WEBVTT

00:00:00.000 --> 00:00:08.136
[ Music Playing ]

00:00:08.125 --> 00:00:09.791
Do you know what's in that cake?

00:00:09.791 --> 00:00:11.416
Of course I do.

00:00:11.416 --> 00:00:14.625
It's on the back of the box.

00:00:15.750 --> 00:00:17.291
Hmm...

00:00:17.984 --> 00:00:20.070
[Alarm sounds]

00:00:20.083 --> 00:00:21.875
Oh... There's something wrong.

00:00:21.875 --> 00:00:24.875
Do we know which version of the software this is running?

00:00:25.208 --> 00:00:28.500
A software bill of materials, otherwise known as an ‘SBOM’,

00:00:28.500 --> 00:00:32.208
is an inventory of all the different components in a piece of software

00:00:32.208 --> 00:00:36.291
that provides greater transparency about potential risks or vulnerabilities.

00:00:36.291 --> 00:00:37.958
Why does this matter?

00:00:37.958 --> 00:00:41.166
A more comprehensive understanding of the different parts of a whole

00:00:41.166 --> 00:00:45.541
makes it easier to evaluate risk and take action to mitigate disaster

00:00:45.541 --> 00:00:47.291
before it happens.

00:00:47.291 --> 00:00:49.708
Thankfully, the SBOM told us which version we are running,

00:00:49.708 --> 00:00:51.541
and we could respond more quickly and easily

00:00:51.541 --> 00:00:53.416
before that turned sideways.

00:00:53.916 --> 00:00:55.000
How does it work?

00:00:55.000 --> 00:00:58.625
An SBOM is a formal record containing the details of supply chain

00:00:58.625 --> 00:01:02.166
relationships of various components used in building software.

00:01:02.583 --> 00:01:05.750
Essentially a list of ingredients for software that is created during

00:01:05.750 --> 00:01:10.000
development and is machine-readable and easily processed via automation.

00:01:10.291 --> 00:01:13.500
A bill of materials (BOM) is commonly found in manufacturing,

00:01:13.500 --> 00:01:17.875
and it only makes sense to apply this same rigor to the software supply chain.

00:01:18.791 --> 00:01:21.514
Having a full inventory of those parts enables

00:01:21.514 --> 00:01:23.890
better visibility and risk management.

00:01:23.875 --> 00:01:26.333
By having greater awareness of your inventory,

00:01:26.333 --> 00:01:30.291
potential vulnerabilities can be quickly addressed as they're discovered.

00:01:30.291 --> 00:01:33.333
Adversaries often exploit those vulnerable parts.

00:01:33.333 --> 00:01:36.112
It's hard to claim that you have a secure development process

00:01:36.125 --> 00:01:38.291
if you're not tracking your components.

00:01:38.291 --> 00:01:41.750
Supply chain transparency is key, and if you want to know what's under

00:01:41.750 --> 00:01:45.958
the hood, an SBOM will greatly help you conduct comprehensive risk analysis.

00:01:46.750 --> 00:01:51.041
Then, when a new vulnerability arises, you can respond quickly and efficiently.

00:01:51.583 --> 00:01:55.333
Even if there's just a potential risk, you can take mitigating actions.

00:01:55.750 --> 00:01:57.125
Thanks for catching that.

00:01:57.125 --> 00:02:00.333
If we didn't have an SBOM, we could have lost the company

00:02:00.333 --> 00:02:03.333
thousands of staff hours, and that's a lot of dollars and cents!

00:02:03.458 --> 00:02:05.333
The benefits are multi-tiered.

00:02:05.333 --> 00:02:09.041
In addition to better managing vulnerabilities and enhancing productivity,

00:02:09.333 --> 00:02:13.666
an SBOM can help customers manage risk by identifying the source of components.

00:02:13.666 --> 00:02:17.458
It empowers the developer and producer with increased recall ability,

00:02:17.708 --> 00:02:21.500
and it can track the chain of custody in a more comprehensive and effective way.

00:02:22.083 --> 00:02:26.708
Beyond vulnerabilities, SBOM-driven transparency can help organizations

00:02:26.708 --> 00:02:30.250
understand risks such as licensing requirements, compliance

00:02:30.250 --> 00:02:33.250
rules, and developer security and maintenance practices.

00:02:33.416 --> 00:02:37.416
All of this leads to better security, less risk, more accountability,

00:02:37.500 --> 00:02:41.375
transparency, and ultimately a more consistent and reliable product.

00:02:41.750 --> 00:02:44.041
Which means greater consumer trust.

00:02:44.041 --> 00:02:45.875
Security is a team sport.

00:02:45.875 --> 00:02:50.666
While SBOM is not a new concept, it’s only really taken root more recently.

00:02:50.666 --> 00:02:54.208
To institute it as a standard best practice across a wide

00:02:54.208 --> 00:02:57.291
swath of industries will require community engagement.

00:02:57.291 --> 00:02:59.583
This should be a community-led effort.

00:02:59.583 --> 00:03:02.500
It's not something government can readily solve on its own.

00:03:02.500 --> 00:03:05.625
The path forward has to be shaped by integrating the perspectives

00:03:05.625 --> 00:03:09.333
of the developer, the consumer, and those who choose software.

00:03:09.833 --> 00:03:12.583
It should reflect new software practices

00:03:12.583 --> 00:03:15.583
as well as those challenged by complex legacy systems.

00:03:15.625 --> 00:03:19.625
This common vision can traverse all industries with the understanding

00:03:19.625 --> 00:03:24.250
that each industry and organization will make the SBOM process uniquely theirs.

00:03:24.625 --> 00:03:25.958
The path forward.

00:03:25.958 --> 00:03:29.458
We have the basics today, and we can get started on implementation.

00:03:29.583 --> 00:03:32.625
Meanwhile, we can work on enhancing and refining

00:03:32.625 --> 00:03:36.375
SBOM practices, generation, consumption, and key edge cases,

00:03:36.416 --> 00:03:40.958
as well as integrating SBOM processes into existing security practices.

00:03:41.375 --> 00:03:43.458
Tools are a key part of this.

00:03:43.458 --> 00:03:46.208
One way we're doing this is through the DHS S&T

00:03:46.208 --> 00:03:49.583
Silicon Valley Innovation Program’s partnership with startups

00:03:49.583 --> 00:03:53.916
to energize the market with SBOM-enabled software supply chain visibility tools.

00:03:54.375 --> 00:03:56.583
Future iterations of these tools and services

00:03:56.583 --> 00:03:59.458
build on lessons from the community that will further address

00:03:59.458 --> 00:04:02.666
specific needs across the very diverse software ecosystem

00:04:02.666 --> 00:04:05.928
by advancing and enhancing the data captured and shared,

00:04:05.916 --> 00:04:07.750
integrating that data into related

00:04:07.750 --> 00:04:10.583
security and quality processes and practices,

00:04:10.583 --> 00:04:12.903
and implementing transparency

00:04:12.903 --> 00:04:16.063
for large and complex legacy systems and organizations.

00:04:16.291 --> 00:04:18.541
What can you do to help advance this effort?

00:04:18.541 --> 00:04:19.958
Well, there are three things.

00:04:19.958 --> 00:04:23.000
First, start asking for SBOMs from your suppliers today.

00:04:23.416 --> 00:04:27.333
Second, think about what it would take for you and your team to generate

00:04:27.333 --> 00:04:30.333
SBOMs from your own software, and what tools are available.

00:04:30.791 --> 00:04:32.666
And lastly, join us.

00:04:32.666 --> 00:04:36.833
Learn about how CISA is enhancing and refining SBOM technology and practices.

00:04:37.708 --> 00:04:40.708
Visit cisa.gov/sbom

00:04:40.708 --> 00:04:42.958
Or email us if you have questions at

00:04:42.958 --> 00:04:47.620
sbom@cisa.dhs.gov

00:04:47.620 --> 00:04:59.998
[ Music Playing ]