The document discusses the importance of software Bills of Materials (BOMs) for managing software supply chain risks. It provides background on the creator's work developing standards like CycloneDX and tools like Dependency Track. BOMs allow organizations to understand component dependencies, track vulnerabilities, and ensure compliance. The document outlines common use cases like vulnerability analysis and outlines standard BOM formats like CycloneDX and Package URL. It demonstrates how BOMs can integrate with DevOps pipelines and provide continuous monitoring of supply chain risks.
2. § Creator of OWASP Dependency-Track
§ Creator of CycloneDX BOM Specification
§ Contributor to OWASP Dependency-Check
§ Contributor to Package URL Specification
§ Multiple Software Transparency Working Groups
§ Software Security Architecture at ServiceNow
About
@stevespringett
steve.springett@owasp.org
https://stevespringett.com
https://github.com/stevespringett
3. § Dependency-Track project reboot (dubbed v3)
§ Analyzing specifically what problems I was trying to solve
§ Facts vs evidence, multi-vuln intel, outdated components, actionable intelligence
§ OWASP Summit 2017
§ Sherif Mansour noticed that NVD and Dependency-Track were trying to solve a similar problem
§ NTIA created multi-stakeholder process to improve Software Transparency
§ NIST, MITRE, NSA, OWASP, Linux Foundation, Software, Healthcare, Device Manufacturers, Financial Services, etc.
§ Multiple working groups
Backstory
4. NTIA Software Transparency
Working Groups:
• Understanding the Problem
• Use Cases and State of Practice
• Standards and Formats
• Healthcare Proof of Concept
https://www.ntia.doc.gov/SoftwareTransparency
7. § Compliance
§ Regulation
§ FDA and others
§ Economic / Supply-Chain Management
§ Use fewer & better suppliers, use highest quality parts, track throughout lifecycle
§ Market Forces
§ SDLC maturity, procurement, operational costs, risks, impact analysis
§ Forensics
§ NTSB and others
Contributing Factors
8. Cybersecurity in Medical Devices
Cybersecurity Bill of Materials (CBOM) – a list that includes but is not limited to commercial, open source, and off-the-shelf software and hardware components that are or could become susceptible to vulnerabilities.
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices:
https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf
9. Deliver Uncompromised
A strategy for supply chain security and resilience in response to the changing character of war.
https://www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-8AUG2018.pdf
Chris Nissen, John Gronager, Ph.D., Robert Metzger, J.D., Harvey Rishikof, J.D.
10. § Another thing an organization has to do
§ Incorrect. A simple change in strategy
§ Doesn’t improve the security of the thing I’m tracking parts on
§ Wrong. Facilitates accurate vulnerability and other supply-chain risk analysis
§ Not in vested interest
§ Some SCA vendors. Other vendors are on-board
§ License compliance
§ Yeah… That’s a problem
Reluctance
11. Game: Find the Fallacies
https://www.alienvault.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
19. § Decentralized URI describing component and its place within ecosystem
§ Support virtually unlimited number of ecosystems
§ Maven, Docker, NPM, RPM, etc.
§ Identifies all relevant component metadata
§ Ecosystem (type)
§ Group (namespace)
§ Name
§ Version
§ Key/Value pairs (qualifiers)
Package URL
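Added example, not from the deck or from the Package URL project: a small Python parser that splits a purl into the fields this slide lists (type, namespace, name, version, qualifiers, plus the optional subpath), peeling off separators in the order the purl spec prescribes so percent-encoded namespaces such as npm scopes survive. The sample purls are constructed for illustration.

```python
from urllib.parse import unquote

def _rsplit_once(s, sep):
    """Split on the right-most sep; return (s, "") when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")

def parse_purl(purl):
    """Decompose pkg:type/namespace/name@version?qualifiers#subpath.
    Separators are peeled off in the order the purl spec prescribes
    (subpath, qualifiers, scheme, type, version, then namespace/name)
    so a '@' or '/' inside a percent-encoded segment is not mis-split."""
    rest, subpath = _rsplit_once(purl, "#")
    rest, qualifier_str = _rsplit_once(rest, "?")
    scheme, found, rest = rest.partition(":")
    if not found or scheme.lower() != "pkg":
        raise ValueError(f"missing 'pkg:' scheme: {purl!r}")
    # Type is the first path segment; the spec tolerates leading slashes.
    ptype, found, rest = rest.lstrip("/").partition("/")
    if not found or not ptype:
        raise ValueError(f"type and name are required: {purl!r}")
    rest, version = _rsplit_once(rest, "@")
    namespace, _, name = rest.rpartition("/")
    if not name:
        raise ValueError(f"name is required: {purl!r}")
    # Namespace may be absent or multi-segment; each segment is percent-decoded.
    ns = [unquote(seg) for seg in namespace.strip("/").split("/") if seg]
    # Qualifiers: '&'-separated key=value pairs, case-insensitive keys,
    # pairs with an empty value dropped.
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if value:
            qualifiers[key.lower()] = unquote(value)
    sp = [unquote(seg) for seg in subpath.strip("/").split("/")
          if seg not in ("", ".", "..")]
    return {"type": ptype.lower(), "namespace": "/".join(ns) or None,
            "name": unquote(name), "version": unquote(version) or None,
            "qualifiers": qualifiers, "subpath": "/".join(sp) or None}

# Constructed sample purls for ecosystems the slide names (not from the deck).
SAMPLE_PURLS = [
    "pkg:maven/org.apache.commons/commons-text@1.9?type=jar",
    "pkg:npm/%40angular/core@12.0.0",
    "pkg:docker/alpine@3.15?repository_url=docker.io",
    "pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25",
]

if __name__ == "__main__":
    for p in SAMPLE_PURLS:
        print(parse_purl(p))
```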