Marc Frankel
And you'd have to say, hey, does this thing that I bought have raisins in it?
And that's exactly, effectively, what happened in the Log4Shell vulnerability. There was a new vulnerability that was disclosed, nobody had lists of ingredients of what's inside the different software applications that we've bought, and so they had to call all of their vendors individually. The answer to "we don't know what's in the software that we are consuming" is a list of ingredients, no different than the list of ingredients on the side of a box of cereal, except because it's a more technical artifact we call it a software bill of materials as opposed to just an ingredients label.
So that's exactly right. The problem is, and this is not unique to software supply chain, this is universal, I would argue, across the cybersecurity industry, is that oftentimes you get very technical, very, very smart people who get very in the weeds with a concept. And before you know it, there's been a proliferation of acronyms and concepts.
And there can be a real hesitancy to jump into a new area of cybersecurity. You don't want to appear dumb. You don't want to, you know, appear like the newbie. You don't want to have basic concepts explained to you. And so if we look at the SBOM industry, we've fallen victim to that exact same thing. And not without reason, right?
There are good reasons why we have terms like CycloneDX, SPDX, CSAF VEX, OpenVEX. As the listeners glaze over... the listeners are all passing over now. Exactly right. And what I feel that we in the cybersecurity community do, where I feel we do a disservice, is that an SBOM is an extraordinarily valuable and powerful artifact, but one of its primary benefits is to non-technical people.
So if you think about it, and I imagine that some of your listeners are probably in third-party risk management or IT security or IT risk or what have you. Definitely. Vendor due diligence, et cetera, they are contorting themselves, bending over backwards to put out 200-page vendor due diligence questionnaires, asking everything under the sun from, do you do background checks on your developers?
Do you have a disaster recovery site 90 miles away? Do you have your SOC 2 Type 2 compliance? Do you have any foreign investors on your cap table? But the one question they probably really want to be asking is, what's inside this thing that we're about to trust our data to? And that's what an SBOM gives you. And the problem is,
if we develop, as an industry, this technical jargon moat of "you're not allowed to be in our club unless you understand these 50 esoteric concepts," well, everybody in that TPRM, vendor due diligence, third-party risk, governance, risk and compliance have AppSec, ProdSec, DevSecOps, et cetera.
Everyone in those ecosystems who hasn't spent the last two years intimately familiarizing themselves with this terminology all of a sudden feels excluded. So what we have invested heavily is in making SBOMs approachable to people who don't have a PhD in cyber risk management, because it can be a very valuable tool, but only very valuable if they feel like they know how to use it.
You can, as a matter of fact. I used to work with somebody who had one. It was daunting.