Marc Frankel
Appearances
Bites & Bytes Podcast
Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc Frankel
I have a six year old, so I have plenty of experience explaining things to six year olds. Excellent. It's a great question. First and foremost, I would say you need to check the regulations. There have been a raft of regulatory requirements over the course of the last three years requiring SBOMs for different industries and different geographies.
And so to name a few, Executive Order 14028 signed by President Biden. I guess I've deviated from the six year old thing here for just a moment. But President Biden signed an executive order requiring anybody who sells software to the U.S. federal government, enabling the U.S. government to require SBOMs from those government contracts.
Similarly, the FDA has started requiring SBOMs from medical device manufacturers. So they have said that they will refuse to approve any new software-enabled medical devices unless the pre-market submission is accompanied by an SBOM. For your listeners specifically, the Cyber Resilience Act in the EU...
which was, and I'm not an EU legislative policy expert by any stretch of the imagination, but the enforcement will begin in two years. So if you have business operations that involve the generation of software in the EU, much like GDPR, you know, touches just about everybody who interacts with the EU, you may be required to produce those SBOMs to a regulator in as little as two years' time.
So step number one is check the regs. Do you operate in Europe? Do you touch any of these other regulated fields? Step number two is check what your downstream customers are requiring. So it's a little bit different if you are physically putting together a box of cereal.
But if you are in the food delivery, food manufacture industry and you have software enabled assembly lines or you have quality control capabilities or you have anything that involves software, you may be required in the not too distant future by your customers to provide these SBOMs to them. So step number one is regulation. Step number two is the customer mandate.
I left for an attack surface management company called Expanse, but we stayed in touch. And when the Log4Shell vulnerability hit, I was at Palo Alto Networks, which had acquired Expanse. Daniel was at the Pentagon.
Step number three is to check your internal DevOps and DevSecOps capabilities. So do you, with every new version of every new software application that your company develops, do you have an SBOM? Do you have an inventory of what are the third party and open source components that went into this piece of software?
So that when something goes bump in the night and a new vulnerability is disclosed, you can be one click away from understanding.
You know, like I'm equally pooped out by the ball pit. But yes, every company, whether they want to be or not, is in the software generation space these days. And then I think I'm up to four. I don't recall specifically. But the last one that I would close with is you're generating software, but your vendors are providing software to you. Go back.
Look at your third party risk management, vendor due diligence procedures. If it doesn't say in question, question 1A ought to be what's the name of your company, Mr. Vendor? Question 1B ought to be upload your SBOM.
If you are buying software from a vendor who can't tell you or who won't tell you what's inside that software, you have a duty to your company to examine whether or not that's a vendor that you're comfortable doing business with. And it's not in an effort to like be a jerk to AWS or Microsoft, you know, right?
It's the long tail companies that you work with that you have accumulated over the years that now touch business critical functions. Imagine, you know, the Log4Shell situation of having to call each one of them and say, hey, are you affected? The best time to start requiring SBOMs was 15 years ago. The second best time to start requiring SBOMs is today.
And we both watched these large mission critical, sophisticated organizations unable to answer a simple question of where do we have a problematic component in our software supply chain? And that seemed like a problem, not just a problem worth solving, but a problem worth solving urgently. And those were our criteria for success, jumping in and taking the entrepreneurial leap together.
Yeah, we're getting to the point, I mean, in financial services, this is a very widespread and common practice. In the defense industrial base, it's becoming very widespread and common. Medical device manufacturers, auto manufacturing, etc.
You would never in a million years let an 18 wheeler through the front gates of your food production facility without asking who's the driver and what's inside this container. You know, it just wouldn't happen.
Yeah. However, software became kind of a bit of a boiling frog problem. Right. You know, all of a sudden now, we start off with this like very slow adoption. Hey, we have software in these places, but the software was generated by IBM or whoever. And, you know, they're responsible for every line of the code.
Now, between 85 to 90 percent of software applications that are delivered, you know, that are sold, are open source, are pieced together from open source. And that, you know, if you're not maintaining an inventory of that open source, you have effectively unbounded exposure. Something like 68% of cybersecurity professionals in a recent poll named software supply chain as their biggest blind spot.
This is a massive problem. And the nice thing about SBOM is that, particularly from a TPRM perspective, this is not a particularly hard solution for security professionals to implement, right? You already have vendor due diligence questionnaires. You already have third-party risk management processes in place.
Adding an additional, we have like a whole playbook for how to automate the process of requiring SBOMs. This doesn't have to be a scary thing. Oftentimes where people get tripped up is it's just like, hey, that seems like a really niche, complicated, convoluted field. And like, I just don't even know where to begin.
So that was about two years ago now. And we're still friends.
Yeah, exactly right. Our goal at Manifest basically is to make SBOMs the easiest thing your organization does. Forget about CycloneDX versus SPDX. Forget about version 1.5 versus 1.6. Forget about OpenVEX versus CSAF. Forget about CPE to purl matching.
We want to abstract all of this away so that organizations like your listeners can get to software supply chain security without, again, having to have a PhD in cyber risk management. And the way that we do that is a number of ways. One is we automate the SBOM generation process.
So for your developers who are generating new software applications on the back end in the CI/CD pipeline, we are automating every time they hit build or every time they hit push or publish or whatever, it generates, it stamps out a new SBOM, and that SBOM flows into the Manifest platform. So in an ideal world, no human hands touch this artifact.
I spare a thought for anybody. You know, we hear stories of people who found companies based on folks that they met on Hacker News or, you know, Y Combinator or whatever. I just can't imagine going on this journey without somebody that I had the bedrock of a decade-long friendship to rely on.
And yet you ended up with an inventory of every third party open source proprietary component that went into the piece of software that they developed. That's step one. Step two is requiring SBOMs from your vendors. And here we've developed this SBOM outreach playbook, which, by the way, it's not like, you know, a proprietary thing that you have to go to Barnes and Noble and spend $50 on.
Anybody who's listening, if you want it, we'll give it to you. We're all fighting the same fight of pushing for software supply chain transparency. I'll drop it in the show notes, the link to it. There you go. What we realized was that the meaningful hurdle to deploying an SBOM requirement to third parties was all the administrivia that surrounded it. What's the contract language that we put in an MSA?
What's the OneTrust question that we add to our survey? What's the email that we write to our vendors explaining what it is we need and how we need it? What's the follow-up email? And so we've just created more or less like Mad Libs templates.
You know, it's like, you know, dear vendor name, Enterprise is requiring SBOMs because we are concerned about, you know, software supply chain visibility. You have blank many days, you know, and it's almost like Mad Libs. Try not to put in, you know, all the things that you would have put in the back of like, you know, your fifth grade bus ride home when you were doing Mad Libs.
But the idea is to- I mean, you could, but- You could. You'd probably be in big trouble. You would, yeah, yeah. Dear Bozo. Yeah, no. But the idea is to templatize this as much as we possibly can. To make this for the first customer that we ever had who required SBOMs, we needed to generate all of this from scratch. Every one of our customers thereafter ought to be able to build on it.
So we've templatized the process of requiring SBOMs from your vendors. We even built a capability in our platform that we call Ask, to solicit SBOMs. If you know your vendor's email address, we'll take care of the rest. And then once you are generating SBOMs for your internal applications and requiring SBOMs from your third party vendors, we are automating the analysis, right?
So you're still not touching the JSON file, we are comparing it to leading vulnerability databases, the NVDs, the OSVs, the EPSSs and the KEVs of the world, to analyze this, in some cases a really voluminous JSON file, to say, hey, here's where they have a component that matches a known software vulnerability.
And then we are contextualizing that to tell you these are the ones that have been proven to be exploitable or these are the ones that are likely to be exploitable. And these are the ones that you probably don't really need to care about. And so we give you a walk-up usable view of how good or bad should you feel about this SBOM in human consumable language.
And all of that is in service of the next time there's a Log4Shell or SolarWinds or Apache Struts or whatever, you're one click away from understanding which of my vendors and which of my software applications are affected, as opposed to 50,000 hair-on-fire phone calls.
And so I think that's a really, really important criteria for anybody who's, you know, considering taking the plunge.
Wow. Okay. So my favorite, I'll start with my favorite food memory and it's not a good one.
Well, it comes from a place of good intent. And I think that that's important to remember is that you have people who have spent literally years, if not decades, in service of software supply chain security. And some of them will spend years, if not decades, more advancing the cause of software supply chain security.
And if they hadn't defined CycloneDX and SPDX and CSAF and OpenVEX and whatever else, we wouldn't be able to make it easy and approachable, because there wouldn't be a thing to make easy and approachable. But that being said, when it rises to the level of creating a barrier to entry, that's when, you know, a translation capability or a tool set to automate this and put it on rails is warranted.
I would advocate to anybody who's considering creating an acronym, anything with the word BOM in it, probably not great just from like a TSA perspective, but yes.
Yeah. It's not the easiest thing to fly with necessarily. We give away these little squishy bomb-shaped balls with the letter S on them. But when you're traveling with a backpack full of them to a conference... Wow, that's intense. But yeah, I think, so the last thing that I'll say just about the everybody-has-to-remember-their-mission is we as a company are, I mean, we're driven by mission.
I know that, you know, probably most people, they hearken back to, you know, the Thanksgiving table or what have you, but my favorite food memory actually was an Icelandic one. They're a local, I don't even know if you would call it a delicacy, but certainly a local food that they've eaten historically or traditionally is called Hakarl. It's fermented Greenlandic shark.
We're not here to like buy something for a dollar and sell something for two. There's a whole field. You know, if you want to work in Excel, you're welcome to do that. But the types of customers that we support, the Air Force, Department of Homeland Security, auto manufacturers, defense contractors, food security, et cetera, everyone has a mission.
They're contributing to not just the continued survival, but the success of our way of life. And you said, you know, I want to make sure that I feed my children trustworthy food. I want to make sure when we go into a doctor's office, they can access my kids' medical records.
I want to make sure when I drive a car that it can't be hijacked by somebody with like a really powerful transponder standing by the side of the highway. You know, all of these are becoming real world concerns as our world becomes more and more dependent on software.
One of the best lines that I've ever heard is the software supply chain is the most valuable supply chain that humanity has ever created. And yet it's the one in which arguably we have done the least to provide visibility into. And so when I read things like major hospital systems can't access their medical records or I speak to you and we contemplate
the implications for food security, this has real world implication. And if the only thing that's stopping a major provider of this essential service from having visibility into their software supply chain is walk up usable tooling and templatized deployment mechanisms, we have a duty to create them.
And it was clearly born out of times of difficulty and deprivation. It's not something that you would eat necessarily if you had other choices, but they catch a Greenlandic shark. These things can live up to, you know, 300 years old and they fillet it basically.
Yeah. I love that because, you know, I've watched that Modern Marvels show. Right. And you're like, oh, wow. Like, look at all those candy bars, you know, coming off the factory line or whatever. It would be interesting to say like, hey, what's behind that door? Oh, that's accounting. Oh, can I see that? Nope. Nope. Not part of the tour.
Like, you know, you don't want to see those, you know, big stacks, the reams of paper or the change control board meeting that was supposed to happen.
Yeah. Right.
And it just goes to show you, you know, if anybody deserves visibility, like we have it, we have a duty to do this. We have a duty to get it right. Much like any of your listeners have a duty to make sure that they understand what's inside the 18 wheeler that pulls up to the front gate.
They also have a duty to understand what's inside the software application that pulls up to the proverbial front gate of their network. And in the rapidly changing cyber threat landscape to monitor those things, not just when you bought it, but every day thereafter. And it's kind of crazy that it's 2024 and that's not just common practice everywhere.
But it's going to take hardworking individuals like yourself, like your listeners, to get us to a place where we can recover from the growth of open source software without an accompanying inventory.
And they hang, it's poisonous if you eat it raw, but they hang it in barns, open-air barns with flies and what have you on it for months until the lye or whatever the poison is kind of gets extracted out of it. And it becomes these like little white, they chop them up into like little cubes and you eat them with a toothpick. And my now wife, my then girlfriend, and I went to Iceland.
Yeah, it's a great question. The next frontier of this, the equally scary frontier, is much like we consume software, unfortunately, without asking what's in it, so too do we consume AI applications without asking what's in them. And if you had AI on your bingo card for this podcast, congratulations. Hopefully it was the center square and you win. You know, everybody's talking about AI.
AI is eating the world. We're sprinkling AI fairy dust on everything. The boring, unsexy, infrastructurally critical work of documenting which models does this AI application use and which data sets are those models trained on is absolutely essential. We only get one opportunity to close this barn door before the horses all run out of it.
There are hundreds, if not thousands of AI applications, I'm sure, in use in the food service industry every single day. For your listeners or for you, Kristen, ask yourself, which models do they use and which data sets are they trained on? Where's that list?
What happens if one of those data sets is found to be problematic, either accidentally because it biases against a certain race or a certain religion or a certain hair color or whatever, or intentionally because the Chinas or the Russias or the North Koreas of the world poisoned a particular data set, or because it contains illegal information?
I'll tell you one very quick and scary story, and then hopefully we can end on a more positive note. But if we don't have an inventory of what's inside the stuff that we buy, writ large, doesn't matter if it's AI, doesn't matter if it's traditional software, doesn't matter if it's Raisin Bran, we are vulnerable when the upstream components are found to be problematic.
The terrifying story that I will tell you is that the most common, the most popular text-to-image model, you know, you type in, make me a picture of a cat wearing a sombrero, and it generates a picture of a cat wearing a sombrero. The most popular text-to-image model is called Stable Diffusion. It's in use very, very widely. Different applications use it.
Stable Diffusion is trained on a number of different data sets. One of them is called LAION-5B. Again, the names here don't really matter. But this training data set had 400 million text-to-image pairs. So it had a picture of a cat. When it said the word cat, it had a picture of a pencil, so the word pencil.
It was probably about eight or nine years ago now. And we were like, hey, we just have to try this. We have to try it for the memory. And so we went into a grocery store and we bought this, you know, Hakarl, grabbed the little toothpick and we ate it. And I still remember exactly where on my tongue the piece of Hakarl touched.
Security researchers at Stanford in December discovered that this training data set contained over 1,600 images of child pornography. Accidentally. Accidentally. Nobody did this on purpose. This wasn't anybody's fault, right? This is an artifact of what happens when you hoover up at scale 400 million images and then put text labels on them.
So all of a sudden it becomes this like rapid question of what did we train on LAION-5B? Oh, we trained Stable Diffusion. Where do we have Stable Diffusion deployed? Well, I don't know, because we haven't been requiring that from our AI.
And so the future, what I anticipate the future of the BOM or the technology supply chain field to be is going to be a concept known as AI BOM, artificial intelligence bills of materials. It's the exact same problem. We need a better name. We need a better name. I don't name these things, but it's the exact same problem as SBOM.
It's the exact same problem of we found out that there was, you know, pencil shavings in, you know, a box of cereal. It's the exact same problem of whenever you have upstream components and downstream components, you have a duty to inventory the upstream components so that you know how to remediate when one of the downstream components is found to be wrong.
And that's really where I feel the industry is going is transparency, not just for traditional software, not just for on-prem software, not just for artificial intelligence, but transparency across the technology supply chain. Because otherwise we're going to end up in some pretty scary situations where our businesses are built on technologies that we don't have a full accounting of.
And when that happens, you know, there's going to be a lot of finger pointing and a lot of tough questions being raised.
It had the consistency of like, it was like a gummy bear, I guess, like covered in Vaseline. It was really kind of vile. But it's those sorts of memories that are memorable, obviously. But, you know, that help you recall a time and a place in your life and an adventure that you went on. So I was really grateful to have that experience.
Yeah, absolutely. That cultural muscle of, of course we have to know where this thing came from, and of course we have to know what's inside of it. We see it in automotive, we see it in manufacturing, we see it in food, we've seen it in pharmaceutical, certainly. Where we have a harder time is in verticals that are not as reliant on intimately understanding their supply chains writ large.
They don't have that muscle. They don't have that institutional mantra of, of course, we have to know where all this stuff came from. And that's where it's, you know, it's harder to make the case. But no, I'm with you. I anticipate that food manufacturing will be an area that will adopt the concept of an SBOM. These are large, complex organizations.
I'm not going to go so far as to say easily, but culturally and philosophically and ideologically, they're on board.
Thanks for having me, Kristen.
And it was definitely something unique, something that I won't soon forget.
There you go. There you go. And then my favorite food is probably just, so there's a place in New York on the Lower East Side called Russ and Daughters. The bagels are good, but the smoked salmon is phenomenal. I would argue it's the best in the world. And so they slice it really, really thin. You put capers and you put onions and whatever else on it.
And again, it's more about like, you know, the memory or the experience than it is about the food itself. The food is good, but, you know, there's probably like a limit to how good a piece of smoked salmon can be. But it's really just more about like the community or the experience when I'm there.
And so I'm either going with my parents, my siblings, my, you know, the family that I grew up with, or I'm taking my kids, giving them that experience too. So it's a great bite of food. It's an even better memory and experience.
Well, you're always welcome up here to the Northeast.
Well, a time and a place for that too.
Yeah, I guess I would begin by saying that SBOMs are not scary. Most people who are familiar with SBOMs know that they're not scary. Most people who aren't, more or less, you know, there's a tendency to break out in hives once they see their first piece of JSON and they're like, oh my goodness, what am I supposed to do with this? And rightly so, right? It's an intimidating thing.
So SBOM stands for software bill of materials. The two-second non-technical, you know, explain-it-to-a-six-year-old version of this is that software is the only thing that we buy that you don't get to know what's in it. The FDA for 100 years has required General Mills to disclose what's inside a box of cereal.
Auto manufacturers have to have that sticker in the window of a new car that they sell telling you that it has heated seats and, you know, a stereo surround system and, you know, automatic whatever's. When you buy a house, you get a home inspection. When you buy a T-shirt, it comes with a tag that says 80% cotton and 20% polyester.
But when you, and by you I mean the federal government or a Fortune 500 company or any enterprise really, purchases a piece of software, it just shows up in their environment with no list of ingredients. And for the first 40 to 50 years of software, it wasn't okay, but it was an acceptable risk.
Over the course of the last 15 to 20 years, with the explosion of open source software, software has gone from a guy in a hoodie typing away furiously at a keyboard, creating something net new out of scratch, to something that resembles much more assembly, like Lego bricks, effectively.
And the problem with that is that when you have developers who are grabbing Lego bricks, in this case, software applications from GitHub or from NPM or what have you, you don't have a sense for what is the provenance of these bricks that I'm bringing into my Lego house that I'm building, so to speak. And when you buy software, there has become an urgent need for the U.S.
Department of State, the U.S. Air Force, auto manufacturers, defense contractors, et cetera, to begin requiring these lists of ingredients because of the meteoric rise of a threat vector known as software supply chain vulnerabilities or software supply chain
Basically, nation state actors and non-nation state actors, Iran, China, North Korea, et cetera, have woken up to the fact that large companies in the West and large federal agencies in the West consume software without asking what's inside. And so the software supply chain vulnerabilities have been on the rise, by some accounts 1,300% over the last three years.
Some of them have made headline news. Some of your listeners may be familiar with like SolarWinds, for instance, or the Log4Shell vulnerability. Log4Shell by itself cost an estimated $10 billion in remediation costs. It was massive. And it all stems from the fact that we don't know what's in the software that we build and buy. We don't have these lists of ingredients.
The equivalent would be if the FDA put out a statement saying that there was an E. coli outbreak in raisins. And the first thing you would do is you would go into your pantry and if you opened your pantry and all you saw were gray cardboard boxes, you know, just blank boxes with no ingredients on the labels, you'd have to call Monsanto and General Mills and Post and everybody.
Absolutely. My name is Marc Frankel. I am the CEO and co-founder of a software supply chain security company called Manifest.
And you'd have to say, hey, does this thing that I bought have raisins in it?
And that's exactly, effectively, what happened in the Log4Shell vulnerability. There was a new vulnerability that was disclosed, nobody had lists of ingredients of what's inside the different software applications that we've bought, and so they had to call all of their vendors individually. The answer to "we don't know what's in the software that we are consuming" is a list of ingredients, no different than the list of ingredients on the side of a box of cereal, except because it's a more technical artifact we call it a software bill of materials as opposed to just an ingredients label.
So that's exactly right. The problem is, and this is not unique to software supply chain, this is universal, I would argue, across the cybersecurity industry, is that oftentimes you get very technical, very, very smart people who get very in the weeds with a concept. And before you know it, there's been a proliferation of acronyms and concepts.
Not by accident, I can tell you that much. That's good. So my co-founder Daniel and I met about 10, 11 years ago. We started at a company called Palantir on the same day together. He was this symbolic systems grad from Stanford. I had barely touched a keyboard in my life. And so we were seated together during orientation. I was like cheating off of his computer. I had come from the finance world.
And there can be a real hesitancy to jump into a new area of cybersecurity. You don't want to appear dumb. You don't want to, you know, appear like the newbie. You don't want to have basic concepts explained to you. And so if we look at the SBOM industry, we've fallen victim to that exact same thing. And not without reason, right?
There are good reasons why we have terms like CycloneDX, SPDX, CSAF VEX, OpenVEX. As the listeners glaze over, the listeners are all passing over now. Exactly right. And what I feel that we in the cybersecurity community do, where I feel we do a disservice, is that an SBOM is an extraordinarily valuable and powerful artifact. But one of its primary benefits is to non-technical people.
So if you think about, and I imagine that some of your listeners are probably in third party risk management or IT security or IT risk or what have you. Definitely. vendor due diligence, et cetera, they are contorting themselves, bending over backwards to put out 200-page vendor due diligence questionnaires, asking everything under the sun from, do you do background checks on your developers?
Do you have a disaster recovery site 90 miles away? Do you have your SOC 2 type 2 compliance? Do you have any foreign investors on your cap table? But the one question they probably really want to be asking is, what's inside this thing that we're about to trust our data to? And that's what an SBOM gives you. And the problem is,
If we develop as an industry, this technical jargon moat of you're not allowed to be in our club unless you understand these 50 esoteric concepts. Well, everybody in that TPRM, vendor due diligence, third party risk, governance, risk and compliance have AppSec, ProdSec, DevSecOps, et cetera.
Everyone in those ecosystems who hasn't spent the last two years intimately familiarizing themselves with this terminology all of a sudden feels excluded. So what we have invested heavily is in making SBOMs approachable to people who don't have a PhD in cyber risk management, because it can be a very valuable tool, but only very valuable if they feel like they know how to use it.
You can, as a matter of fact. I used to work with somebody who had one. It was daunting.
I didn't have much of a background in tech, but he was this, you know, very patient, very accommodating, really great teacher. And we stayed friends for about a decade. We followed each other through Palantir, working on federal civilian, intelligence community, DoD stuff. He left for a company called Exabeam and then Defense Digital Service and ultimately CISA.