Preview Mode Links will not work in preview mode

Aug 24, 2020

Ms. Berlin: Tabletop D&D exercise

    Blumira is hiring https://www.blumira.com/career/lead-backend-engineer/ 




Allan Friedman - Director of Cybersecurity Initiatives, NTIA, US Department of Commerce

 

NTIA.gov - National Telecommunications and Information Administration

 

https://www.ntia.gov/sbom  SBOM guidance

 

Healthcare SBOM PoC - https://www.ntia.gov/files/ntia/publications/ntia_sbom_healthcare_poc_report_2019_1001.pdf

 

Allan’s talk at Bsides San Francisco: https://www.youtube.com/watch?v=9j1KYLfklMQ



Questions (more may be added during the show, depending on answers given)

What is NTIA?

What is SBOM?

Why do we need one? Is it poor communications between vendors? 

Is there any difference between “Software transparency” and “Software bill of materials”?

 

How do you make an SBOM? What data formats make sharing easier? What does a company do with an SBOM?

 

Where in the development (hardware or software) would you be creating an SBOM?

 

You mention in your BSSF talk about ‘how detailed it should be’. Can you give us an example of a high level SBOM, versus a more detailed one? Does it become a risk/reward effort concerning detail?

 

IoT device creators are working with their 3rd parties, who are working with their 3rd parties. Someone at home with a webcam cannot easily ask for an SBOM, so how do we convince device makers to want to ask for them?

 

How do you get your 3rd party that is a multi-national corporation to supply you with the information you need to ?

 

As we saw with RIPPLE20, many companies don’t know what they have. How would SBOM help keep another RIPPLE20 from happening?

 

Rob Graham’s blog post highlighted that vulns like HeartBleed would not have been stopped. 

    How does this help us track potential vulns? 

 

Sharing information

    Best way to share information about IoT components? 

 

Could an information sharing org (ISAC) track these more readily?

 

vendor assessments:

    Vendor does not have an SBOM, any specific questions we might ask that will allow an org to get more resolution into a potential vendor?

 

Interesting feedback from NTIA’s RFC

 

Other SBOM types (clonedx, openbom, FDA’s CBOM)

 

Companies are out there creating SBOM, other government agencies have SBOM implementations. How do we keep this from being the XKCD “927” issue? https://xkcd.com/927/

 

non-US implementations of SBOM?

 

How do we get our companies to implement these? 

 

SBOM could easily be something that could give hackers a lot of information about your org and depending on the information contained, I could see why you might not want to get super specific… Thoughts?






What is a ‘Bill of Materials’?
A bill of materials (BOM) is a comprehensive inventory of the raw materials, assemblies, subassemblies, parts and components, as well as the quantities of each, needed to manufacture a product. In a nutshell, it is the complete list of all the items that are required to build a product.”



SBOM - Definition 

 

As of November 2019, an estimated 126 different platforms - https://www.postscapes.com/internet-of-things-platforms/



NTIA did an RFC on “promoting the sharing of Supply Chain Security Risk Information”

https://www.ntia.gov/federal-register-notice/2020/request-comments-promoting-sharing-supply-chain-security-risk

    https://www.ntia.gov/federal-register-notice/2020/comments-promoting-sharing-supply-chain-security-risk-information-0

 

Secure and Trusted Communications Network Act of 2019 (Act) - Calling it “CBOM”

 

Other groups working on similar: FDA https://www.fda.gov/media/119933/download

 

SPDX: LInux Foundation:https://spdx.org/licenses/ 

 

OpenBOM https://medium.com/@openbom/friday-discussion-why-boms-are-essential-for-the-iot-platform-e2c4bd397afd

 

https://github.com/CycloneDX/specification

 

https://www.fda.gov/medical-devices/digital-health/cybersecurity

 

https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-premarket-submissions-software-contained-medical-devices

 

Medical device IR Playbook: https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf

 

Companies are helping to get “CBOM” for devices:

“It can take anywhere from six months to a year for a new medical device to get its 510(k) clearance from the FDA,” said MedCrypt CEO Mike Kijewski in a news release” 

https://www.medicaldesignandoutsourcing.com/medcrypt-acquires-medisao-in-medtech-cybersecurity-deal/

 

SBOM doesn’t work in DevOps: https://cybersecurity.att.com/blogs/security-essentials/software-bill-of-materials-sbom-does-it-work-for-devsecops

 

Intoto software development: https://www.intotosystems.com/



510k process: https://www.drugwatch.com/fda/510k-clearance/

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#AmazonSmile: https://brakesec.com/smile 

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#Pandorahttps://pandora.app.link/p9AvwdTpT3

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec