
Tool to Tool Software Bill of Materials effort and first get together


Thank you for your interest in helping explore the idea and details of a tool-level exchange standard for Software Bills of Materials (SBOMs), facilitating better interactions between the development tools, orchestration/build tools, repository management tools, and various types of test and assessment tools.

This effort is meant to be complementary to the work that the Department of Commerce's NTIA is doing with industry on Software Transparency under Allan Friedman and others. I am engaged with the NTIA effort, as are many of you. In fact, the bulk of the work preceding this Nashville meeting is coming from work done in support of the NTIA effort in Software Transparency.

In our Nashville meeting (September 24-26) we explored the first phase work from the NTIA's efforts and discussed how tools in the developer environment can support, produce, and utilize the SBOM concepts so that the broad software tooling ecosystem could natively and naturally provide any developer with the SBOM information when they need it. In addition to the first phase efforts of the NTIA, which is wrapping up, we hope that this group can help explore some of the phase 2 concepts of integrity, provenance, and pedigree identified as future work within NTIA's efforts. [The full agenda for Nashville is at the end of this message.]

The native, internal use of a standard SBOM in software development and management is key to getting consistent and broad uptake and appropriate availability and use of this data. This is especially true of the software provenance (i.e., chain of custody) information and the pedigree (i.e., formulation/compilation choices) information, since it is extremely hard to recover or abstract that information accurately and consistently after the fact.

It is our hope that this work will help streamline, strengthen, and improve the integration among these types of tools and provide for the wide availability and adoption of SBOMs in the market.

There are people from many open source projects and commercial offerings involved in the effort coming from the software development tooling side, from the software composition analysis side, and in ongoing software inventory related efforts, including: Nexus, Apache Foundation (Maven, NetBeans, Ant, Groovy), the Continuous Delivery Foundation (Jenkins, JenkinsX, Tekton, Spinnaker), Microsoft, Google, GitHub, the Eclipse Foundation, the Linux Foundation, In-toto, TUF, and Grafeas, as well as several software composition analysis offerors (WhiteSource, SourceClear, CAST Software, Snyk, JFrog, BlackDuck, and SonaType).

The meeting in Nashville, which was held as a Consortium for Information & Software Quality (CISQ) working group (with Bill Curtis, the Founding Executive Director of CISQ, co-leading the meeting), had several of the SCA organizations as well as many development tool related organizations participating.

Involvement will hopefully continue after that meeting, in reviewing the draft and prototyping implementations in the various places of the ecosystem, but we were interested in getting as many technical perspectives in the initial meeting on this challenging area as possible while still allowing us to move quickly and coordinate with the NTIA software transparency efforts.

Exploring what is needed, what can be done, what would be stable and useful to the tooling community and the end user / operational community is the core of what we will be discussing over the 3 days of our meeting.

At the end of the day, our objective is to make useful and powerful standard SBOMs a normal part of creating, integrating, testing, and operating software on all platforms for all kinds of systems and devices. SCA tools and capabilities are going to have a large role in capturing SBOMs for existing software, and so we want to make sure we don't define a standard SBOM that can't be filled out by SCA capabilities when appropriate. At the same time, we want the standardized SBOM to become a key enabler of assured DevSecOps capabilities as well as addressing software supply chain issues within the market.

The short paper elaborating the Usage Scenarios described in the agenda below discusses the roles of the different software ecosystem elements and software composition analysis capabilities regarding SBOMs and is available on the Google Drive – as are the slides from the Nashville meeting.

Looking forward to further work,

Robert (Bob) Martin
Sr. Secure SW & Technology Principal Eng.
Trust & Assurance Cyber Technologies Dept
Cyber Solutions Technical Center
MITRE Corporation

SBOM CISQ WG Agenda - Day 1 (0900-1700):

08:00-09:00  Registration and Breakfast on Your Own
09:00-09:30  Welcome and Introductions Around the Room
09:30-10:00  Background on this Effort and Its Goals
10:00-10:30  Break - Provided
10:30-11:00  NTIA Phase 1 Effort Specifics
11:00-11:30  NTIA Phase 2 Ideas
11:30-12:00  SW Development Ecosystem Members/Roles
12:00-13:00  Lunch - Provided
13:00-13:30  Deployment Environments for SW Ecosystem Members
13:30-14:00  SBOM Deployment Options for these Environments
14:00-14:30  Supporting Environments (utilities, libraries, versions?)
14:30-15:00  Data to Support Refer To, Transfer, or Purchase Usage Scenario
15:00-15:30  Break - Provided
15:30-16:00  Data to Support Pedigree Usage Scenario
16:00-16:30  Data to Support Provenance Usage Scenario
16:30-17:00  Review of Day 1 and Discussion of Day 2 Agenda

SBOM CISQ WG Agenda - Day 2 (0900-2000):

08:00-09:00  Breakfast on Your Own
09:00-09:10  Day 2 Agenda Review and Update
09:10-09:50  SBOM w/ TUF (cryptographic frameworks)
09:50-10:20  SBOM w/ In-toto
10:20-10:30  Break - Provided
10:30-11:00  SBOM w/ SPDX
11:00-11:30  SBOM w/ Grafeas
12:00-13:00  Lunch - Provided
13:00-13:15  Data to Support SBOM Integrity Usage Scenario
13:15-13:30  Data to Support Proper and Legal Usage Scenario
13:30-13:45  Data to Support Known Vulnerabilities Usage Scenario
13:45-14:00  Data to Support Assurance Usage Scenario
14:00-14:15  Data to Support Software as A Service Usage Scenario
14:15-14:45  Data to Support Software Supply Chain Sequence Integrity Usage Scenario
14:45-15:00  Review of Days 1 & 2 and Discussion of Day 3 Agenda
15:00-15:30  Break - Provided
15:30-17:00  Discussions and Poster Board Scenarios Walk Thru
18:00-20:00  Social with heavy hors d'oeuvres

SBOM CISQ WG Agenda - Day 3 (0900-1700):

08:00-09:00  Breakfast on Your Own
09:00-09:10  Day 3 Agenda Review and Update
09:10-10:00  Which capabilities can provide what data - DevTools and SCA
10:00-10:30  Break - Provided
10:30-11:15  Discuss phase 2 ideas on NTIA phase 1 items
11:15-11:25  Discuss ideas for input on new NTIA phase 2 activities
11:25-11:35  Ideas for prototyping
11:35-12:00  Others that should be contacted/connected
12:00-13:00  Lunch - Provided
13:00-13:30  Review of this week
13:30-14:00  Thoughts on next steps
15:00-15:30  Break - Adjourn