Allan Friedman of the NTIA has scheduled the third in a series of informational webinars on the use of software bills of materials (SBOMs) in the electric power community. It will be presented on Wednesday, March 24 at noon Eastern time. If you would like to be on Allan’s mailing list for this and subsequent energy events, send him an email at afriedman@ntia.doc.gov. Here are the connection details:
SBOM in Energy Info Session – Lessons Learned
Wednesday, March 24, 12-1pm ET
Dial-in: +1 202-886-0111,,239096326# (United States, Washington DC)
Phone Conference ID: 239 096 326#
The third webinar will include discussions by (I believe) two large suppliers (one hardware, one software) to the power industry, on why it is important to them to produce SBOMs and distribute them to their customers. It will also feature members of the healthcare software community – both medical device makers (MDMs) and hospitals, who call themselves healthcare delivery organizations or HDOs – discussing their experience with proofs of concept (PoCs) for industry use of SBOMs.
The community started their first PoC in 2018, and it continued into 2020. They then started their second PoC, which continues today, although it’s now in its third “iteration”.
In each iteration, the participants in the PoC – there were about five HDOs and five MDMs in the first PoC, although the numbers have grown since then and are continuing to grow – decide at the beginning what questions they want to answer in that iteration. In the first PoC, the questions were very simple: Can SBOMs be successfully produced in a standard format by suppliers, and can the hospitals use them successfully as part of their software supply chain risk mitigation efforts? The answers to both of those questions were yes.
In each subsequent iteration, the participants have become more ambitious, especially in setting up procedures and validating machine-readable formats for automatic production of SBOMs by the MDMs, as well as automatic “ingestion” of them by the HDOs. They are moving closer and closer toward the Holy Grail they’re aiming at: demonstrating an (almost) fully automated program for producing and utilizing SBOMs.
But there have been a number of surprises along the way; it’s impossible to state at the outset all of the different obstacles you’ll run into in any new technical endeavor, but it’s inevitable that you will. I wrote about two of these obstacles last year: the “naming problem” and the problem of “vulnerability exploitability”, or VEX for short. Both of these are hard problems, but neither of them is insurmountable. In both cases, working groups within the NTIA’s Software Component Transparency Initiative have worked on solutions, and the healthcare PoC has put those solutions to the test.
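To make the two obstacles above concrete, here is a small, added illustration of what an HDO’s automated “ingestion” step has to do: read a machine-readable SBOM, match its components against a vulnerability list, and then use supplier VEX statements to drop the vulnerabilities that are not actually exploitable in the product. This is example code written for this post, not code from the NTIA working groups or the healthcare PoC. The SBOM follows the general shape of a CycloneDX JSON document; the vulnerability feed and the VEX statements are simplified stand-ins for real formats, and all component names, versions and vulnerability IDs (VULN-A and so on) are constructed, not real identifiers.

```python
"""Toy SBOM ingestion: match components to a vulnerability list, cope with the
naming problem by normalizing component names, and apply VEX statements.

Example code for illustration only. The SBOM mimics the general shape of a
CycloneDX JSON document; the feed and VEX records are simplified stand-ins
(assumption). Every name, version and ID below is constructed."""
import json
import re

# Constructed SBOM for a fictional device product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "metadata": {"component": {"name": "infusion-pump-ctrl", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "OpenSSL", "version": "1.1.1g",
     "purl": "pkg:generic/openssl@1.1.1g"},
    {"type": "library", "name": "Acme TCP/IP", "version": "6.0.1"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11"}
  ]
}
"""

# Constructed vulnerability feed. Names deliberately differ in case and
# punctuation from the SBOM, which is exactly the naming problem in miniature.
VULN_FEED = [
    {"id": "VULN-A", "component": "openssl", "version": "1.1.1g"},
    {"id": "VULN-B", "component": "acme tcp/ip", "version": "6.0.1"},
    {"id": "VULN-C", "component": "Acme-TCPIP", "version": "6.0.1"},
    {"id": "VULN-D", "component": "zlib", "version": "1.2.10"},  # wrong version
]

# Constructed VEX-style statements from the product's supplier.
VEX = [
    {"product": "infusion-pump-ctrl@4.2.0", "id": "VULN-A", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"product": "infusion-pump-ctrl@4.2.0", "id": "VULN-B", "status": "affected"},
]


def normalize_name(name):
    """Collapse case, punctuation and whitespace so that 'Acme TCP/IP',
    'acme tcp/ip' and 'Acme-TCPIP' compare equal. A real pipeline would
    prefer an identifier such as a purl, but many components have none."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def load_sbom(text):
    """Return (product identifier, component list) from the SBOM JSON."""
    doc = json.loads(text)
    meta = doc["metadata"]["component"]
    return f'{meta["name"]}@{meta["version"]}', doc["components"]


def match_vulnerabilities(components, feed):
    """Return {vuln_id: sbom_component_name} for feed entries whose normalized
    name and exact version string match an SBOM component."""
    index = {}
    for comp in components:
        index.setdefault((normalize_name(comp["name"]), comp["version"]), comp["name"])
    hits = {}
    for vuln in feed:
        key = (normalize_name(vuln["component"]), vuln["version"])
        if key in index:
            hits[vuln["id"]] = index[key]
    return hits


def apply_vex(product, hits, vex):
    """Drop vulnerabilities the supplier declared not_affected for this product.
    Anything else (affected, under investigation, or no statement at all)
    stays on the list for the HDO to look at."""
    not_affected = {s["id"] for s in vex
                    if s["product"] == product and s["status"] == "not_affected"}
    return {vid: comp for vid, comp in hits.items() if vid not in not_affected}


def ingest(sbom_text=SBOM_JSON, feed=VULN_FEED, vex=VEX):
    """Full pipeline: parse SBOM, match components, filter with VEX."""
    product, components = load_sbom(sbom_text)
    hits = match_vulnerabilities(components, feed)
    return {"product": product,
            "matched": hits,
            "actionable": apply_vex(product, hits, vex)}


if __name__ == "__main__":
    print(json.dumps(ingest(), indent=2))
```

Run as a script, the output shows VULN-A, VULN-B and VULN-C matched (VULN-D is ruled out by version), and only VULN-B and VULN-C left as actionable once the supplier’s not_affected statement for VULN-A is applied. Note the design choice in apply_vex: a missing VEX statement is treated as “still needs a look”, never as “safe”, which is the conservative default an HDO would want.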
A PoC for the autos sector (where the “consumers” of SBOMs are the automobile manufacturers, and the producers of SBOMs are the suppliers of the electronic components that make the modern car more like a computer on wheels every day) will start soon. Of course, we hope to start the energy PoC soon as well. The webinar will feature MDMs and HDOs sharing their stories about why their organizations felt it was important to participate in the PoC, and what they’re getting out of it.
If you missed the first two webinars, you can watch the first one (an introductory session) here. And today Allan posted the recording of the second webinar (essentially SBOM 101, although there was more than a little 201 and even some 301 in it) here. Even though I attended the second webinar (and participated in the first), I’m going to review it this weekend, since there was a lot of material to absorb.
I hope you’ll join the third webinar, and consider participating in the PoC itself. I will point out that, if you and your organization just don’t have the bandwidth to be direct participants, there will still be regular meetings (perhaps weekly) that are open to anybody. In those, the participants will discuss lessons they’ve learned and problems they’ve encountered, as well as collaborate to create a document describing what they’ve learned, like the document produced by the first healthcare PoC. Since I’ve been participating in the public meetings for the healthcare PoC, I can assure you they’re quite interesting, and get into some really interesting questions.
And speaking of interesting questions, in case you’re wondering why people are going to all this trouble over something called SBOMs, when you don’t exactly wake up in the middle of the night wondering how you can survive another day waiting for SBOMs to arrive on the scene, I recommend you view the recording of Robert M. Lee’s keynote address to the SANS virtual ICS Summit 2021, which he delivered today.
The address was wonderful in all sorts of ways (and I will write a post on it soon), but I want to point out that Robert wasn’t ten minutes into his presentation before he pointed to Ripple 20 as a stark reminder that most organizations have no idea what’s inside the software products that their organizations depend on. And he said the way to fix this problem is for SBOMs to be widely available and widely used. That’s where you come in.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.