Nisha Kumar, Senior Open Source Engineer at VMware, and Allan Friedman, the Director of Cybersecurity Initiatives at NTIA, recently spoke at DevOps Connect at RSAC 2021 about what clouds are made of and how SBoM (Software Bill of Materials) relates to cloud native and modern application development.
It’s well understood across a variety of disciplines that whatever you are building, the end result is only as strong as the weakest ingredient. This is true in software and digital infrastructure as well. All complex modern digital infrastructures contain at least one link that is not as strong or resilient as you expect. To address your weak link, you need to first identify all the “links” – you need to know what you have in your software supply chain. This requires transparency. But while transparency in the software supply chain is important, it is not the end-all, be-all. Transparency should be treated as the starting point to better securing and maintaining modern digital infrastructure – not the destination.
Transparency made possible by an SBoM is not about dictating what is right and wrong; it is about providing accurate information so you can make smart, risk-based decisions. And you cannot make smart, risk-based decisions unless you know what source code you have.
Transparency rooted in an SBoM enables you to understand what is coming into your software supply chain. This allows your team to identify and understand the dependencies that lie within your infrastructure.
There are still a number of projects that don’t have an SBoM. The components that go into modern software are complex: software often has long dependency chains, and developers are unaware of what their software includes. In the cloud native ecosystem, the depth of the dependency chain for infrastructure and applications grows exponentially, making it important to include SBoMs at every step of development.
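To make the dependency-chain point concrete, here is an added example (not code from the talk, VMware or NTIA) that walks the dependency graph of a small, constructed CycloneDX-style SBOM: it measures how deep the chain goes from the root component and flags two gaps a practitioner looks for, components present in the SBOM that nothing declares pulling in, and dependencies referenced but never described. All package names and versions are made up.

```python
from collections import deque

# Constructed sample, shaped like CycloneDX JSON and trimmed to the fields used.
# Package names and versions are made up for the example.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:oci/my-service@1.0"}},
    "components": [
        {"bom-ref": "pkg:golang/web-framework@2.1", "name": "web-framework"},
        {"bom-ref": "pkg:golang/http-router@1.4", "name": "http-router"},
        {"bom-ref": "pkg:golang/yaml-parser@0.9", "name": "yaml-parser"},
        {"bom-ref": "pkg:golang/log-lib@3.0", "name": "log-lib"},
        {"bom-ref": "pkg:golang/crypto-lib@1.2", "name": "crypto-lib"},  # nothing declares pulling this in
    ],
    "dependencies": [
        {"ref": "pkg:oci/my-service@1.0",
         "dependsOn": ["pkg:golang/web-framework@2.1", "pkg:golang/log-lib@3.0"]},
        {"ref": "pkg:golang/web-framework@2.1", "dependsOn": ["pkg:golang/http-router@1.4"]},
        {"ref": "pkg:golang/http-router@1.4",
         "dependsOn": ["pkg:golang/yaml-parser@0.9", "pkg:golang/tls-helper@0.3"]},  # tls-helper is not a listed component
    ],
}

def dependency_graph(sbom):
    # bom-ref -> the refs it declares as direct dependencies
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}

def transitive_closure(sbom):
    # Breadth-first walk from the root component; returns {ref: depth} for
    # everything reachable. Each ref is recorded once, so cycles terminate.
    graph = dependency_graph(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth

def unreferenced_components(sbom):
    # Listed in the SBOM but not reachable from the root: nothing explains why it is there.
    reached = transitive_closure(sbom)
    return sorted(c["bom-ref"] for c in sbom["components"] if c["bom-ref"] not in reached)

def missing_components(sbom):
    # Referenced as a dependency but never described as a component: the SBOM is incomplete.
    listed = {c["bom-ref"] for c in sbom["components"]} | {sbom["metadata"]["component"]["bom-ref"]}
    return sorted(ref for ref in transitive_closure(sbom) if ref not in listed)
```

On the sample, the chain from the service to yaml-parser and tls-helper is three levels deep, crypto-lib is reported as unreferenced, and tls-helper as missing.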
In the video below, Nisha and Allan discuss why you should be able to track the libraries and dependencies you use and offer an overview of the emerging expectations in software.
Their conversation includes the following key takeaways:
- What is an SBoM?
- SBoM is coming to a corner of the software world near you, potentially in a government or customer requirement.
- SBoM is particularly relevant for cloud native software, and tools exist today to help you get started.
Watch the full discussion below: