Marc Frankel
Yeah, I guess I would begin by saying that SBOMs are not scary. Most people who are familiar with SBOMs know that they're not scary. Most people who aren't, more or less, you know, there's a tendency to break out in hives once they see their first piece of JSON and they're like, oh my goodness, what am I supposed to do with this? And rightly so, right? It's an intimidating thing.
So an SBOM stands for software bill of materials. The two-second, non-technical, you know, explain-it-to-a-six-year-old version of this is that software is the only thing that we buy that you don't get to know what's in it. The FDA, for 100 years, has required General Mills to disclose what's inside a box of cereal.
Auto manufacturers have to have that sticker in the window of a new car that they sell telling you that it has heated seats and, you know, a stereo surround system and, you know, automatic whatevers. When you buy a house, you get a home inspection. When you buy a T-shirt, it comes with a tag that says 80% cotton and 20% polyester.
But when you, and by you I mean the federal government or a Fortune 500 company or any enterprise really, purchase a piece of software, it just shows up in their environment with no list of ingredients. And for the first 40 to 50 years of software, it wasn't okay, but it was an acceptable risk.
Over the course of the last 15 to 20 years, with the explosion of open source software, software has gone from a guy in a hoodie typing away furiously at a keyboard, creating something net new from scratch, to something that resembles much more assembly, like Lego bricks, effectively.
And the problem with that is that when you have developers who are grabbing Lego bricks, in this case, software applications from GitHub or from NPM or what have you, you don't have a sense for what is the provenance of these bricks that I'm bringing into my Lego house that I'm building, so to speak. And when you buy software, there has become an urgent need for the U.S. Department of State, the U.S. Air Force, auto manufacturers, defense contractors, et cetera, to begin requiring these lists of ingredients because of the meteoric rise of a threat vector known as software supply chain vulnerabilities or software supply chain
Basically, nation state actors and non-nation state actors, Iran, China, North Korea, et cetera, have woken up to the fact that large companies in the West and large federal agencies in the West consume software without asking what's inside. And so the software supply chain vulnerabilities have been on the rise by some accounts, 1300% over the last three years.
Some of them have made headline news. Some of your listeners may be familiar with like SolarWinds, for instance, or the Log4Shell vulnerability. Log4Shell by itself cost an estimated $10 billion in remediation costs. It was massive. And it all stems from the fact that we don't know what's in the software that we build and buy. We don't have these lists of ingredients.
The equivalent would be if the FDA put out a statement saying that there was an E. coli outbreak in raisins. And the first thing you would do is you would go into your pantry and if you opened your pantry and all you saw were gray cardboard boxes, you know, just blank boxes with no ingredients on the labels, you'd have to call Monsanto and General Mills and Post and everybody.
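The pantry check described above, as a runnable illustration added by the editor; it is not part of Marc Frankel's remarks or any product's tooling. It reads a constructed CycloneDX 1.4 SBOM (sample data, not a real application's bill of materials), walks nested components so a transitively bundled log4j-core is not missed, and flags any log4j-core older than 2.17.1. That cutoff is a simplified triage rule covering the Log4Shell family (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832), not the exact per-CVE affected ranges; the 2.3.x and 2.12.x backport branches have their own fixed releases and need a separate check.

```python
import json
import re

# Constructed sample CycloneDX 1.4 SBOM for illustration only.
# The vulnerable log4j-core is nested under a second-party library,
# which is exactly where it hid in many real Log4Shell hunts.
SAMPLE_SBOM = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "inventory-service", "version": "3.2.0"}},
  "components": [
    {"type": "library", "group": "org.springframework", "name": "spring-core", "version": "5.3.13",
     "purl": "pkg:maven/org.springframework/spring-core@5.3.13?type=jar"},
    {"type": "library", "group": "com.example", "name": "reporting-lib", "version": "1.0.4",
     "purl": "pkg:maven/com.example/reporting-lib@1.0.4",
     "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""

# Simplified triage rule (assumption, see lead-in): package URL without version -> first
# version that no longer carries any Log4Shell-family CVE on the main branch.
WATCHLIST = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.17.1"),
]


def walk_components(components, path=()):
    """Yield (component, dependency path) for every component, descending into
    nested CycloneDX 'components' arrays so transitive dependencies are covered."""
    for comp in components or []:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield comp, here
        yield from walk_components(comp.get("components"), here)


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple. Numeric segments
    compare numerically; a pre-release qualifier sorts before the bare release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?", v or "")
    if not m:
        return ((), (0, ""))
    nums = tuple(int(x) for x in m.group(1).split("."))
    qual = m.group(2)
    return (nums, (0, qual) if qual else (1, ""))


def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def find_affected(sbom_json, watchlist=WATCHLIST):
    """Return every component whose purl is on the watchlist with a version
    below the fixed version, together with the path it was reached through."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp, path in walk_components(sbom.get("components")):
        purl = comp.get("purl", "")
        base, ver = split_purl(purl)
        ver = ver or comp.get("version", "")
        for watched, fixed in watchlist:
            if base == watched and parse_version(ver) < parse_version(fixed):
                hits.append({"purl": purl, "version": ver, "fixed_in": fixed,
                             "path": " -> ".join(path)})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM):
        print(f"{hit['path']}  (have {hit['version']}, fixed in {hit['fixed_in']})")
```

The exact purl match matters: log4j-api at 2.17.1 sits in the same group but is not flagged, and a name-only match would have produced noise. The caveat a practitioner should keep in mind is that the check is only as good as the SBOM: a log4j-core that was shaded into another jar and not declared by the producer will not appear here, which is the same gap as a cereal box whose label omits an ingredient.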