Thursday, March 4, 2021

The third SBOM webinar is scheduled!


Allan Friedman of the NTIA has scheduled the third in a series of informational webinars on use of software bills of materials (SBOMs) in the electric power community. It will be presented on March 24 at noon Eastern time. If you would like to be on Allan’s mailing list for this and subsequent energy events, send him an email at afriedman@ntia.doc.gov. Here are the connection details:

SBOM in Energy Info Session – Lessons Learned

Wednesday, March 24, 12-1pm ET

Teams Link

Dial-in: +1 202-886-0111,,239096326# (United States, Washington DC)

Phone Conference ID: 239 096 326#


The third webinar will include discussions by (I believe) two large suppliers (one hardware, one software) to the power industry, on why it is important to them to produce SBOMs and distribute them to their customers. It will also feature members of the healthcare software community – both medical device makers (MDMs) and hospitals, who call themselves healthcare delivery organizations or HDOs – discussing their experience with proofs of concept for industry use of SBOMs. The community started their first PoC in 2018 and it continued into 2020. They then started their second PoC, which continues today, although it’s now in its third “iteration”.

In each iteration, the participants in the PoC – there were about five HDOs and five MDMs in the first PoC, although the numbers have grown since then and are continuing to grow – decide at the beginning what questions they want to answer in that iteration. In the first PoC, the questions were very simple: Can SBOMs be successfully produced in a standard format by suppliers, and can the hospitals use them successfully as part of their software supply chain risk mitigation efforts? The answers to both of those questions were yes.

In each subsequent iteration, the participants have become more ambitious, especially in setting up procedures and validating machine-readable formats for automatic production of SBOMs by the MDMs, as well as automatic “ingestion” of them by the HDOs. They are moving closer and closer toward the Holy Grail they’re aiming at: demonstrating an (almost) fully automated program for producing and utilizing SBOMs.

But there have been a number of surprises along the way; it’s impossible to state at the outset all of the different obstacles you’ll run into in any new technical endeavor, but it’s inevitable that you will. I wrote about two of these obstacles last year: the “naming problem” and the problem of “vulnerability exploitability”, or VEX for short. Both of these are hard problems, but neither of them is insurmountable. In both cases, working groups within the NTIA’s Software Component Transparency Initiative have worked on solutions, and the healthcare PoC has put those solutions to the test.

A PoC for the autos sector (where the “consumers” of SBOMs are the automobile manufacturers, and the producers of SBOMs are the suppliers of the electronic components that make the modern car more like a computer on wheels every day) will start soon. Of course, we hope to start the energy PoC soon as well. The webinar will feature MDMs and HDOs sharing their stories about why their organizations felt it was important to participate in the PoC, and what they’re getting out of it. 

If you missed the first two webinars, you can watch the first one (an introductory session) here. And today Allan posted the recording of the second webinar (essentially SBOM 101, although there was more than a little 201 and even some 301 in it) here. Even though I attended the second webinar (and participated in the first), I’m going to review it this weekend, since there was a lot of material to absorb.

I hope you’ll join the third webinar, and consider participating in the PoC itself. I will point out that, if you and your organization just don’t have the bandwidth to be direct participants, there will still be regular meetings (perhaps weekly) that are open to anybody. In those, the participants will discuss lessons they’ve learned and problems they’ve encountered, as well as collaborate to create a document describing what they’ve learned, like the document produced by the first healthcare PoC. Since I’ve been participating in the public meetings for the healthcare PoC, I can assure you they’re quite interesting, and get into some really interesting questions.

And speaking of interesting questions, in case you’re wondering why people are going to all this trouble over something called SBOMs, when you don’t exactly wake up in the middle of the night wondering how you can survive another day waiting for SBOMs to arrive on the scene, I recommend you view the recording of Robert M. Lee’s keynote address to the SANS virtual ICS Summit 2021, which he delivered today.

The address was wonderful in all sorts of ways (and I will write a post on it soon), but I want to point out that Robert wasn’t ten minutes into his presentation before he pointed to Ripple 20 as a stark reminder that most organizations have no idea what’s inside the software products that their organizations depend on. And he said the way to fix this problem is for SBOMs to be widely available and widely used. That’s where you come in.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
