Blog

Making SBOMs Actionable Webinar [On-demand Session]

Jul 20 2022/Webinar/32 min read
Learn how to improve your supply chain security workflow, enhance visibility, and prevent a disaster like Log4J by using Syft, Grype, Cosign, and Cloudsmith as the container registry in this 1-hour webinar available to watch on-demand.

Learn how to improve your supply chain security workflow, enhance visibility, and prevent a disaster like Log4J by using Syft, Grype, Cosign, and Cloudsmith as the container registry in this 1-hour webinar available to watch on-demand.

Can't see the embedded YouTube video above? Click here.

Have you seen the news lately? Software supply chain attacks are becoming the new normal. Now more than ever it's time to make Software Bill of Materials, or SBOMs a core part of your process for building and shipping software. In fact, The Linux Foundation research team revealed that 78% of organizations expect to produce or consume the Software Bill of Materials (SBOMs) in 2022

This on-demand session explores how to improve your supply chain security workflow, enhance visibility, and prevent a disaster like Log4J by using Syft, Grype, Cosign, and Cloudsmith as the container registry.

Featuring:
Christopher Phillips, Senior Software Engineer, Anchore
Alison Sickelka, VP of Product, Cloudsmith
David Schmitt, Staff Engineer, Cloudsmith
Moderated by Ciara Carey, Developer Relations, Cloudsmith

Transcript:
(00:00) Great and to analyze your s-bomb chris is going to talk about his his tooling and then i'll go into Cloudsmith's integration with Sigstore to let you host sbombs then we'll finish up with a demo on making sboms actionable and um we'll have our fireside tap chat with our team and answer any questions you guys have so before we start there's a few housekeeping things are um we have a moderator today hillary thank you for all your work and she's going to be monitoring all the chats so we're streaming on four

(00:35) different platforms if you're on if you're on twitter and youtube we can't you can't actually use the chat or the pearl function on but we will be watching for your tweets same with linkedin we're on if you um chat in linkedin chat hillary's going to be there looking for questions so please stay to the end and we're giving out three different prizes it's like what do we call it the cloudsmith prize pack i think that's right so uh yes you have to stay till the end and uh another thing is if you want to

(01:08) watch this later this is going to be available on tiesmith.com for slash block before the end of the day yeah so let's get started oh sorry a few introductions i'm Ciara Carey I work in developer relations at Cloudsmith i started there last year and before that I was a software developer for over 10 years so i'll pass it on to Christopher. Hey guys my name is Christopher Phillips i'm a senior software engineer at Anchore and if you've ever interacted they've done pull requests on sifter gripe you've probably seen me on the issues or

(01:45) just helping you get along so can't wait to meet everyone and show off the tools.  I'm Aliison I am vp of product at cloudsmith and hi i'm David Schmidt staff engineer at Cloudsmith i've been building out the uh the sbomb storage on large service and so on here for for that background. So a little bit about Cloudsmith, Cloudsmith is a cloud native fully managed package management as a service our mission is to help organizations

(02:30) address the complexity of managing software artifacts at scale so across many teams or in support of many customers by solving those problems for them we can then deliver on our vision which is helping organizations solve problems of trust by becoming that single source of truth for them so we can become that single source of truth for the assets the data the dependencies of their software assets all the way from source through to delivery organizations that use cloudsmith reduce their infrastructure costs they

(03:00) eliminate the overhead of management and maintenance that comes from having no solution or using other non-cloud native solutions in the space uh they can empower the development team to focus on their core business and they can control and reduce software supply chain risk through that single source of truth so that's a little bit about cloudsmith cool and then from the anchor side um i'll just talk about our open source if you go to github.

(03:34) com Anchore uh under the organization you can find sift and gripe and we just want to build the shovels and tools that help kind of an s bomb powered uh supply chain uh universe come forward so that just means that taking your docker images taking your packages your directories your distros generating sbombs and a format agnostic way and then using gripe on the other side to scan it and provide you you know amazing and hopefully accurate vulnerability reports that can help you slowly shift the left with your security

(04:05) posture and just you know your security journey as an organization carrie you're muted just as a heads up but um can you hear me now sorry about that so we're going to have our first poll um we'd love to hear if your organization is actively trying to secure its software supply chain that could be training that could be introducing new security tooling or trying that first stage of finding out all your dependencies so we'd like to hear um yeah yes no or not sure so Alison i don't know what you think i

(04:53) know you've been talking to a lot of customers about this uh yeah i'm gonna take a bet and say that a is not going to be the number one answer here but we will see hmm that's right i'll give it a few minutes it's such an emerging topic it's like since the solarwinds attack it's really realized how like um vulnerable people's software supply chain is and how there's been a lack of monitoring in that area so it's uh it'll be interesting to see what people say yeah we're we're fortunate we have some

(05:33) early adopters of software supply chain uh using cloudsmith today so we're able to see some of the uh concerns and solutions that they're looking at to try to become more secure across their software supply chain okay will we move on i know there's not many answers there but let's just keep going maybe it's because they're using those different streaming methods to watch this but um if you put your answer if you put a question into um twitter or linkedin chat we'll be listening out for that as

(06:05) well okay i'm going to start with explaining what the software supply chain is so it's basically everything that goes into building your software it's your code it's your dependencies their dependencies it's your the tooling you use your plugins your package manager your cicd tooling and your package repository so it's everything and a software supply chain attack kind of targets anything along that um along as you're building the software so any point in time it can um try to attack

(06:46) try to get into your system to change the software they generally do this by developer account takeover can happen maybe and then get into your build system and or else tricking you to downloading malicious packages or targeting vulnerabilities in your third-party dependencies so the attack surface is quite fast for this and the the first time it came into prominence was the solar winds attack in late 2020 it brought a ton of attention to supply chain attacks so a huge part of our software supply chain is open source software i think

(07:30) it's like over 80 percent of of people's software contains open source and that's because it's like it's free to use there's so much innovation when you think of kubernetes and docker of nginx linux it's like without it development would be painfully slow it's a positive source of good in the world and maintainers volunteered their expertise in time and i really appreciate them most people consume um open source software using these public repositories so um may even central or

(08:11) or npm and docker hub yeah so that's where people get their open source software from generally and a massive part of securing your software to supply chain has to be securing your open source what you're consuming and being happy that you trust that so i don't want people to think that proprietary software is less secure it's not less secure but its attackers can maximize their impact and reach um by targeting vulnerabilities in the in open source the kind of attacks that are specific to

(08:52) open source are like say targeting critical vulnerabilities in your um that are in your open source so you might have heard of recently log for shell which was a 10 out of 10 remote code execution vulnerability in a popular java package called log4j and the problem with these critical vulnerabilities is like they're actually patched pretty quickly usually once they're found but it's the long tail the amount of time it takes to fully upgrade and patch everybody that's using that software and we're not just talking about direct

(09:30) dependencies it's it might be in your software because it's a transient dependency a dependency of a dependency there was a study done in 2020 about a um a vulnerability called heartbleed in openssl which took place in 2014 and in 2020 that was still exploitable and attackers were still used scanning for this um vulnerability because it was it was a great attack vector and that so that even though the vulnerability was patched right away in 2014 it was still exploitable in 2020 so another type of attack and it's kind

(10:10) of related or a vulnerability let's say or threat is abandoned open source software so your somebody creates software pushes it up people consume it but for whatever reason the maintainer doesn't update it or maintain it they've things happen in people's lives you know and these um vulnerabilities these new vulnerabilities as they come along are not being patched not being worked on but they're still in people's code base so that's sort of connected to that critical vulnerability um issue

(10:47) there's other types of attacks on public repositories um where you can source your open source like dependency confusion attacks or typos squadron attacks where they kind of try to trick you to installing a malicious package so these are the types of attacks or threats to open source software that you've got to think about so since the the solar winds attack there's been a huge response starting with the executive order from Biden where um it said they wanted to improve the cyber security of your software supply

(11:26) chain and in it he mandated that any software that the federal government purchases will have to have an s-bomb by a certain date i think it's around now that they're updating contracts i'm not i heard it was like last year so i heard somewhere that was like around may time so i'm saying i'm going to say it right now so and another big response is that the white house brought in all the stakeholders for from um open source software so the consumers of the open source software the big tech companies of course

(11:59) the open source um representatives and they brought them in they came up with this big ten point plan there was a 150 million attached to it or something like that and one of the 10 points is s-bombs everywhere so they want to promote the use of s-bombs and invest in training and tooling so s-bombs are important yeah so i keep on talking about a sponsor i haven't really explained them so that's that's what i'm going to do now don't worry don't worry um i got my slide up here okay so and software bill materials and sbomb

(12:38) is basically a list of all the components that are in your software product it's a great way to if you have this list you can use that to see if you're vulnerable to these new um threats that um the minimum elements um to an s bomb include your dependencies their dependencies the supplier name the component name the identifiers it's quite quite a short list and then there's optional things to add to that like um licensing information and other stuff like that even vulnerability information which is a bit um

(13:17) people i know people aren't sure if you should attach vulnerabilities to your responsibility so the two machine readable formats for sbombs are sbdx and cyclone dx and they're both great um spdx is an iso standard cyclone dx came from owasp from a dependency track project i don't know Chris if you have an opinion on which is better um but they're both pretty good yeah from our side we just want to be formed agnostic like when it comes to generating lists of packages whether it be spdx cycle and dx or even like a more

(13:54) kind of data rich json format that has all the metadata possible you just want to provide the most source of truth with regards to packages into images into the software being consumed so we'll let the format wars you know happen on the mailing lists and the forums where they like it doesn't i don't know people seem to be most of the tooling seems to be trying to generate both that seems to be which is great because i think spds is more licensing stuff and cyclone dx is more vulnerability stuff but i don't

(14:20) like it that's that's sort of very high level i'm not really too sure they're both good don't worry so s bombs at their core answer the question what is in my software so another poll we've got some of the answers there to the previous poll so a lot of people say that securing your software is critical to your software so that's that's great to have and hardly anybody says not important or um i haven't heard of sponsors before today but there was one person that say they haven't heard of

(14:53) restaurants so good so much learning and um okay so the next pill the new poll is for my organization s-bombs are critical and nice to have not important or i haven't heard of s-bombs before today oh sorry that was that was this one yeah i know so here the the for the previous one we had 30 answers and 87 percent say that securing their software supply chain is is important and that they're actively trying to do that today so oh thank you all maybe for the next part i'll let you answer because i'm i'm not very good at most

(15:29) classes yeah i know yeah we already have some folks coming in on this one too so um yeah half of the people who've answered say that s bombs are critical for the organization so that's really great to hear yeah that's great to hear because sometimes it's where it feels like very early in the process and you're not sure if you're like um you're working on the right feature but it feels right i feel like it's gonna be um everywhere soon so um i'll move on people can still answer that when i move on to the next

(15:59) slide right okay okay now let's talk about tooling to support your s-bombs so the tooling will need to generate your s-bomb host your s-bomb and analyze it so cloudsmith can help six-store and of course anchors open-source stealing gripe and sift so i'm going to let chris talk about gripe sift later on and i'll just talk about a little bit about hosting so six store is an open ssf project which really tried to promote the use of like signing packages especially for open source packages to make that

(16:39) process easier to and sign things to verify them and just to use them so signing in the past is like it it can be difficult for people to especially the key management part of it to do that in a secure way can be difficult i'm going to go through a demo later on today showing um cosine six store because cloud smith recently integrated with that tooling and david has worked on this so to um to attach uh s-bomb to your container image and you can also attach attestations and that's where your sbom goes so i will move on

(17:20) i am going to pass this over now to chris oh there you go cool hi everyone uh so again my name is chris phillips and we provide some of the uh i guess base level tools uh in an open source way to help secure your supply chain so i'm gonna post the two in chat right now uh those are the github links to sift and to gripe and we can kind of move forward and show you what both of these are so the first one is we talk about making sbombs actionable but for you to actually have an actionable s-bomb uh you need to

(17:55) have one so that's where sift comes in we can generate s-bombs from multiple sources whether they be you know oci image formats the docker image format itself file system archives you name it we can do it and like i said before we're format agnostic so it doesn't really matter to us if you want cyclone dx or if you want spdx we also offer our own format which we can kind of show off but that can be converted back and forth to be more standard and kind of out there formats that people are consuming from

(18:24) day to day we also do linux distribution identification and then through our tools you can create the scientists formatted stations that um everybody's been kind of talking about as far as how do i actually trust this document now that i have it uh on the other side of things we have grape and grape is the you know title of this talk making your s-bomb actually actionable we can take that huge large.

(18:48) json document or spdx document cyclone dx document we can generate a list of vulnerabilities uh for your container for your file system again detecting most if not all major operating system packages if you see one that we don't have patch is welcome pr is welcome we want as much people contributing to this as possible um but this is kind of how we get the ball rolling uh so to kind of show that off i'm going to share my screen let's do this real fast and i want to share this screen right here all right everybody see my screen thumbs up yes verification we're good

(19:21) okay so one of the best parts about sift is that we can install it super easily if you just go to the top of our sips repo you can see a quick curl command we also offer it through brew but we know system administrators people who are writing you know scripts and want to get into the tooling curl is out there you can download it and then if i just do which zip from that great i have sift installed um let's see what it looks like to actually generate in this box so if i do time and i do sift node latest what we're going

(19:51) to do is we're going to take the base image for node latest that's up on docker and we're going to request it we're going to parse all of the packages on there we're going to build out the file system we're going to go through and dig into all the node modules licenses that are available every single piece of metadata that you could think that could possibly exist about a package on node colon latest we want to find it whether it be through npm whether it be through its actual distro that gets based that gets built

(20:18) from if they're not building from distro list yet if it exists within there we want to find it and we want to show as much truth as possible about that image so here we go we're cataloging the packages we have zero right now and hopefully at the end of the day we're going to see boom this is the list of packages and now you can see 42.

(20:40) 18 seconds so if you think about all of the time it takes day to day to analyze to build out the entire picture of an image that is a ton of compute time what if you already had that generated as a cyclone dx a json output or an spdx output that actually represents your entire package and to show you why this is important and why s bombs are kind of the future that make an action on this uh i'm going to do a quick demo so i'm going to do the same thing i'm going to generate that list of packages and i'm going to scan it for vulnerabilities so

(21:10) if i do time and i do g-r-y-p-e and i do node latest this is going to do exactly what we just did but except it's going to spit out all of the vulnerabilities that are associated with that s bond so we're going to do that and we're going to let it sit and then i'm going to do on this side i'm going to do great yeah this time right and instead of this we're going to do test.

(21:37) json so now i'm going to use the json that we outputted which is the s bomb itself and we're going to scan that instead of parsing this image each time we want to do the vulnerabilities again so let's just see how this looks insert jeopardy we're still parsing over here 17 seconds to actually do the vulnerability scan against node latest but if we generate this s-bomb again still waiting still parsing catalog 614 packages processed 1000 vulnerabilities against it and still waiting for the output probably some there we go

(22:15) oh 54 seconds so almost three to four times the compute time it would take to generate and rescan the image we want s-bombs to become this kind of base like truth of what represent what's representative within software within packages within docker images within any kind of directory and we can hopefully take that base truth of what assembles it and use it as our new like modicum of data for processes like vulnerability scanning or auditing or license auditing etc and hopefully you can see now like if you're spending so much time in your

(22:47) cloud provider to do this process here on the left over and over and over again uh you can save almost you know three times to four times x the time to just moving two s-bombs to actually scan and do your analysis from there so with that i'm going to stop sharing my screen um i guess one of the admins can bring back up the materials and we can move forward with how we can take these building blocks and put them onto a cool platform like cloudsmith oh i think i can do this oh my god it worked ah yeah it wasn't so bad that was great and i

(23:25) can confirm using sift and gripe was really crazy the only thing i didn't like doing well nothing to do with swift and gripe was like that you know the attestation using jquery to get the s1 barcode i don't like them now there does the rest of the entire ecosystem right now we're trying to find better ways to store those out of stations i promise oh okay oh no no you didn't sift and gripe poker yeah great so so now i'm going to show you a demo on how to make s-bombs actionable with the sifting gripe tooling as well as

(23:58) cloudsmith and sigstore i'm also going to be using the cloudsmith cli so i will share my screen okay i'm going to put this over here so i'm going to be using the command line but you can see all this in um i've a workflow in github actions if you'd like to see this in real life so if you want to try it out yourself okay i'm going to share my screen um i guess i want to share okay okay so i've actually already pushed an image to um a cleanser repository so you can see this one here it's an image i prepared

(24:48) earlier just to save a little bit of time like a minute i just couldn't handle it the silence and um and just to show you placement repositories you can actually host all the different types of formats let's see how many 28 different types of formats all in the same repository so these are multi-format repositories just to let you know and okay so now i'm going to start this that image that image there is i'm just going to push it again it's the same image but just to show you the process okay great and then i'm going to use

(25:29) cosine tooling to sign the image so i'm going to generate a new key and we can verify this using i thought i didn't generate a new keyboard okay sorry i'm going to generate a key now remove those keys oh okay okay yes okay overrated file key and i gotta resign it i'm sure this would be fine so now it's going to push the signature to cloudsmith oh that's because i've resigned it

(26:42) there's two signatures but don't worry about that that's my my issue so now i am going to um create i'm going to verify that signature so using my public key and it should say kira kerry signed this image now i'm going to generate my s bomb okay so you can see i'm using sift tooling here i'm generating the s-bomb for my image there and i want it to be outputted in spdx format and then that's going to be outputted to this file here i'm just gonna find all the dependencies

(27:51) in my image and then when that's finished i'm gonna add this to i'm gonna use cosine to add this s-bomb as an attestation to my image and then it'll push it up there and i can store my s-bomb alongside my image which is great yeah so this is the code for the attestation part of it i'll just put in my password so it's cosine a test say the type and then the store the s-bomb in the predicate use your key your cosine key here and you just tell it what image you're talking about so the benefit of using an attestation

(28:43) to attach the s-bomb to it it means that you can prove that this person attached this s-bomb and this is becoming more important um to prove the providence of your software these attestation statements and they're in total so let's go back to the repository and you can see this attestation attached to our container image so you can see it there yeah and then because we've um we've assigned attestation we can verify it using our public key so i'm going to verify it and then just send the output to

(29:26) um a file same kind of um it's similar cosine verified to the verifying the signature except for its it's cosine verify attestation you still use your public key and you point it to the image and you tell it what type of attestation it is okay so now we have our attestation what we want to do is we want to we want to um if we're going to be continuously analyzing this like so you have your image up on cloudsmith and you're it's deployed or whatever and you want to monitor this like using some continuous security maybe you're

(30:07) monitoring it nightly you're checking every night if there are new vulnerabilities attached to this and then you can make decisions based on that you could say if it's above a certain level of vulnerability that i am going to stop this image being deployed okay so i'm extracting my um s bomb back out from the image that's stored in cloudsmith and i've stored it in this in this um s-bomb format here s-problem file so now that i have my s-bum i'm going to say what i was talking about just a minute ago i'm going to use

(30:50) gripe the Anchore princess tooling to find out if there's any critical books and critical vulnerabilities so and if there's any critical vulnerabilities i'm going to fail this and you can use this in a workflow and the one that i posted up in the chat that that um that has a nightly workflow that will fail on a critical vulnerability great and luckily i have a vulnerability so test this out and now i'm going to use the cloudsmith cli to just get the identity of that image and then i'm going to use a new um

(31:28) new feature called quarantining that david was involved in um working on as well as s-bombs so and this will quarantine the image you won't be able to download it or deploy it to infrastructure and you can see how this can be used in a workflow to just stop a vulnerable image being deployed okay so before i show you i'll show you that it's not quarantined and then what it looks like when it is quarantined so we have our image here and we have we can use this quarantine function from the ui as well so this is basically

(32:02) using the cli to quarantine it and now yeah so here this um this little icon here lets you know that this is now quarantined and that you can't download it or deploy it so using the api doesn't work either so yeah that's our demo and i'll just kind of walk you through the um workflows on github and i've actually worked this from dan lauren's code for me from Anchore and um there's two workflows one workflow anytime there's a change to the code it will build the image um sign it using cosine

(32:50) and generate an s bomb attach that as an attestation it actually also uses gripe to attach um and attaches that vulnerability and report as an attestation and how that could be useful is that you can say when this image was built there was no vulnerabilities of a certain level and that might be useful to some organizations so we have that there and then we also now that we have our image along that stored alongside the s-bam we have a nightly workflow that will check that sbomb for new vulnerabilities and quarantine them if

(33:24) they're above a certain level so i'll let you peruse that yourself and i will stop sharing okay great i'll bring back those slides and yes so one more poll why not for your so this one is do you think that s bombs help secure your supply chain so hopefully this isn't too shocking we've demonstrated that they're useful you know and based on the responses to the other polls it seems like we should yeah we're with our people great so um and we'll talk about that later on we'll just have our little um

(34:13) far side chat now so i'm now going to talk to the gang alison, david and christopher if you want to unmute um i just want to ask you guys about s-bombs and supply chain security so i'll start with allison um why are s-bombs important to cloudsmith yeah so we talked a little bit at the start about the mission and vision of cloudsmith and we really think that as a package management solution we can add a lot of value for our customers by becoming that single source of truth for all data associated with the

(34:51) with your software supply chain so not just the artifacts but the dependencies and the data that go along with them and we see s-bombs as one of those critical pieces and it makes sense to be able to store that alongside the packages and the artifacts from your software supply chain so for us it was really important to introduce support to be able to host those s-bombs and when we were thinking about what our first pass that the feature could look like it was really important for us to understand where uh the community was headed and so there

(35:24) was a lot of development leveraging cosign um and and leveraging sbombs specifically around oci artifacts so that was um that was where we picked for our starting point for being able to host s-bombs yeah that seems like the nicest i know it's an emerging field but that's of the emerging stuff that seems like the nicest workflow working with the container image you can do the whole workflow it's still a bit up in the air about how um you should what's the best practice to host um just packages non-container images um

(35:58) so but david on from that i know when we were first thinking about us bombs i think we were thinking about generating are the ass bombs ourselves can you work us through why we didn't do that and why we might have thought about it yeah the idea was on the table at first uh but diving into the implementation and and the how it's currently being used uh it became clear that that's not where where classmates is gonna be able to to provide its value right um like uh i i think it's it became clear in looking how how sponsors get created

(36:35) that the way to go is to integrate the build or the the sbomb generation into your build process uh like chris was showing off um it even scanning a docker image uh takes quite a while right um and we want to do that once and then use cosine to attach that cryptographically verified information to the image and then based on that we can we can make the other later scans much faster and and that's where cloudsmith can help in uh hosting that um s bomb next to your packages uh or your docker images um and we can leave the gnarly bits to other

(37:20) people and i have a question here how are the attestation storage i think they're um are there metadata on the docker image itself i believe it's stored in it in a blob layer but maybe you guys want to talk about this i'll leave it to christopher and david to answer that i i wrote the integration so i i can easily uh take that nice soft one for you there then yeah yeah uh actually in inside the lci registry it looks like another uh docker image uh there are subtle differences between what the docker image and the oci images

(37:56) um but uh that's that's probably just for for people like myself who are working on implementation but in the end it's it's just another docker image that just has a file instead of a file system inside it uh right um and in in cosmos as you showed here uh you're you're just showing that it exists and you can kick into and look at the details um but really i i think the the cosines here live workflow either for for you as a user or then in in ci when you're uh building the image or in your cluster

(38:32) when you're deploying it and checking those at the stations um i i think that's that's uh much more uh much smoother than uh than anything else that we could provide from the hosting site yeah oh and uh christopher there's a question here about does um does it list the third-party dependencies this is always a tricky one i'm sure sometimes it doesn't sometimes it does and i'm not i'm actually not sure so you can tell me yeah we try our best when it comes to just grabbing as much metadata as

(39:01) possible about things that are unpublished or kind of proprietary internal software that you're scanning uh if it's only one of the ecosystems that we say we support obviously we'll go if you have some kind of code that you're installing whether it's through the rpmdb or if like a custom go binary installed in your package we'll detect that we'll find that static binary for the for the go side we'll break it down and use the debug.

(39:23) build info to find as much information that got installed into it via the compiler for other more sophisticated ecosystems static analysis we're still working on but for java for python for npm for even for rust we have some new support that's gone in for that so to say to to answer your question yeah there's some nuance where we're not doing the detection we're getting better every day but for the ecosystems that we say we support on the readme thumbs up you should get your proprietary internal code also detected in packages listed

(39:49) there cool and i i i saw that like there's gonna be um docker have done something with build kit to let you um generate it at build time is um what will that add to the s1 generated yeah what we're like what we really want is a world where again if you think of like the attestation being included kind of as a sibling to the docker image you want that also from the build kit from the get-go from the base image and s-bomb to just be provided so that we say hey i built this image and you don't have to do the analysis right you can

(40:23) just trust that we at anchor put our s-bomb along with this build kit and then you can just rip that out of the image when you pull it down now obviously just like with everything in trust and software if we mess up a couple times you go oh i don't trust those like anchor guys or those google guys anymore i'm going to make sure that you know what they say in their sbom is the same thing as the image analyzed and then you can kind of get really sophisticated dips of if people are actually saying you know our bill of

(40:49) materials is what is in our software so you can go back to them like to a vendor and say hey within the within your image you included this s bomb as part of the build kit initiative but we actually analyzed the image and we found xxxyz that's not part of that and so that kind of transparency and openness going forward just helps you know hopefully software move into a more secure place we say hey you might have had a supply chain attack because you say your s bomb is this but the image that you distributed to us had two more

(41:16) packages that doesn't jive with that manifest you provided oh cool so it's really like you could nearly audit the yes bomb using yeah that's cool and um i just wanna uh is there security professionals have to deal with a lot of vulnerabilities and sometimes it's hard to prioritize that is there a way to um help with that process i'm kind of this is a leading question i'm basically talking about banks yeah we want uh we definitely have we've offered deck support on the cyclone dx side as kind of like an integrated part

(41:46) where vendors bring kind of a vex document with their s-bomb you can plug those together and for people who are on the call and they're not like super familiar with vex the metaphor i like to use is that if an s-bomb turns all the light switches on and builds that huge dashboard of all the things you kind of have to care about compiled with a vulnerability report vex takes that and uses all the context of no that one doesn't matter we're in a private security group no that one doesn't matter no network

(42:11) attack vectors work to that no that one doesn't matter like we have our own custom like built image inside that's that package that we've signed off on and no is not vulnerable like you can make a security officer or a security analyst life easier by just turning off a bunch of those warning lights with a vex document so hopefully we can reduce the surface area that humans have to actually integrate with yeah it's because humans it's hard to get if it's security professionals those those are that's tough

(42:38) our job would be impossible if uh we couldn't automate some of the things we automate now it's just like it's a it's a it's an object-impossible task basically and so i'll answer one question just wondering where do you think um the issues lie with s-bombs and um yeah and where you think the future of s-bomb is so it's a big question i think i think the biggest issue right now is kind of what we're discussing on this call which is like making sbombs actionable it's like already people are

(43:09) being told hey you need sbombs hey you need this thing you you have to include this with your bill pack but people just don't know like what the next step forward is and then the community just like with all open sources throwing a bunch of stuff on top of it they say hey you need to attest your s bombs hey you need to sign them hey you need to store them here hey you need to keep like if you keep stacking the jenga blocks taller color it gets to the point where you know security analysts and researchers are going to go i've been

(43:29) fine forever and they throw their hands up so the the problem is is mostly like a messaging thing but as soon as you like wrap your head around the idea that your organization is paying for compute time for analyzing these things every single day there is a format that just simplifies everything if we get that to be the most accurate source of data and of truth and we can you know compare that back to an analysis of a recent image you have this kind of square one to build from and go forward and once the community like zips on that then

(43:58) there's going to be no more of these working group fights of like well why do we need this what format's the best why do we include vex or not include backs like there's just all this churn because it's such a new technology so absolutely it's emerging i suppose it's only when people start using it and poking holes in it that will figure out what's the most the best practice workflow so um oh i just saw your cat in the background okay so that was really great i i we actually answered a lot of the questions

(44:35) on the fireside chat oh we have um one more here i appreciate if you guys can address the blog queries developers can pull pre-compiled binaries or raw code into their code bases in that case how can we ensure s-bond records all requires dependencies so i suppose this is about um building stuff without a package manager really isn't it and how can you i suppose it is more difficult to detect that but um what do you guys think of it from the anchor side where like what we want to do is we want to provide uh integrations where if we don't have the

(45:20) kind of cataloging support for that users can kind of bring things that they say hey we see that like you know you can't discover this like pre-compiled binary for whatever reason right this just doesn't exist or a good example is let's say um in the go tooling for debug that build they don't have a way to inject what the major like vcs tag is for that module because there's no standard everyone is just injecting it in different variables different ways so we can provide interfaces for users to

(45:44) bring in like hits or bring in like addendums to s bombs or they can like build them out themselves then for those small edge cases you can then kind of build out where the gaps are within that document that would be like kind of one bridge going forward while we work on the detection side of getting making sure every single little thing is covered within the software ecosystem yeah and i i'm sure there are some things that that will always be easier to just provide instead of detect right i've seen for example uh gradle from

(46:15) from the java ecosystem around maven uh has has already a s bomb generator that you can build directly into your build process of your entire java project um and that has much much richer information available that that you would ever get from uh from scanning afterwards because it can add information like where does where was it downloaded from were there any additional attestations from there and and so i think as we see as from usage mature in the community we'll we'll also continue to see uh workflows where

(46:48) s-bonds from various sources get integrated into into one uh bigger output and and i'm sure anchor will will happily also integrate that information once it's available right yeah that's like that's kind of the the path forward because we're really really happy with where we are on the java detection side of being able to not just like decode your base package but also jars within jars within jars so that like just to use the the non-du jour of the security like world cycle sorry log4j if you had it deep nested

(47:21) within like five or six jars we can rip out that metadata information and the more the more context we get from the maven ecosystem and from their build tools the richer that information that we rip out is going to be in the future so the more tooling that we can integrate with the better brilliant and so the second part of that question our second question is how can we achieve s-bomb generation um with every new release of components like so i suppose is this like it's gonna be because there's so many releases or anyway over to you i

(47:53) would just i suppose you use like the cicd workflows is um how i would suggest but maybe there's more to that question that i'm not understanding yeah i i would have also read it like uh going back to your demo like the commands you showed in in in the shell but wrap it up in in your build process and as you upload the image or as you build the image uh create the s1 for the image using uh for example sift and then upload it uh to a repository like cloudsmith where you can have them hosted together and available for anyone

(48:29) consuming it and if you are not building your artifacts uh in in uh in a shielded cicd system then a lot of the guarantees that an sbomb can give you or go out the window anyways because uh if if i'm building something on my local dev workstation that has been exploited all bets are off right so um i yeah so and oh and um somebody posted the cyclone dx raven plug oh that was help answered the previous question.  Thank you so much for staying till the end yeah thanks everybody um especially christopher for being our special guest star and um i hope people have learned more about sbombs and how they can help you secure your supply chain so that's it that's all bye bye cheers!
Get our next blog straight to your inbox