Wondering what all the hype about Software Bill of Materials or SBOMs is? They’ve become a regular talking point when discussing the composition of software, and if you haven’t heard of them yet, you surely will soon.
Join DJ Schleen as he interviews experts who shed light on what Software Bill of Materials are, how they are used by organizations to exchange information on software composition, and the effect they will have on consumers of software from large organizations to government agencies. We’ll dig into how SBOMs enable consumers to identify security vulnerabilities and explore the ever-expanding world of Bill of Materials formats to provide you with the knowledge you need for an emerging industry concept.
Lauren Hanford on Add TACOS to your SBOM Combo Platter
Remember the X-Files television show? Dana Scully was one of the main characters - a brilliant FBI agent who worked on unsolved cases involving paranormal phenomena. Often skeptical of the supernatural, she was always willing to keep an open mind, and she was also a great role model.
She inspired many women in Technology, one of them being Lauren Hanford. Scully’s inspiration led Lauren into the field of Criminal Justice and Chemistry, and then she pivoted into Computer Science and Design, the catalyst being a desire to make doing homework easier.
It’s funny how technology always finds us.
Lauren has been a part of the open source community for years, and has a massive understanding of the space.
Recently, she brought the TACOS framework (Trusted Attestation and Compliance for Open Source) to the community to help assess the secure development practices of open source software. It’s a perfect companion to a software bill of materials.
…and the name? It’s a nod to GUAC and to SLSA.
Welcome back, to daBOM.
Hasan Yasar on The Multiverse of SBOM Phases
There's no better way to get to know someone than staying awake for 24 hours straight while moderating sessions of the world's biggest virtual DevOps conference - All Day DevOps. It's one of the many times I've gotten to spend with Hasan Yasar over the years.
We were hunkered down in an office in Tysons Corner, just outside of Washington, DC, broadcasting throughout the day to an audience spanning the world, introducing some of the world's most talented minds before they shared their stories.
Hasan and I met back in 2017 when we were both speaking at DevOps Connect at RSA, and I was floored at the wealth of knowledge he had about DevSecOps. He's done the research, knows the practice, and has the mind of an architect.
Hasan isn't only a speaker in the community, though; he's also an organizer of events such as DevSecOps Days Istanbul, DevSecOps Days Tokyo, and one very memorable panel I was on at an event hosted by the Software Engineering Institute at Carnegie Mellon University. Hasan placed me on a panel beside Brigadier General Greg Touhill in front of an audience of military personnel to discuss DevSecOps.
I will never forget fielding a question with General Touhill from a member of the Air Force. They asked, "How do you fail fast with a ballistic missile?"
"You better have some good simulators."
When Hasan and I caught up again at the RSA conference this year, our conversation turned to the topic of Software Bill of Materials and how they fit into the SDLC.
... and then Hasan started talking about how we could shift them extremely far left...
Welcome back, to daBOM.
Trac Bannon on the connection between Generative AI, LLM and SBOMs
I'll never forget the day I met Tracy, although I really think we were actually separated at birth. We were scheduled to be on a podcast together, and after introducing ourselves to each other in the call lobby, we began a discussion that most likely would've gone on forever had the host not interrupted us to get the show started.
It turns out we both have similar passions in the DevOps, DevSecOps, and SRE spaces, and not just philosophical ideas and hoopla high fives. We've actually done it. Practical implementation of ideas that have injected security into the software we all develop.
An architect, a programmer, a dreamer, and a visionary, she's also a strong advocate for diversity and inclusion in the technology industry, and has often shared her experiences about being a woman in technology.
Two topics that are very close to my heart as well...
Earlier this year, Tracy and I were brought together by Mark Miller for "It's 5:05", a podcast produced by The Sourced Network that brings snack-sized news about open source and security topics to the masses on a daily basis.
From the seeds of "It's 5:05" came the opportunity for me to create this podcast. And also for Tracy to create a podcast called "Real Technologists". And if you haven't heard it, you need to. It's a brilliantly done production about the people "behind the technology".
And speaking of real technologists, Tracy is one of them.
Welcome back, to daBOM.
Philippe Ombredanne on SBOMs, SCA and PURLs. Oh my!
It must have been a year or so ago when I was looking for an open source vulnerability scanner to use in a project I was working on. As I scoured the internet, I stumbled upon a project called "VulnerableCode" - a server that could run locally and would return vulnerability information if you called its API and gave it a Purl.
What's a Purl? It's an abbreviation for Package URL, and it identifies a component that's used in the software we build. Think of it like a hyperlink that contains metadata such as ecosystem, name, and version, among other things...
Why is it so important? It's quite simple. If you have a component Purl, you can query a vulnerability database and get a list of CVEs that affect that component.
So we can think of a Purl as a key of sorts - and it shows up everywhere in a Software Bill of Materials.
Anyway, let's get back to the story.
The project I was working on? It was a little proof of concept CLI that would eventually become "bomber" - one of the first open source SBOM vulnerability scanners. I started prototyping using VulnerableCode and then moved on to vulnerability APIs that were available online, but I always wanted to return to VulnerableCode someday.
That day came in December last year when a new issue was created in the bomber project on GitHub. It was titled "Fetch Data from VulnerableCode" and was submitted by one of its creators, Philippe Ombredanne. When we finally connected via email a few months later, I found out a few very interesting things about Philippe.
First, he invented the Purl.
Second, he has a long history with SPDX, CycloneDX, and Software Bill of Materials.
Welcome back, to daBOM.
Tim Miller on Do You Want Some GUAC with that SLSA?
I read an interesting post on Twitter the other day about Software Bill of Materials. The author said "SBOMs promise a picture of what lies beneath the surface of software, but without large scale automated binary analysis, at best, they reflect intent not reality. As a result, relying on them is like being an explorer without a compass."
The author does make some good points here. Large scale binary analysis is definitely lacking in some regards - but the technology is there to do it, and we've had a guest on the show who has talked about how they're doing it today for mobile apps.
But binary analysis is only one use case. There's so much more to Software Bill of Materials.
As for the compass, even as late as the 1700s European explorers still used astrolabes. They helped navigate using the stars, and although the compass was invented around the same time in Asia, it was only used as a backup to the astrolabe.
What that shows is you don't need to have a compass to be an explorer.
Just like you don't have new technologies without innovators like Tim Miller. He's one of the folks behind GUAC - and that's an acronym for "Graph for Understanding Artifact Composition". It's an open source tool that aggregates software security metadata into high fidelity graph databases.
What does that mean? It means that it ingests SBOMs and provides a way for users to query that information.
Tim reached out to me after seeing GUAC as part of my "SBOM Reference Architecture" in a LinkedIn post that hit his feed. After getting on a quick call to discuss what I had planned for GUAC, I knew I had to get him on the show.
What do we do with SBOMs after we get them? Buckle up, because we're going to talk about one thing you can do...
Welcome back, to daBOM.
Dan Walsh on Practical Use from a CISO in Healthcare
Every one of us has a few of those people in our lives that change the trajectory of our careers, and for me, Dan Walsh is one of them.
It was just a few weeks after the world shut down during the pandemic when I was introduced to Dan by a mutual friend of ours - Aaron Rinehart - after Aaron heard I was looking for my next big adventure. He introduced us via text message, and when I got a chance to meet with Dan, we talked for over two hours, and I think we cracked a few brews along the way. It was a conversation that was filled with ideas, possibilities, and dreams.
Although I had never met Dan in person, that didn't stop me from going to work with him at one of the biggest healthcare groups in the world.
We still hadn't met in person when I followed him to another company in the healthcare industry. We were just talking heads on a screen to each other at that time. But it was a new world, and none of it hindered our innovative spirit and friendship.
As the pandemic restrictions started to wind down, I arranged a trip to Chicago to meet my team, and as I landed, I hoped that I'd get to the hotel on time for a quick drink before the bar closed.
I'd arranged to meet up with Dan. In person.
It was almost two years after we first talked on Zoom and here my plane was delayed, and it was really late. But I did get to the hotel... just in time.
I'll never forget walking into the lobby bar at the W, in downtown Chicago and seeing Dan with 4 full pints of beer in front of him.
"It was last call," he said.
"You're taller than I thought you were," I responded.
Welcome back, to daBOM.