ITSPmagazine Podcasts

The Missing Link: How We Collect and Leverage SBOMs | An OWASP 2024 Global AppSec San Francisco Conversation with Cassie Crossley | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Join Sean Martin and Marco Ciappelli as they sit down with Cassie Crossley at the OWASP Global AppSec conference in San Francisco to explore the critical role of Software Bill of Materials (SBOMs) in securing applications. Dive into an engaging discussion on how SBOMs can help manage software risks, even for smaller companies, and the broader implications for the cybersecurity industry.

Episode Notes

Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]

On LinkedIn | https://www.linkedin.com/in/cassiecrossley/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Episode Notes

In this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli head to San Francisco to attend the OWASP Global AppSec conference. They kick off their journey with a light-hearted conversation about their destination, quickly segueing into the substantive core of the episode. The dialogue provides a rich backdrop to the conference's key focus: securing applications and the crucial role of Software Bill of Materials (SBOMs) in this context.

Special guest Cassie Crossley joins the hosts to delve deeper into the significance of SBOMs. Cassie introduces herself and highlights her previous engagements with the podcast, touching on her upcoming session titled "The Missing Link: How We Collect and Leverage SBOMs." She explains the essential function of SBOMs in tracking open-source and commercial software components, noting the importance of transparency and risk evaluation in modern software development.

Cassie explains that understanding the software components in use, including transitive dependencies, is crucial for managing risks. She discusses how her company, Schneider Electric, implements SBOMs within their varied product lines, ranging from firmware to cloud-based applications. By collecting and analyzing SBOMs, they can quickly assess vulnerabilities, much like how organizations scrambled to evaluate their exposure in the wake of the Log4J vulnerability.

Sean and Marco steer the conversation towards the practical aspects of SBOM implementation for smaller companies. Cassie reassures listeners that even startups and smaller enterprises can benefit from SBOMs without extensive resources, using free tools such as OWASP Dependency-Track to ingest and search their software inventories. She emphasizes that having an SBOM, even in a simplified form, provides a critical layer of visibility, enabling better risk management with limited means.
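The collect-and-search workflow the episode describes (load the SBOMs you hold, find which products ship an affected component, then let a supplier's VEX statement say whether you are actually affected) as an added Python example. This is not code from the episode, from Schneider Electric or from Dependency-Track. The three CycloneDX documents are constructed for the example, the `x:exposure` property used to prioritise internet-facing products is an invented name, and the only watchlist entry is the published affected range for CVE-2021-44228 in log4j-core.

```python
"""Added example, not code from the episode or any project it names: triage a set of
CycloneDX SBOMs against a watchlist of affected component versions, and let a
supplier VEX statement embedded in the SBOM downgrade a version-range match.
"""
from __future__ import annotations

import json
import re

# Constructed CycloneDX 1.4 documents, one per product (sample data, not real SBOMs).
# The pump controller ships log4j-core 2.12.2: inside the naive version range, but its
# vendor states via a VEX analysis that the product is not affected (backported fix).
# "x:exposure" is an invented property name used only to order the findings.
RAW_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "gateway-firmware", "version": "3.2",
                                   "properties": [{"name": "x:exposure", "value": "internet-facing"}]}},
        "components": [
            {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "bom-ref": "ssl", "name": "openssl", "version": "1.1.1k"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "pump-controller", "version": "7.0",
                                   "properties": [{"name": "x:exposure", "value": "internal"}]}},
        "components": [
            {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.12.2",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        ],
        "vulnerabilities": [{
            "id": "CVE-2021-44228",
            "affects": [{"ref": "log4j"}],
            "analysis": {"state": "not_affected", "justification": "code_not_present",
                         "detail": "constructed sample: backported fix applied to the 2.12 line"},
        }],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "fleet-portal", "version": "2024.9",
                                   "properties": [{"name": "x:exposure", "value": "internet-facing"}]}},
        "components": [
            {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.17.1"},
        ],
    }),
]

# (group, name, first affected, last affected, advisory id)
WATCHLIST = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.14.1", "CVE-2021-44228"),
]


def version_key(version: str) -> tuple:
    """Order key so that 2.0-beta9 < 2.0 < 2.12.2 < 2.14.1 < 2.15.0 and 1.1.1 < 1.1.1k."""
    key = []
    for tok in re.split(r"[.\-]", version):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)(\d*)", tok)
        num, tag, tagnum = m.groups() if m else ("", tok, "")
        # A token that starts with a tag (beta, rc) is a pre-release: rank it below any number.
        key.append((int(num) if num else -1, tag.lower(), int(tagnum or 0)))
    key += [(0, "", 0)] * (4 - len(key))  # pad so "2.0" compares against "2.0-beta9"
    return tuple(key)


def exposure(sbom: dict) -> str:
    props = sbom["metadata"]["component"].get("properties", [])
    return next((p["value"] for p in props if p["name"] == "x:exposure"), "unknown")


def vex_state(sbom: dict, bom_ref: str | None, advisory: str) -> str | None:
    """Return the VEX analysis state the SBOM carries for (component, advisory), if any."""
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("id") == advisory and any(
                a.get("ref") == bom_ref for a in vuln.get("affects", [])):
            return vuln.get("analysis", {}).get("state")
    return None


def triage(raw_sboms: list[str], watchlist=WATCHLIST) -> list[dict]:
    """Match every component of every SBOM against the watchlist.

    A bare version-range hit is reported as 'in_triage' (someone has to put eyes on it);
    a VEX statement from the supplier replaces that with its own state. Internet-facing
    products sort first so they are looked at first.
    """
    findings = []
    for raw in raw_sboms:
        sbom = json.loads(raw)
        product = sbom["metadata"]["component"]
        for comp in sbom.get("components", []):
            for group, name, first, last, advisory in watchlist:
                if (comp.get("group", ""), comp.get("name")) != (group, name):
                    continue
                if not version_key(first) <= version_key(comp.get("version", "")) <= version_key(last):
                    continue
                findings.append({
                    "product": f"{product['name']} {product['version']}",
                    "exposure": exposure(sbom),
                    "component": comp.get("purl") or f"{name}@{comp.get('version')}",
                    "advisory": advisory,
                    "status": vex_state(sbom, comp.get("bom-ref"), advisory) or "in_triage",
                })
    findings.sort(key=lambda f: (f["exposure"] != "internet-facing", f["product"]))
    return findings


if __name__ == "__main__":
    for f in triage(RAW_SBOMS):
        print(f"{f['status']:13} {f['exposure']:15} {f['product']:22} {f['component']}  {f['advisory']}")
```

Run as-is it reports two findings: the internet-facing gateway firmware with log4j-core 2.14.1 lands in `in_triage`, and the pump controller's 2.12.2 match is downgraded to `not_affected` by the vendor's VEX statement; the fleet portal on 2.17.1 does not match at all. The version comparison is deliberately simple (it handles pre-release tags and letter suffixes, not every ecosystem's scheme); for real use, compare on the purl and the ecosystem's own version rules.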

The discussion touches on the broader impact of SBOMs beyond individual corporations. Cassie notes the importance of regulatory developments and collective efforts, such as those by the Cybersecurity and Infrastructure Security Agency (CISA), to advocate for wider adoption of SBOM standards across industries.

To wrap up, the hosts and Cassie discuss the value of conferences like OWASP Global AppSec for fostering community dialogues, sharing insights, and staying abreast of new developments in application security. They encourage listeners to attend these events to gain valuable knowledge and networking opportunities. Finally, in their closing remarks, Sean and Marco tease future episodes in the On Location series, hinting at more exciting content from their travels and guest interviews.

____________________________

This Episode’s Sponsors

HITRUST: https://itspm.ag/itsphitweb

____________________________

Follow our OWASP 2024 Global AppSec San Francisco coverage: https://www.itspmagazine.com/owasp-2024-global-appsec-san-francisco-cybersecurity-and-application-security-event-coverage

On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllTcqoGpeR1rdo6p47Ozu1jt

Be sure to share and subscribe!

____________________________

Resources

The Missing Link - How We Collect and Leverage SBOMs (Session): https://owasp2024globalappsecsanfra.sched.com/event/1g3XV/the-missing-link-how-we-collect-and-leverage-sboms

Why the Industry Needs OpenSSF | A Conversation with Omkhar Arasaratnam, Adrianne Marcum, Arun Gupta, and Christopher Robinson | Redefining CyberSecurity with Sean Martin: https://redefiningcybersecuritypodcast.com/episodes/why-the-industry-needs-openssf-a-conversation-with-omkhar-arasaratnam-adrianne-marcum-arun-gupta-and-christopher-robinson-redefining-cybersecurity-with-sean-martin

Learn more about OWASP 2024 Global AppSec San Francisco: https://sf.globalappsec.org/

SBOM-a-Rama: https://www.linkedin.com/feed/update/urn:li:activity:7232385837869469699/

____________________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast

Are you interested in sponsoring our event coverage with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Want to tell your Brand Story as part of our event coverage?

Learn More 👉 https://itspm.ag/evtcovbrf

Episode Transcription

The Missing Link: How We Collect and Leverage SBOMs | An OWASP 2024 Global AppSec San Francisco Conversation with Cassie Crossley | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean, where are we going?  
 

Sean Martin: We're going to San Francisco.  
 

Marco Ciappelli: Oh, good, because you said I'll pick you up and, uh, and I have said yes, but I didn't know where we were going. 
 

Sean Martin: I think I let you know at the last minute you're on this ride. 
 

Marco Ciappelli: I know, I know. I'm always happy to go to San Francisco though. So what's going on there? 
 

Sean Martin: Well, it's a lot of things, uh, but It's a conference hosted by OWASP. It's a global conference held in San Francisco. So as you know, I was in, in, uh, Lisbon with the crew there and had some really great chats and I said, you know what, I want to, I want to do more with AppSec. So it's a focus for me, uh, certainly through the rest of this year and probably into next year as well. 
 

Apps are a big part of everything we do and in business and in life in general. And there's a lot of. A lot of sessions and topics talking about how do we secure apps, how do we secure the data in them, how do we secure the transactions, how do we maintain privacy, [00:01:00] uh, how does AI impact all this stuff, and, And ultimately, it all starts with what's in the software, at least from my perspective, and how secure are each of the, each of the components. 
 

Marco Ciappelli: That's the difference between me and you. You want to know what is in the software. I want to know what happened after it.  
 

Sean Martin: I like to know what's in the recipe and hopefully it tastes good. You just want to know if it tastes good.  
 

Marco Ciappelli: That's right. That's right. All right. Let's, let's, let's introduce our guest. 
 

Sean Martin: I know. I'm thrilled. Cassie Crossley has been on the show a couple of times now. She's written a book. We've had her on for the book. We had a chat in Broadcast Alley. I want to say conference. It's a pleasure, Cassie, to have you on again.  
 

Cassie Crossley: Great. Thank you so much for having me here, Sean and Marco.  
 

Sean Martin: Yeah, super fun. 
 

And this is part of, if folks haven't figured out, this is part of our Chats on the Road to OWASP Global in San Francisco. Uh, we're going to have a few chats from folks speaking there, a couple of keynotes and, uh, an update on the [00:02:00] OWASP Top 10 for AI LLMs and a bunch of stuff. So, but today we're looking at. 
 

Software Bill of Materials, SBOMs, not bombs with a B at the end, but a bomb with a B at the front. Um, AI happens to have fun with that when it transcribes things. But anyway, Cassie, um, congratulations on getting a speaking spot in San Francisco. Um, can you give us maybe an overview for folks who aren't familiar with Bill of Materials in the software world? 
 

Um, it's. Not unlike what you find on a label for food, perhaps, but, uh, a little more complicated, I don't know, maybe easier. And we just haven't figured it out yet. So kind of give us an overview of what SBOMs are, bill of materials and, uh, how that's impacting how we operate and work and, you know,  
 

Cassie Crossley: Sure. 
 

Sure. Well, I think that, uh, software bills of materials, uh, they are something that [00:03:00] as developers we've had for a long time, we kept track of what open source we were using, what licensing we were using. Uh, but in general, we never provided that to external resources. If you look at, for example, the Instagram about page, it actually lists the open source that they use, uh, within the product. 
 

And that is something that those that are running applications, um, would like to know more about, and we saw this primarily, uh, come to the forefront with Log4j. People wanted to know, am I affected, really quickly, and they would have scanners that could detect it, but for a lot of products such as software products or even, um, firmware, we have at Schneider Electric, we've got 15,000 plus, uh, intelligent products, a lot of them are firmware. 
 

Uh, which embedded software. And then, of course, we have mobile apps and cloud and on premise software. So all of the various mixtures, but [00:04:00] being able to if you're at a company and you don't have scanning tools that can look to see if you're at least even using that library open source, let alone there are commercial libraries, you know, closed source libraries that you wouldn't know. 
 

And so the software bill of materials provides that list. Uh, it can be what's called just the, you know, the tier one, the first party list, a third party list of just what I'm using, but software libraries can call other software libraries. So there's something called transitive dependencies, and that means I'm dependent on something. 
 

And so software bills of materials are much more complicated. So for example, if you're looking at a recipe list and it has a recipe, uh, an ingredient that has one component, but that component can be made up of other components. Sometimes that information is not detailed out even on those ingredients. 
 

And so software bills of materials. Are you going to just have a list like [00:05:00] a PDF, but there's really two main machine readable formats called CycloneDX and SPDX. So I'm going to be talking about how our company leverages those, um, at the OWASP AppSec event.  
 

Marco Ciappelli: It's kind of like, how, how far back do you go? 
 

Right. It sounded like, okay, well, to go to the Big Bang, we're all made of same, um, the same stuff of the universe, but do we really need to know that to cure something or to, you know, so what, where, where, what do you think is enough to go back and have this list of related, um,  
 

Cassie Crossley: Sure. Well, I think the more you know, the better informed you can potentially be. 
 

Uh, so for example, um, let's just take, it wasn't a cyber event, but let's just take the CrowdStrike. And for those, uh, that were having their systems go down, um, they were working with, These third party [00:06:00] systems that they probably did not create and they were using CrowdStrike on those systems So what kind of transparency did you if you are buying a baggage handling system? 
 

And they're using CrowdStrike because you asked them to keep it secure and so they did But they just didn't, you know, in that case, you don't know what those additional dependency. So I think it's important for us to understand both our third party, but also fourth party and above the, you know, you're not just your tier one suppliers, but potentially your tier two, tier three, tier four suppliers, because we're very interconnected, um, in the world. 
 

And that's what the software bill of materials, like at the moment, I don't have an SBOM for the Microsoft .NET DLLs or the Oracle Java, so they could be using open source and I don't know that, it's compiled binary. So, you know, where are we going to go further for that transparency? I think it's important for that visibility and to better manage risk.[00:07:00]  
 

Sean Martin: So your session is called, uh, or entitled, uh, The Missing Link: How We Collect and Leverage SBOMs. So I want to hone in on the .NET, just as one example. So in that world where we have no idea what's inside, maybe some idea, but not completely, um, how do organizations kind of factor that in? To me, that's many missing links underneath. 
 

Yes. So do we just, do we, Yeah. Identify that, assign some risk level. Is there a standard risk level that we can assign or is it based on individual organizations, risk appetite? And, and then what do we do? Do we additional controls or other mitigating factors in the development process, the deployment process, the operating process, the operating environment, what does that look like? 
 

Cassie Crossley: Yeah, that's a lot of questions that you just put in there, Sean, um,  
 

Sean Martin: you have 20 minutes  
 

Cassie Crossley: Let's look at it from uh the world [00:08:00] of a product developer Having that visibility when you're making that Decision whether or not. So let's just say you're starting new of using some open source and it may have some additional open source. 
 

It calls. That's really important decisions that we need to take now, that before it's like, oh, it works. But now you have so many supply chain attacks. I mean, just for, you know, the Revival Hijack and things like that, where people are replacing old PyPI libraries that were deleted with new libraries. 
 

So all of this, there's risk that you're bringing in. I like to say developers are essentially, you know, a doctor with a scalpel without any training at this point. There is a lot that they can do, but a lot of damage that can be caused, and without having better information to make those risk based decisions, you might make, you know, a wrong choice. 
 

So in the world of software bill of [00:09:00] materials, so let's say I was going to buy a library from somebody to include in a product and I asked them for, you know, if it's compiled, but if I've seen the source code and I have that, I can have some visibility and I can do my own research. There's not a one way fits all. 
 

OpenSSF has a Scorecard, but there are ways to get around better scoring of open source. You know, any, any brand new open source that is released, I would be very hesitant, um, without doing a lot of risk evaluation, scanning, reviewing of the code, if it's less than one year old and not being leveraged in other places. 
 

And that's one of the benefits of an SBOM. Let's just say in our world, I can see with my large, uh, product base, with the SBOMs collected, I can see which open source we're leveraging quite a bit, so I can identify and watch for, you know, key [00:10:00] areas. We've seen it a lot with OpenSSL. Right. I mean, there's just been numerous vulnerabilities that have been released over the years and having that library of which products are using OpenSSL is very valuable. 
 

And that's sort of that missing link is, before, very being dependent on that product team. We're also, as a risk and governance group, able to look at, you know, where, which products that, you know, is this risk. We see this with commercial products too. There are some commercial products that are more geared towards, let's say, real time operating systems or using embedded Linux. 
 

So knowing which product sets are using that gives us a quick, uh, idea. Even CODESYS, uh, which is a commercial library. It can be used in certain types of products. So we're able to leverage and understand deeper without going to. We've got hundreds and hundreds of product teams and going to them [00:11:00] every single time about, you know, something or a question, when I have that information that's available, and software bills of materials is, is really being able to reduce. 
 

They can focus on what they're working on. And when it looks like something we do need to ask for more detail of whether or not they are affected, it's just because you have a library doesn't mean that you're affected, because there could be mitigating controls. Like you mentioned, there could be what we call backporting patches. 
 

So if I have version seven, but version eight had a patch for a security fix, I could potentially bring that patch into version 7. I could have branched that software and removed a lot of the extra code that I didn't need. So there are many reasons why, just because you have that label of that library, there could mean you're not affected by a certain vulnerability. 
 

And again, we saw that in the Log4Shell, Log4j, where, you know, there were actually two CVEs and, you know, if you [00:12:00] stand on your, you know, one leg and tap your head and rub your belly, you might have been affected. But, you know, the other side, you weren't. Um, so there's a lot of, uh, validation that dev teams in general still have to do. 
 

Marco Ciappelli: So one question for me, like you work for Schneider, it's a big corporation and I can see resources that, that are available, a team to go and dig deep into these and patch, and I'm thinking like the smaller company, they may just rely on this list, which I think is necessary. But is there a, I don't know, a tier one and a tier two of how in depth you can go? 
 

Maybe a third party assessment solution that help protect and provide this to those that don't have the huge resources that you may have?  
 

Cassie Crossley: Sure. I work with startups, you know, all the [00:13:00] time, both as suppliers, but, but customers too. Uh, from a software bill of materials, let me just say, uh, this is something that any dev team can implement, and those with a more modern pipeline, more modern CI/CD process and build pipeline, they can easily find projects or something that can tie in and create the software bill of materials so that they can provide it to their customers. 
 

So overall, uh, they have, let's say, a better advantage than those that have had build cycles that might be, you know, a decade or more old, like in my world, but in the consumption and the risk factor. So let's take a look at, you know what, I like to use the example of water utilities. They're definitely underfunded from a resource and IT and OT perspective on, you know, they're not going to go find a service to be able to leverage. 
 

Mhm. So we are, as a critical infrastructure provider, we provide those SBOMs to customers and [00:14:00] there are free tools, or something called Dependency-Track, that they can actually import that software bill of materials. 
 

However, it's not the easiest. There are some other ways that people are going to be ingesting those, but you can just actually take it, the SBOM, and look at an XML viewer and just do a search. Like if I had them all, you know, all of my SBOMs from a bunch of different, uh, different companies, I could put them all in a folder and the moment, you know, a new Log4j, you know, version, whatever comes out, at least I know 
 

where I might have an impact. So it's really, um, I love this, uh, example that a CISO for an electrical utility gave me. He goes, I have to know if I need to put eyes on a dial. And what that means is he has to know, should he focus his attention, may not have the answer, but if there's a potential risk. 
 

So a lot of what I see is that, uh, even just asset management, noting [00:15:00] whether or not those assets are internet facing, internet connected, not just connectable, because you've got lots of OT products that are within the, you know, firewall, segmented off or whatever, but just knowing which ones are internet 
 

facing, you know, Internet facing, is really important. That's where you should be prioritizing. So looking even at separating out those. If I was at a very small company, separating out the SBOMs from the Internet facing applications versus the internal, I've already done a super easy risk management to say those are the ones I need to consider patching and upgrading and finding out. 
 

And there is something that we're working on as an industry called VEX, which is a Vulnerability Exploitability eXchange. And what that would do is it would say these two Log4j CVEs, we are affected or not affected, or we're looking at it, you know, it's, we're investigating it. And eventually, it's really hard [00:16:00] right now. 
 

It's a, you know, think of all the thousands of VEX objects just for Log4j. I would have had about 256,000 records because of all the different SBOM versions and everything. But as a simple way to just manage this, having those SBOMs and that visibility. It's not perfect, but it will get you somewhere to know the risk. 
 

So, you know, I think there are definitely ways that you can manage it even at a small company level. Now, getting those SBOMs from large corporations is still a difficult task. It's not mandatory that they provide it. Even the FDA, uh, has required SBOMs now to be provided, but only to them. It's not mandatory that you provide it to the hospitals. 
 

So, you know, there's a ways to go, uh, whether or not your supplier or manufacturer is willing to give you that information.  
 

Marco Ciappelli: So I asked you the wrong question. Should I ask it the other way around? [00:17:00]  
 

Sean Martin: Uh, well, there's no wrong question and no lack of questions. Uh, that's for sure. That's a topic that, uh, That's intriguing to me, and it's one that the government invests in heavily. 
 

I know CISA's doing, doing quite a bit in it. I was actually, uh, chatting with, uh, Allan Friedman this morning. Focuses on this quite a bit. I think if you say that, if you say SBOM, Allan pops out of the woodwork. Yes. Yes. But, uh, yeah, I'm gonna, he's at, uh, CISA event talking about this. I'm going to catch up with him in a week or so and get, get an update from him as well. 
 

Cassie Crossley: Yeah. We have the SBOM-a-Rama, uh, in Denver and, and, uh, I'll leave for it tomorrow afternoon.  
 

Sean Martin: There you go. So kind of a double event coverage. So you'll be there with Allan and others interested in this. Um, this is about OWASP, uh, Global AppSec San Francisco. Your session is The Missing Link: How We Collect and Leverage SBOMs. 
 

It's on Thursday, September 26th. [00:18:00] Um, what can people expect? Some, some insights from what you do, what you actually implement.  
 

Cassie Crossley: Yeah. I, you know, it's again, we're, we're large, but this is something, what I'm demonstrating to everyone is how we've changed our mode, uh, and really it was from, uh, contracts that came in from utilities back in 2020. 
 

So in January of 2021, I required software bills of materials from all of my product teams and releases. And as I mentioned, this is not hard to really do if you have a more modern, uh, pipeline. So I talk about how we've modified, you know, our work and our flow and, and everything that's needed to be able to do that. 
 

But then I also talk about how we're leveraging it for vulnerability management, both for the, for the vulnerability management that we provide to customers, but also, you know, moving toward the vulnerability [00:19:00] management and working with our third party suppliers, being able to go to them and take their details. 
 

You know, with open source, it's quite a bit harder. There's You know, just the, uh, who's in charge of the project and the committers. Uh, but we do buy commercial libraries and we do, you know, commercial source code. So we're leveraging, um, this overall platform that we're doing. And, you know, I just, what it does is it shows that not only are we doing it internally, but also the value of bringing this together so that when a customer requests one, we have it available. 
 

Sean Martin: Good stuff. I am. I'm excited to hear how that goes. And I'm sure you'll have a packed room full of folks interested in this. Uh, it's a key part of what we do in terms of app development and delivery and, and the broader ecosystem, right? Everybody's using apps and libraries and APIs now, even for tons of [00:20:00] stuff. 
 

So global AppSec, uh, 2024 in San Francisco, September 23rd through the 27th at the Hyatt Regency. Um, I love the OWASP community. They do great work and these conferences. Uh, are a tremendous way for bringing people together and having conversations and meeting folks like you who've put the work in to understand how we work through some of the challenges, uh, that we face as a, as a community. 
 

So I encourage everybody to attend and, uh, Definitely catch Cassie in her session and afterwards. Marco, lots more coming.  
 

Marco Ciappelli: Lots more coming. A lot of planning, uh, subscribe to the conference and event coverage called also On Location with Marco and Sean or Sean and Marco depending on what the main topic is, but usually we try to go together. 
 

So although I didn't get to go to Portugal, you didn't get to go. [00:21:00] I'm upset about that. You shouldn't  
 

Sean Martin: be. It was a great event. I had a lot of good chats there.  
 

Marco Ciappelli: We'll have other opportunities to travel and either cover virtually or in person. And Cassie, thank you so much.  
 

Cassie Crossley: Thank you for having me, gentlemen. 
 

Sean Martin: And safe journey to SBOM-a-Rama and to Global AppSec. Thanks everybody. We'll see you on the next one.