We all know that software bills of materials (SBOMs) are important for cybersecurity. However, deciphering these documents has been difficult for many government agencies. The Silicon Valley Innovation Program, part of the Homeland Security Science and Technology Directorate, aims to help with this. It is running a program to accelerate the development of what it calls "supply chain visibility tools." For more, the Federal Drive with Tom Temin talked with Melissa Oh, Managing Director of the Silicon Valley Innovation Program, and Anil John, its Technical Director.
Tom Temin: Please tell me what's going on here. Let's provide a little background on the Silicon Valley Innovation Program and then explain what we're doing to help agencies meet this SBOM challenge. I think I need to reconfigure SBOMs, but no one knows how.
Melissa Oh: That is correct. Well, thank you, Tom. I'm really happy to be here. The Silicon Valley Innovation Program within the Department of Homeland Security's Science and Technology Directorate is working with the startup community to help them incorporate some of the pain points that DHS has into the commercial products they offer. We focus on identifying problems that we can help solve. It's developing. So by leveraging other transaction authorities, we can reach out to the startup community much more quickly, close deals very quickly, and get them to work on some of the tough issues within DHS.
Tom Temin: Yeah. Anil, please tell us about SBOMs. I think it's a great idea. Reading the ingredients will tell you what is in the software. But in reality, these are complex documents. A particular software program may contain thousands of components. And I think there are competing standard languages for expressing SBOMs. Is it natural to say that?
Anil John: Very fair. Let's start with the last piece. There is a very famous comic that is popular in the standards community, where there are competing standards, and then someone else comes along and says, "We need one standard that will unify everything." And now there are three competing standards. So I'd like to start by saying that that's not what we want to do here. We don't want to create a new standard. There are two very mature standards in the SBOM field, called CycloneDX and SPDX, each aimed at a different community, but both considered SBOM standards. Tom, as you pointed out, SBOMs are very similar to food nutrition labels, so they provide an indicator of what's built into the software and help identify potentially vulnerable things that need updating. And we hope through our efforts here to kind of ensure interoperability and that it's widely accepted.
Tom Temin: Yes, they're like food labels, but sometimes they're food products with 10,000 ingredients.
Anil John: Additionally, in some cases, it includes open source components, closed source components, and a variety of other things taken from various places. That's why we need, for lack of a better word, visibility into the software supply chain before any software is deployed within government networks.
Tom Temin: Of course. These elements are more present in software than in, say, Doritos. It's a very long list. And oh, what are these companies going to do? What do we want from these companies in this effort to sort out the interpretation of SBOMs?
Melissa Oh: The ability to convert between these two standards is critical to the broader adoption of SBOMs across businesses and other organizations, as Anil noted. So our startups actually developed an SBOM conversion tool called Protobom. The tool has now been launched and is publicly available through the OpenSSF open source community, through the Linux Foundation. So we're really excited. They announced it at the Open Source Summit just last week, and now everyone can start deploying it.
Tom Temin: We're talking with Melissa Oh, the Managing Director of the Silicon Valley Innovation Program, and Anil John, the Program's Technical Director at the Homeland Security Science and Technology Directorate. And the overall goal is the SBOM abstracted for specific agency personnel. It's this big document, and you can apply some of the new products that have been developed to the SBOM so you can understand what the SBOM is. That's because a given package probably only contains 10% of the ingredients that could be of concern.
Anil John: I think that's exactly right. Rather, a government agency or organization, or even a tool creator, does not have to worry about the format or standards used in the SBOM. With the Protobom that Melissa mentioned, you'll be able to automatically translate them and bring them all in without worrying. And when it comes to the projects that we fund, the Protobom part is the deliverable that goes into all the features that we fund. For example, visualization of SBOMs: the ability to visualize software within an IDE, or within a SIEM product, showing connections to vulnerabilities, etc. This is a very important high-level part, because the SBOM itself only shows what is there and does not directly indicate whether something is vulnerable or not. So the product that we're building, and that we're having our companies build, is really doing the connectivity and the Protobom abstraction, eliminating translation wars and format wars.
Tom Temin: And this seems to be done in context-dependent situations. In other words, if you are using a SIEM program, you need one view. And maybe, I don't know, if you're in an accept type or runtime type situation, you need a different view.
Anil John: That's totally correct. Whether you're a developer building software, making it visible directly within a software IDE, or a system administrator making software visible across your enterprise. We are fully aware that this needs to be verified by someone else, a distinctly different entity within the company. We also have the ability to visualize who is looking at our software in general and what assets they have. So all of these capabilities are being built by a group of companies that we're funding. And behind the scenes, all the companies are incorporating the Protobom conversion software into their products and basically don't have to worry about the format of the SBOM.
Tom Temin: Right. By the way, Protobom only has one B in it, right?
Anil John: That's right.
Tom Temin: Please make sure the spelling is correct. And Melissa, tell me about the programmatic side of this. Multiple vendors are involved in the Protobom effort. How do they work together, and what is the shared part of all this intellectual property from a project perspective?
Melissa Oh: So, as far as the companies are concerned, they are working together as a cohort. Their IP is their IP. They contribute to open source. They independently develop their own products, tools and solutions. But they work together, as they are all pulling in Protobom. So they're doing well. They just finished Phase 1. They are all in Phase 2. By the end of Phase 4, we will have a fully commercialized solution available to government agencies and commercial enterprises. Many of these companies are now actually commercializing their existing product suites and will have fully functional commercial capabilities by the end of Phase 4.
Tom Temin: And the Cybersecurity and Infrastructure Security Agency (CISA), one of the partner components of DHS, could become a channel through which this is communicated to individual agencies, as it is on many other types of cyber issues.
Melissa Oh: Absolutely. CISA is our partner in this project and also supports the work we are doing with the companies. So we're working very closely with Allan Friedman. He must have been on the pod before. He's definitely a great champion of what we're doing here.
Tom Temin: What you receive is a product that is already compiled and ready for use in applications with interfaces. And people can say, let's shove SBOMs in there and draw wisdom from them. Anil?
Anil John: I think the SVIP model is exactly that. At the end of Phase 4, there should be a variety of products available in the market for purchase by distributors and the product community. In this particular case, clearly there are two stages. So there's a product in and of itself that a company has, and basically an add-on to a software IDE could be an add-on to the same product, and maybe an add-on to visualization software that people can actually get and buy. And obviously, the part that is fully documented, open source, and available under a license that works for open source companies as well as closed source companies is Protobom, which is now accepted into OpenSSF. This is very important. It will then gain worldwide attention and have, and continue to have, its own life, with maintainers supporting and contributing to it.
Tom Temin: In other words, Protobom is like an engine that allows people to build all kinds of vehicles.
Anil John: I think calling it an engine is an overstatement. I think it's definitely an important part of the engine that basically provides the entire functionality more than anything else. And the big thing about the offering is that you basically don't have to worry about the different formats of SBOMs that are out there.
Tom Temin: Right. So, Ms. Oh, my last question for you is about the demand signals from DHS and probably agencies around the government. It's great that SBOMs are happening, but it's like someone is dumping a ton of hay on us. And it's really hard to rationally explain what's in front of us, this big mountain.
Melissa Oh: That is correct. I think having these capabilities in place will make it much easier to accomplish some of the cybersecurity and software supply chain visibility requirements in the executive orders that have been issued.
Copyright © 2024 Federal News Network. All rights reserved.