A fed and a hacker walk onto the stage, and since it's a little too early for beer, I guess we'll just have to talk about supply chain.

I think so. So the message today is four fun words, four fun letters that are fun to say: SBOM is coming, and we're going to need your help to make it a reality. And so one of the core questions is, hey, first of all, what is this thing that you keep saying? SBOM is a software bill of materials. Should we get a little more detail about that? Is that enough? Are we done?

I think we're done on this part.

Yeah. So, software bill of materials. What is an SBOM? We have a definition up here. This is like an official definition, but what actually is an SBOM, in words?

Well, yes, so we can give you this, the official US government definition that some of us had a hand in writing. But if we want to get a little more detail, it's actually not that complicated: it's the dependency graph of your software. So the Acme application in turn depends on Bingo Buffer, Bob's Browser, which in turn depends on Carol's Compression Engine. For each of these we don't need that much information. It's going to be very helpful to have more, and we're going to talk a little bit about some of the great tools that we have to do this, but we need just some of the basics so that you can track what's going on in your project.

So how do we SBOM, then?

Well, the good news is that we have some projects today, we have some standards that can convey this data. Now, it would be lovely; when we set out,
we said, hey, we don't want to invent anything new, let's use what's already out there. So the good news is that there was at least one approach to do this today. Bad news: there's more than one. But that's okay, because they're both amazing projects. Many of you have been involved in SPDX, which comes out of the Linux Foundation. It actually goes back over a decade; people have been working on it to capture license information. And the great news is that it was recently announced that it's an ISO standard, and some of you who work in large global companies know how important it is for something to be an international standard. CycloneDX is newer; it comes out of the OWASP world. It's sort of dev focused and security focused. Both of them are great.

So should we lock them in a room, let them fight, and let whatever emerges emerge?

Now, what we want to do is sort of help them harmonize and make sure that we can translate between them. And the value here, the core basics, what you need to make this a reality, actually is something that can happen in either of them. And you know what computers are really good at?

I have no idea. I really don't.

Computers are really good at taking structured data and moving it around, and that's really what our vision here is. Let's take the data, let's make it structured, and let's move it around.

So we're not here just to tell you all about this new technology. This is not a technical talk, because I'm a really bad engineer. We're here to convince you that this is coming. Why are we arguing that this is coming?
So if you take a look at what an SBOM is: we have a large number of attacks that have gone on where the supply chain has been attacked. We have issues where we don't often know what's inside of our infrastructure, and we're running this really important infrastructure throughout the world. And so we want to be able to get an understanding of that, and once we get that understanding, we can actually start to do something in order to improve the overall security posture of the systems that we come to rely on: for our physical supply chains, for power, and similar things.

So is there anyone here who thinks that supply chain is not an issue? Should we sort of revisit some of the great points that Luke talked about, about how supply chain is now a concern? One of the points that Luke made that I really liked is that this isn't just any one project's concern. This isn't any one company's concern. This isn't any one country's concern. There are national security issues, but really this is a global issue that we need to be tracking.

So what is a supply chain? Well, in a nutshell, if you take a look at our graph, this is the beginning of a supply chain.
It's a dependency graph, sort of a dependency graph. And if we can use an example from the physical world: if you look at vehicles, very often you may have recalls for an airbag or some of the components. They know where that airbag came from, where it went, which cars it went into, often down to the VIN number. And so this is a very important example of a supply chain. Now, if you look on the far end, there is this trusted and untrusted slider that's on there. So the most trusted items tend to come from the vendor itself or some entity that has established trust with you. You have your third-party things you bring in that you have to validate. At the far other end of the spectrum you have counterfeit or stolen items, for which you're not able to establish that provenance, and you have no idea if it's going to break on you or if it's going to report back information on you.

We can also tie this into software. So, the same concept: we have various components, we have software that ends up in those components, that even ends up leading into a product. And again, we have this trust slider that's on there, of things that, oh, we wrote ourselves so we know what it does, all the way down to the far other end of the spectrum, which is poison. And please don't think of this as a linear slider; the actual trust graph itself is way more complex than this. There's a lot of input that goes into deciding whether you should trust something or not. But we have this concept at the very end that we draw a line somewhere to say: these are things that we trust and bring into our infrastructure.
These are things that we don't quite trust, but with some additional controls maybe we can, down to: we don't want to touch this thing with a hundred-foot pole. And by the way, one of the challenges, and what makes security particularly fun and exciting, is that things we used to trust, we wake up and say, you know, maybe we can't trust this anymore. And that's the model here: having transparency allows you to react when that becomes the case.

So the other reason we want you to pay attention to it is because people are going to start asking you for SBOMs, and they're going to start asking you sooner. So we say people; what do we mean?

Well, first and perhaps most important, for those who work for companies, is customers. Today there are a couple of major hospitals that are already saying, if you're going to sell me a medical device, the blinking box that's keeping humans alive, I need to know what's in it before I put it on my network. This is something that we're starting to see now. They may not prevent you from buying it if it contains out-of-date software or vulnerable software, but it's going to delay.

One of the largest banks in America, part of their security team, has been asking for SBOMs for years. Now, this was even before we started to standardize the tech. They didn't care how you gave them that SBOM; you could fax it to them. But if you couldn't produce an SBOM, that told the security team a great deal about the quality of your product, and they knew from experience that the total cost of ownership of your product was going to be much higher than what they would expect. And so they were going to take five to ten percent off the asking price of your product before you could even sell to them. So this is not just about security.
It's about dollars and cents. And of course, this is important for the things in life that really are critical to our infrastructure, like critical infrastructure. The Edison Electric Institute, which is a trade association of the largest utilities in America, has said already: before you buy something, you should ask for a bill of materials. So this is coming.

The other thing is governments. Get a government! Hi, I'm from the US government, I'm here to help. The White House has publicly said that everything the US government buys is going to have to have a software bill of materials. I'll give you guys a hint: the US government buys an awful lot of things. So this is going to be slowly evolving and becoming bigger. We've defined under this executive order the minimum model of this. As we move forward, this is going to be even more ambitious, because we're going to see that some of the basics that we know how to do are great, and some of the advanced side of supply chain management and SBOM that you are all working on today we'll talk about.

So a quick question. Is it only software that the government buys, or is this actually going to extend out to others as well?

Well, that's the joy of marketing, right? This is the policy tool that the community has had, to say, hey, this is going to be something that's important. And so most companies aren't going to have two versions of a product; most open-source projects aren't going to say, let's have two versions, one which we care about supply chain and the other one which we don't, which one would you like?
So, also in the line of governments, the FDA, which regulates medical devices, has publicly said, yeah, you're going to need to have this level of transparency in your supply chain so that we can share this. But again, looking forward, it's one thing to talk about the blinking box that's keeping a human alive, but almost all of those new devices that are being sold today are controlled not locally but in the cloud, and some of you are working on those very applications that are going to be part of that in the future.

So what can the people in the room do? What can the nice people do?

Well, we could all hide and pretend it doesn't exist, but I don't recommend that. So things that we can do: we start with building SBOMs. It sounds simpler than it actually is, because you're talking about build systems. You heard in the previous keynote with Steven about how complex that entire process is. But if you have something that's difficult and you do it often, you get better at it. So right now we're terrible at producing SBOMs, and so we start producing them; then we can start to consume them internally.

So this actually goes back to, I think I can give a good example and tie it back to a previous experience. So around eight or nine years ago we were going around and talking about Docker, this brand new thing nobody had ever heard of, and we were trying to convince people to make use of it. And what we worked out was people were not going to put it into production; they just weren't going to do it. And we focused on, well, we know we're not going to put it in production, but how about you put it in your build systems, and the build system runs it over and over and over again over time?
They were able to start depending on the outputs of that in the other parts of their system, and once they started consuming that, then it just really took off. So start building your SBOMs internally and start using them for that purpose. And then that becomes the input to your other processes: your zero trust process; it becomes the input towards your reliability; you're able to start to run analytics on the things that you add into it to try to work out reliability. And over time that also gives you the ability to tie in to further things as well. Like, eventually there'll be CVE databases that you can then cross-link to your system, so you can work out, a new CVE comes out, have you been affected, even if it was statically compiled into your image and your scanners can't pick it up, because we know what's inside of it.

The goal isn't to create the data for its own sake. We all have enough data. The goal is to have this data and start to map it to things that we care about. What's the vulnerability information? What's the license information? What's the risk?
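The cross-linking the speakers describe, an SBOM's component list matched against a vulnerability feed so that a newly published CVE can be traced back through the dependency graph to the product that ships it, as an added example that is not code from the talk or from any of the projects it names. The SBOM below is a constructed CycloneDX-style document for the talk's Acme / Bingo Buffer / Carol's Compression example, the feed entry is constructed with a placeholder id, the version comparison is a simplified dotted-integer compare, and the graph is assumed to be acyclic.

```python
import json
# Constructed CycloneDX-style SBOM for the talk's example graph (hypothetical packages, not a real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "acme-app",           "version": "2.0.0", "purl": "pkg:generic/acme-app@2.0.0"},
    {"name": "bingo-buffer",       "version": "1.3.2", "purl": "pkg:npm/bingo-buffer@1.3.2"},
    {"name": "carols-compression", "version": "0.9.1", "purl": "pkg:generic/carols-compression@0.9.1"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme-app@2.0.0", "dependsOn": ["pkg:npm/bingo-buffer@1.3.2"]},
    {"ref": "pkg:npm/bingo-buffer@1.3.2", "dependsOn": ["pkg:generic/carols-compression@0.9.1"]}
  ]
}"""
# Constructed vulnerability feed entry; the id is a placeholder, not a real CVE.
VULN_FEED = [
    {"id": "CVE-XXXX-PLACEHOLDER", "name": "carols-compression", "introduced": "0.9.0", "fixed": "0.9.3"},
]

def _ver(v):
    # Simplified version key: dotted integers only (real tooling needs full semver / PEP 440 handling).
    return tuple(int(x) for x in v.split("."))

def _parse_sbom(text):
    # Return {purl: component} plus a reverse map {child purl: [parent purls]} built from "dependencies".
    doc = json.loads(text)
    components = {c["purl"]: c for c in doc["components"]}
    parents = {}
    for dep in doc.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, []).append(dep["ref"])
    return components, parents

def _path_to_root(purl, parents):
    # Follow the first parent at each level up to a component nothing depends on (assumes an acyclic graph).
    path = [purl]
    while parents.get(path[-1]):
        path.append(parents[path[-1]][0])
    return path[::-1]

def affected_components(sbom_text, feed):
    # Cross-link every component against the feed; each hit carries its path from the top-level product.
    components, parents = _parse_sbom(sbom_text)
    hits = []
    for purl, comp in components.items():
        for vuln in feed:
            if comp["name"] == vuln["name"] and _ver(vuln["introduced"]) <= _ver(comp["version"]) < _ver(vuln["fixed"]):
                hits.append({"vuln": vuln["id"], "purl": purl,
                             "path": [components[p]["name"] for p in _path_to_root(purl, parents)]})
    return hits
```

Because the match runs over the SBOM's declared contents rather than over files on disk, a library that was statically linked into a binary is still found as long as the SBOM lists it.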
How can we make sure that we're using upstream projects that have a great maintenance team rather than, you know, hey, maybe there's only one person, and that person has decided to play the ukulele instead of maintaining their project?

Yeah, and also something that's important about SBOMs is that SBOMs are static elements. They're not designed to be dynamic things, and so when we start to ingest them into our systems, the SBOMs will tell us what's inside of the package, but it's only a part of the story. As we're tying into other systems, we have projects like sigstore, which we can use to work out where the SBOM itself comes from, because it doesn't do any good to say, yeah, the SBOM says this; but you can actually check the provenance of the SBOM itself. We have systems like in-toto, where in-toto allows us to verify something about the process of the system. Systems like SPIFFE, which allow us to then tie that to, you know, when the build system actually built this particular system, at a point in time.
Several other tools as well are coming out about the overall process. So you're seeing these come out of the OpenSSF; you have projects like SLSA. There's a lot of energy, a lot of focus that's being put on here. And so if this is an area that you're interested in, definitely get involved.

And as we said, this is part of a delightful ecosystem. One of my lovely things about talking to this community is you guys inherently get the idea of an ecosystem, right? There isn't going to be one thing that's going to help manage it. If you want to learn more about some of those projects that Frederick mentioned, I think the videos from Monday's supply chain workshop are going to be posted. You'll find out all of these great tools that are available, and they need your help. So SBOM is not a unique thing. It is part of a complete breakfast, and everyone has their own favorite breakfast, right? This is one of my favorite breakfasts. This is a picture from a guest house in the Caucasus mountains in the middle of Georgia. But what you need to manage your risk, and how to think about your supply chain, is going to vary. But we want to make sure that you can sort of add it to the table that you want.

So, tying up here, what we want to do is let you know how to get involved. By the way, this is a fun example of what happens when you don't get your slides to the organizers in an appropriate time, because we've been having some fun on what slide is coming next. So there are some great resources out there that Frederick has started to collect on his website. Can you rattle off the URL?

Yeah, well, so there's a website. It's really simple.
It's zt, like zeta theta, or like, I should say, like zero trust. So zt.dev, and there is a link in there that points to a list of various projects. The actual list itself is on GitHub as well. So if you do a pull request, if your project is not listed in there, and there are many gaps, feel free to add it on there and we'll make sure that it gets out to you all.

And if you'd like to get involved in the international process, please reach out to me directly. In December we're going to be having the SBOM-a-rama. I have official permission from my leadership to call it that; I'm very excited. And this is something that really is going to cover the domain of all software. That means a lot of private companies involved, but we absolutely need folks from the open source community and the cloud native community to be involved and helping make sure that what we're doing meets the needs of this community. So please, hashtag SBOM on Twitter to join the conversation. There are a lot of great projects out there, and if this is interesting to you, I'm more than happy to talk over the next few weeks.

Yeah, and come find me for the QR code. If you're having trouble finding it, I will produce the QR code for you and then you can scan it.

Okay, thanks so much for your time.