Cloud Security Today

SBOMs: Good but less than a silver bullet

Matthew Chiodi Season 3 Episode 9
Audio Player
00:00
00:00 | 50:29

Send us a text

Episode Summary

On today’s episode, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency, Allan Friedman, joins Matt to discuss SBOMs. As Senior Advisor and Strategist at CISA, Allan coordinates the global cross-sector community efforts around software bill of materials (SBOM). He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics.

Before joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science Department, the Brookings Institution, and George Washington University’s Engineering School.

He is the co-author of the popular text Cybersecurity and Cyberwar: What Everyone Needs to Know, has a C.S. degree from Swarthmore College, and a Ph.D. from Harvard University.

Today, Allan talks about SBOMs and their adoption in non-security industries, Secure by design and secure by default tactics, and how to make software security second nature. What, exactly, is the SBOM? Hear about how SBOMs could’ve helped against significant attacks, the concept of antifragility, and why vulnerability disclosure programs are so important.

 

Timestamp Segments

·       [02:27] Allan’s career path.

·       [05:10] Allan’s day-to-day.

·       [06:15] What has been most rewarding?

·       [08:00] SBOMs in non-security startups.

·       [10:50] Real-world examples of Secure by Design tactics.

·       [17:30] Will software security ever seem obvious to us?

·       [19:30] What is the SBOM, and will it solve all our problems?

·       [23:41] Could an SBOM have helped against the SolarWinds attack?

·       [27:52] Memory-safe programming languages.

·       [30:16] Misconceptions around Secure by Design, Secure by Default.

·       [32:00] The importance of vulnerability disclosure programs.

·       [35:37] Antifragility in cybersecurity.

·       [41:47] VEX.

·       [44:29] How to get involved with CISA.

·       [48:00] How does Allan stay sharp?

 

Notable Quotes

·       “Sometimes, organizations need a good excuse to do the right thing.”

·       “It is bananas that software that we use, and pay for, still delivers with it not just the occasional vulnerability, but very real risks that require massive investments from customers.”

·       “When tech vendors make important logging information available for free, everyone wins.”

·       “The SB in SBOM doesn’t stand for Silver Bullet.”

 

Relevant Links

Email:              sbom@cisa.dhs.gov

Website:          www.cisa.gov

LinkedIn:         Allan Friedman

 

Resources:

Open Source Security Podcast

Risky Business Podcast

The future of cloud security.
Simplify cloud security with Prisma Cloud, the Code to Cloud platform powered by Precision AI.

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.