DHS units partner to improve SBOM transparency

Everyone knows that software bills of materials (SBOMs) are crucial to cybersecurity. But deciphering these documents is a challenge for many agencies.

Everyone knows that software bills of materials (SBOMs) are crucial to cybersecurity. But deciphering these documents has been a challenge for many agencies. The Silicon Valley Innovation Program aims to help. It is part of the Homeland Security Science and Technology Directorate. It has a program to promote development of what it calls “supply chain visibility tools.” For details, the Federal Drive with Tom Temin with the managing director of the Silicon Valley Innovation Program, Melissa Oh and with it technical director, Anil John.

Interview Transcript: 

Tom Temin Tell us what’s going on here. Maybe a little bit of background on the Silicon Valley Innovation program, and then we’ll get into what you’re doing to help agencies with this SBOM conundrum. I guess you have to read SBOMs, and nobody knows how to do it.

Melissa Oh That’s right. Well, thanks, Tom. Really glad to be here. And the Silicon Valley Innovation Program within the Department of Homeland Security’s Science and Technology Directorate is focused on working with the startup community and identifying problems that they can help us solve by baking in some of the pain points that DHS has into the commercial products that they’re developing. And so by leveraging the other transaction authority, we’re able to more quickly reach the startup community and get them under contract quite quickly and get them working on some of our hard problems within DHS.

Tom Temin Yeah. Anil tell us about SBOMs because it sounds like a great idea. Read the ingredients and you know what’s in your software. But in fact, these are complex documents. There could be thousands of components in a given software program. And there are competing, I guess, standard languages for expressing SBOMS. Fair to say?

Anil John Very fair to say. I’ll start with the last piece first. There is a very famous cartoon that is out there that is prevalent in the standards community, where there are competing standards. And then somebody else comes in and says, hey, we need to have one standard that sort of unifies all of them. And now we have three competing standards. So I want to start out by saying that what we want to do here is not that. We do not want to create a new standard. There are two very mature standards in the SBOM space called CycloneDX and SPDX, that targets different communities, but are both considered SBOM standards. And as you noted, Tom, as SBOMs are very similar to the nutrition labels on food, it provides an indicator of what goes into software and identifies potentially things that are vulnerable that need to be updated. And we want to sort of ensure the interoperability and the broad acceptability of that through our work here.

Tom Temin Yes, they’re like food labels, except it would be a food that has 10,000 ingredients, in some cases.

Anil John More, in some cases, open source components, closed source components and a variety of other things pulled from a variety of places. So that is exactly why we need visibility into the, for lack of a better word, the supply chain of software before it is deployed within a government network.

Tom Temin Sure. Those ingredients there’s more in software than there is in, say, Doritos. So it’s a really a long list. And Ms. Oh, these companies, what will they be doing? What are you seeking from these companies in this effort to organize the reading of SBOMS.

Melissa Oh As Anil set up, the need for the ability to translate between these two standards is important in order to ensure the broader adoption of SBOMS across enterprises and other organizations. And so our cohort of startups developed actually in SBOM translation tool called Protobom, which has now been launched and is now openly available through the open source community at OpenSSL, through the Linux Foundation. So we’re really excited. They announced that at just last week at Open Source Summit, and it’s available for everyone to start to adopt.

Tom Temin We are speaking with Melissa Oh. She is managing director of the Silicon Valley Innovation Program, and also Anil John, technical director of that program at the Homeland Security Science and Technology Directorate. And is the overall goal then to maybe abstract for a given agency practitioner, the SBOM, which is this big document and such that they can apply some of these new products that you’re having developed to an SBOM and figure out what the SBOM is telling them, because maybe there’s only 10% of it that might be of concern in a given package.

Anil John I think that it’s spot on. It’s more on the lines of agencies or organizations or even tool builders should not need to worry about the format and the standards that are being used for SBOM. But if by using the Protobom that Melissa mentioned, they have the ability to sort of automatically translate that and sort of ingested without having to worry about all of that. And to your point there, the projects that we are funding, the Protobom piece is an artifact that is going to be baked into all of the capabilities that we are funding. For example, like visualizing SBOMs. The ability to sort of visualize software right within the software development environment, like within security information and event management (SIEM) products and show connectivity to like vulnerabilities and things like that. That’s the high-level piece that is really important because SBOMs by themselves just show you what is in there, but it doesn’t directly tell you if something is vulnerable or not. So the products that we’re building and having our companies build are actually doing that connectivity and protobom abstracts and sort of makes the translation war go away or the format war go away.

Tom Temin And it sounds like it does this in a situation that is context sensitive. That is, if you’re in your SIEM program, you need one view. And if you’re maybe, I don’t know, in acceptance or runtime type of situation, then you need another view.

Anil John That is absolutely correct. We fully realize that obviously different entities within an enterprise need to look at this, whether it is a developer that is building software, having it directly visible within their software integrated development environment (IDE) , whether it is a system administrator having it visible across the enterprise, and somebody who’s sort of looking in our software in general and what are the assets that they have, having the ability to visualize that as well. So all of those capabilities are something that are being built out by the cohort of companies that we are funding. And underneath the covers, all of them are also baking in the protobom translation software into their products, such that basically, they don’t have to worry about the format that the SBOM comes in.

Tom Temin Right. And by the way, Protobom only has one B in it, correct?

Anil John That is correct.

Tom Temin Make sure we get that spelling right. And Melissa, tell us about the programmatic aspects of this. You have multiple vendors involved in the protobom effort. How do they get along and what’s the intellectual property sharing piece of all of this from the project standpoint?

Melissa Oh So as far as the companies are concerned, they’re working collaboratively together as a cohort. Their IP is their IP. They are contributing to the open source. They’re developing their own products and tools and solutions independently. But because they’re pulling in protobom, they work collaboratively together. And so they’re doing great. They just finished phase one. They’re all entering phase two. And by the end of phase four, they’ll have solutions that are completely commercialized and available for acquisition by government organizations or commercial enterprises. Many of them are actually commercializing their existing product suites now, and by the end of phase four, they’ll have fully functioning commercial capabilities.

Tom Temin And it sounds like the Cybersecurity and Infrastructure Security Agency,  one of your partner components at DHS, could be a channel for getting this in front of individual agencies, since they do that with so many other types of cyber concerns.

Melissa Oh Absolutely. CISA is our partner in this project, and they’ve been advocating for the work that we’re doing with the companies as well. And so we are working very closely with Allan Friedman, who I’m sure has been on the pod before. He’s definitely a great advocate for what we’re doing here.

Tom Temin And what is delivered is a usable product to application that is already compiled and has an interface. And people can say, shove there SBOMS in and get some wisdom out of them. Anil?

Anil John I think the model of SVIP is absolutely that. At the end of the phase 4 there should be a product skew that is available in the market that agencies can buy and the product community can buy. In this particular case, obviously there are two tiers to that. So there is the products themselves that the companies will have that basically maybe addons to software IDs may be addons to same product, maybe addons to visualization software that people can actually acquire and buy. And obviously the piece that is fully documented, open source, available under a license that both open source as well as closed source companies can leverage, is the Protobom, which is now been accepted into the OpenSSL, which is a pretty big deal because then you got in a global eyes on it, maintainers that are going to be supporting it, contributing and the like that is going to have a life of its own and maintained going forward as well.

Tom Temin In other words, the Protobom is kind of like the engine about which people can build all different types of vehicles.

Anil John I think it’s too much to say that it is an engine. I think it is definitely a critical part of an engine that basically provides the entire capability more than anything else. And the critical part of providing is basically not having to worry about the different formats of SBOMs that are out there.

Tom Temin Right. So the final question to you, Ms. Oh, is the demand signal from agencies, both in DHS and maybe around the government, great we’re getting SBOMs, but it’s like somebody dumping a load of hay on us. And it’s really hard to rationalize what it is that’s in front of us. This big pile.

Melissa Oh That’s right. I do think that by having these capabilities, the executive order that was put out will make it much more simple to be able to achieve some of the requirements that are out there in terms of cybersecurity and software supply chain visibility.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Getty Images/iStockphoto/Andrii Panchykcybersecurity

    Amid rising threats to critical infrastructure, CISA developing ‘physical security’ goals

    Read more