Preview Mode Links will not work in preview mode

Aug 24, 2020

Ms. Berlin: Tabletop D&D exercise

    Blumira is hiring 

Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce - National Telecommunications and Information Administration  SBOM guidance


Healthcare SBOM PoC -


Allan’s talk at Bsides San Francisco:

Questions (more may be added during the show, depending on answers given)

What is NTIA?

What is SBOM?

Why do we need one? Is it poor communications between vendors? 

Is there any difference between “Software transparency” and “Software bill of materials”?


How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?


Where in the development (hardware or software) would you be creating an SBOM?


You mention in your BSSF talk about ‘how detailed it should be’. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?


IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?


How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?


As we saw with RIPPLE20, many companies don’t know what they have. How would SBOM help keep another RIPPLE20 from happening?


Rob Graham’s blog post highlighted that vulns like HeartBleed would not have been stopped. 

    How does this help us track potential vulns? 


Sharing information

    Best way to share information about IoT components? 


Could an information sharing org (ISAC) track these more readily?


vendor assessments:

    Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?


Interesting feedback from NTIA’s RFC


Other SBOM types (clonedx, openbom, FDA’s CBOM)


Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD “927” issue?


non-US implementations of SBOM?


How do we get our companies to implement these? 


SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?

What is a ‘Bill of Materials’?
A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product.”

SBOM - Definition 


As of November 2019, an estimated 126 different platforms -

NTIA did an RFC on “promoting the sharing of Supply Chain Security Risk Information”


Secure and Trusted Communications Network Act of 2019 (Act) - Calling it “CBOM”


Other groups working on similar: FDA


SPDX: LInux Foundation: 




Medical device IR Playbook:


Companies are helping to get “CBOM” for devices:

“It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,” said MedCrypt CEO Mike Kijewski in a news release”


SBOM doesn’t work in DevOps:


Intoto software development:

510k process:


Check out our Store on Teepub!

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email


#Brakesec Store!:




#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App: