Demystifying the SBOM’s Impact on Secure Software Deployment with Bill Manning @ SF Bay ISSA

August 24, 2022

< 1 min read

Join JFrog’s William Manning as he speaks in person at the SF Bay ISSA Chapter!

With the White House’s cybersecurity executive order in May 2021, the Software Bill of Materials (aka SBOMs), graduated from being a “nice to have” to a “must-have” global standard when developing and deploying secure software from the cloud? In a nutshell, SBOMs provide visibility into which components make up a piece of software and detail how it was put together, so it’s easy to determine if it contains security and compliance issues.

In this talk, we’ll discuss
► What exactly is an SBOM?
► Securing your Software Supply Chain
► Why SBOM must be a key element of your software development life cycle’s (SDLC) security and compliance approach
► The misconceptions that exist around SBOMs
► Insights and best practices on SBOM creation and usage.

View Slides Here


Bill Manning

Bill is a Solutions Engineering Manager with JFrog. He is also a mentor with TechStars (Nike Incubator), Matter, and NestGSV. He has successfully exited 3 companies and took one public in Australia. He also currently helping various startups as an advisor. In his spare time, he likes to travel with his wife and two boys. He also plays guitar, lives for the beach and rides skateboards.

Video Transcript

uh it’s a privilege to have um bill manning from jfrog present to us today and bill is a

manager of solutions architecture with jfrog he is also a mentor with techstars mater and nest gsv

he has successfully exited three companies and took one public in australia

he is also currently helping various startups as an advisor in his spare time bill likes to travel with his with his

wife and two boys he plays guitar loves the ocean and is avid cyclist

thank you for joining us bill well guys thank you so much for having me and i’m very happy to be here and uh

today what i’m going to do is present to you uh demystifying s-bomb’s impact on secure software development all right

well you know what the idea here is is that you know we’re to go through and explain the importance from it’s the

reasons it’s behind it and also really what it is because we always get a lot of questions uh you know about s-bomb

especially um at my company um also do a lot of these talks publicly and the

thing is as i stated um you know so i’m i’m bill manning uh says william but you can follow me on twitter both uh at

jfrog and also uh on my own personal uh yes they are my thoughts but yes i do

run the solution engineering team for the americas and today when we talk about s-bomb we need to start off with

the reasons why s-bomb suddenly became a thing in the past year and a half you know why did it suddenly out of nowhere

this big critical thing called software bill of materials or x-bombs show up and to understand we need to start off with

the very simple stuff right and the way we start off is software supply chain and software supply chain attacks more

specifically you hear this word a lot you know and what exactly does it mean well the thing is is we see these

headlines everywhere right nowadays you go to hacker news you go to uh even to

google news and you look in you’ll see you know there’s some sort of breach you know there’s some sort of nefarious component that happens some sort of data

loss or whatever and the thing is is that most of the time this is coming from something that could simply be

really rectified uh very simply over time but it’s about raising awareness

though the thing is is that it’s nothing new the thing is is that over the panel this has been going on for a long time i

mean the thing is is that when you look at what a software supply chain attack it’s the basic simple most derivative

thing that you do as a developer besides coding and the thing is is that when you look through this you can see over time

that there’s been plenty of these and the idea is is that somewhere along using those third-party transit

dependencies you use as a developer to build your software and things like that somebody has slipped into the mix and

caused some sort of malicious components or some nefarious components to be injected into the things that you do

now when we look at this like i said this has been happening over time this is nothing new these kind of data

breaches these kind of exploits i’ve been doing and i’m not talking about some of the other ones like some of the web exploits and those things about bad

coding or improper coding or you know those kind of things i’m just talking about the software utilized to supply

what you do as a you know as a coder and the big one that everybody seems to always talk about and really actually to

be honest this was the one that was the catalyst for software bill materials which was solarwinds right back in 2020

march and june this was a huge thing over 18 thousand customers were affected

i mean it was a hundred billion dollar global remediation think about that

eighteen thousand customers but it wasn’t just the customers that uh of

eighteen thousand it was specifically the customers and when i say that especially in the united states it was

people like the department of homeland security it was the dod it was the federal reserve bank right these are

government entities that were attacked by this and the interesting thing about solarwinds was the attack itself and i

always talk about it and i will say i i do have this morbid curiosity fascination with it i think it was

elegant in its approach even though the fact that it did cause so much but the idea was simple it was actually a fourth

level transitive dependency attack meaning that some developer out there working on this code went in did a

standard pull of a library that they needed in this case it was a solarwinds library and wherever that was actually

constructed somewhere in that chain of dependencies that developer needed to do their job somebody slipped in this

little bit of basically another library and this library snuck in got in and the

best part about it and the elegant part the part that i was like this is pretty amazing even though it’s terrible it’s

terribly amazing we’ll say that is the fact that you started it 14 days later

it did its job think about that it laid in wait for 14 days until it did something and then it reached absolute

havoc but the reason why i bring that up and why this was the catalyst for why

so many people were all of a sudden it became a thing was the fact that 85 to 90 of the software you do as a job

as a coder or somebody developing is someone else’s software right and

developers and i exciting is in the forum right before this we’re discussing it is i always tell people and i’m a

coder myself i started my career long long ago back in the 90s right it sounds funny when i say that but the whole thing is

is that we as developers as coders are artists and the palettes we use to

create our our art is those third-party transit dependencies i need you know after i pick a language type to do my

job you know it could be java npm python whatever you know i go out there and i

get the tool sets i need to do the task i’ve been assigned whether it’s a sprint a kpi or whatever and all i know is i

need to do my job and my creativity flows from my ability to want to go in there and do my job perfectly and i look

for those third-party transit dependencies to do my job i need something that’s going to parse the string i need somebody’s gonna create a

hash table whatever whatever it happens to be i will do a search in the appropriate language that i’m using i

will find that component i will bring it in i will use a function to do my task check it off my list and continue on

now the thing is is that i do we do this with reckless abandon right we have this innate naivety on how we actually pull

these binaries in without asking the question are they safe can you trust it and the thing is like i said 85 to 90 of

your software is someone else’s software that you don’t know it’s like somebody walking up to you on the street with an

open snickers bar and says here you go eat it all right that same kind of level-up

idea you go oh you know what do i trust this person do i know them do i want to eat this i don’t know should i probably

test it first but the thing is is you got to remember just because of that there’s other things factors you need to keep in mind

as you’re working through these problems too is also software automation because a lot of these automated tools also

bring in things you know if you’re just following 12 factor or multi-tier which is also another thing we’re discussing

before is the idea is is that your development environment so using like docker images to code you know you’re

coding in should be the same level of environment that you have in your production but when that happens one of

the other things too is we’ve also added a lot of automated tasks so the number of things like even docker images which

have dependencies that have dependencies that have dependencies they have os they have run time your application itself

there’s lots of things but when you automate these processes too there’s stuff coming in behind the scenes sometimes that you don’t know because

remember you have you have direct dependencies that you’ve implicitly stated for the things you’re doing but you also have

indirect transitive dependencies that come along with it and and as you do this and you automate more you can kind

of lose sight and actually just pull in these ideas that this is all behind the scenes it’s being taken care of

automatically but there’s problems there too because sometimes it actually amplifies the risk of what you’re doing

another thing too is like i said all the software built by your company and the software you produce is usually stuff

that a people you don’t know right and the thing is is that it doesn’t really inspire trust sometimes if something

does happen the fault lies upon you know the developers the tool sets and things like that and unfortunately a lot of the

you know practices we go through these days don’t really inspire a heavy level of trust so you need to look at things

behind the scenes sometimes to help improve the software basically you know there’s plenty of tools out there that

can detect those third-party transit dependencies and problems but it also you need to build a trust level between

the things that you’re doing also too when you’re looking at these potential threats and vulnerabilities

and you hear all these things about these libraries out there being nefarious and malicious and all that the thing is is some of these have no

incentive some of them are just for bragging rights but others are targeted there’s plenty of targeted groups out

there that actually do this for money take down corporations take down people extract data you know pull that data out

black you know put onto the black market and sell it so the thing is is that there’s a lot of things you need to keep

in mind in this crazy world of software development that in a way until recently we’ve always kind of

known it’s been like that unspoken rule that we’ve kind of known but now that you know financially this has been so

huge and it’s actually growing because i mean just to give you an idea when we look at this

it’s not just you know are these potentially threatening things that we’re using are they potentially going

to cause my company harm and one of the jokes i always make is no company wants to be a headline for the wrong reasons

and there are wrong reasons such as data breaches but the thing is is not only is

it potentially scary nefarious things that could cause problems 74

of the stuff you use as a developer is old outdated uh end of life and also

contains always one major vulnerability but they can also be fixed with a simple update and this is the thing too is

we’ll also talk about levels of remediation because remediation the faster you can fix something the better

and remember just as a statistic that i don’t talk about in here is that your developers are your frontline defense so

whenever you’re doing this whether you’re using my company’s tools that we have or any other tools out there

enabling your developers to have this awareness because the thing is if you attack it where it matters much which is

at the developer or they call shift left everybody talks about shift left these days the thing is is that it’s the roi

is greatest there the closer you get to production the exponentially cost goes

on so if you get into production it’s like 100x more expensive to fix than something at the developer level

and when we look at this these days i mean the stats are there right 62 percent all exploited tax were from

trusted suppliers for you know i mean from 60 you know that was a six and a half per you know time increment you

know from 2015 to 2021 right every year it’s getting worse and worse and the

thing is is that it’s getting more expensive to fix these things and but there are more tools in the market more

awareness but the thing is is that just to give you an idea i mean supply chain

attacks are i’m explaining to you why they’re so problematic number one they’re low effort you don’t have to be

even that skilled to do it that’s the thing is that some of these are actually dirty exploits right these are things

that people cobble together and put it in the problem is is that these little exploits go in undetected most of the

time as i stated with solar ones it was a fourth level transit dependency when was the last time you as the developer

looked at the indirect transit dependencies you brought in if you’re an mpm developer you have the worst job

ever when it comes to this right i’m going to i’ve done npm for years i call it the house party you know you

have this package.json you know every language has a place where you can define your transit dependencies

package.json is npm i put three things into my package.json that i need to use

maybe it’s a rack free framework maybe it’s some sort of parsing whatever and 500 transit dependencies show up that’s

why i call it the house part you invite three and a lot more show up well the thing is is the reason why they show up

like that is it’s easy to spread because once you’ve been you know gotten into the community mpm maven central whatever

and you put these transit dependencies in undetected by most people it just spreads i pull a transit dependency and

it says a fourth level transit dependency for a library it just comes in they go yeah that’s just the cost of me doing business i never ask what that

extra line was but like i said and the biggest thing is it actually abuses the trust relationship between the company

and the consumers because how can they trust you when a data breach happens there usually is a huge drop in

companies you know ability to actually work with their customers after this because of this lack of trust

but the thing is is that they can open exploits that are even more you know simple than that it could be a back door

into services or it can be just straight up malicious code you know the thing is is that these attackers just simply

blend in that’s the other part of this not only developers have this naivety we also have it i mean i’m part of many

open source groups and the thing is i’ve been doing it for years i was part of some open source projects as a product manager and things like that and the

idea here is is that we’re very welcoming you know we want more the more the merrier right the more coders we

have in the community uh the more you know the more creativity it has the more problems we can solve you know it’s a

very much that mindset of like yeah we’re doing something we’re going ahead and the thing is though is these are

really huge potential threats and how do these attacks occur well they’re very simple like i said i’m

a coder i sit down i pick you know i got to build a product i’ve been assigned a task and you know when i i’m assigned a

task i pick a language uh doesn’t matter what it is and then i say okay great

based on the requirements i have i need to have specific libraries to help me do my job like i said parsing a string uh

you know creating hash tables whatever you know taking an image and turning it into something doesn’t matter but i

depend on these dependencies to do my job so i use my you know whatever tool i’m using i put it together i i i

compile it i i you know i publish it whatever i do with the language specific needs and i create something

but what if one of these components is nefarious now this would be an injury it should be a direct transit dependency i

implicitly stated hey guys remember log for j and log first show biggest ones out at the beginning of this year right

everybody uses log you know log for j hugely popular so i bring it in next

thing you know i’m adding it into into my code unexpectedly to me i give it to my i

send my software to my customer now they’re infected and we’re all happy because now we’re all infected together

it sounds like a coving party i’m just kidding anyway you get the idea right but ninety percent of the time when this

happens it’s actually like i said one of these other transit dependencies a indirect transit dependency something

you did not implicitly state and that comes in the same idea you know next thing you know your customer has a

lovely set of you know vulnerabilities attached to the software you produced for them and the thing is is in 2021 there was a

650 increase in supply chain attacks now i’m not gonna lie i think a lot of this

happened to be is is that this also started to happen during quarantine we actually saw the the stats rise people

were at home a little bit bored had a lot more time on their hands not really going out and like let’s give it a shot

and here they are right 650 percent increase think about that

that’s terrifying when i read the report from garner that brought this up i was i was horrified by it

so when software attacks right this is really what it comes down to and the thing is is that there’s various

types there’s things like typo squatting right the means is you know somebody accidentally puts in you know e before i

instead of i before e some really smart developer out there produced a set of

malicious components out there and they do this by the way you can look it up that they put in misspell or mistyped in

words you know you’re quickly typing in say you know log for j and you transpose uh you know one of the characters well

next thing you know you’re bringing out something illegitimate this is very much a real thing

or dependency confusion you know a lot of companies out there release you know libraries for you to use third-party

components for that you think is from a trusted source right think about that you know like okay you know what and the

example i’m going to use is a real example right i mean you know you know big ones let me look at netflix i mean

netflix developed one of my favorite tools of all time chaos monkey if you ever use chaos

monkey it is the bomb it is so good right i still love using that to do test exploits but the example i’m going to

show you is how do you know whether or not these libraries are real how do you actually know and actually at the end of

the discussion i’m going to talk about an open source project that we’ve actually um that we announced to the

world uh called persia is a way we’re trying to combat this and we’re looking for more people to actually get involved

in we have some big names behind it but we’ll talk about that towards the end because actually one of the attacks that

we actually went ahead and played around with in terms of dependency confusion is paypal

um think about it paypal trusted financial institution you know what

people are like oh it’s a financial payment service no it’s a bank let’s face it if you go down to a paypal as a

bank bar net you go online you’re like you know what i’m building a secure application

i want to go out and make sure i have the most trusted way to have my users authenticate and have the most reliance

i do research and i come back with a bunch of libraries and say paypal i go hey paypal’s a bank they’re regulated

they deal with financial and billions of dollars of financial you know what they must be good i’m going to go ahead and

utilize this you know the problem here is these aren’t paypal pay aml had nothing to do with this the thing is is that

this was actually put out there by a hacker group and they put it out and actually the exploit was absolutely

horrific it took all that data and shoved it off to some sort of tor server

somewhere and spread your information everywhere around the world kind of elegant i’ll admit like i said i

have this morbid curiosity with terrible things i kind of like tom waits i like to sing beautiful songs about terrible

things same idea and the idea here is is that you need to know what you’re utilizing

so why did i talk about all of that right why am i talking about that and what exactly is a software bill of

materials let’s start off simply first of all it’s not new to be honest

it’s been around for a while and actually the national telecommunication information administration in

conjunction with the fda came and proposed this back in 2018 and actually

his lineage goes back before that but the reason why this was created was medical devices medical devices run on

software and these devices can kill you and the thing is is that we needed to

know basically what software ingredients were used in the software to protect itself

against exploits and thus i.e killing people right think about it

everything from pacemakers ventilators you name it right these things operate

on software so the fda was like we need to know what’s in these devices

and the thing is is that this also utilized this to create the framework

for what was going to be announced last may by the biden administration which is the executive order on improving the

nation’s cyber security this was a direct link back to the concepts of what

happened inside of solar ones the us government actually i was very surprised rapidly placed this through but to be

honest once again actually this thing i actually and i did have to read it i hated it and it took me like four days

because it was legalized and boring but the important part of this that i got to when i read this executive order was

this little section right here section four enhancing software supply

chain right this idea here the security aspects behind it specifically in

article 7 of it which is provide a purchaser a software bill of materials for each product directly or by

publishing on the website so what this did is this set the stage for anybody who wants to work with the

us government they need to supply a software bill materials to the government before it can even be

considered as a viable entity or viable usage in the government and variance and

change meaning changes between versions need updated software building materials behind us also

and yes this was a direct feedback from the governments and this was an answer now it’s actually bled over into private

sector right medical device companies or just medical in general um you know any sort of iot a lot of this stuff is now

becoming a regulation in a lot of other industries once again this has set the stage and you need to understand when

they get asked these questions it’s also going to start affecting things like insurance policies towards companies

right you need some sort of a level of accountability and this will help i mean how many software development teams out there have ever gotten a notification

from legal saying you need to provide us with a license diligence report so this way we can make sure that we’re

complying to our company’s standards right so these are kind of things that one of the parts of the software build

materials is of course licensing what is the licensing behind this so it’s also a compliance aspect too

but when we think about it all you got to think about is what i love to talk about and the reason why i got i i gave

this talk before and everybody seemed to laugh at it is the fact that it’s simply this it’s a list of ingredients that the

fei already did for years and years around things like food right and i like

chocolate cake uh german chocolate cake is nice too but the idea here is also not only the ingredients but also to my

contain right that idea of here’s some warnings that you might have along with it but this concept is ideally the same

thing that you have in the software bill of materials so let’s go take a look at some cake because cake’s more fun to

talk about right you know the same idea here you have a cake on the left and you know that this cake was made with things

and here’s the list of ingredients for the cake interesting thing here is yeah you know what have you if you’ve

ever seen the great british bake off which is one of my favorite shows there’s always one of these challenges is here’s a bunch of materials go build

something same idea here is i have a cake here i’m going to show you the

ingredients including the versions or in this case the measurements of it but i’ve never really told you how to make

the cake and that’s the differentiator this is one of the key factors that a lot of people get wrong with software build materials it’s the list of

ingredients and the versions doesn’t tell you how to put it together so you’re not doing any sort of intellectual property loss or anything

like that it’s really all the components all the stuff utilized to make what you do

so solver billing materials is just like a list of ingredients of your software inside it could be it could be open

source right so free you know frost components right you know free as the not free as a speech not as a beer you

know and it can be freed or paid it could be you know data restrictive it doesn’t matter in addition you can also

include other information that might be beneficial to the end recipient of the software like tooling and environmental

information you don’t have to but sometimes it’s nice to put that in to say oh by the way here’s some of the

things that we did in addition to the components we used to build our software

and the thing is is that it’s being utilized by like i said the government was the first to say hey you need to

supply this to us you have no choice if you want to work with us you have to do this and now by the way this started off

with the us but now it’s actually global right the eu has their own thing uh apac is starting to bring a lot of this

information online but really what it is it’s a way for you to go ahead and just

provide information from a legal accountability purpose right also too it can be used sometimes in negotiations or

pre-purposing or in some cases sometimes when companies buy software they actually might start asking this because

they might have their own list of things that you can’t use it’s like the same thing when you’re working with a company

if you have a firm like we do and we talk to companies we use like google docs for the way we do things and so we

always have to ask the customer like hey can we share this google doc and we can use it together in collaboration and

always here is hey we don’t accept we don’t we can’t use google docs they’ve been blacklisted at our office this is

the same idea you might send this over to them and say you know what there’s some components in your software that

our security team has flagged or there we don’t we have some potential threat you know if they don’t like the

licensing behind this component we’re not sure how it’s going to affect that also it provides those teams with a way

to say hey you know what we know that some of these components in this list of software components that

you’re using to build your software um are on the right you know are we’ve seen them uh as being labeled as highly

threatening items uh do you have new versions or what versions of these are available so they understand the

potential of bringing software into the company and the level of acceptable risk they’re willing to take based on what

you built when you know using you know the software that you give them based on what was used to build it

on top of that though there’s a lot of other benefits to you know identifying mitigating any sort of vulnerabilities

you can quickly parse through it you know managing licenses this is a huge one license compliance i mean i went

through an acquisition and one of the times and part of the acquisition process was they wanted a list of all

the open source components on the software we created as part of this and when we went in we realized we didn’t

have accountability behind us because they wanted to know the licenses to find out if we had actually used any

potential licenses that might cause a problem remember there’s all different levels of software licensing like gpl

and all that and you know what’s acceptable in terms of change elements and things that you do so some companies

won’t accept certain licensing it also allows them to you know companies look through and say yes this adheres to our

requirements list also too it allows for more comprehensive information and a lot

of cases also too there’s also a lowering of cost because there’s uh you know internally for the company to

produce the software and also that’s consuming it to find out if there was an issue and a new version comes in you can

go ahead and see if that component was addressed in the software build materials and then you can assure your customer that you fixed it because you

can apply the new software building materials to show where that’s been mitigated or changed

now so all it means is that everything i told you is software has a lot of stuff

in it it’s got a lot of components it’s got a lot of things and those things you know are our libraries and other things

and the l we all know that we all know our job and the thing is is though i like to talk about cake like i said

let’s go back to my cake i like i’m actually kind of hungry i probably should have eaten before this uh but at

the same time we’ll do a cake so look at this cake right what can you tell me about it right we just know we

said this is a piece of software well you know what it might be part of a larger cake we know somebody made it right or it could be and by the way it

could have been automated too right this could have been made in the factory mass produced and shoved out right but

initially somebody had to make it somewhere so this way they could make machinery to fuel it same thing as a

developer right you might experiment with the cake say this is a perfect cake and then you’re going to go ahead and put it into some ci process or in this

case the ci might be cake integration i think this is a new thing anyway you also know that somebody mixed

it you know it was baked in an oven i mean yes there are cakes out there you don’t have to but it was baked in an oven we’ll go with that one maybe it’s

decorated maybe it’s plain right and i hope it’s tasty right i like tasty and but we also know one major thing there

were ingredients here there were things that were used to make this so when we look at this we’ll go back to our cake again you can see there’s a

list of ingredients here now the thing is that you could include more information like i said if you want to

you could even some companies might say well you know what are your processes what are your qa processes um you know

do you have any validation in terms of performance or scoping in terms of of

risk mitigation when this product doesn’t work or is it disasters have disaster recovery uh is can this be

highly available if i do things right so you can include more information behind it including like hey you know what we

made this cake before we gave it to you here’s a list of tools we used and here’s the list of the steps that we

went through to validate the product before we put it into your hands you can do that

but also too what if something changed and i and i’m gonna i’m not gonna lie this has

actually come this example does come from personal experience what if baking soda now i know if anybody’s done you

know bake you know cooking before and i’m sure at least everybody who’s done cooking before has maybe run into one of these what if you swapped out baking

soda for baking powder right i have done this this is not a good thing but this is change elements

right so my software bill of materials reflect that because the expected results are completely different yes

like i said here you go done did it right these are the things you need to know

because we need to know what’s inside right what’s inside the software that counts and how you can mitigate some of

these risks so once again let’s go back to our our developer right third party transitive dependencies

pulls them in creates a product and what a software build of materials is is those exact entities we’re shoving all

that information into the software build materials we’ll talk about formats in a second because there’s two different

formats of software build materials there’s cycle and dx and spdx depending on the organization they might they

might you know choose one or the other but there’s two acceptable formats out there right now but the idea here is is

that you can now supply a software build materials to your customer there are tools out there that do it like my

company we actually you know part of the process of publishing your bills into our product uh it’s artifactory is the

fact that with our x-ray product you can extract the software build materials easily there are tools out there that allow you to do this and give it to your

customers because the big thing is is that also too when you’re dealing with your customers and you go to send your

next release to your customers you want to be able to update your software build materials go in and when you supply that

to them you can do that or if there’s something nefarious inside you can they can also go ahead and find out by

looking at the software mobile materials if they’re affected without them having to come to you even somebody reason

hacker news that a library uh you know is out there and there’s there’s catalogs out there that you know

software catalogs for software build materials they can do a quick search and go oh god are we suspected you know are we are we susceptible to xyz version one

two three four of this library we’ll do a quick search oh my god we are we have five software products running

internally that are actually running this companies know they can start taking the next step contact the vendor

take down the software find out if there’s any remediation steps can we block that software from being accessible whatever this allows

companies to have a knowledge map instead of just having this blank slate that’s what happened with solar winds

soul rings nobody knew the ingredients behind the stuff suddenly it’s everywhere it explodes and there’s a

global catastrophe of epic scale when it comes to this but also too it allows companies

like i said to find out then you know how long say this version of this piece of you know the software you know maybe

how many versions has it been affected in well we find out that version 1 1.2 and 1.3 have all had this vulnerability

and 1.4 seems to be safe this is another way that software build materials is not just a hindrance it’s actually a helpful

method for companies to have even accountability and their customers to have assurances internally that they

understand the things they’re bringing in but what about cake with a lot of layers

right this is always talking about layer cakes each layer can be different each one could have different ingredients

each one can be made independently right each component can be made by somebody else together they might be absolutely

delicious right you actually might be able to go deliver it to different locations right there’s all these things

and all this information and the reason why i do this is i always call it the web services cake right if you ever use kubernetes it’s made of many many

multitude of components that are out there i always like to say the frost is the helm and then each layer of the cake

is docker right and the thing is is that each one of these are handled independently but treated as a whole

and that means that when we look at this and we let’s say a doctor image you got to keep in mind you know has an application layer it has a runtime the

level of complexity in software builds even in web services or anything you’re deploying in there it should have its

own software build materials too right what base os did you use what version of the runtime did you use to host your

application what kind of runtime was it is your application running a specific version and what components does that

have and even when we get into something like web services like this you know you have maybe different kind of layers of docker

images and even helm and you can actually take all this information before you even put it together and even

have a basically a software build materials of software build materials right inside of this helm chart it calls

specific versions of these applications that might be out there might be a ui a data processing back end and something

else but this allows you to even have a counterweight behind web services that you should get into the habit of having

even internally or if you supply a platform to your customers and they have to install it using say kubernetes or

any of this you need to supply the same level of information not just the individual applications because you’re

actually bringing all this in for somebody to use or utilize yourself and when this happens and there’s

something bad this allows companies to go in and directly access that information so they know how they can

address it and remember that the other thing too is you can include things like ci tooling

you know what ci processes you use you know when was it built what were the stages you know what frost could you

know many processes were used as part of this what environments what were the settings in those environments and also

too did you detect any vulnerabilities but you’ve determined that those vulnerabilities are not applicable based

on the complex text of usage meaning maybe you have a library that’s been flagged as in the various components it

might have a hundred functions in it and the function that you’re utilizing is not the function in question based on

the vulnerability right the cve or the cvss score do you really want to throw it out where you can include information

as a caveat to say yes we understand this component is infected but we also let you know we don’t use the

potentially nefarious component and the thing that is exposes to some of the ask you is not part of the process in which

we’ve enabled so this gives you a lot more information that you just apply to your customers to allow someone more assurance in the

things that you’re doing and also for your even your internal processes and legal teams

now misconceptions i brought up some before number one it is not a road map for

attackers yes they could infiltrate one of the larger communities but you’re not the only thing they’ll be singled out as

part of that community right it is not a roadmap to say these are the you know potential vulnerable exploits that might

have you don’t have to disclose source code there is no source code disclosure here they’re not asking you for every

level of detail of things they’re doing and then lastly it’s not going to expose any

intellectual property your sauce is still your secret sauce right you’re you know do you worry when you you know

you’re making it say maybe make a nice uh tomato sauce and has all those things of grandma’s recipe you put it together

you hand it you sell it to somebody you know you might have the ingredients on the outside just to make sure but you

know what you know grandma’s recipe up upstairs right you have that in your head you’re not going to tell that

person you still want them to come back and buy your stuff right you don’t want them to reproduce on their own same idea

and the thing is is that if you need to work with the us government you need to provide this this is going to be this is now a regulation right they actually it

was actually enacted last november you also like i said it needs to include all the foss right the free and open source

software or even things that you’ve even purchased right this isn’t even clues any proprietary stuff also how what and

where when it was made the ability to also do auditing and tracing of potential threats that’s one of the things that actually provides as part of

this complete accountability behind everything that’s been processed and security and license compliance this is

the legal folks coming after you saying hey can you supplies with a list of the stuff that was used in this or handing

off your software before it’s purchased and going through the procurement process they go through this list and they go we flagged a couple of things in

here that say oh you know our company doesn’t think that these versions of this of these libraries are applicable and we’ve

actually need you guys to give us some some level of assurance that that it’s okay think about this what are they it

would happen after the fact you give it to them and suddenly they realize that you’re running something that was not applicable do you really want to have to

do return on the sale this will help you address any of those concerns with those customers and the thing is is that you

got to remember when we go back to this right i always joke around and this is like one of the

best lines i’ve ever heard from somebody right every time you pip install go get made even fetch something you’re always

doing plugging the thumb drive you found on the sidewalk into your production server right and this gives you that

level of accountability on the things you’re doing so we have safety and security that we provide other developers and tool sets and there’s

lots out there so remember software building materials is like the endpoint map of what you’ve done on your quest in

your journey always protect your organization through whatever means necessary to make sure

that you’re not picking up a thumb drive off the sidewalk and if you’re like oh this this is fine i’m going to plug it

in so let’s talk about one last thing here um this is what i was talking about the

end we opened up a one of the problems that we see in the world today is the fact of the accountability behind these

third-party transit dependencies uh we actually have a lot of backing behind this uh there’s a there’s our site

persia dot io uh that you can go to but what we’ve done is we’ve actually gone ahead and we’re looking at building and

getting people as a zero trust binary network a decentralized package registry so in other words what we’re doing is is

that we’re using more of a of a you know the blockchain style accountability ledger to build a basically a series of

regulations in a way or in this case methodologies that package management such as maven central npm python you

know for pip you know taipai uh you know docker registry and things like that to have validation behind this so that you

can say this is a trusted source package right but the thing is we’re calling a zero trust binary network and the idea

here is is it’s decentralized right so there’s no one central source of truth in this case it’s a series of basically

ledgers just like you know just like uh you know bitcoin and all that the idea of the blockchain ledger is it’s pretty

powerful i mean i’ve used i’ve used it in other technologies too but the idea here is is that immutability is that you

know the validation and the ability to validate and so this is one of the things that we want to do with verification or cr you know by spreading

it across and having multiple people actually go in and validate these sources enables trust

and the thing is is that we’re going ahead and we’re going further and further in you know down this we’re getting more and more companies involved

if you want to be involved go to our persia dot io page and the thing is is that we are going to go ahead and open

sources more and like i said we’re looking for as much involvement as possible so if you want to start looking

at and you want to be involved in an interesting project i’m super excited about it and it’s very

new and it’s going to take some time but we need a lot of hands behind it but the idea here is is that we want to even

create a bigger sense of trust on the global scale on top of not just having tool

sets that could detect this we want to go to the root source and try to fix this in a way and have everybody

involved so that we have more accountability and this will actually feed back into the software build materials because we could eventually be

able to crawl like have like a trust id this you know this binary was a trusted source and validated and that’s what

we’re looking to do so the thing is is that if you want to be involved in persia please uh you know

go to the site uh apply and go in and we love love love to have more people um

i’m actually done with this now this is me i’m done i’m bill manning i uh i hope this has been informative and uh you

know what guys thank you so much for having me here and having me part of the conversation um

but thank you thank you very much bill uh that was great i’m gonna go ahead and stop the

recording so if people wanna ask questions and again this is another reason to join our meetings um for the q

and a time uh but thank you again uh bill manning from jfrog