
Bites & Bytes Podcast

Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc Frankel

Mon, 03 Jun 2024

Description

In this episode of the Bites and Bytes Podcast, host Kristin Demoranville chats with Marc Frankel, CEO and co-founder of Manifest Cyber, a software supply chain security company. They talk about the world of Software Bills of Materials (SBOMs) and their critical role in cybersecurity, especially within the food industry. Marc shares insights on the importance of SBOMs, their implementation, and the future of supply chain security. He also provides a unique perspective on the intersection of cybersecurity and the food industry, making this a must-listen for anyone interested in protecting our food systems. Tune in to learn how SBOMs can help your organization stay resilient in the face of cyber threats.

Episode Key Highlights:
(02:29 - 03:11) Navigating Relationships as Entrepreneurs
(09:11 - 11:07) Importance of Software Ingredient Lists
(16:54 - 17:59) Understanding SBOM Regulatory Requirements
(25:49 - 26:35) Streamlining Software Supply Chain Security
(34:54 - 36:25) Mission-Driven Software Supply Chain Importance
(38:33 - 39:23) Duty to Monitor Software Security

Show Notes:
Hakarl: have you ever wondered what fermented Greenlandic shark tastes like? 🌊🦈 Discover the unique Icelandic delicacy that Marc Frankel bravely sampled.
Russ & Daughters (NYC, Lower East Side): experience the legendary smoked salmon from one of NYC's most iconic spots. Perfect for your next bagel craving! 🥯🐟
US Executive Order on Improving the Nation's Cybersecurity (14028): stay informed about the latest national cybersecurity measures.
FDA Medical Devices Cybersecurity Guidelines: learn how medical devices are secured under the FDA's latest guidelines. 🏥🔒
EU Cyber Resilience Act: learn about the upcoming changes in EU cybersecurity regulations. 🌍🛡️
Log4Shell: get the details on one of the most significant cybersecurity vulnerabilities of recent times. 🔍💻

Marc and Manifest Information:
Find Marc Frankel on LinkedIn. Connect with Marc to jump into the world of SBOMs and cybersecurity.
Information on Marc's company, Manifest. Discover how Manifest is revolutionizing software supply chain security. Visit their Website or LinkedIn for more details.

Bites and Bytes Podcast Information:
Website: explore all our episodes, articles, and more on our official website.
Merch Shop: show your support with some awesome Bites and Bytes gear! 🧢👕
Blog: stay updated with the latest insights and stories from the world of cybersecurity in the food industry.
Audience Survey: we value your feedback! Help us make the podcast even better.
Schedule a Call with Kristin: want to share your thoughts? Schedule a meeting with Kristin!

Transcription

21.343 - 37.028 Kristin Demoranville

Welcome to the Bites & Bytes podcast, where we explore the intersection of cybersecurity, technology, and so much more in the food industry. I'm your host, Kristin Demoranville, and today we have a great guest for you, Marc Frankel, CEO and co-founder of Manifest Cyber.

37.328 - 62.286 Kristin Demoranville

Marc is here to help us unpack the complex world of software bills of materials, or as they are more commonly known, SBOMs, and their critical role in securing our food systems. I hope you enjoy our conversation about the world of SBOMs and the food industry. Hi, Marc. Thanks for being here. Really appreciate your time. I will jump in with an introduction first. Sure.

62.546 - 68.793 Marc Frankel

Absolutely. My name is Marc Frankel. I am the CEO and co-founder of a software supply chain security company called Manifest.

69.099 - 72.6 Kristin Demoranville

Excellent. And how did you get to that co-founding-ness?

74.2 - 95.124 Marc Frankel

Not by accident, I can tell you that much. That's good. So my co-founder Daniel and I met about 10, 11 years ago. We started at a company called Palantir on the same day together. He was this symbolic systems grad from Stanford. I had barely touched a keyboard in my life. And so we were seated together during orientation. I was like cheating off of his computer. I had come from the finance world.

95.184 - 113.589 Marc Frankel

I didn't have much of a background in tech, but he was this, you know, very patient, very accommodating, really great teacher. And we stayed friends for about a decade. We followed each other through Palantir, working on federal civilian, intelligence community, DoD stuff. He left for a company called Exabeam and then Defense Digital Service and ultimately CISA.

113.869 - 124.718 Marc Frankel

I left for an attack surface management company called Expanse, but we stayed in touch. And when the Log4Shell vulnerability hit, I was at Palo Alto Networks, which had acquired Expanse. Daniel was at the Pentagon.

125.018 - 145.475 Marc Frankel

And we both watched these large, mission-critical, sophisticated organizations unable to answer a simple question: where do we have a problematic component in our software supply chain? And that seemed like a problem, not just a problem worth solving, but a problem worth solving urgently. And those were our criteria for success, jumping in and taking the entrepreneurial leap together.

145.535 - 149.059 Marc Frankel

So that was about two years ago now. And we're still friends.

149.26 - 160.333 Kristin Demoranville

That's good. It's very hard to maintain a relationship and be an entrepreneur and a co-founder. I know this from experience. It's definitely a journey for sure. And sometimes you're heading towards Mordor and you just have to kind of steer away.

162.917 - 177.909 Marc Frankel

I spare a thought for anybody. You know, we hear stories of people who found companies based on folks that they met on Hacker News or, you know, Y Combinator or whatever. I just can't imagine going on this journey without somebody that I had the bedrock of a decade-long friendship to rely on.

178.049 - 183.233 Marc Frankel

And so I think that's a really, really important criterion for anybody who's, you know, considering taking the plunge.

183.513 - 201.026 Kristin Demoranville

Yeah, there are a lot of entrepreneur startups in the food industry, for sure, too. So I think a lot of them come out of families and friends. And I think that's the way to do it. I think you're right, Marc. Thanks for that intro. So let's jump into my favorite part of the podcast. Besides all the great information I get, tell me your favorite food and your favorite food memory.

201.266 - 202.707 Kristin Demoranville

They do not need to be one and the same.

202.867 - 208.672 Marc Frankel

Wow. Okay. So my favorite, I'll start with my favorite food memory and it's not a good one.

208.872 - 226.308 Marc Frankel

I know that, you know, probably most people, they hearken back to, you know, the Thanksgiving table or what have you, but my favorite food memory actually was in Iceland. There's a local, I don't even know if you would call it a delicacy, but certainly a local food that they've eaten historically or traditionally, called Hakarl. It's fermented Greenlandic shark.

226.488 - 239.894 Marc Frankel

And it was clearly born out of times of difficulty and deprivation. It's not something that you would eat necessarily if you had other choices, but they catch a Greenlandic shark. These things can live up to, you know, 300 years old and they fillet it basically.

239.934 - 260.786 Marc Frankel

And they hang, it's poisonous if you eat it raw, but they hang it in barns, open-air barns with flies and what have you on it, for months until the lye or whatever the poison is kind of gets extracted out of it. And it becomes these little white, they chop them up into little cubes and you eat them with a toothpick. And my now wife, my then girlfriend, and I went to Iceland.

260.806 - 275.12 Marc Frankel

It was probably about eight or nine years ago now. And we were like, hey, we just have to try this. We have to try it for the memory. And so we went into a grocery store and we bought this, you know, Hakarl, grabbed the little toothpick and we ate it. And I still remember exactly where on my tongue the piece of Hakarl touched.

275.86 - 293.867 Marc Frankel

It had the consistency of, like, a gummy bear, I guess, covered in Vaseline. It was really kind of vile. But it's those sorts of memories that are memorable, obviously, that help you recall a time and a place in your life and an adventure that you went on. So I was really grateful to have that experience.

293.907 - 297.388 Marc Frankel

And it was definitely something unique, something that I won't soon forget.

297.728 - 315.821 Kristin Demoranville

Obviously listeners can't see me, and I'm making all kinds of cringe faces, on top of the fact that it was shark and, like, it's just bleh. So I mean, I guess maybe I should start doing the worst food memory, but I don't think we want to talk about those stories. But I do like that you had a travel food story.

315.841 - 319.264 Kristin Demoranville

So we're going to call it that, Marc: your favorite travel food story.

319.304 - 337.497 Marc Frankel

There you go. There you go. And then my favorite food is probably just, so there's a place in New York on the Lower East Side called Russ and Daughters. The bagels are good, but the smoked salmon is phenomenal. I would argue it's the best in the world. And so they slice it really, really thin. You put capers and you put onions and whatever else on it.

337.717 - 353.382 Marc Frankel

And again, it's more about like, you know, the memory or the experience than it is about the food itself. The food is good, but, you know, there's probably like a limit to how good a piece of smoked salmon can be. But it's really just more about like the community or the experience when I'm there.

353.422 - 364.146 Marc Frankel

And so I'm either going with my parents, my siblings, my, you know, the family that I grew up with, or I'm taking my kids, giving them that experience too. So it's a great bite of food. It's an even better memory and experience.

364.397 - 374.185 Kristin Demoranville

Well, thank you for sharing that. That's great. I'm glad I, and we're recording obviously in the morning and you wouldn't know this listeners, but I just ate breakfast. So I'm really glad I ate breakfast because otherwise I would be starving.

374.525 - 377.107 Marc Frankel

Well, you're always welcome up here to the Northeast.

377.487 - 388.956 Kristin Demoranville

Well, it is my home. You know, I am a Northeasterner, so I understand we do crave weird food when we're up there, for sure, including things like whoopie pies and, you know, all that fun stuff, which I don't eat anymore, but yes.

390.866 - 392.268 Marc Frankel

Well, a time and a place for that too.

392.388 - 406.9 Kristin Demoranville

Yeah, I think you're right. It's really the nostalgic kind of thing. Having one is sort of like remembering childhood, you know, that like really over pungent, sweet, spongy cake with the cream sauce. Yeah, it's definitely like childhood or like proper farm stand ice cream, you know, Mert ice cream, not soft.

406.96 - 419.491 Kristin Demoranville

So yeah, that's definitely the whole nostalgic memories come flying back when you start thinking about all of that and where you were and the fact that it's probably summer and you got it all over yourself too. And yeah, all those memories are great. Thanks, Marc. This is great.

419.711 - 438.306 Kristin Demoranville

So going back to your company and the reason why I wanted to have you on the show is because we're going to talk about SBOMs. And everybody's like, what's that? That sounds horrible. It's not. Acronyms are weird. But I'm going to let you, Marc, explain what an SBOM is and how that intersects with the food industry. And most people who touch it in the food industry know what it is.

438.366 - 442.63 Kristin Demoranville

But I want to make sure the rest of the listeners know, since we have a mixed audience. Take it away.

442.83 - 458.838 Marc Frankel

Yeah, I guess I would begin by saying that SBOMs are not scary. Most people who are familiar with SBOMs know that they're not scary. Most people who aren't, more or less, you know, there's a tendency to break out in hives once they see their first piece of JSON and they're like, oh my goodness, what am I supposed to do with this? And rightly so, right? It's an intimidating thing.

458.878 - 477.908 Marc Frankel

So SBOM stands for software bill of materials. The two-second, non-technical, you know, explain-it-to-a-six-year-old version of this is that software is the only thing that we buy that you don't get to know what's in it. The FDA for 100 years has required General Mills to disclose what's inside a box of cereal.

478.089 - 494.079 Marc Frankel

Auto manufacturers have to have that sticker in the window of a new car that they sell telling you that it has heated seats and, you know, a stereo surround system and, you know, automatic whatever's. When you buy a house, you get a home inspection. When you buy a T-shirt, it comes with a tag that says 80% cotton and 20% polyester.

494.22 - 512.834 Marc Frankel

But when you, and by you I mean the federal government or a Fortune 500 company or any enterprise really, purchases a piece of software, it just shows up in their environment with no list of ingredients. And for the first 40 to 50 years of software, it wasn't okay, but it was an acceptable risk.

513.174 - 530.229 Marc Frankel

Over the course of the last 15 to 20 years, with the explosion of open source software, software has gone from a guy in a hoodie typing away furiously at a keyboard, creating something net new out of scratch, to something that resembles much more assembly, like Lego bricks, effectively.

530.949 - 555.532 Marc Frankel

And the problem with that is that when you have developers who are grabbing Lego bricks, in this case, software applications from GitHub or from NPM or what have you, you don't have a sense for what is the provenance of these bricks that I'm bringing into my Lego house that I'm building, so to speak. And when you buy software, there has become an urgent need for the U.S.

555.552 - 570.733 Marc Frankel

Department of State, the U.S. Air Force, auto manufacturers, defense contractors, et cetera, to begin requiring these lists of ingredients because of the meteoric rise of a threat vector known as software supply chain vulnerabilities or software supply chain

570.933 - 592.057 Marc Frankel

Basically, nation-state actors and non-nation-state actors, Iran, China, North Korea, et cetera, have woken up to the fact that large companies in the West and large federal agencies in the West consume software without asking what's inside. And so software supply chain vulnerabilities have been on the rise, by some accounts, 1,300% over the last three years.

592.337 - 612.929 Marc Frankel

Some of them have made headline news. Some of your listeners may be familiar with like SolarWinds, for instance, or the Log4Shell vulnerability. Log4Shell by itself cost an estimated $10 billion in remediation costs. It was massive. And it all stems from the fact that we don't know what's in the software that we build and buy. We don't have these lists of ingredients.

613.109 - 632.637 Marc Frankel

The equivalent would be if the FDA put out a statement saying that there was an E. coli outbreak in raisins. And the first thing you would do is you would go into your pantry and if you opened your pantry and all you saw were gray cardboard boxes, you know, just blank boxes with no ingredients on the labels, you'd have to call Monsanto and General Mills and Post and everybody.

632.657 - 635.838 Marc Frankel

And you'd have to say, hey, does this thing that I bought have raisins in it?

636.198 - 665.585 Marc Frankel

And that's exactly, effectively, what happened in the Log4Shell vulnerability. There was a new vulnerability that was disclosed. Nobody had lists of ingredients of what's inside the different software applications that we've bought, and so they had to call all of their vendors individually. The answer to "we don't know what's in the software that we are consuming" is a list of ingredients, no different than the list of ingredients on the side of a box of cereal, except because it's a more technical artifact we call it a software bill of materials as opposed to just an ingredients label.

665.919 - 683.892 Kristin Demoranville

That is probably the best way I've ever heard it described. Thank you for relaying it back into food because I think everybody understands what you just said. I, you know, I was thinking too, that it's not like you can actually print out a recipe of all the code, you know, necessarily. I mean, you can, but are you going to understand it? It has to be like labeled. This is the header.

683.972 - 700.844 Kristin Demoranville

This is the footer. This is how the little boxes, green, you know, whatever, all the crazy design stuff on top of the actual functional aspects of it. That's very daunting, and wow, you know, and this is why it's such a beast of a situation, because it's huge. It's massive.

700.864 - 718.696 Kristin Demoranville

Think about all the things that run on software, especially inside the food industry, which, as we know, has become a prime target for all kinds of cyber attacks. And this is just one of those attack vectors that we need to deal with better and more efficiently, I think I would say, because it's not that people aren't aware of it. It's just you don't know what you don't know.

718.716 - 725.961 Kristin Demoranville

Like you said, you don't know that there's no labels on your raisin boxes in the pantry. You know, you just know you have raisins, you know, that's it.

727.182 - 747.121 Marc Frankel

So that's exactly right. The problem is, and this is not unique to software supply chain, this is universal, I would argue, across the cybersecurity industry, is that oftentimes you get very technical, very, very smart people who get very in the weeds with a concept. And before you know it, there's been a proliferation of acronyms and concepts.

747.341 - 765.3 Marc Frankel

And there can be a real hesitancy to jump into a new area of cybersecurity. You don't want to appear dumb. You don't want to, you know, appear like the newbie. You don't want to have basic concepts explained to you. And so if we look at the SBOM industry, we've fallen victim to that exact same thing. And not without reason, right?

765.32 - 789.342 Marc Frankel

There are good reasons why we have terms like CycloneDX, SPDX, CSAF VEX, OpenVEX. As the listeners glaze over, the listeners are all passing over now. Exactly right. And what I feel that we in the cybersecurity community do, where I feel we do a disservice, is that an SBOM is an extraordinarily valuable and powerful artifact, but one of its primary benefits is to non-technical people.

789.442 - 810.993 Marc Frankel

So if you think about, and I imagine that some of your listeners are probably in third-party risk management or IT security or IT risk or what have you. Definitely. Vendor due diligence, et cetera, they are contorting themselves, bending over backwards to put out 200-page vendor due diligence questionnaires, asking everything under the sun, from do you do background checks on your developers?

811.013 - 827.337 Marc Frankel

Do you have a disaster recovery site 90 miles away? Do you have your SOC 2 type 2 compliance? Do you have any foreign investors on your cap table? But the one question they probably really want to be asking is, what's inside this thing that we're about to trust our data to? And that's what an SBOM gives you. And the problem is,

827.737 - 845.007 Marc Frankel

If we develop as an industry this technical jargon moat of "you're not allowed to be in our club unless you understand these 50 esoteric concepts," well, everybody in that TPRM, vendor due diligence, third-party risk, governance, risk and compliance, AppSec, ProdSec, DevSecOps, et cetera.

845.307 - 867.585 Marc Frankel

Everyone in those ecosystems who hasn't spent the last two years intimately familiarizing themselves with this terminology all of a sudden feels excluded. So what we have invested heavily in is making SBOMs approachable to people who don't have a PhD in cyber risk management, because it can be a very valuable tool, but only very valuable if they feel like they know how to use it.

867.585 - 869.807 Kristin Demoranville

Can you get a PhD in cyber risk management?

869.827 - 873.409 Marc Frankel

You can, as a matter of fact. I used to work with somebody who had one. It was daunting.

873.549 - 880.714 Kristin Demoranville

Wow. That's really intense, actually. I'm kind of scared of what their dissertation was, to be truthful. I don't want to know that necessarily. Yikes. Absolutely.

880.774 - 898.087 Kristin Demoranville

I think that that's the premise of why we have the Bites & Bytes podcast and why we talk about this kind of thing, because we're trying to make it less daunting, less scary, less intimidating to have a conversation with cybersecurity experts and IT people, because we're all trying to do the same thing and just going about it in a different way.

898.367 - 906.735 Kristin Demoranville

And I really think that being a generalist is a really important thing these days, as well as being a specialist. But you can't be a specialist in isolation. Like you just said, you can't.

906.835 - 922.369 Kristin Demoranville

You have to be able to talk to people around you because SBOMs touch so much in so many different parts of the business, as well as, you know, cybersecurity does and IT does and food safety and all these things. We're all on the same mission, you know, safe food for all, regardless of what our role is.

922.509 - 938.276 Kristin Demoranville

And I think it's so important to continue having conversations with different aspects of the business, including these types of things, because as we digitize, it's just becoming more apparent that we don't know what we don't know. And since the food industry loves to innovate, and we love them for it, we need to make sure that they're protected.

944.008 - 963.187 Kristin Demoranville

Are you worried about software supply chain security and managing your SBOMs? Don't stress. Let Manifest Cyber do the heavy lifting. As a leader in this field, Manifest Cyber provides essential solutions to help enterprises meet the growing regulatory demands in the United States and the Cyber Resilience Act in the EU.

963.627 - 988.298 Kristin Demoranville

Trusted by Fortune 500 companies, medical device manufacturers, defense contractors, auto manufacturers, governments, financial institutions, and yes, even the food industry, Manifest Cyber automates the entire SBOM lifecycle. This ensures your organization can stay ahead of vulnerabilities like Log4Shell by securely generating, collecting, analyzing, alerting, and sharing SBOMs.

988.658 - 1006.378 Kristin Demoranville

With Manifest Cyber, you'll be patching and remediating faster than you can say cybersecurity while smoothly meeting those regulatory requirements. For more information and to request your very own SBOM, email info at manifestcyber.com or find us on the web at manifestcyber.com.

1014.249 - 1029.569 Kristin Demoranville

So Marc, can you give the top five things, if you're concerned that you might have an issue with SBOMs in your company, like what to do? And I don't necessarily need you to go into massive detail. I love these six-year-old explanations you're doing, because for myself as well, even though I am familiar with them, it helps. So thank you. Sure.

1030.069 - 1047.556 Marc Frankel

I have a six-year-old, so I have plenty of experience explaining things to six-year-olds. Excellent. It's a great question. First and foremost, I would say you need to check the regulations. There has been a raft of regulatory requirements over the course of the last three years requiring SBOMs for different industries and different geographies.

1047.737 - 1066.185 Marc Frankel

And so, to name a few: Executive Order 14028, signed by President Biden. I guess I've deviated from the six-year-old thing here for just a moment. But President Biden signed an executive order requiring anybody who sells software to the U.S. federal government, enabling the U.S. government to require SBOMs from those government contracts.

1066.205 - 1083.073 Marc Frankel

Similarly, the FDA has started requiring SBOMs from medical device manufacturers. So they have said that they will refuse to approve any new software-enabled medical devices unless the pre-market submission is accompanied by an SBOM. For your listeners specifically, the Cyber Resilience Act in the EU...

1083.553 - 1107.386 Marc Frankel

which was, and I'm not an EU legislative policy expert by any stretch of the imagination, but the enforcement will begin in two years. So if you have business operations that involve the generation of software in the EU, much like GDPR, you know, touches just about everybody who interacts with the EU, you may be required to produce those SBOMs to a regulator in as little as two years' time.

1107.506 - 1121.092 Marc Frankel

So step number one is check the regs. Do you operate in Europe? Do you touch any of these other regulated fields? Step number two is check what your downstream customers are requiring. So it's a little bit different if you are physically putting together a box of cereal.

1121.172 - 1142.142 Marc Frankel

But if you are in the food delivery, food manufacture industry and you have software enabled assembly lines or you have quality control capabilities or you have anything that involves software, you may be required in the not too distant future by your customers to provide these SBOMs to them. So step number one is regulation. Step number two is the customer mandate.

1142.282 - 1159.67 Marc Frankel

Step number three is to check your internal DevOps and DevSecOps capabilities. So do you, with every new version of every new software application that your company develops, do you have an SBOM? Do you have an inventory of what are the third party and open source components that went into this piece of software?

1159.91 - 1165.952 Marc Frankel

So that when something goes bump in the night and a new vulnerability is disclosed, you can be one click away from understanding.

1166.012 - 1180.776 Kristin Demoranville

And before people go, oh, my company doesn't develop software, you probably do and you don't realize it. Because a lot of the- Chuck E. Cheese developed software. Right, that's terrifying. Because I immediately thought of the mouse moving around and I thought, well, that's probably a software built in the background. I thought of the ball pit.

1180.996 - 1200.475 Marc Frankel

You know, like I'm equally pooped out by the ball pit. But yes, every company, whether they want to be or not, is in the software generation space these days. And then I think I'm up to four. I don't recall specifically. But the last one that I would close with is you're generating software, but your vendors are providing software to you. Go back.

1200.655 - 1213.363 Marc Frankel

Look at your third party risk management, vendor due diligence procedures. If it doesn't say in question, question 1A ought to be what's the name of your company, Mr. Vendor? Question 1B ought to be upload your SBOM.

1213.563 - 1231.873 Marc Frankel

If you are buying software from a vendor who can't tell you or who won't tell you what's inside that software, you have a duty to your company to examine whether or not that's a vendor that you're comfortable doing business with. And it's not in an effort to like be a jerk to AWS or Microsoft, you know, right?

1232.053 - 1251.939 Marc Frankel

It's the long-tail companies that you work with, that you have accumulated over the years, that now touch business-critical functions. Imagine, you know, the Log4Shell situation of having to call each one of them and say, hey, are you affected? The best time to start requiring SBOMs was 15 years ago. The second best time to start requiring SBOMs is today.

1252.119 - 1269.211 Kristin Demoranville

Yeah, definitely. And I think a lot of people just need to take a look at third party risk management. And that doesn't necessarily mean on a cybersecurity front, there's enterprise third party risk management, you know, and what is your company actually doing? Are you managing your vendors? Are you asking questions? Are you being due diligent? And to me, this is part of food safety culture.

1269.551 - 1286.383 Kristin Demoranville

You have to be due diligent. People are coming into your facilities, whether it's digitally or physically, they should be questioned at the door. And not just because you're an exclusive club, mainly because you're an exclusive club, but you have to have bouncers and that's what this is. This is about protecting the food systems that we have because we have to do it.

1286.563 - 1290.846 Kristin Demoranville

We now live in a world that has changed. This wasn't a question 20 years ago.

1291.206 - 1314.655 Kristin Demoranville

Necessarily. And now, all of a sudden, it's become that. I think about, like, the chipsets for boards and things like that. I've watched them being made in factories before, and I often question, does anybody have, what happens with the software that goes on this? Do we have, like, a list of things that go on this? And people always looked at me weird, and I was like, but I'm just curious, like, what are you doing? And the question always was, it goes to the vendor and then they do what they want with it. But we made the board. Are we responsible?

1314.935 - 1330.403 Kristin Demoranville

I don't know, like those kind of things start to come in my mind for when I talk about SBOMs because where does the responsibility really lie? You know, is it, I think it's both parties. I think it's the receiver and the giver for sure have to be responsible on both sides of the house for what they do with their software. It's basic hygiene, really.

1330.703 - 1343.07 Marc Frankel

Yeah, we're getting to the point, I mean, financial services, this is a very widespread and common practice. The defense industrial base, it's becoming very widespread and common. Medical device manufacturers, auto manufacturing, etc.

1343.63 - 1355.966 Marc Frankel

You would never in a million years let an 18 wheeler through the front gates of your food production facility without asking who's the driver and what's inside this container. You know, it just wouldn't happen.

1356.066 - 1361.634 Kristin Demoranville

And you wouldn't even let your driver in the door. They sit in like a caged area inside the warehouse, generally speaking.


1362.074 - 1378.547 Marc Frankel

Yeah. However, software became kind of a bit of a boiling frog problem. Right. You know, all of a sudden now we start off with this like very slow adoption. Hey, we have software in these places, but the software was generated by IBM or whoever. And, you know, they're responsible for every line of the code.


1378.748 - 1402.37 Marc Frankel

Now, between 85 to 90 percent of software applications that are delivered, you know, that are sold, are open source, are pieced together from open source. And that, you know, if you're not maintaining an inventory of that open source, you have effectively unbounded exposure. Something like 68% of cybersecurity professionals in a recent poll named software supply chain as their biggest blind spot.


1402.43 - 1419.923 Marc Frankel

This is a massive problem. And the nice thing about SBOM is that, particularly from a TPRM perspective, this is not a particularly hard solution for security professionals to implement, right? You already have vendor due diligence questionnaires. You already have third-party risk management processes in place.


1420.183 - 1436.072 Marc Frankel

Adding an additional, we have like a whole playbook for how to automate the process of requiring SBOMs. This doesn't have to be a scary thing. Oftentimes where people get tripped up is it's just like, hey, that seems like a really niche, complicated, convoluted field. And like, I just don't even know where to begin.


1436.232 - 1453.186 Kristin Demoranville

I think that's because people try to boil the ocean when they just need to make a cup of tea. One of my favorite quotes from a friend. It's true, though, right? Because when you look at it as a whole, it's like, oh, my goodness, like this is so much. And then you center it down to like that one warehouse that you're working with or that that one particular facility you're in.


1453.206 - 1468.935 Kristin Demoranville

It gets a little easier to deal with because if you can get it to work in one of your production environments or your your farm or any type of industry you're in, you'll be able to duplicate it. It should be fairly easy. It might be a little more nuanced in some places, depending on what you have, if you have different regulations that are based on that.


1468.995 - 1485.458 Kristin Demoranville

But generally speaking, you can duplicate the work. It's not like you're gonna reinvent the wheel every time. And I think that's what people get stressed about because supply chain in general is so daunting because you're looking at the whole supply chain. It's ginormous. You can't do that. You have to look at it and like, how does it affect me?


1485.518 - 1499.129 Kristin Demoranville

And I always tell people, get a whiteboard or something or a piece of paper. And literally draw like your facility in the middle and then figure out everything that's around it and then go after it one at a time, you know, and then if you can attack a couple at a time, great.


1499.269 - 1517.029 Kristin Demoranville

That's how you deal with supply chain, really, in like the most basic bare bones sense in terms of security and or management in general. Yeah. And I'm sure there's some supply chain people that are listening, like, No, it's so much more complicated. No, it really isn't. Like it really is that much of a breakdown. You don't have to make it difficult. You're just making it difficult.


1517.049 - 1535.067 Kristin Demoranville

Don't make it difficult. You need to make it simple. And especially with the food industry that's running in a rapid rate, they're forecasted out. This is a lot of stuff going on. We're innovating. We're preparing for the future at all times. Nobody's got time to sit there and deal with the detailed daunting tasks. So if they can replicate it and do it faster, they will.


1535.287 - 1548.722 Kristin Demoranville

Or if they can automate it in some capacity, also will help. I mean, we have things like AI. I know open source is a scary thing, but that is going to help in this situation at some point, I'm sure, because it can analyze massive amounts of data, which a human being can't do. So...


1549.082 - 1567.673 Kristin Demoranville

Marc, as I'm saying all that, I'm now wondering what does Manifest Cyber do in this world and how are you helping people get through this? Because clearly this is something that everybody's going to probably either need help with or to scale up, or if you're a small shop or even if you're a big shop, you're going to need a little support because again, like we said, can't boil the ocean.


1567.693 - 1568.674 Kristin Demoranville

You can only make that cup of tea.


1568.894 - 1585.126 Marc Frankel

Yeah, exactly right. Our goal at Manifest basically is to make SBOMs the easiest thing your organization does. Forget about CycloneDX versus SPDX. Forget about version 1.5 versus 1.6. Forget about OpenVEX versus CSAF. Forget about CPE to PURL matching.


1585.426 - 1600.336 Marc Frankel

We want to abstract all of this away so that organizations like your listeners can get to software supply chain security without, again, having to have a PhD in cyber risk management. And the way that we do that is a number of ways. One is we automate the SBOM generation process.


1600.616 - 1620.664 Marc Frankel

So for your developers who are generating new software applications on the back end in the CI/CD pipeline, we are automating every time they hit build or every time they hit push or publish or whatever, it generates, it stamps out a new SBOM and that SBOM flows into the Manifest platform. So in an ideal world, no human hands touch this artifact.


1620.824 - 1641.495 Marc Frankel

And yet you ended up with an inventory of every third party open source proprietary component that went into the piece of software that they developed. That's step one. Step two is requiring SBOMs from your vendors. And here we've developed this SBOM outreach playbook, which, by the way, it's not like, you know, a proprietary thing that you have to go to Barnes and Noble and spend $50 on.


1641.635 - 1661.294 Marc Frankel

Anybody who's listening, if you want it, we'll give it to you. We're all fighting the same fight of pushing for software supply chain transparency. I'll drop it in the show notes, the link to it. There you go. What we realized was that the meaningful hurdle to deploying an SBOM requirement to third parties was all the administrivia that surrounded it. What's the contract language that we put in an MSA?


1661.634 - 1674.723 Marc Frankel

What's the OneTrust question that we add to our survey? What's the email that we write to our vendors explaining what it is we need and how we need it? What's the follow up email? And so we've just created more or less like Mad Libs templates.


1675.063 - 1675.924 Kristin Demoranville

That's awesome.


1676.084 - 1693.777 Marc Frankel

You know, it's like, you know, dear vendor name, Enterprise is requiring SBOMs because we are concerned about, you know, software supply chain visibility. You have blank many days, you know, and it's almost like Mad Libs. Try not to put in, you know, all the things that you would have put in the back of like, you know, your fifth grade bus ride home when you were doing Mad Libs.


1693.957 - 1716.696 Marc Frankel

But the idea is to- I mean, you could, but- You could. You'd probably be in big trouble. You would, yeah, yeah. Dear Bozo. Yeah, no. Uh- But the idea is to templatize this as much as we possibly can to make this the first customer that we ever had who required SBOMs. We needed to generate all of this from scratch. Every one of our customers thereafter ought to be able to build.


1716.816 - 1736.869 Marc Frankel

So we've templatized the process of requiring SBOMs from your vendors. We even built a capability in our platform that we call Ask to solicit SBOMs. If you know your vendor's email address, we'll take care of the rest. And then once you are generating SBOMs for your internal applications and requiring SBOMs from your third party vendors, we are automating the analysis, right?


1736.929 - 1756.697 Marc Frankel

So you're still not touching the JSON file, we are comparing it to leading vulnerability databases, the NVDs, the OSVs, the EPSSs and the KEVs of the world to analyze this. Some cases really the luminous JSON file to say, hey, here's where they have a component that matches a known software vulnerability.


1756.857 - 1773.27 Marc Frankel

And then we are contextualizing that to tell you these are the ones that have been proven to be exploitable or these are the ones that are likely to be exploitable. And these are the ones that you probably don't really need to care about. And so we give you a walk-up usable view of how good or bad should you feel about this SBOM in human consumable language.


1773.51 - 1786.38 Marc Frankel

And all of that is in service of the next time there's a Log4Shell or SolarWinds or Apache Struts or whatever, you're one click away from understanding which of my vendors and which of my software applications are affected, as opposed to 50,000 hair on fire phone calls.


1796.53 - 1832.34 Kristin Demoranville

We'll be right back after a short break. Or if you would prefer a less personal way to share your feedback, we also have an audience survey available in the show notes and on the website. Did you also know that Bites and Bytes Podcast has an Instagram and LinkedIn page? Check us out and give us a follow on both. Thank you for those who already do.


1832.62 - 1845.568 Kristin Demoranville

Lastly, if you enjoyed the show, please rate us on your listening platform. Believe it or not, this really helps the show and encourages others to find us. As a listener, you are part of the show and your support is paramount. Thank you so much. Now back to my conversation with Marc.


1858.775 - 1870.422 Kristin Demoranville

And especially if you're doing food defense investigations or any type of food safety investigations, you will have probably at some point have to look at an SBOM just to understand what happened with the software if it ended up being some type of a cyber physical situation.


1870.582 - 1885.349 Kristin Demoranville

And I think that's super important, to be able to know where that is and be able to work with the people who can probably translate it for you, because some of it won't be overly, as you say, easy to read, basically. Yeah, some of it will be a little bit more daunting. So being able to work with those teams and knowing which teams to go to is important, too.


1885.59 - 1897.315 Kristin Demoranville

And again, this goes back to having a strong third party management team that actually knows your business and what you're doing. And that's super important. You know, you touched on this a bit, Marc, that we isolate a lot inside of our different silos, of course.


1897.615 - 1911.746 Kristin Demoranville

And I think it's really frustrating to me that a lot of times when you work in certain aspects of security, you actually don't even really understand what the company is doing or what they are. Are they a manufacturing company? Are they an entertainment company? Are they a food company? Or what are they?


1911.946 - 1924.48 Kristin Demoranville

And I think it's super important, especially within food safety culture, that you identify and make sure everybody understands that we are making food, we are a food company, but we also are a food manufacturing company, as an example. And I know that seems really stupid to say, but people forget.


1924.66 - 1942.079 Kristin Demoranville

People forget what they're doing because they get so isolated into, I am running the numbers and accounting and finance, and I am the HR person. I'm just dealing with people. And I think some people forget the main mission is good, safe food for all, full stop. And as long as everybody goes to that beat of that drum, it runs smoother. Trust and believe. It really does.


1942.219 - 1959.974 Kristin Demoranville

And people are like, oh, Kristin, culture. Oh, it's this whole, you know. Yeah. All right. Get over it. Like it is. This is what has to happen. I would like to continue eating safe food. I'm sure Marc would like to feed his family and eat good too. Yeah. And if it comes down to that, you have to actually start really working hard to make SBOMs easier to deal with for food. Yeah, do it.


1960.154 - 1974.304 Kristin Demoranville

It's not a problem in that regard. It's just the, again, everybody's like, oh, no, it's probably too daunting. Again, boil the ocean. Don't do that. You know, make the tea. And you've created a platform that makes tea. It doesn't boil the ocean, which is great.


1974.504 - 1991.79 Kristin Demoranville

And I really appreciate the fact that you've put it in common language and you really have kind of formed up that common language for people so they understand what it is and what it isn't, which is what regulations are supposed to do, right? Automove is a great example. They created a language set that everybody can speak to. Now you're creating a language set for SBOM, so it's not so daunting.


1991.95 - 2010.102 Kristin Demoranville

Granted, we have the worst acronym, I think, out there. It's okay. We'll just, we're going to roll with it. I mean, I'm sure there are worse ones out there. And if you heard any acronyms on the show today that you were like, what was that? Don't worry about it. It's fine. Honestly, you can Google it if you want, but don't worry. I can't even keep track of all of them either.


2010.242 - 2024.313 Kristin Demoranville

And all of the government acronyms too, on top of all the security ones and the IT ones, it gets a very yikes. And then the food industry as a whole has a ton of them as well. So as humans, why are we doing this? Why do we, why do we do this to each other? Cause this just creates confusion. Yeah.


2025.345 - 2039.639 Marc Frankel

Well, it comes from a place of good intent. And I think that that's important to remember is that you have people who have spent literally years, if not decades, in service of software supply chain security. And some of them will spend years, if not decades, more advancing the cause of software supply chain security.


2040 - 2062.192 Marc Frankel

And if they hadn't defined CycloneDX and SPDX and CSAF and OpenVEX and whatever else, we wouldn't be able to make it easy and approachable because there wouldn't be a thing to make easy and approachable. But that being said, when it rises to the level of creating a barrier to entry, that's when, you know, a translation capability or a tool set to automate this and put it on rails is warranted.


2062.572 - 2071.276 Marc Frankel

I would advocate to anybody who's considering creating an acronym, anything with the word BOM in it, probably not great just from like a TSA perspective, but yes.


2071.696 - 2076.359 Kristin Demoranville

I mean, how do you talk to people on the plane, Marc? You're like, yeah, I work with an S-bomb company. People are like, what?


2077.099 - 2102.134 Marc Frankel

Yeah. It's not the easiest thing to fly with necessarily. We give away these little squishy bomb-shaped balls with the letter S on. But when you're traveling with a backpack full of them to a conference, Wow, that's intense. But yeah, I think, so the last thing that I'll say just about the everybody has to remember their mission is we as a company are, I mean, we're driven by mission.


2102.174 - 2118.003 Marc Frankel

We're not here to like buy something for a dollar and sell something for two. There's a whole field. You know, if you want to work in Excel, you're welcome to do that. But the types of customers that we support, the Air Force, Department of Homeland Security, auto manufacturers, defense contractors, food security, et cetera, everyone has a mission.


2118.203 - 2135.986 Marc Frankel

They're contributing to the not just the continued survival, but the success of our way of life. And you said, you know, I want to make sure that I feed my children trustworthy food. I want to make sure when we go into a doctor's office, they can access my kids medical records.


2136.187 - 2149.611 Marc Frankel

I want to make sure when I drive a car that it can't be hijacked by somebody with like a really powerful transponder standing by the side of the highway. You know, all of these are becoming real world concerns as our world becomes more and more dependent on software.


2149.871 - 2168.959 Marc Frankel

One of the best lines that I've ever heard is the software supply chain is the most valuable supply chain that humanity has ever created. And yet it's the one in which arguably we have done the least to provide visibility into. And so when I read things like major hospital systems can't access their medical records or I speak to you and we contemplate


2169.119 - 2185.19 Marc Frankel

the implications for food security, this has real world implication. And if the only thing that's stopping a major provider of this essential service from having visibility into their software supply chain is walk up usable tooling and templatized deployment mechanisms, we have a duty to create them.


2185.27 - 2201.242 Kristin Demoranville

Yeah, well said, well said. And I do think that the world is kind of spinning madly round, we'll call it a song. And I think that a lot of people get stuck on, I call it the shiny, especially when you go in and do a factory tour and they walk you through the lines and it's like the VIP tour and they roll the red carpet out and you get to see all it.


2201.382 - 2216.216 Kristin Demoranville

And all you look at about what's coming off of the belt, kind of like those TV shows that you like inside the factory. Yeah, sure. And you're just like, ooh, look at that stuff. And I always say, stop getting stuck on the shiny. You need to start looking around it. You need to start seeing what's going on, how is it supported and put up. And that starts a lot with people in process.


2216.236 - 2235.174 Kristin Demoranville

So I like that you've actually handled this on a people process aspect rather than just attacking the tech. Because the tech is important to work with, but ultimately people are going to undo or make it better or make it worse or do all these things around it, manipulate it in some way, based on the processes they use at each facility. So it's not always a cookie cutter situation.


2235.535 - 2251.543 Kristin Demoranville

It's more of an organic kind of living situation. I think that's why supply chain management is so daunting because it's like this living organism that kind of keeps changing and adding things and removing things. And now we have new ways of moving product and we have new types of software that are coming in.


2251.563 - 2262.188 Kristin Demoranville

Then AI jumps in and then it's like all these things and it's just, some people are just like, whoa. And then I think to myself, how does the animal kingdom actually work, right? Like all these animals live together. I was having this conversation with my partner yesterday.


2262.208 - 2277.516 Kristin Demoranville

We were walking around our little lake and he said, do you think the birds talk to each other or do they talk to like the turtle or like the ducks? And I said, I don't know. I think they just acknowledge each other, right? Like they just kind of live in harmony. Like it's kind of there. I said, us humans could really take a beat on that because, you know, we should just live in harmony with it.


2277.676 - 2286.14 Kristin Demoranville

And that's, it kind of comes back down to that systems thinking aspect where, you know, everything's kind of in its holistic cycle and that's how the supply chain is. It's a cycle. Ultimately.


2286.38 - 2301.466 Marc Frankel

Yeah. I love that because, you know, I've watched that Modern Marvels show. Right. And you're like, oh, wow. Like, look at all those candy bars, you know, coming off the factory line or whatever. It would be interesting to say like, hey, what's behind that door? Oh, that's accounting. Oh, can I see that? Nope. Nope. Not part of the tour.


2301.686 - 2309.949 Marc Frankel

Like, you know, you don't want to see those, you know, big stacks, the reams of paper or the change control board meeting that was supposed to happen.


2309.969 - 2312.07 Kristin Demoranville

Or the data center that was inside the women's room.


2312.27 - 2312.97 Marc Frankel

Yeah. Right.


2313.11 - 2320.174 Kristin Demoranville

You know, at some point I should do some more stories because I got them, going in and out of factories. And I'm sure you do too, Marc, when you've heard CFC things.


2320.854 - 2333.86 Marc Frankel

And it just goes to show you, you know, if anybody deserves visibility, like we have it, we have a duty to do this. We have a duty to get it right. Much like any of your listeners have a duty to make sure that they understand what's inside the 18 wheeler that pulls up to the front gate.


2333.98 - 2354.232 Marc Frankel

They also have a duty to understand what's inside the software application that pulls up to the proverbial front gate of their network. And in the rapidly changing cyber threat landscape to monitor those things, not just when you bought it, but every day thereafter. And it's kind of crazy that it's 2024 and that's not just common practice everywhere.


2354.392 - 2363.699 Marc Frankel

But it's going to take hardworking individuals like yourself, like your listeners, to get us to a place where we can recover from the growth of open source software without an accompanying inventory.


2363.939 - 2379.911 Kristin Demoranville

You know, I often say that a cyber attack is going to happen. It's just a matter of when, not if now. We're really that far down this line now. And staying resilient through it is what we're trying to do. Meaning you don't lose your business. You don't have to fire your people. You can keep things moving. You can keep the food safe.


2380.071 - 2395.805 Kristin Demoranville

So really, in reality, SBOMs are just trying to keep people resilient. That's just all it is. You know, as long as you know that, you can deal with it. If you don't know, then you've got a problem. And nobody wants that like bill that shows up in the mail from something you probably did 10 years ago and totally forgot about.


2395.925 - 2413.522 Kristin Demoranville

You know, it's like that kind of like, oh, that anxious feeling, that horribleness, that shame that hits you like a ton of bricks or something to that effect. I think people need to look at it like that, where we're mitigating the shame of you not knowing. And also we're making sure that when something does happen, that you can survive it. That's the important part.


2413.542 - 2429.811 Kristin Demoranville

And I really think that that's what we need to talk about more inside of cybersecurity and in I.T. is how we're going to get you through this, because it's going to happen. Nobody's safe anymore from cyber attacks or scams or any type of ransomware or anything like that. all the due diligence you do up front is going to keep you strong. And that's what we want you to do.


2429.831 - 2446.882 Kristin Demoranville

We want you to be strong so you can survive that said virus or that said situation or somebody fat fingered something and something happened on the line or whatever happened. We want to make sure that you can get through it. And the nice thing, too, is that you're also providing help for your other factories that are in different companies that are inside your company, because if you have


2447.102 - 2461.409 Kristin Demoranville

really good handle on your SBOMs, that's going to be great for those other factories because everybody makes food for everybody else's factories. And, you know, it's a whole chain. It's a web. So I think that you're helping a neighbor out almost if you do this correctly. Right. And I think that's an incentive in itself.


2461.569 - 2472.315 Kristin Demoranville

Feel free to use that, Marc, for your company taglines, like helping a neighbor, because it's true. That's what you're doing because you're ultimately helping others by making sure you're OK. And I think that that is, again, another thing that people don't think about that often. Mm hmm.


2472.515 - 2486.804 Kristin Demoranville

So, Marc, as we're coming to a close here, and I've really enjoyed this talk because I love it when people make things simple. Talk about the future of SBOMs and where you see the supply chain moving. And I just want to know what you think the next couple of years are going to look like and what we should be on the lookout for.


2487.409 - 2508.854 Marc Frankel

Yeah, it's a great question. The next frontier of this, the equally scary frontier, is much like we consume software, unfortunately, without asking what's in it, so too do we consume AI applications without asking what's in them. And if you had AI on your bingo card for this podcast, congratulations. Hopefully it was the center square and you win. You know, everybody's talking about AI.


2509.095 - 2531.032 Marc Frankel

AI is eating the world. We're sprinkling AI fairy dust on everything. The boring, unsexy, infrastructurally critical work of documenting which models does this AI application use and which data sets are those models trained on is absolutely essential. We only get one opportunity to close this barn door before the horses all run out of it.


2531.372 - 2544.797 Marc Frankel

There are hundreds, if not thousands of AI applications, I'm sure, in use in the food service industry every single day. For your listeners or for you, Kristin, ask yourself, which models do they use and which data sets are they trained on? Where's that list?


2545.017 - 2562.566 Marc Frankel

What happens if one of those data sets is found to be problematic, either accidentally because it biases against a certain race or a certain religion or a certain hair color or whatever, or intentionally because the Chinas or the Russias or the North Koreas of the world poisoned a particular data set, or because it contains illegal information.


2562.606 - 2580.62 Marc Frankel

I'll tell you one very quick and scary story, and then hopefully we can end on a more positive note. But if we don't have an inventory of what's inside the stuff that we buy, writ large, doesn't matter if it's AI, doesn't matter if it's traditional software, doesn't matter if it's Raisin Bran, we are vulnerable when the upstream components are found to be problematic.


2580.74 - 2599.164 Marc Frankel

The terrifying story that I will tell you is that the most common, the most popular text-to-image model, you know, you type in, make me a picture of a cat wearing a sombrero, and it generates a picture of a cat wearing a sombrero. The most popular text-to-image model is called Stable Diffusion. It's in use very, very widely. Different applications use it.


2599.364 - 2613.879 Marc Frankel

Stable Diffusion is trained on a number of different data sets. One of them is called LAION-5B. Again, the names here don't really matter. But this training data set had 400 million text-to-image pairs. So it had a picture of a cat when it said the word cat, it had a picture of a pencil for the word pencil.


2614.039 - 2635.03 Marc Frankel

Security researchers at Stanford in December discovered that this training data set contained over 1,600 images of child pornography. Accidentally. Accidentally. Nobody did this on purpose. This wasn't anybody's fault, right? This is an artifact of what happens when you hoover up at scale 400 million images and then put text labels on them.


2635.13 - 2647.137 Marc Frankel

So all of a sudden it becomes this like rapid question of, what did we train on LAION-5B? Oh, we trained Stable Diffusion. Where do we have Stable Diffusion deployed? Well, I don't know, because we haven't been requiring that from our AI.


2647.257 - 2664.871 Marc Frankel

And so the future, what I anticipate the future of the BOM or the technology supply chain field to be is going to be a concept known as AI BOM, artificial intelligence bills of materials. It's the exact same problem. We need a better name. We need a better name. I don't name these things, but it's the exact same problem as SBOM.


2664.911 - 2681.157 Marc Frankel

It's the exact same problem of we found out that there was, you know, pencil shavings in, you know, a box of cereal. It's the exact same problem of whenever you have upstream components and downstream components, you have a duty to inventory the upstream components so that you know how to remediate when one of the downstream components is found to be wrong.


2681.297 - 2702.404 Marc Frankel

And that's really where I feel the industry is going is transparency, not just for traditional software, not just for on-prem software, not just for artificial intelligence, but transparency across the technology supply chain. Because otherwise we're going to end up in some pretty scary situations where our businesses are built on technologies that we don't have a full accounting of.


2702.604 - 2706.786 Marc Frankel

And when that happens, you know, there's going to be a lot of finger pointing and a lot of tough questions being raised.


2706.966 - 2727.543 Kristin Demoranville

Yeah. And to end on a positive here. We will. I can get you there. I think what I heard in that was there's opportunity, especially within the food industry specifically, because they are already doing this work very well when it comes to food traceability and the new laws that are coming out with that. And I think that this is just one in the same.


2727.663 - 2731.788 Kristin Demoranville

So if your organization is already on that journey, then culturally you're good.


2731.928 - 2748.026 Kristin Demoranville

Like you're going to get there all the way through with SBOMs as well, because you're going to need it for that transparency aspect and that traceability aspect, because you're going to need to know what software is touching your product, whether it's the machine that's running to make your perfectly round cookies or whatever, or something to that effect.


2748.066 - 2764.486 Kristin Demoranville

And I think that's super important to acknowledge is because the food industry is really good at that because they're doing it for the right reasons, the mission, as you said. As a whole, I will say this in a broad sense, in a very optimistic sense, I think the food industry is going to adopt very easily and very well to this. Other industries will struggle.


2764.506 - 2776.198 Kristin Demoranville

I don't want to pick on anybody and I'm not going to. But there will be some industries that will have trouble with this because there's too much change. There's too much regulations. There's too much everything. And they won't, they'll be boiling the ocean instead of making their tea again.


2776.338 - 2786.948 Kristin Demoranville

I think that that's what I like about the food industry is because the innovative nature, the constant change that's always there. So I think that they can roll through this. The food industry as a whole is really going to adopt this easily.

2786.968 - 2797.718 Kristin Demoranville

And I'm sure you're already seeing that, Marc, in your own work, when you have these conversations, especially with the food side, they're like, oh, yeah, OK, totally get that. That's good. Like that kind of thing happens. We understand.

2797.938 - 2821.861 Marc Frankel

Yeah, absolutely. That cultural muscle of, of course we have to know where this thing came from, and of course we have to know what's inside of it. We see it in automotive, we see it in manufacturing, we see it in food, we've seen it in pharmaceutical, certainly. Where we have a harder time is in verticals that are not as reliant on intimately understanding their supply chains writ large.

2821.961 - 2838.926 Marc Frankel

They don't have that muscle. They don't have that institutional mantra of, of course we have to know where all this stuff came from. And that's where it's, you know, harder to make the case. But no, I'm with you. I anticipate that food manufacturing will be an area that will adopt the concept of an SBOM. These are large, complex organizations.

2838.966 - 2845.768 Marc Frankel

I'm not going to go so far as to say easily, but culturally and philosophically and ideologically, they're on board.

2846.268 - 2860.911 Kristin Demoranville

Absolutely. And I think that is probably the best place to leave it. Marc, thank you very much for your time and being here. And I'm sure we'll have you back on the pod at some point, because this is going to constantly be a topic that we're going to have to bring up. It'd be nice if we could get an AI expert on at the same time as you and we can kind of hash that out.

2860.931 - 2871.593 Kristin Demoranville

I think that'd be a fun time. But anyways, thank you very much. And all of Marc's information will be in the show notes too. So if you have any questions about his company or any of the other thoughts and feelings, please let him know.

2871.613 - 2872.393 Marc Frankel

Thanks for having me, Kristin.

2878.988 - 2899.144 Kristin Demoranville

That's all for today's Bites and Bytes Podcast episode. A big thank you to Marc Frankel for joining us and sharing his invaluable insights on SBOMs and cybersecurity in the food industry. All of Marc's information will be in the show notes. Don't forget to check out the new merch store on the website. Like, follow, and subscribe to our social channels and wherever you listen to the podcast.

2899.384 - 2906.85 Kristin Demoranville

Thank you for listening as always. And remember, stay safe, stay curious, and we'll see you on the next one. Bye for now.
