Marc Frankel
Podcast Appearances
If you are buying software from a vendor who can't tell you or who won't tell you what's inside that software, you have a duty to your company to examine whether or not that's a vendor that you're comfortable doing business with. And it's not in an effort to like be a jerk to AWS or Microsoft, you know, right?
It's the long tail companies that you work with that you have accumulated over the years that now touch business critical functions. Imagine, you know, the Log4Shell situation of having to call each one of them and say, hey, are you affected? The best time to start requiring SBOMs was 15 years ago. The second best time to start requiring SBOMs is today.
Yeah, you, we're getting to the point, I mean, financial services, this is a very widespread and common practice. The defense industrial base, this is becoming very widespread and common. Medical device manufacturers, auto manufacturing, etc.
You would never in a million years let an 18 wheeler through the front gates of your food production facility without asking who's the driver and what's inside this container. You know, it just wouldn't happen.
Yeah. However, software became kind of a bit of a boiling frog problem. Right. You know, all of a sudden now we start off with this like very slow adoption. Hey, we have software in these places, but the software was generated by IBM or whoever. And, you know, they're responsible for every line of the code.
Now, between 85 to 90 percent of software applications that are delivered, you know, that are sold, are open source or pieced together from open source. And that, you know, if you're not maintaining an inventory of that open source, you have effectively unbounded exposure. Something like 68% of cybersecurity professionals in a recent poll named software supply chain as their biggest blind spot.
This is a massive problem. And the nice thing about SBOM is that, particularly from a TPRM perspective, this is not a particularly hard solution for security professionals to implement, right? You already have vendor due diligence questionnaires. You already have third-party risk management processes in place.
Adding an additional, we have like a whole playbook for how to automate the process of requiring SBOMs. This doesn't have to be a scary thing. Oftentimes where people get tripped up is it's just like, hey, that seems like a really niche, complicated, convoluted field. And like, I just don't even know where to begin.
Yeah, exactly right. Our goal at Manifest basically is to make SBOMs the easiest thing your organization does. Forget about CycloneDX versus SPDX. Forget about version 1.5 versus 1.6. Forget about OpenVEX versus CSAF. Forget about CPE to purl matching.
We want to abstract all of this away so that organizations like your listeners can get to software supply chain security without, again, having to have a PhD in cyber risk management. And the way that we do that is a number of ways. One is we automate the SBOM generation process.