#60: Bonus Episode: Dr. Allan Friedman Returns: CISA SBOM-a-Rama Fall 2024
In this episode, Dr. Allan Friedman from CISA returns to discuss the upcoming SBOM-a-Rama Fall 2024, a pivotal event in supply chain cybersecurity. He shares insights on the evolution of SBOMs, the significance of community collaboration, and what to expect from this year’s hybrid event, including a showcase of innovative SBOM solutions.
About Dr. Allan Friedman
Today we welcome back to our show the esteemed Dr. Allan Friedman, a.k.a. the “SBOM rockstar” from the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS). Dr. Friedman is one of the world’s most prominent leaders in product cybersecurity. He is both a technologist and a policymaker, with more than 15 years of experience in international cybersecurity and technology policy. He is known for his remarkable ability to design, convene, and facilitate complex, multi-stakeholder policy processes, which he demonstrates often while leading CISA’s efforts to coordinate the use and interoperability of SBOMs across industries. Dr. Friedman also travels the world spreading the SBOM gospel as a keynote speaker at various events, including the first Left to Our Own Devices: The Conference, which took place last April, and many others. He is here today to discuss CISA’s upcoming SBOM-a-Rama Fall 2024, one of the most important events in the world of supply chain cybersecurity, which will take place as a hybrid event on September 11th and 12th, in Denver, Colorado, and also virtually.
To learn more about the event, visit: https://www.cisa.gov/news-events/events/sbom-rama-fall-2024
A Summary of Our Conversation with Dr. Allan Friedman
In this episode of “Left to Our Own Devices,” Dr. Allan Friedman from the Cybersecurity and Infrastructure Security Agency (CISA) returns to dive into the world of Software Bill of Materials (SBOMs) and to preview the much-anticipated SBOM-a-Rama Fall 2024 event. As one of the leading voices in the field of software transparency and supply chain security, Allan offers a wealth of knowledge and updates on the evolving landscape of SBOMs, the challenges faced by organizations in adopting this crucial tool, and the significance of community efforts in advancing cybersecurity practices.
The Rise of SBOMs and Their Importance in Cybersecurity
Dr. Allan Friedman begins by revisiting the journey of SBOMs, tracing their roots from a niche concept to a central pillar in supply chain cybersecurity. He emphasizes the growing recognition of SBOMs as a fundamental component in ensuring software transparency, which is critical for identifying vulnerabilities and managing risks in increasingly complex software ecosystems. As software becomes more integrated into critical infrastructure, the need for a clear understanding of the components and dependencies within these systems has become paramount.
Allan highlights how SBOMs have moved from being a technical curiosity to a widely endorsed practice, supported by government initiatives, industry standards, and international collaborations. He points out that the momentum gained by SBOMs is largely due to the realization that without transparency, the risks associated with software vulnerabilities cannot be effectively managed. SBOMs provide a way to map out the software supply chain, allowing organizations to identify and address potential security issues proactively.
The Evolution of SBOM Adoption and Implementation
The conversation shifts to the current state of SBOM adoption. Allan acknowledges that while there has been significant progress, there are still challenges to overcome. One of the primary obstacles is the variation in SBOM formats and the lack of standardization across industries. This diversity can make it difficult for organizations to integrate SBOMs into their existing workflows. However, Allan remains optimistic, noting that efforts are underway to develop common standards and practices that will streamline the creation, sharing, and utilization of SBOMs.
Allan also discusses the role of automation in SBOM generation and management. As the complexity of software systems grows, manual processes become untenable. Automation is key to scaling SBOMs across large organizations and diverse supply chains. He underscores the importance of developing tools that can automatically generate accurate SBOMs and integrate them into continuous integration and deployment (CI/CD) pipelines. This approach not only reduces the burden on developers but also ensures that SBOMs are kept up-to-date as software evolves.
Community Collaboration and the Power of Collective Action
A recurring theme in Allan’s discussion is the importance of community collaboration. He explains that the success of SBOMs hinges on the collective efforts of the cybersecurity community, industry stakeholders, and government agencies. The SBOM initiative is not just a technical challenge but also a social one, requiring buy-in from various sectors and the alignment of interests to achieve widespread adoption.
Allan praises the collaborative spirit that has emerged around SBOMs, particularly in the open-source community. He notes that many of the tools and standards being developed are the result of open collaboration, with contributions from a diverse range of stakeholders. This inclusivity has been instrumental in driving innovation and ensuring that the solutions developed are practical and scalable.
The SBOM-a-Rama Fall 2024: A Showcase of Innovation and Best Practices
The conversation culminates in a discussion about the upcoming SBOM-a-Rama 2024 event, which Allan describes as a pivotal moment for the SBOM community. The event, set to be a hybrid of in-person and virtual sessions, will bring together experts, practitioners, and policymakers to share insights, showcase innovative solutions, and discuss the future of SBOMs in cybersecurity.
Allan reveals some of the key themes and topics that will be covered at SBOM-a-Rama 2024, including the latest advancements in SBOM tools, case studies from organizations that have successfully implemented SBOMs, and discussions on the policy implications of SBOM adoption. The event will also feature demonstrations of cutting-edge SBOM technologies, offering attendees a glimpse into the future of software transparency.
One of the highlights of SBOM-a-Rama 2024 will be the emphasis on real-world applications of SBOMs. Allan explains that while the concept of SBOMs is now widely accepted, there is still a need for practical examples that demonstrate how SBOMs can be effectively used to improve security. The event will showcase case studies from various industries, illustrating how SBOMs have been integrated into supply chain security practices and the tangible benefits that have resulted.
Looking Ahead: The Future of SBOMs in Cybersecurity
As the conversation wraps up, Allan shares his thoughts on the future of SBOMs. He is optimistic about the trajectory of SBOM adoption, predicting that as tools and standards continue to mature, SBOMs will become an integral part of the cybersecurity landscape. He envisions a future where SBOMs are not just a regulatory requirement but a standard practice adopted across industries to enhance software security.
Allan also touches on the broader implications of SBOMs for national security. He points out that as cyber threats become more sophisticated, the ability to understand and secure the software supply chain will be essential to protecting critical infrastructure and national interests. SBOMs, with their focus on transparency and accountability, are a key tool in this effort.
In conclusion, Dr. Allan Friedman’s insights underscore the importance of SBOMs in the ongoing battle to secure software supply chains. His preview of the SBOM-a-Rama 2024 event highlights the progress made so far and the exciting developments on the horizon. For anyone interested in the future of cybersecurity, SBOMs represent a vital area of focus, and SBOM-a-Rama 2024 promises to be a significant event in advancing this crucial initiative.