The introduction of the Cyber Resilience Act (CRA) marks a major shift for the software industry: for the first time, manufacturers are being held accountable for the cybersecurity of their products. Olle E. Johansson, a long-time open source developer and contributor to the Asterisk PBX project, explains how this new regulation reshapes the role of software creators and introduces the need for transparency across the entire supply chain.

In this episode, Johansson breaks down the complexity of today's software supply ecosystems—where manufacturers rely heavily on open source components, and end users struggle to identify vulnerabilities buried deep in third-party dependencies. With the CRA in place, the burden now falls on manufacturers to not only track but also report on the components in their products. That includes actively communicating which vulnerabilities affect users—and which do not.

To make this manageable, Johansson introduces the Transparency Exchange API (TEA), a project rooted in the OWASP CycloneDX standard. What started as a simple Software Bill of Materials (SBOM) delivery mechanism has evolved into a broader platform for sharing vulnerability information, attestations, documentation, and even cryptographic data necessary for the post-quantum transition. Standardizing this API through Ecma International is a major step toward a scalable, automated supply chain security infrastructure.

The episode also highlights the importance of automation and shared data formats in enabling companies to react quickly to threats like Log4j. Johansson notes that, historically, security teams spent countless hours manually assessing whether they were affected by a specific vulnerability. The Transparency Exchange API aims to change that by automating the entire feedback loop from developer to manufacturer to end user.

Although still in beta, the project is gaining traction with organizations like the Apache Foundation integrating it into their release processes. Johansson emphasizes that community feedback is essential and invites listeners to engage through GitHub to help shape the project's future.

For Johansson, OWASP stands for global knowledge and collaboration in application security. As Europe's regulatory influence grows, initiatives like this are essential to build a stronger, more accountable software ecosystem.

GUEST: Olle E Johansson | Co-Founder, SBOM Europe | https://www.linkedin.com/in/ollejohansson/

HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.com

SPONSORS
Manicode Security: https://itspm.ag/manicode-security-7q8i

RESOURCES
CycloneDX/transparency-exchange-api on GitHub: https://github.com/CycloneDX/transparency-exchange-api
VIDEO: The Cyber Resilience Act: How the EU is Reshaping Digital Product Security | With Sarah Fluchs: https://youtu.be/c30eG5kzqnY
Learn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spain
Helen Oakley, Senior Director of Product Security at SAP, and Dmitry Raidman, Co-founder and CTO of Cybeats, joined us live at the RSAC Conference to bring clarity to one of the most urgent topics in cybersecurity: transparency in the software and AI supply chain. Their message is direct—organizations not only need to understand what's in their software, they need to understand the origin, integrity, and impact of those components, especially as artificial intelligence becomes more deeply integrated into business operations.

SBOMs Are Not Optional Anymore

Software Bills of Materials (SBOMs) have long been a recommended best practice, but they're now reaching a point of necessity. As Dmitry noted, organizations are increasingly requiring SBOMs before making purchase decisions—“If you're not going to give me an SBOM, I'm not going to buy your product.” With regulatory pressure mounting through frameworks like the EU Cyber Resilience Act (CRA), the demand for transparency is being driven not just by compliance, but by real operational value. Companies adopting SBOMs are seeing tangible returns—saving hundreds of hours on risk analysis and response, while also improving internal visibility.

Bringing AI into the SBOM Fold

But what happens when the software includes AI models, data pipelines, and autonomous agents? Helen and Dmitry are leading a community-driven initiative to create AI-specific SBOMs—referred to as AI SBOMs or AISBOMs—to capture critical metadata beyond just the code. This includes model architectures, training data, energy consumption, and more. These elements are vital for risk management, especially when organizations may be unknowingly deploying models with embedded vulnerabilities or opaque dependencies.

A Tool for the Community, Built by the Community

In an important milestone for the industry, Helen and Dmitry also introduced the first open source tool capable of generating CycloneDX-formatted AISBOMs for models hosted on Hugging Face. This practical step bridges the gap between standards and implementation—helping organizations move from theoretical compliance to actionable insight. The community's response has been overwhelmingly positive, signaling a clear demand for tools that turn complexity into clarity.

Why Security Leaders Should Pay Attention

The real value of an SBOM—whether for software or AI—is not just external compliance. It's about knowing what you have, recognizing your crown jewels, and understanding where your risks lie. As AI compounds existing vulnerabilities and introduces new ones, starting with transparency is no longer a suggestion—it's a strategic necessity.

Want to see how this all fits together? Hear it directly from Helen and Dmitry in this episode.

Guests:
Helen Oakley, Senior Director of Product Security at SAP | https://www.linkedin.com/in/helen-oakley/
Dmitry Raidman, Co-founder and CTO of Cybeats | https://www.linkedin.com/in/draidman/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com

Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
Akamai: https://itspm.ag/akamailbwc
BlackCloak: https://itspm.ag/itspbcweb
SandboxAQ: https://itspm.ag/sandboxaq-j2en
Archer: https://itspm.ag/rsaarchweb
Dropzone AI: https://itspm.ag/dropzoneai-641
ISACA: https://itspm.ag/isaca-96808
ObjectFirst: https://itspm.ag/object-first-2gjl
Edera: https://itspm.ag/edera-434868

Resources
LinkedIn Post with Links: https://www.linkedin.com/posts/helen-oakley_ai-sbom-aisbom-activity-7323123172852015106-TJea
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Josh Marpet is a seasoned entrepreneur and a renowned authority in the field of information security, compliance, and risk management. With a rich background in law enforcement, Josh has translated his diverse experiences into shaping security protocols in various high-risk environments. He serves as the Chief Strategy Officer at Cyturus, where he drives advancements in compliance process products. Notably, Josh contributes to the esteemed IANS faculty and co-hosts the well-known Paul's Security Weekly podcast. His efforts also extend to organizing BSides Delaware, further cementing his influence and dedication to the cybersecurity community.

He shares his diverse career journey from law enforcement to tech support and finally into cybersecurity leadership. Listeners gain insight into his work with compliance frameworks like CMMC and SPDX, and his strategic approach at Cyturus, focusing on "dynamic risk monitoring" as a forward-thinking solution for mitigating risks. This episode also delves into the global regulatory landscape, comparing U.S. frameworks with those abroad and discussing AI regulation insights. As always, the conversation is enriched with amusing anecdotes and expert advice, making it not only educational but also engaging.

TIMESTAMPS:
0:00 - Exploring Security, Compliance, and Innovation
3:05 - Reviving In-Person Tech Conferences Post-COVID Challenges
11:58 - From Tech Support to Cybersecurity and Compliance
19:12 - The Challenges and Importance of Software Bill of Materials
24:25 - The Global Regulatory Landscape and Its Impact on AI Development
28:37 - HIPAA Compliance Challenges for Lawyers and Medical Startups
30:00 - Dynamic Risk Monitoring as a Compliance and Revenue Driver
34:32 - The Impact of Podcasts on the Cybersecurity Community
40:14 - Exploring Unique Bars and Crafting Cybersecurity-Themed Cocktails

SYMLINKS
Cyturus Website - https://cyturus.com
Official website for Cyturus, a leader in compliance process products and solutions, focusing on dynamic risk monitoring and governance.
Josh Marpet on LinkedIn - https://www.linkedin.com/in/joshuaviktor/
Josh Marpet's professional LinkedIn profile for networking and insights.
Paul's Security Weekly - https://securityweekly.com
One of the top cybersecurity podcasts, providing news, insights, and discussions on emerging threats and best practices in security.
SPDX (Software Package Data Exchange) - https://spdx.dev
Official resource for SPDX, an ISO-certified standard for managing Software Bill of Materials (SBOM).
CycloneDX - https://cyclonedx.org
A standard designed for the SBOM, with a focus on integration with CI/CD pipelines and automated systems.
Executive Order 14028 - https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
U.S. Executive Order mandating the use of Software Bill of Materials (SBOM) for federal software contracts to improve cybersecurity.
Helen Oakley - https://www.linkedin.com/in/helen-oakley/
Profile and resources related to Helen Oakley, a professional working on AI Bill of Materials.
NIST AI RMF (Risk Management Framework) - https://nist.gov/ai/rmf
U.S. Nation
In this episode of the Application Security Podcast, hosts Chris Romeo and Robert Hurlbut welcome back Steve Springett, an expert in secure software development and a key figure in several OWASP projects. Steve unpacks CycloneDX and the value proposition of various BOMs. He gives us a rundown of the BOM landscape and unveils some new BOM projects that will continue to unify the security industry. Steve is a seasoned guest of the show, so we learn a bit more about Steve's hobbies, providing a personal glimpse into his life outside of technology.

Links from this episode:
https://cyclonedx.org/

Previous episodes with Steve Springett:
JC Herz and Steve Springett -- SBOMs and software supply chain assurance
Steve Springett -- An insiders checklist for Software Composition Analysis
Steve Springett -- Dependency Check and Dependency Track

Book: Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner
Recorded Date: 31 May 2024
Title: Blow your Brains Out

Overview
Josh, Kito, and Danno are joined by fellow Java Champion, the maintainer of JReleaser and a Senior Principal Product Manager at Oracle. They discuss new updates to JReleaser, reproducible builds, the EU's Cyber Resilience Act (CRA), a new free version of Oracle Database, JetBrains Aqua, the discontinuation of Grails funding, OpenRewrite, JakartaEE 11, and more.

Social links (for reference when posting to social media)
@kito99 @kito99@mastadon.social
@Java_Champions @JavaChampions@mastodon.social
@javajuneau @javajuneau@fosstodon.org
https://www.linkedin.com/in/dhevolutionnext/ @dhinojosa @dhinojosa@mastodon.social https://bsky.app/profile/dhinojosa.bsky.social
@ianhlavats

About Andres Almiray
Socials: Twitter Mastodon Bluesky
Title: Senior Principal Product Manager, Oracle
Bio: Andres is a Java/Groovy developer and a Java Champion with more than 20 years of experience in software design and development. He has been involved in web and desktop application development since the early days of Java. Andres is a true believer in open source and has participated on popular projects like Groovy, Griffon, and DbUnit, as well as starting his own projects (Json-lib, EZMorph, GraphicsBuilder, JideBuilder). Founding member of the Griffon framework and Hackergarten community event.

Server Side Java
Object Computing Discontinues Grails Support
Jakarta EE 11 Forthcoming

Tools
JReleaser
Tell us about CycloneDX, SPDX, SBoms, and JReleaser, publication to Sonatype Portal, SLSA, Swid Tags
NixOS
OpenRewrite
JetBrains Aqua
Commonhaus Foundation
Devoxx Genie

Data
Oracle Database 23ai Free | Oracle
Oracle Autonomous Database (Cloud)
Oracle Database Docker Images
Oracle Database Docker images from Oracle Container Registry

Java Platform
GitHub - moditect/layrry: A Runner and API for Layered Java Applications

Security
The Open Source Community is Building Cybersecurity Processes for CRA Compliance | Life at Eclipse

Picks
SnoreLab (Kito)
Ollama (Kito)
OCI Generative AI Certification - Free (for now) (Josh)
AI Assistant (JetBrains) (Danno)
Conventional Commits (Andres)
Wagakki Band - 焔 (Homura) + 暁ノ糸 (Akatsuki no Ito) / 1st JAPAN Tour 2015 Hibiya Yagai Ongakudo (Andres)
GitHub - diffplug/spotless: Keep your code spotless (Danno)
youtu.be/z8L202FlmD4?si=6pdHKx (Danno)
The Rise of Oracle, SQL and the Relational Database (Danno)

Other Pubhouse Network podcasts
OffHeap
Java Pubhouse

Events
ÜberConf July 16 - 19, 2024 Westminster, CO
jconf.dev - September 24-26 Dallas, Texas
Code.talks - Sep 19-20, Hamburg, Germany
Devoxx Morocco - Oct 2-4, Marrakech, Morocco
Devoxx Belgium - Oct 7-11, Antwerp, Belgium
Codemotion Milan - Oct 22-23, Milan, Italy
Twin Cities Software Symposium August 9-10, 2024
Northern Virginia Software Symposium September 5-6, 2024
Central Iowa Software Symposium September 12-13, 2024
DevOps Vision December 2-4, 2024
Tech Leader Summit December 4-6, 2024
Arch Conf December 9-12, 2024
Dev2next - Sept 30 - Oct 3, Lone Tree, Colorado, USA, 2024
https://jakartaone.org/ JakartaOne Livestream Dec 3, 2024
It's no surprise that OT security has fared poorly over the last 30+ years. To many appsec folks, these systems have uncommon programming languages, unfamiliar hardware, and brittle networking stacks. They also tend to have different threat scenarios. Many of these systems are designed, successfully, to maintain availability. But when a port scan can freeze or crash a device, that availability seems like it hasn't put enough consideration into adversarial environments. We chat about the common failures of OT design and discuss a few ways that systems designed today might still be secure 30 years from now.

In the news: how HTTP/2's rapid reset is abused for DDoS, a look at the fix for Curl's recent high severity bug, OWASP moves to make CycloneDX a standard, Microsoft deprecates NTLM, VBScript, and old TLS -- while also introducing an AI bug bounty program.

Visit https://securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-259
Podcast: Unsolicited Response
Episode: SBOMs & CycloneDX with Steve Springett
Pub date: 2023-08-23

Steve Springett is the Chair of the OWASP CycloneDX Core Working Group. CycloneDX is one of the two main machine readable formats that SBOMs are being created in, although CycloneDX can capture all sorts of BOMs. In this episode we assume listeners know what a SBOM is and why it might be desired by a vendor and asset owner.

At the beginning of the show we cover some basics of CycloneDX. If you know the basics, skip to 14:24 where we get into the details:
Statistics on who is generating and using CycloneDX SBOMs, and the impact of government regulations on the use.
Steve's view of the NTIA Minimum Elements for SBOM v. CycloneDX elements.
How CycloneDX tries to capture the completeness of and confidence in the SBOM.
The naming problem. CPE, CVE, NVD, SWID, PURL and more. Steve describes the problem and what he thinks is the way forward.
Vulnerabilities ... and why Steve thinks VEX is a missed opportunity.
Outdated component analysis (this could be very useful in a procurement decision) and more.

Links
CycloneDX document: Authoritative Guide To SBOM
ICS-Patch (what to patch when in ICS / risk based decision tree)
S4x24 CFP
Software supply chain seems to be front and center for technologists, cybersecurity and many governments. One of the early pioneers in this space was Steve Springett with two highly successful projects: OWASP Dependency Track and CycloneDX. In this episode, we catch up with Steve to talk about how he got started in software supply chain management as well as the explosive growth for Dependency Track and CycloneDX. We also touch on future developments for CycloneDX and places where Steve never expected to see his projects go. Enjoy!

Show Links:
- OWASP Dependency Track: https://dependencytrack.org/
- Dependency Track Github: https://github.com/DependencyTrack
- CycloneDX: https://cyclonedx.org/
- CycloneDX Github: https://github.com/CycloneDX
- Software Component Verification Standard: https://scvs.owasp.org/

Social Media links:
- https://twitter.com/stevespringett
- https://infosec.exchange/@stevespringett
- https://www.linkedin.com/in/stevespringett/
In this episode, I go solo and review the last year of podcasts but with a twist. I do my best to compare the topics covered to the OWASP Flagship projects. The goal is to see if the episodes I recorded this year match up with the projects strategically important to OWASP. Plus, the holiday listeners get gifts all around as I cover (and link) the OWASP Flagship projects.

Show Links:
- (January) New Ideas, New Voices, New Hosts: https://soundcloud.com/owasp-podcast/new-ideas-new-voices-new-hosts
- (February) Tanya Janca - She Hack Purple: https://soundcloud.com/owasp-podcast/tanya-janca
- SAMM (Software Assurance Maturity Model): https://owaspsamm.org/
- (March) Fast Times at SBOM High: https://soundcloud.com/owasp-podcast/fast-times-at-sbom-high-with-wendy-nather-and-matt-tesauro
- CycloneDX: https://cyclonedx.org/
- Dependency-Track: https://dependencytrack.org/
- Dependency-Check: https://jeremylong.github.io/DependencyCheck/
- (April) The VOID: Verica Open Incident Database: https://soundcloud.com/owasp-podcast/the-void-verica-open-incident-database
- Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- Mobile Application Security Guide: https://mas.owasp.org/
- (May) Threat Modeling using the Force: https://soundcloud.com/owasp-podcast/threat-modeling-using-the-force-with-adam-shostack-owasp-podcast-e001
- ASVS (Application Security Verification Standard): https://owasp.org/www-project-application-security-verification-standard/
- AMASS: https://owasp.org/www-project-amass/
- (June) Giving a jot about JWTs: JWT Patterns and Anti-Patterns: https://soundcloud.com/owasp-podcast/owasp-podcast-giving-a-jot-about-jwts-jwt-patterns-and-anti-patterns
- Cheat Sheet Series: https://cheatsheetseries.owasp.org/
- API Top 10: https://owasp.org/www-project-api-security/
- (July) Getting Lean and Mean with DefectDojo: https://soundcloud.com/owasp-podcast/getting-lean-and-mean-in-the-defectdojo
- DefectDojo: https://www.defectdojo.org/
- (August) Going Way Beyond 2FA: https://soundcloud.com/owasp-podcast/going-way-beyond-2fa
- ModSecurity Core Rule Set: https://coreruleset.org/
- (September) Breaching the wirefall with community: https://soundcloud.com/owasp-podcast/breaching-the-wirefall-with-community
- Security Shepherd: https://owasp.org/www-project-security-shepherd/
- Juice Shop: https://owasp.org/www-project-juice-shop/
- Security Knowledge: https://owasp.org/www-project-security-knowledge-framework/
- (October) Little Zap of Horrors: https://soundcloud.com/owasp-podcast/little-zap-of-horrors
- Zed Attack Proxy (ZAP): https://www.zaproxy.org/
- OWTF (Offensive Web Testing Framework): https://owtf.github.io/
- (November) You've got some Kubernetes in my AppSec: https://soundcloud.com/owasp-podcast/youve-got-some-kubernetes-in-my-appsec
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- CSRFGuard: https://owasp.org/www-project-csrfguard/
- You recently wrote an article about the SBOM Frenzy being Pre-Mature. For those not familiar with SBOMs, what is an SBOM and what has led to the frenzy as you call it?
- In your article you discuss challenges related to the build environments and hosts that can cause different outputs and SBOMs unless a build occurs on two identical machines. Can you explain why that is?
- What role do you think emerging frameworks such as SLSA or SSDF and higher maturity requirements for things such as Reproducible Builds or Hermetic Builds play in alleviating some of these concerns?
- Given the challenges of dynamic ephemeral build environments and hosts, do you think this undermines the usefulness of SBOMs as an industry artifact related to software supply chain security?
- You also recently wrote a follow-up article about why Software Composition Analysis (SCA) is really hard. What are some of the reasons you think that is the case?
- You mentioned challenges with CVEs and their accuracy. As many know, CVEs are created via CNAs and as part of NVD. Do you think alternative vulnerability databases such as the Global Security Database (GSD) or OSV will alleviate any of the vulnerability issues in the industry?
- You were involved in founding OWASP. I personally, and I suspect many others, would love to hear about that a bit, given just how much of an industry staple OWASP is, from Top 10 lists, CycloneDX and countless other widely used projects.
- You recently ran a campaign to be elected to the OWASP Board to try and modernize it and address many gaps you state lead to OWASP being on a path to irrelevance. Can you tell us what some of those issues are and your plan to address them to keep such a great organization a key part of our industry in the modern era of Cloud-native and DevSecOps?
Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for some time via NTIA, CycloneDX, SCVS etc. How did you have the foresight, or what drove you to focus on this topic well before many others in the industry?

Nikki: You mentioned recently the SBOM Forum and their recommendation that the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWEs weren't technically built for a lot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to software supply chain?

Chris: I wanted to ask you about SaaSBOM, which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind and where does it begin and end, given most of the Cloud, including Infrastructure, is software-defined?

Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM" - what really caught me was the idea that BOMs or Bills of Materials have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOMs outside of software. What are your thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas?

Chris: I want to discuss some critiques of SBOM. VEX is promising but of course requires information from software producers, and then of course trusting their assertions. VEX: Do you see a future where both SBOM and VEX are automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities?

Nikki: I would be remiss if I didn't ask you about the human element in all of this. I feel like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc., can get somewhat complex. How do you think the increased complexity around software supply chain is affecting the management and operations groups?

Chris: You have long been the lead on the wildly popular Dependency Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?

Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et al. - how does SCVS fit into the mix and do you see organizations using all, or rallying around some of the guidance?

Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?
In this fascinating interview, the CycloneDX leader gives his take on the future of CycloneDX and SBOMs, and shares tips on how product security teams should prepare themselves for what's coming
Patrick is a Senior Product Security Engineer in the Application Security team at ServiceNow. He is also Co-Leader of the OWASP CycloneDX project, a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
Steve Springett is the Senior Security Architect at ServiceNow, Chicago. Steve educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques.

Steve's passionate about helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS) project, CycloneDX software bill-of-material specification, and participates in several related projects and working groups.

- https://dependencytrack.org/
- https://cyclonedx.org/
- https://owasp.org/scvs
Ms. Berlin: Tabletop D&D exercise
Blumira is hiring: https://www.blumira.com/career/lead-backend-engineer/

Guest: Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce
- NTIA.gov - National Telecommunications and Information Administration
- SBOM guidance: https://www.ntia.gov/sbom
- Healthcare SBOM PoC: https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf
- Allan's talk at BSides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ

Questions (more may be added during the show, depending on answers given):
- What is NTIA?
- What is SBOM? Why do we need one? Is it poor communications between vendors?
- Is there any difference between "Software transparency" and "Software bill of materials"?
- How do you make an SBOM? What data formats make sharing easier?
- What does a company do with an SBOM?
- Where in the development (hardware or software) would you be creating an SBOM?
- You mention in your BSSF talk 'how detailed it should be'. Can you give us an example of a high-level SBOM versus a more detailed one? Does it become a risk/reward effort concerning detail?
- IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?
- How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?
- As we saw with RIPPLE20, many companies don't know what they have. How would SBOM help keep another RIPPLE20 from happening?
- Rob Graham's blog post highlighted that vulns like HeartBleed would not have been stopped. How does this help us track potential vulns?
- Sharing information: best way to share information about IoT components? Could an information sharing org (ISAC) track these more readily?
- Vendor assessments: the vendor does not have an SBOM; are there any specific questions we might ask that will allow an org to get more resolution into a potential vendor?
- Interesting feedback from NTIA's RFC
- Other SBOM types (CycloneDX, OpenBOM, FDA's CBOM). Companies are out there creating SBOMs, and other government agencies have SBOM implementations. How do we keep this from being the XKCD "927" issue? https://xkcd.com/927/
- Non-US implementations of SBOM? How do we get our companies to implement these?
- SBOM could easily be something that could give hackers a lot of information about your org, and depending on the information contained, I could see why you might not want to get super specific... Thoughts?

What is a 'Bill of Materials'? "A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product."
SBOM - Definition
As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/
NTIA did an RFC on "promoting the sharing of Supply Chain Security Risk Information":
- https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk
- https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0
Secure and Trusted Communications Network Act of 2019 (Act) - Calling it "CBOM"
Other groups working on similar:
- FDA: https://www.fda.gov/media/119933/download
- SPDX (Linux Foundation): https://spdx.org/licenses/
- OpenBOM: https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd
- CycloneDX specification: https://github.com/CycloneDX/specification
- FDA medical device cybersecurity: https://www.fda.gov/medical-devices/digital-health/cybersecurity
- FDA premarket submission guidance for software in medical devices: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices
Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf
Companies are helping to get "CBOM" for devices: "It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA," said MedCrypt CEO Mike Kijewski in a news release: https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/
SBOM doesn't work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops
Intoto software development: https://www.intotosystems.com/
510k process: https://www.drugwatch.com/fda/510k-clearance/

Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#AmazonSmile: https://brakesec.com/smile
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#Pandora: https://pandora.app.link/p9AvwdTpT3
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM: https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
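The show's questions about which data formats make sharing easier, what a company actually does with an SBOM, and how detailed an SBOM should be are easiest to answer with a concrete document. The example below is added here and is not code from the podcast, from NTIA, or from the CycloneDX project. It builds a constructed CycloneDX 1.4 JSON SBOM (the field names bomFormat, specVersion, metadata.component, components, purl, bom-ref and dependencies are the spec's own; the product "webcam-fw", the packages and the advisory "EXAMPLE-2020-0001" are made up), matches every component's package URL against a constructed advisory feed, and walks the dependency graph to show why an affected component is in the product. It then strips the same SBOM down to the root's direct dependencies, the "high level" SBOM from the detail question, and shows that the transitive hit disappears:

```python
"""Consume a CycloneDX JSON SBOM and match its components against an advisory feed.

Added example for this page; not code from the podcast, NTIA, or the CycloneDX
project. The SBOM, the package names and the advisory below are constructed.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 JSON document. Field names (bomFormat, specVersion,
# metadata.component, components[], purl, bom-ref, dependencies[]) are the
# spec's own; the product and packages are made up for the example.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {
        "type": "application", "name": "webcam-fw", "version": "3.1.0",
        "bom-ref": "pkg:generic/webcam-fw@3.1.0"}},
    "components": [
        {"type": "library", "name": "http-server", "version": "2.0.5",
         "purl": "pkg:npm/http-server@2.0.5", "bom-ref": "pkg:npm/http-server@2.0.5"},
        {"type": "library", "name": "example-logger", "version": "1.2.3",
         "purl": "pkg:npm/example-logger@1.2.3", "bom-ref": "pkg:npm/example-logger@1.2.3"},
    ],
    # Dependency graph: product -> http-server -> example-logger (transitive).
    "dependencies": [
        {"ref": "pkg:generic/webcam-fw@3.1.0", "dependsOn": ["pkg:npm/http-server@2.0.5"]},
        {"ref": "pkg:npm/http-server@2.0.5", "dependsOn": ["pkg:npm/example-logger@1.2.3"]},
    ],
})

# Constructed advisory feed: (advisory id, purl without version, first fixed version).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("EXAMPLE-2020-0001", "pkg:npm/example-logger", "1.3.0"),
]


def parse_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into (base, version)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return core, ""
    base, version = core.rsplit("@", 1)
    return base, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric dotted-version key. Pre-release tags and vendor backports are ignored,
    which is exactly where a naive 'version < fixed' check produces false positives."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_affected(sbom_json: str, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (advisory id, bom-ref, purl) for every component below the fixed version."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    hits = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched automatically
        base, version = parse_purl(purl)
        for adv_id, adv_base, fixed in advisories:
            if base == adv_base and version and version_key(version) < version_key(fixed):
                hits.append((adv_id, comp.get("bom-ref", purl), purl))
    return hits


def dependency_paths(sbom_json: str, target_ref: str) -> List[List[str]]:
    """Walk the 'dependencies' graph from the root component and return every path
    that reaches target_ref, i.e. why the affected component is in the product."""
    doc = json.loads(sbom_json)
    root = doc["metadata"]["component"]["bom-ref"]
    edges: Dict[str, List[str]] = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node == target_ref:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # guard against cycles in the graph
                walk(child, path + [child])

    walk(root, [root])
    return paths


def top_level_only(sbom_json: str) -> str:
    """Produce the 'high level' SBOM: only the root's direct dependencies survive."""
    doc = json.loads(sbom_json)
    root = doc["metadata"]["component"]["bom-ref"]
    direct = {c for d in doc.get("dependencies", []) if d["ref"] == root for c in d.get("dependsOn", [])}
    doc["components"] = [c for c in doc.get("components", []) if c.get("bom-ref") in direct]
    doc["dependencies"] = [d for d in doc.get("dependencies", []) if d["ref"] == root]
    return json.dumps(doc)


if __name__ == "__main__":
    for label, sbom in (("detailed SBOM", SBOM_JSON), ("top-level-only SBOM", top_level_only(SBOM_JSON))):
        hits = find_affected(sbom)
        print(f"{label}: {len(hits)} affected component(s)")
        for adv_id, ref, _purl in hits:
            for path in dependency_paths(sbom, ref):
                print(f"  {adv_id}: {' -> '.join(path)}")
```

Run as a script, the detailed SBOM reports one affected component and the path webcam-fw -> http-server -> example-logger that explains it, while the top-level-only SBOM reports nothing, which is the risk/reward trade-off behind the detail question: the less you disclose, the less a consumer (or an attacker) can learn, but also the less a consumer can check. This matching loop is the core of what a tool such as OWASP Dependency-Track automates against real vulnerability databases; a production matcher also needs proper version-range semantics (pre-release tags, distro backports, ecosystem-specific ordering), because the naive numeric comparison above would flag a backported fix as still vulnerable.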
Podcast: Brakeing Down Security Podcast
Episode: 2020-032-Dr. Allan Friedman, SBOM, Software Transparency, and how the sausage is made - Part 2
Pub date: 2020-08-24
(show notes identical to those above)
The podcast and artwork embedded on this page are from Bryan Brake, Amanda Berlin, Brian Boettcher, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Podcast: Brakeing Down Security Podcast
Episode: 2020-031-Allan Friedman, SBOM, software transparency, and knowing how the sausage is made
Pub date: 2020-08-18
(show notes identical to those above)