=50

22 sessions on Open Source: https://www.rsaconference.com/usa/agenda/full-agenda#q=open%20source&t=agenda-upcoming-tab&numberOfResults=25

Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw

____________________________

For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverage

Are you interested in telling your story in connection with RSA Conference by sponsoring our coverage?

👉 https://itspm.ag/rsac23sp

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/podcast-series-sponsorships

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Be sure to share and subscribe!

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

 

voiceover 00:15

Whether we're there or not, ITSPmagazine still gets the best stories. There are plenty of conferences and all sorts of events that spark our curiosity and allow us to start conversations with some of the world's brightest minds. In person or virtually, we sit down with them at the intersection of technology, cybersecurity, and society. Together, we discover what the synergy of these three elements means for the future of humanity. Knowledge is power, now more than ever.

 

sponsor message 00:51

BlackCloak provides concierge cybersecurity protection to corporate executives and high net worth individuals to protect against hacking, reputational loss, financial loss, and the impact of a corporate data breach. Learn more at BlackCloak.io.

 

Sean Martin 01:14

Hello, everybody, this is Sean Martin, host of the Redefining Cybersecurity podcast here on ITSPmagazine. And I'm flying solo today for one of our chats on the road to RSA Conference in San Francisco that's coming up, the event, and there's a lot going on. And one of the things that has been on the top list of topics for a few years now is software bill of materials. And I'm always keeping an eye on this topic on social media and elsewhere. And I came across a tweet, good old social media triggered something from our good friend, Allan Friedman, at CISA, who's on with us. Allan, thanks for joining. Thanks for having me, Sean. And your tweet basically said you were hoping to speak at RSA on SBOMs. And there's already a ton of stuff going on in this topic. And rightfully so, a lot of it's because of the work that you and the team at CISA have done over the years. And I want to thank you for that, first off, but then I kind of want to get your thoughts on, what prompted you to put that tweet up?

 

Allan Friedman 02:25

Sure. Well, you know, we always get a little disappointed when we don't get the talk accepted at the big flashy conference. And for me, this would be, I think, you know, would have been 10 years in a row speaking there. Because, you know, we try to find new and important issues around cybersecurity policy to talk about, but, you know, the talks I pitched didn't make it past the committee. At first, I was a little sad about that. And then the program came out, and I actually got pretty inspired, because it turns out there are, you know, probably 10 talks that are related to SBOM and another 10 that are in the broader effort. In fact, when the conference published their sort of trends this year, one of the things that they referred to was between open source and supply chain, and, you know, focuses on hardware risk. You know, the SBOM-ification of things has really taken off. And for me, that's the sign that a community has developed: it isn't just one person from the government speaking ex cathedra. It's actually saying we've got new approaches to theory, right? What's the future going to be? We've got implementation-style talks: how are people doing it? What works? What doesn't? And what's the future? Right? How are we going to relate this to things like AI/ML, or other parts of the supply chain world? So, you know, the positive spin is, even though I don't get the nice little speaker ribbon, there's a lot of great things going on at RSA and around RSA around the idea that really shouldn't be that shocking in 2023, which is, hey, maybe we should know what's in our software.

 

Sean Martin 04:15

Just a minor point of understanding that we need there. So before, and I wanted to talk about the tweet, but before we get any further, Allan, I think a lot of our listeners probably know of you and have probably come across your work in some fashion, maybe even met you in person at some events. But some folks may be new and not know who Allan is. So maybe a few words about your journey into CISA and the work before, and the software bill of materials stuff that you've been working on. Sure.

 

Allan Friedman 04:52

I'm Allan Friedman. I'm the guy who doesn't shut up about SBOM. And we'll talk a lot more about that, but I'm a failed professor who got suckered into joining government about seven or eight years ago. And a lot of that work, broadly speaking, is to say, how can the government help create better markets for security? So we sometimes talk about a market failure in security. And what can we do through the different levers that we have in government to essentially reward people who are paying attention to security, and nudge along the folks to hopefully drive some change. And so I started off at Commerce, did some work on coordinated vulnerability disclosure, starting in 2015, at a time when that was still a pretty hot-button topic. It was the first government initiative. We've done work on some IoT security. And then this idea, that SBOM, which was not a new idea, but the work that we started at Commerce, and now at CISA, has been to say, how do we pull together the broad software community, people who write software, people who buy software, people who maintain software, and that's pretty much all of us these days, to make some progress. So I joined CISA a year and a half ago. It's the Cybersecurity and Infrastructure Security Agency. We're the nation's cybersecurity agency, focusing on how to defend and advance cybersecurity. And I'm a senior advisor and strategist there. I coordinate our SBOM efforts both across the US government and around the entire ecosystem, and now around the world, because this isn't just an American issue, cybersecurity is a global issue. And I also work on a number of other related issues around vulnerability management, open source software, and of course, helping to support our new mission around secure by design and secure by default.

 

Sean Martin 07:03

So I want to get your perspective on how things have transitioned over the last few years, perhaps. Of course, cloud is not new, APIs are not new, open source is not new. But certainly the proliferation of APIs and microservices seems to have really taken off, where everything is connected to everything. And in there, you have the open source, and you have the commercial stuff, and you have all these elements. How has the landscape shifted to where it's perhaps complicated matters for SBOM? And, but also, maybe the work that you've done around software bill of materials has helped to really wrangle a view of that.

 

Allan Friedman 07:56

Sure. So let's start by making sure that we're all on the same page on what an SBOM is. Right, it stands for software bill of materials. And this radical idea that, as I mentioned, we should know what's in our software. And, you know, we use the analogy sometimes of a list of ingredients. And it's not a perfect analogy. But it's really helpful for a couple of reasons. One, because at the end of the day, it's about knowing what you have. Two, it's also noteworthy that a list of ingredients by itself, it's just a list, it's not going to inherently make things better for you. If there's someone in your family that has a deathly allergy, just the existence of a list of ingredients in the pantry won't save them. Right? If you want to stay on your 2023 diet, saying I'll only buy things that list ingredients won't make that happen. Vegetarian, plant-based, religious lifestyle, all of these things aren't magically done by a list of ingredients. But good luck doing any of those things without that list of ingredients. So it is a data layer that helps us think about risk. Yep. So, to work properly, this model of software transparency at both the technical level. It's always fun when you get so excited about the work that it pops out of your mouth. And right there in your ear, rather, yes. So, right, to work properly, it needs to scale for all software. So 10 years ago, 15 years ago, there were very few software companies, and software just sat on a disk. Today there are a couple of things, which is software is in everything. And everyone is now a software company, right? You make cars, you're a software company; you make medical devices, you're a software company.
And of course, we've gotten a lot better and more efficient at creating all of these different layers in our stack, serenity, cloud native world, containerized software world, infrastructure as code, dynamic code writing, all of these things have changed how we're doing it, and indeed, lots of great discussions about how do we secure it. And our thinking around transparency has to evolve as well. So if something's gonna run on my network, well, then the case for transparency is very easy. Right, on my network, I need to know what's in it. So I know how to defend it. When we find the next vulnerability, when we find the next Log4j, how do I know whether or not I'm affected? SBOMs can help, because I don't want to call every single vendor all the time. What does that mean for cloud, SaaS? That's one of the things that we're working on here at CISA, pulling together industry experts to sort of explore what this means in different domains. So what

 

Sean Martin 11:08

are there different working groups? I don't know. Did you open this up to the public sector? I'm sorry, the private?

 

Allan Friedman 11:14

Definitely. So what have we done? It's this, around SBOM, a number of things. And we can talk about some of the government side as well. But a lot of it is to say, hey, we need to enhance and refine this. So we started off by saying, what's an SBOM? And people had ideas in their heads. But what we did at NTIA was kind of have everyone come together and say, this is the basics. This is the minimum elements, or the minimum viable product, and the rest of what we mean. And it turns out, so that's been very powerful, it means that we've been able to make a lot of progress. And over the last couple of years, there are dozens of companies that have grown up to help create SBOMs, manage SBOMs, consume SBOMs, dozens of open source projects, and companies that are creating open source tools. But we still need to understand and enhance and refine this. So at CISA, we're focused on how do we scale this? And how do we refine the concept to apply to new domains, or domains that may not be a perfect fit? That includes things like firmware. Is there a difference between firmware and software, cloud and other things? So we have five working groups that are all industry led, they're supported by the community, they're open to everyone. We've got people participating from around the world, including one very dedicated guy from the Japanese national CERT, who chimes in God knows what time of night for him, as well as, right, companies around the world, representing all sorts of different sectors. And, of course, people from the open source world, because again, we're thinking about dependencies; more and more of our software is based on open source. So there are a bunch of different topics. If you want to know more, I encourage folks to check out cisa.gov/sbom. We're talking about a range of fun issues. Everything from how do we help people get started? Right? What are the on-ramps? And adoption, to how do we move this stuff around?
So we don't really have great solutions today for sharing supply chain metadata down a complex supply chain. How to, when I've, you know, medical devices on a hospital network, how do I figure out what's in them? If I'm worried about, you know, what's in a modern product, and I want to see all the way up the supply chain, how do we get visibility? And so thinking about that sharing is a key piece as well.

 

Sean Martin 13:52

And as you talked scale, I mean, I built enterprise software for a big yellow company for many years. And scale always meant, how do you get that multinational organization secure with all those endpoints and servers and IoT, whatever else was on the networks, and their partners and everything. But scale in this sense, to me, also means scaling down to the small shops that don't have big security teams, have any lead on proper processes and staffing and skills to actually do this stuff. So how do you help some of where probably most of the organizations sit, in the small, medium business arena? So to help understand this, I like the concept of MVP, MVP. I don't know if there's something there that you're doing to kind of help scale this down, so that everybody can absorb it.

 

Allan Friedman 14:48

Yeah. So let's talk more first, broadly, about the question of scaling broadly in cybersecurity. And there are lots of issues that start off as specialized key topics for, we'll say, the haves in cybersecurity. You know, nothing unique about supply chain or security assurance for this. Let's look at something like threat intelligence, right? That used to be something that like eight companies in the world could have any specialized employees on. And then we had some companies roll out, and people started to meet the needs. And now it's not something that everyone in the world is going to have, threat intelligence. But that's something that now is a basic part of building a quality security program. Right? This is a trickle-down effect. Now, there are always going to be organizations that are lagging, right, we don't have an infinite budget for security, even well-resourced companies often fight for resources in security, especially in today's approach, and of course, as CISA's director, Jen Easterly, often talks about the target rich, cyber poor, right, organizations that are vitally important to our way of life, keeping the water on, keeping the lights on, hospitals, schools, and we want to help them. But on the specific question of SBOM, there are a couple of paths forward. For the people who produce software, small might actually be an advantage, right? If you're a small new company, maybe you don't have the world's most sophisticated DevSecOps model. But chances are you're using new tools, chances are you have something that looks a little bit like a CI/CD pipeline, you might even be sort of building some cloud native behaviors and containerization behavior. And SBOM is easier as you move into that space. And a lot of the tools that we all use have the potential to have SBOM baked into them. So there's a command in Docker called sbom. You know what it does, Sean? It gives you an SBOM.
GitHub just rolled out an automatic SBOM generation feature for free for public repos. So, right, the smaller organizations are advantaged compared to the big legacy companies. And I'm even talking about the Montview tech giants, which have so many different products. Right? If you're a manufacturer, a global manufacturer, you have dozens of different divisions, maybe you don't have a security team that spans across them, everyone's sort of in their own silo, you've got a lot of legacy products, and a lot of legacy processes that you're going to have to adapt. So for example, I talked to Lisa Bradley from Dell, who is doing amazing work in her organization of getting visibility, but she gets annoyed when I say, you know, hey, a single command will do this for you. Because, right, her organization is very well optimized for producing quality software. Not paid by Dell to say that, of course, we don't endorse Dell, or particularly say they're, you know, written anything one way or the other. But we just want to acknowledge that, right, larger organizations are trying to get visibility in a way that involves bringing together many different companies in many different parts of an organization. So one last story here. I've talked to one of the senior product security leads for a very large manufacturer in the energy space. He said, you know, if we had SBOM today across our company, it would save us thousands of human hours a year. Because every time a new vulnerability comes along, they have to say, are our customers affected, right? That's what a good product security team does. And we need automation in that space. SBOM alone won't solve that problem. But SBOM drives automation that allows us to do that faster and more efficiently.

 

Sean Martin 19:05

You need the data to make those decisions. And certainly you can make the decision, or you can automate the decision, if you don't have the decision made was invalid. I love that, and you're preaching to the choir. It's often something I talk about on my show, that if you can just change the way you do something upfront, you can reduce the exposure, limit the risk, and ultimately, downstream, save people time from having to patch stuff, or make it easier to patch stuff if you know what's going on. Let's move a little to what's going on at the conference. I know there's, I think I did a search and, we just, you rattled off some numbers. I captured five sessions on SBOM, 28 on supply chain, 22 on open source. I didn't get into the hardware security certs. I'm sure there's probably a good dozen in that space as well. I don't know how we want to take this, I'll kind of take your lead, but one way for me to kind of look at this is maturity level. So folks just getting into the world of managing software components, where might they start and then move up? Or if there were interesting topics or sessions, or I'll kind of leave it to you to maybe highlight some of the things that you're excited about seeing on the agenda that you think would be worthwhile for folks to take up?

 

Allan Friedman 20:39

Sure. And, right, it's always tricky to do this, because you don't want to ignore your friends' talks. So I'll flying will throw up.

 

Sean Martin 20:48

All right, I'll take that. I'll take that. And then sure, you can blame me.

 

Allan Friedman 20:55

Well, so I think that's a great one of sort of the intersection of technology and policy, as Josh Corman is going to give a talk, where he sort of says, you know, let's look at the political side of transparency, who's concerned about this, and then go through some of the more common concerns and the risks of transparency and see which ones are valid, that we collectively need to address. And which ones may be, you know, FUD, or people playing for time, because they don't want to show the world that their product has some technical debt in it, or they don't want the cost. They don't want to underwrite the one-time cost of getting transparency. So I think that's gonna be a really interesting talk. I'm looking forward to sort of thinking through and inheriting his perspective, because Josh's is an excellent big-picture approach. Another more general talk that is, I think, going to be getting into some of the mechanics is a talk by Chris Blask, who's been in security for a long time, and I think is now supporting Cybeats, and a woman named Kate Stewart, who's vice president of the Linux Foundation. And they're going to be doing a little bit of peering into the future of saying, hey, "The World on SBOMs" is the name of their talk, and sort of talk about, hey, what are some of the real benefits and use cases? And what are some things we can anticipate? Because again, what I love about this idea of SBOM is it's a brand new data layer. And, right, let's use a more historic example. CVEs don't fix a thing, right? Giving a vulnerability a CVE number doesn't protect anyone. Right? It is just assigning a vulnerability a string. But because we have that program, and because we have things like the NVD, now we have an entire ecosystem of tools that are built on it that organizations can pull together. And tool A supports tool B supports tool C. Or you just write one giant check to one particular major sponsor of RSA, and they'll solve all your problems.
But, right, the vision is we have a thriving ecosystem. And I think that's a vision that I'm really excited about. Both Kate and Chris have been right about a lot of things. Kate was involved in creating one of the two major SBOM standards, called SPDX, which along with CycloneDX are sort of the two ways that we implement this. SPDX is older. And Kate had the foresight to realize we need machine-readable ways of thinking about open source licensing. And Chris has also been sort of looking ahead. So I'm really excited about that as a historical approach. And then, so yeah, those are the two talks that I'm sort of more excited about. There are a couple of interesting panels that are also going to be sort of thinking about it at the corporate level and at the technical level. So it should be a lot of fun.

 

Sean Martin 24:19

Yeah, and we're certainly not here to recite all the sessions, because there's far too many, so I'm not going to make you do that, and I'm gonna incur, well, we'll put links in the notes for people. I've done the search, and we'll make that part easy for them. There are a couple of other things I wanted your thoughts on, on these few points. Kind of where SBOM fits into the security program. I think there's a natural, it goes in DevOps, DevSecOps, but how does it fit into cloud security and containerization versus patch management and risk management versus detection and response and recovery? Any thoughts on that? And not sure if there are any sessions that kind of highlight that, that I think would be interesting as well, but not necessarily if you don't want to miss a tip here.

 

Allan Friedman 25:11

So we like to use three buckets to think about how SBOM can really drive change, right? How do you go from data to intelligence to action? First is the producing of software, whether it's developers or the product team leads, just visibility into what you have, know what you ship. And this isn't just good for security, this is good for quality and cost as well. There's a supplier in the sort of OT space that thinks about SBOMs. And they've done analysis and teardowns of some very large product systems from some of these major vendors, that maybe come from companies that were not super friendly with, you know, shipping six, seven versions of the same piece of software. That's just code bloat that's inefficient, that raises your total cost of ownership. And so again, security is important, but it's also a quality story. And Sean, I know you know this, that modern DevOps, actually, the security in the software world kind of stole that from heavy industry. And they've really had to invest in quality and quality process to be globally efficient. And so we've seen that spill over through, you know, Gene Kim's work and everyone else into the DevOps domain. So that's the production side. And then there's the decision side, right, we all either buy software, or select open source software that we're going to run in our organizations. Before we make that decision, there are a lot of things we're going to want to look at, obviously, the economics, but the security risk. And so one is, do I want to buy from someone who can't produce an SBOM? Think about what that means. If there's a company who's selling you a product, and they can't actually give you an SBOM, how can you trust that organization? And why can't they do it? Is it just that they know what it is, but it's kept in their own internal data format? Or is it that they just have a bunch of teams going rogue and they pull things together? This also allows you to think

 

Sean Martin 27:20

about all of formula. Yeah,

 

Allan Friedman 27:23

Well, and some of it is proprietary, and that's fine. And we have solutions for that. But it also allows you to sort of do the risks that you care about. Are you worried about open source risk and unsupported open source? Are you worried about existing vulnerabilities? Are you worried about nation states being in your supply chain, when you think your regulator may ask you to take certain things out? There's a lot of stuff that goes into this sort of supply chain risk management pre-purchase. And then the last piece of what you're going to do with an SBOM, and what tools you're going to have, is, hey, once I've asked for them, what do you do with it? Now, all acknowledged, that's a new issue right now, because until recently, no one had SBOMs. So it'd be kinda weird if we had a bunch of SBOM tools, right? But we're starting to see that fit into different types of tools that organizations are already using, as well as new startups that are rolling out plans to manage the SBOM data for you, and then integrate it into things we're already doing. One of the things that I'm looking forward to at RSA is talking with a lot of the suppliers in the vendor management, in the vulnerability management space, and in the asset management space and in the config management space. Because again, these are services that a lot of companies are already paying for. So let's talk about how we can integrate SBOM data into it. So not only do I see, is there a vulnerability in, you know, this blinking box that's vital for my business to operate. But maybe there isn't a CVE against this, because there's only 1000 customers, but I do care about, are they using an out-of-date crypto library, are there libraries here that are vulnerable to RCEs and things like that. So I think, looking ahead, we're gonna see a lot of folks in the Expo Hall having SBOM on their marketing literature, and I gotta tell you, I've got mixed feelings about that.
On one hand, it's nice to see. On the other hand, InfoSec marketing is a little, InfoSec marketing always makes us all feel a little dirty.

 

Sean Martin 29:31

Let me, we won't go there. But I know what you're saying. This, as you're talking, and I'm thinking of that chain that you were describing, those three buckets and those four steps, the last mile, I'll call it, to the consumer, and that's coming out of left field. But I've seen some talks on this as well, where NIST has done some work on, you called it ingredients, but what are the elements in the product? And then providing that to the consumer? So I don't know, again, is it out of left field? So if you don't have responses at the moment, that's fine. But any collaboration with NIST to cover that last mile, to say the SBOM turns into the software stuff that gets presented to a consumer when they buy?

 

Allan Friedman 30:23

So, great question. And, you know, who's the target audience who should be making these decisions? There's a lot of work happening all across the government around things like IoT labeling, and really what drives change. So one thing is to push it all the way to the human who is, right, who's making things in home goods. I think SBOM might eventually reach there, but right now, this is very much a broader business risk, in part because those are the organizations that are empowered to make that decision, rather than the bank's customer to say, hey, is my bank safe? We want the bank to do it. So the director of CISA, Jen Easterly, gave a talk at Carnegie Mellon University about a month ago, where she rolled out CISA's secure by design and secure by default model. And the title of her talk was "Unsafe at Any CPU Speed." And it asked the question why, just as, you know, 40 years ago, we said, hey, why are car companies allowed to sell things that, when they take a turn wrong, blow up? And similarly, we're starting to ask the question, hey, why are there lots of IT products that, when you buy them, are inherently insecure? We know there's always going to be risk, because zero risk is not a goal. And everyone in the cybersecurity world knows this. But at the very least, we can start asking, why are things out of the box not secure? Why don't they have key common features? Now, we're starting to push this a number of ways across the administration. The President's executive order of 2021 laid out, in section four of that executive order, it's a long executive order, section four said, hey, for the government to buy it, you've got to have these properties. You gotta have MFA enabled in your dev environment, you gotta have a separate dev environment from your build environment. Right? Not impossible things, and things that, like, good security people don't understand why you don't already have. One of those is SBOM.
But there's some other features there. And so, coming back to your question, what we want to do is we want to create a world where, for the end consumers who are not in a position to secure things, let's work on making things secure out of the box, having common security properties. For organizations that are in a position to make risk decisions about the software they buy, let's give them the transparency, the data, to make those decisions, and to make those decisions more cheaply and more easily. And that's really the idea behind SBOM and our broader agenda around things like VEX, rethinking vulnerability databases, things like that.

Sean Martin 33:27

Yep. Yeah. And the reason I asked, one is, in my mind, so Mark was not here to stop me, but just the idea of the value of security. And I think, ultimately, where the money is spent, or not spent, for supporting the companies that take it seriously and make the investments, versus the ones that can't prove that they're doing things the right way, quote unquote, "the right way." They don't earn our money, and therefore they don't exist. Maybe that's a little utopian view there. But anyway, that's kind of where I was going with that. Let's look at the future. Let's bust out the crystal ball now, because there are a few sessions there on the list that make me wonder, is it the current state of where we are managing SBOMs, or is it a future state? And let's just go to it, it's AI, right? So I know, certainly with generative AI, there's a lot of conversation right now, which isn't necessarily the same thing as AI in these types of situations, but what's the future hold? How far can we get? Obviously, that's going to be helpful in decision making and automation and orchestration, those types of things, but what's the future hold with that and other things?

Allan Friedman 34:48

Sure. So one of the things that's become gratifying is we sort of see the idea of SBOM go from "What is this?" to "Dear God, we can't do that" to "Okay, this seems…" Part of the future is the expansion of the idea of transparency to other domains. So you talked about AI/ML. As we think about the risks and the concerns and the power, knowing what's in these engines is going to be key. And so there's already some work happening on what transparency means in the AI/ML context. Berkeley and Stanford have a joint project on this. There's some great work at Indiana University thinking about what an SBOM means for modern generative AI platforms, you know, how do we track the data separately from the network generation process, from, you know, the test assessment software, and things like that. Hardware is obviously something that a lot of people care about, especially in the national security context. If you thought SBOM was hard, wait until you look at hardware. And that's something, you know, I've got a lot of friends in the hardware space, and they are always, you know, looking at me as a software guy saying, "Oh, you sweet summer child." And in transparency, that's going to be key, but it's also really hard. There are a number of people who say, "Oh, we can already do a hardware supply chain and hardware SBOMs, or HBOMs." And sadly, I don't think we can. We'll get there. But you can take the hash of a software library, we can track the pedigree and provenance of open source. You can't take a hash of a DIMM. And tracking a SKU, a product number, inside a company is very different than saying I can follow that product across a bunch of different organizational boundaries. So we'll get there. But this is something that we're slowly working on. And what I want to do is also focus on linking, rather than building one BOM to rule them all. Let's focus on saying, let's build out individual capacity.
And then if you want to put them all in the same file, that's great. But there are a lot of reasons why we should be tracking this data separately, because different data is going to change at different times, right? Vulnerability data evolves. And we're going to want to sort of be able to map whatever data we're looking at to the different types of risks.

Sean Martin 37:21

Nice. And another, maybe off the wall question: the role of blockchain. Because if there's any value, you need to have integrity, right? So is there a spot for blockchain to help solve that, or what?

Allan Friedman 37:42

Here's where I'm going to run very close to making my press person a little terrified, as I'm speaking for myself and not CISA. But I've been pretty outspoken in my skepticism for ledger technology. One, because it has been the next big thing for 10 years. And I think at a certain point, you don't get to be the brand new special belle of the ball if you haven't produced anything meaningful in 10 years, despite a ridiculous amount of money. And a huge number of companies say blockchain will solve this, and then they realize it can't. And there are a bunch of reasons why, including scaling issues, and the fact that once you layer the security pieces onto your DLT, then you're like, "Oh, well, we need a PKI anyway," so we don't have any of the savings that come from making things truly distributed. There are a couple of companies out there that have been doing this, and they're full of very smart people. But I think the requirements of what is needed can't just be solved by magical separation. I'm not going to rule out that the solution won't be something that is a distributed ledger. But the distributed ledger by itself won't solve all of our problems. Sprinkling a little blockchain on it hasn't worked for just about anything, and it won't work here.

Sean Martin 39:13

I appreciate your candor there. And yeah, who knows where things are. And I won't even go down, there's no need to go down another path. But listen, I'm thrilled, one, to have you on the show. It's great to get your insight on all this stuff. And I want to thank you for all the work you've done leading up to your current role at CISA and bringing the community together to move things forward. Lots to do still, of course. And I want to say that we only scratched the surface here. One, there are plenty of sessions right on this topic. I'll include links for that. But more importantly, perhaps, in the notes we'll have Allan's profile, connect with him on social media where he wants that to happen. And CISA will be at RSA, they have a booth there. So I encourage everybody to stop by, say hello, ask a few questions that are relevant for you and your organization, and perhaps even contribute, become part of a working group and help move things forward, so you're heard as part of this solution.

Allan Friedman 40:32

And if anyone is interested in learning more, we have a nice handy email address, sbom@cisa.dhs.gov, to learn more if you want a briefing for your organization. And if you want to see some great available resources, cisa.gov/sbom. Stop by our booth at RSA. And at the risk of going a little too far with the plug, we're always hiring. We need really smart people who are committed to the cybersecurity mission, who want to help secure the nation. And we have a lot of interesting roles. So again, if that's the sort of thing that you're interested in, stop by our booth at RSA.

Sean Martin 41:11

I love it. I've thought about it many times.

Allan Friedman 41:17

We'd love to have you, Sean. Come on, be a senior advisor. Help us shape the future with your perspective.

Sean Martin 41:24

I'm here doing podcasts, spreading the word. Excellent. But an absolute pleasure, Allan, and I look forward to seeing you and the rest of the team there in San Francisco. And yeah, appreciate you being part of this. And for everybody listening, as I mentioned, tons of links to tons of good stuff. And stay tuned as we continue our coverage for RSA Conference 2023. Thanks. Thanks, everybody. See you all

Allan Friedman 41:51

in Moscone. Thanks.

Sponsor message 41:56

BlackCloak provides concierge cybersecurity protection to corporate executives and high net worth individuals to protect against hacking, reputational loss, financial loss, and the impact of a corporate data breach. Learn more at blackcloak.io

Voiceover 42:16

We hope you enjoyed this episode of our on location conversation. If you learned something new and this podcast made you think, then share itspmagazine.com with your friends, family, and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.