On this week’s episode of Security Nation, we are joined by Josh Corman and Audra Hatch of I Am The Cavalry, an organization dedicated to improving public safety through computer security. As a champion of software transparency, Josh and Audra share their experiences with the Rapid7 team, including how to stay ahead of cybercriminals, and how software bills of materials (SBoMs) can work for everybody.

SBoMs and public safety

When a single Java D serialization flaw can take an entire hospital out of commission, it’s obvious that computer security intersects with public safety in urgent and tangible ways. With the Hollywood Presbyterian Hospital shutdown occurring the week before I Am The Cavalry first met, the incident underscored the urgency of the organization’s mission.

The idea for I Am The Cavalry germinated nearly seven years ago at DEF CON and BSides Las Vegas. Josh describes realizing “The cavalry isn’t coming”—the government remained insufficiently responsive to public safety issues stemming from tech dependency, so it would be up to tech leaders themselves to form crisis management security solutions. Today, the organization runs more than 800 strong and includes everyone from hackers to public policymakers, serving enterprise clients in the automotive and medical technologies industries, and forming high-trust partnerships with governmental bodies such as the DHS, NTIA, and the FDA. Developing a software bill of materials (SBoM) is a central focus.

SBoMs may be new, but they borrow from supply chain concepts dating back to the 1940s. Like ingredient lists that tell us what’s in our food (and alert those with allergies about what to skip), SBoMs tell us what’s in our software, and everything that runs on that software, from pacemakers to dishwashers. This makes it easier to avoid known vulnerabilities and address emerging threats as they arise.

The concept is simple: Transparency in manufacturing leads to safer and more efficient outcomes. When something as basic as material-naming conventions differ between cell phone manufacturers and IoT camera manufacturers, the application proves trickier. How can we make creating SBoM as minimally intrusive as possible? Government partners should strive for industry inclusion, and aim to create functional, realistic policy that benefits everyone.

Currently, I Am The Cavalry is developing FDA enforcement, a safe and orderly recall procedure, and pre-market guidance for medical devices. Discussions with the Commerce Department center on generating a list of voluntary best practices for software companies. Eventually, the team hopes SBoM will become an automatic byproduct to software development—ubiquitous as a receipt.

Combatting cyber adversaries

What happened at Hollywood Presbyterian Hospital was an accident. An intentional attack—from malicious actors ranging from the cybercaliphate to your garden variety black hat hacker—could prove even more disastrous.

That’s where active Congressional outreach comes in. Motivating representatives to act is critical, yet Congress tends to respond only after a crisis arrives—once WannaCry ransomware has already taken out UK hospitals, or an Apache Struts vulnerability already hit domestic banks, or Heartbleed has already attacked. In the last instance, the IRS site struggled with the nightmare scenario of determining its risk just before Tax Day.

Fortunately, policymakers are beginning to take precautionary measures to minimize damages from the next unthinkable intrusion. When that does occur, identifying patterns—e.g., attacks targeting bespoke code—can help formulate an actionable and timely response. Likewise, greater transparency about what won’t necessarily work helps us avoid a false sense of security. For instance, cleaning up your code base may yield little added protection if Cisco routers remain vulnerable.

Which is to say, outreach also means education. Josh points out that people commonly responded to the SamSam warning by asking, “What’s a J boss?” They simply didn’t know how to determine whether they were at risk. SBoMs alone won’t solve everything, but they do offer a clear understanding of what’s in your software, making it easier to detect threats quickly.

Understanding opponents to mainstream adoption

In addition to the challenges posed by SBoMs—fighting unnecessary code bloat, coordinating identification and naming conventions across industries—it should be noted that embrace of SBoM isn’t universal. But its most vocal critics are often those who would stand to gain from its implementation.

As clients ping manufacturers to alert them to flaws, many companies naturally evolve systems around an ad hoc approach to cataloging solutions, integrating piecemeal updates as needed. Creating a from-scratch inventory of materials can mean confronting confusion and bloat that demands reevaluation on a systemic level. No one wants to see the time and resources sunk into triage go to waste—even if, from an efficiency standpoint, the initial energy investment in drafting SBoMs pays off in the long run.

While not everyone supports SBoM adoption, given SBoM’s obvious benefits, and the increased demand for market transparency from consumers and regulatory bodies alike, Josh and Audra are confident adoption is inevitable. But first it’s about developing a viable foundation—using SWID, SPDX, and sometimes cyclone DX—that’s extendable across business sectors and adaptable to international standards.

Listen to the full podcast

We’d like to thank Josh and Audra for joining us to discuss SBoMs and boosting technical literacy. Check out the full podcast and subscribe so you don’t miss future episodes of our series.