EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges


In this episode of the Future of Application Security, Harshil speaks with Steve Springett. They discuss the broad definition of software supply chain security, the rush to implement SBOMs after the White House's Executive Order, and how organizations can effectively adopt, operationalize, and use SBOMs. They also discuss the biggest drivers for better software supply chain security, why you need to manage more than just vulnerabilities, and how organizations can start chipping away at their software supply chain security problems.

Topics discussed:

  • Steve’s broadly encompassing definition of software supply chain security.
  • How organizations scrambled to adopt and operationalize SBOMs after the White House's Executive Order, and how the OWASP Software Component Verification Standard (SCVS), which Steve started, gives them a measurable baseline for doing so.
  • Why software supply chain security goes beyond just understanding and addressing your vulnerabilities, but should include knowing your inventory, and the pedigree and provenance of your assets.
  • Why SBOMs have suddenly gained in popularity, likely because of supply chain attacks and breach fatigue and the need for better solutions.
  • What to do with an SBOM: how do you share it, how can you request it at scale, how can you analyze it, and what do you do with it once you have it.
  • How to handle the vulnerabilities matched against an SBOM's components that are not actually exploitable in the product, and how to keep that list from degrading the customer experience.
  • How machine learning may play a role in better understanding risk across the software supply chain.
  • Why capitalism and customer demand will be the biggest driver in pushing forward advancements in software supply chain security.
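The inventory, analysis and unexploitable-findings points above come together in a small triage routine. The example below is added here to illustrate them; it is not code from the podcast, from Steve Springett, or from any of his projects. It assumes a CycloneDX JSON SBOM (a format the page does not name) plus a separate CycloneDX-style VEX document whose per-vulnerability `analysis.state` says whether the supplier considers a finding exploitable. The SBOM, advisory list and VEX contents are constructed for the example; the component names and advisory identifiers are made up and the advisory dictionary stands in for a real vulnerability-database lookup.

```python
"""Triage an SBOM: build the component inventory, match advisories against it,
and suppress findings the supplier's VEX marks as not exploitable."""
import json
from collections import defaultdict

# --- Constructed sample inputs (made-up components and advisory IDs) ---------
# Minimal CycloneDX 1.4 JSON SBOM. Only the fields this example reads are set;
# bom-ref is set equal to the purl so VEX references can be matched directly.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "billing-service", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "parser", "version": "2.1.0",
     "purl": "pkg:maven/org.example/parser@2.1.0", "bom-ref": "pkg:maven/org.example/parser@2.1.0"},
    {"type": "library", "name": "netclient", "version": "1.0.3",
     "purl": "pkg:maven/org.example/netclient@1.0.3", "bom-ref": "pkg:maven/org.example/netclient@1.0.3"},
    {"type": "library", "name": "logfmt", "version": "0.9.1",
     "purl": "pkg:npm/logfmt@0.9.1", "bom-ref": "pkg:npm/logfmt@0.9.1"}
  ]
}"""

# Stand-in for a vulnerability-database lookup: advisory id -> affected purls.
ADVISORIES = {
    "EXAMPLE-2023-0001": ["pkg:maven/org.example/parser@2.1.0"],
    "EXAMPLE-2023-0002": ["pkg:maven/org.example/netclient@1.0.3"],
    "EXAMPLE-2023-0003": ["pkg:maven/org.example/parser@1.0.0"],  # version not in SBOM
    "EXAMPLE-2023-0004": ["pkg:npm/logfmt@0.9.1"],                 # no VEX statement
}

# Constructed CycloneDX-style VEX from the supplier. A vulnerability with no
# statement here is treated as still open.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "EXAMPLE-2023-0001",
     "affects": [{"ref": "pkg:maven/org.example/parser@2.1.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-2023-0002",
     "affects": [{"ref": "pkg:maven/org.example/netclient@1.0.3"}],
     "analysis": {"state": "exploitable"}}
  ]
}"""

# CycloneDX analysis states in which the supplier asserts no customer action is needed.
SUPPRESSIBLE_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_inventory(sbom_text):
    """Return {purl: component} for every identifiable component in the SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    inventory = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no identifier means it cannot be matched; report separately
        inventory[purl] = comp
    return inventory


def match_advisories(inventory, advisories):
    """Return {advisory_id: [purl, ...]} for advisories hitting components we actually ship."""
    findings = defaultdict(list)
    for adv_id, purls in advisories.items():
        for purl in purls:
            if purl in inventory:
                findings[adv_id].append(purl)
    return dict(findings)


def apply_vex(findings, vex_text):
    """Split findings into those still needing action and those the VEX suppresses."""
    vex = json.loads(vex_text)
    analysis = {}  # (advisory id, bom-ref) -> analysis state
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        for affected in vuln.get("affects", []):
            analysis[(vuln["id"], affected["ref"])] = state
    actionable, suppressed = {}, {}
    for adv_id, purls in findings.items():
        for purl in purls:
            state = analysis.get((adv_id, purl)) or "in_triage"  # absent statement stays open
            target = suppressed if state in SUPPRESSIBLE_STATES else actionable
            target.setdefault(adv_id, []).append((purl, state))
    return actionable, suppressed


def triage(sbom_text=SBOM_JSON, advisories=ADVISORIES, vex_text=VEX_JSON):
    """Inventory -> matched findings -> VEX-filtered (actionable, suppressed)."""
    inventory = load_inventory(sbom_text)
    findings = match_advisories(inventory, advisories)
    return apply_vex(findings, vex_text)


if __name__ == "__main__":
    actionable, suppressed = triage()
    print("actionable:", actionable)
    print("suppressed:", suppressed)
```

Two design points matter in practice: a finding with no VEX statement is left actionable rather than silently dropped, and the SBOM's own inventory, not the scanner, decides which advisories apply, so an advisory for a version you do not ship never reaches the customer-facing list.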

Guest Quotes: 

“A lot of the talk about security in a development context was really focused on vulnerabilities. Are you using a vulnerable component? And there’s so many more dimensions to that that people just weren’t talking about and that were really important.” (6:37)

“A lot of organizations actually don’t know what third party components they have. Or if they are running tools, the tools in some cases don’t do a very good job. So truly knowing what you have in terms of inventory is a starting point.” (8:01)

“I think SBOM, and software supply chain security in general is just gaining popularity because people have been woken up and are now paying attention about just how wide of a problem this actually is, and most of it is currently unsolved.” (13:33)

“It is quite massive, which is why a lot of folks actually talk about software supply chain from their own respective roles. A DevOps practitioner is going to talk about software supply chain from the perspective of building and delivering software. And that’s great, but that’s a small part of the overall software supply chain.” (28:39)

“Organizations are already demanding software bills of materials from their vendors, and this will eventually lead to gradual improvement from those vendors in terms of maintaining hygiene of their components and keeping things up to date and vulnerability-free.” (36:04)
