Resilient Cyber

Chris: Before we dive into too many specific topics, one thing I wanted to ask is, you've been working in/around the topic of SBOM and Software Supply Chain for sometime via NTIA, CycloneDX, SCVS etc. How did you have the foresight or what drove you to focus on this topic well before many others in the industry?

Nikki: You mentioned recently about the SBOM Forum and their recommendation of the NVD adopt Package URL. I think the recommendations are great for NVD, because the NVD, CVE ID mechanisms, and CWE's weren't technically built for al ot of the updated vulnerabilities and concerns we see today, especially in the software supply chain. Can you talk a little bit about the challenges around vulnerability management when it comes to software supply chain?

Chris: I wanted to ask you about SaaSBOM which has been a topic of discussion in the CISA SBOM WG that I know you and I participate in. What is a SaaSBOM in your mind and where does it begin and end, given most of the Cloud, including Infrastructure is software-defined. 

 Nikki: I liked your article titled "SBOM should not exist! Long live the SBOM" - what really caught me was the idea that BOM's or Bill of Materials have been around for a while, and in other industries as well. I'm curious because there are a lot of potential implications for using BOM's outside of software. What are you thoughts on how we could potentially use the idea of BOMs in other cybersecurity or software development areas? 

Chris: I want to discuss some critiques of SBOM. VEX Is promising but of course requires information from software producers, and then of course trusting their assertions. 

VEX: Do you see a future where both SBOM and VEX and automated in terms of generation and ingestion to inform organizational vulnerability management and potentially procurement activities? 

Nikki: I would be re-missed if I didn't ask you about the human element in all of this. I fee like the complexity of the software supply chain, on top of infrastructure, operations, cloud deployments, etc, can get somewhat complex. How do you think the increased complexity around software supply chain is affecting the management and operations groups?

Chris: You have long been the lead on the wildly popular Dependency Track project. Can you tell us a bit about its origins, where it stands today and where it is headed?

Chris: There has been a lot of guidance lately on Software Supply Chain, such as NIST EO outputs from Section 4, NIST SSDF, guidance from CSA, CNCF et. al - how does SCVS fit into the mix and do you see organizations using all, or rallying around some of the guidance? 

Chris Follow Up: Some have claimed that these requirements are simply impractical for anyone except large enterprise organizations and software producers. Any thoughts on the practicality of the guidance for smaller organizations who still play a major role in the software ecosystem?