Matt Fussa, Cisco’s Trust Strategy Officer, discusses using the upcoming Software Bill of Materials for everyone’s benefit
“We are at a moment in technology, where the ability to deliver transparency is going to move from what I describe as a light microscope to an electron microscope,” said Cisco’s Trust Strategy Officer, Matt Fussa, at Cybertech Europe earlier today.
Fussa discussed one of the key problems that afflict cybersecurity – software. “Think of all the breaches that we know of caused by vulnerabilities in the software – whether from a poor selection of a vendor, poor process, poor management of the software, poor maintenance…those are the choices that are creating risk for all of us.”
And so, the question is how to move “past the sense of insecurity, to building more trust through transparency.” Fussa finds the solution in the upcoming Software Bill of Materials (SBOM) – a formal record containing the details and supply chain relationships of the various components used in building the software. This initiative was announced by US President Joe Biden in his Executive Order on Improving the Nation’s Cybersecurity, published one year ago.
“It will give us unprecedented transparency into the way vendors make selections about sourcing, building software and managing software – and deliver it to customers in a machine-readable format so that in the future, when you download software, you can see the full ingredients list,” explained Fussa.
While a list of materials “does nothing on its own to make software more secure,” said Fussa, it is up to how “we use this information together, how we create rules for formats, for delivery, for use of information. New tools, processes, regulations that are going to make the difference in how the Bill of Materials is going to transform the industry and build trust.”
Key elements of the SBOM are the essential data fields that show the sourcing decisions made by the vendor, as well as which open-source software is used. Fussa noted the major Log4j challenge of actually finding the vulnerable software in the system, mentioning that “in our better future, where we will have a Software Bill of Materials, it will be as simple as running commands, and it will change the way we manage risk in software.
“Today, the greatest challenge in most IT departments is patching, keeping up with maintenance on the software. We need better tools and processes to give customers a complete risk picture of the software but at the same time show that we are reducing the risk for them.
“I predict that instead of tools that give us lists of software, in our future we will have tools that give us a risk analysis.”
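As an added illustration of the “as simple as running commands” point above (example code written for this article, not Cisco’s or the speaker’s), the script below checks a machine-readable SBOM for components that fall inside a known-affected version range. The SBOM is a constructed CycloneDX-style JSON document, and the advisory entry, its placeholder id and its version range are constructed sample data, not a real advisory.

```python
import json

# Constructed CycloneDX-style SBOM: three components, one of them an older log4j-core.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "com.example", "name": "widget",
     "version": "1.0.0", "purl": "pkg:maven/com.example/widget@1.0.0"}
  ]
}
"""

# Constructed advisory list (placeholder id, illustrative version range; not a real advisory).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
]


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); pre-release suffixes such as '-beta9' are dropped (simplification)."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed, compared numerically per dotted field."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_vulnerable(sbom_json, advisories):
    """Return (purl, advisory id) pairs for every SBOM component inside an advisory's affected range."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            same_pkg = (comp.get("group"), comp.get("name")) == (adv["group"], adv["name"])
            if same_pkg and affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp.get("purl", comp["name"]), adv["id"]))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{purl} is within the affected range of {adv_id}")
```

Only the 2.14.1 copy of log4j-core is reported; the patched 2.17.1 copy and the unrelated component are not, which is the per-component risk picture rather than a bare inventory that the talk points towards.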