From YouTube: Keynote: SBOM is Coming: Why You Should Care and How You Can Help - Frederick Kautz & Allan Friedman
Description
Keynote: SBOM is Coming: Why You Should Care and How You Can Help - Frederick Kautz, AI Chief; Enterprise Architect, Anthem & Allan Friedman, Senior Advisor and Strategist, CISA
A: A fed and a hacker walk on the stage, and since it's a little too early for beer, I guess we'll just have to talk about supply chain. I think so. The message today is four fun letters that are fun to say: SBOM is coming, and we're gonna need your help to make it a reality. And so one of the core questions is, hey, first of all, what is this key thing that you keep saying, SBOM? It's a software bill of materials.
A: I can give you this; this is the official U.S. government definition that some of us had a hand in writing. But if we want to get a little more detail, it's actually not that complicated. It's the dependency graph of your software: so Acme Application in turn depends on Bingo Buffer, Bob's Browser, which in turn depends on Carol's Compression Engine.
A: For each of this data, we don't need that much information. It's gonna be very helpful to have more, and we're gonna talk a little bit about some of the great tools that we have to do this, but we need just some of the basics so that you can track what's going on in your process, in your project.
A: The good news is that we have some projects today, we have some standards that can convey this data. Now, it would be lovely: when we set out, we said, hey, we don't want to invent anything new, let's use what's already out there. So the good news is that there was at least one approach to this today; the bad news, that there's more than one. But that's okay, because they're both amazing projects.
A: Many of you have been involved in SPDX, which comes out of the Linux Foundation. It actually goes back over a decade. People have been working on it to capture license information, and the great news is that it was recently announced that it's an ISO standard, and some of you who work in large global companies know how important it is for something to be an international standard. CycloneDX is newer, comes out of the OWASP world; it's sort of dev-focused and security-focused.
A: Both of them are great, so should we lock them in a room and let them fight, let one emerge? No. What we want to do is sort of help them harmonize and make sure that we can translate between them, and the value here is the core basics. What you need to make this a reality actually is something that can happen in either of them, and you know what computers are really good at.
A: Computers are really good at taking structured data and moving it around, and that's really what our vision here is: let's take the data, let's make it structured, and let's move it around. So we're not here just to tell you all about this new technology. This is not a technical talk, because I'm a really bad engineer. We're here to convince you that this is coming. Why do we... why are we arguing that this is coming?
B: This really important infrastructure throughout the world, and so we want to be able to get an understanding of that, and once we get that understanding, we can actually start to do something in order to improve the overall security posture of the systems that we come to rely on for our physical supply chains, for power and similar things.
A: So is there anyone here who thinks that supply chain is not an issue? Should we sort of revisit some of the great points that Luke talked about, about how, you know, supply chain is now a concern? One of the points that Luke made that I really liked is that this isn't just any one project's concern. This isn't any one company's concern. This isn't any one country's concern. There are national security issues, but really this is a global issue that we need to be tracking.
B: Well, in a nutshell, if you take a look at our graph, this is the beginning of a supply chain. It's a dependency graph, and if we can use an example from physical: so if you look at vehicles, very often you may have recalls for an airbag or some other components. They know where that airbag came from, where it went, which cars it went into, often down to the VIN number, and so this is a very important example of a supply chain.
B: Now, if you look on the far end, there is this trusted and untrusted slider that's on there, so the most trusted items tend to come from the vendor itself or some entity that has established that trust. Well, with you, you have your third-party things you bring in that you have to validate at the far other end of the spectrum.
A: By the way, one of the challenges of what makes security particularly fun and exciting is things we used to trust: we wake up and say, you know, maybe we can't trust this anymore, and that's the model here, of having transparency, is allowing you to react when that becomes the case. So the other reason we want you to pay attention to it is because people are going to start asking you for SBOMs, and they're going to start asking you sooner. So we say people.
A: What do we mean? Well, so first, and perhaps most important for those who work for companies, is customers. Today there's a couple of major hospitals that are already saying: if you're going to sell me a medical device, the blinking box that's keeping humans alive, I need to know what's in it before I put it on my network, right? This is something that we're starting to see. Now, they may not prevent you from buying it if it contains out-of-date software or vulnerable software, but it's going to delay it.
A: So this is not just about security; it's about dollars and cents, and of course this is important for the things in life that really are critical to our infrastructure. Like critical infrastructure: the Edison Electric Institute, which is a trade association of the largest utilities in America, has said already, before you buy something, you should ask for a bill of materials. So this is coming.
A: The White House has publicly said that everything the U.S. government buys is going to have to have a software bill of materials. I'll give you guys a hint: the U.S. government buys an awful lot of things, so this is going to be slowly evolving and becoming bigger. We've defined under this executive order the minimum model of this as we move forward.
A: This is going to be even more ambitious, because we're going to see that some of the basics that we know how to do are great, some of the advanced side of supply chain management in SBOM that you are all working on today that we'll talk about. So.
A: The joy of marketing, right? This is the policy tool that the community has had: to say, hey, this is going to be something that's important. And so most companies aren't going to have two versions of a product. Most open source projects aren't going to say, let's have two versions, one which we care about supply chain and the other one which we don't, which one would you like? I think we're going to want that. So also, a line of governments.
A: The FDA, which regulates medical devices, has publicly said, yeah, you're going to need to have this level of transparency in your supply chain so that we can share this. But again, looking forward: it's one thing to talk about the blinking box that's keeping a human alive, but almost all of those new devices that are being sold today are controlled not locally but in the cloud, and some of you are working on those very applications that are going to be part of that in the future.
B: Well, I mean, we could all hide and pretend it doesn't exist, but I don't recommend that. So things that we can do is we start with building SBOMs. It sounds simpler than it actually is, because you're talking about build systems. You heard in the previous keynote with Stephen about how complex that entire process is. But if you have something that's difficult and you do it often, you get better at it. So right now we're terrible at producing SBOMs, and so we start producing them.
B: Then we can start to consume them internally. So this actually goes back to... let's see if I can give a good example and tie it back to a previous experience. So around eight or nine years ago we were going around and talking about Docker, and, like, this brand new thing nobody had ever heard of, and trying to convince people to make use of it, and what we worked out was people were not going to put it into production; they just weren't going to do it. And we focused on, well...
B: We know we're not going to put it in production, but how about you put it in your build systems? And as the build system runs it over and over and over again, over time they see... they were able to start depending on the outputs of that into the other parts of their system, and once they started consuming that, then it just really took off. So start building your SBOMs internally and start using them for that purpose, and then that becomes the inputs to your other process, your zero trust process.
B: It becomes the input towards your reliability. You're able to start to run analytics on the things that you add into it, to try to work out reliability over time. That also gives you the ability to tie in to further things as well, like eventually there'll be CVE databases that you can then cross-link to your system, so you can work out: a new CVE comes out...
A: The goal isn't to create the data for its own sake. We all have enough data. The goal is to have this data and start to map to things that we care about. What's the vulnerability information? What's the license information? What's the risk? How can we make sure that we're using upstream projects that have a great maintenance team rather than, you know, hey, maybe there's only one person and that person has decided to play the ukulele instead of maintaining their project?
B: Yeah, and also something that's important about SBOMs is that SBOMs are also... they're static elements. They're not designed to be dynamic things, and so when we start to ingest them into our systems, the SBOM will tell us what's inside of the package, but it's only a part of the story. We have others as we're tying into other systems.
B: We have processes like... we have systems like in-toto, where in-toto allows us to verify something about the process of the system; systems like SPIFFE, which allow us to then tie that to, you know, what build system actually built this particular system at a point in time; several other tools as well that are coming out about the overall process.
B: You're seeing these come out of OpenSSF; you have projects like SLSA. There's a lot of energy, a lot of focus that's being put on here, and so if this is an area that you're interested in, like, definitely get involved.
A: As we said, this is part of a delightful ecosystem. One of my lovely things about talking to this community is you guys inherently get the idea of an ecosystem, right? There isn't going to be one thing that's going to help manage it. If you want to learn more about some of those projects that Frederick mentioned, I think the videos from Monday's supply chain workshop are going to be posted. You'll see, find out all of these great tools that are available, and they need your help. So SBOM is not a unique thing.
A: It is part of a complete breakfast, and everyone has their own favorite breakfast, right? This is one of my favorite breakfasts. This is a picture from a guest house in the Caucasus Mountains in the middle of Georgia, but what you need to manage your risk and how to think about your supply chain is going to vary, but we want to make sure that you can sort of add it to the table that you want. So, tying up here.
A: What we want to do is let you know how to get involved. By the way, this is a fun example of what happens when you don't get your slides to the organizers at an appropriate time, because we've been having some fun on what slide is coming next. So there are some great resources out there that Frederick has started to collect on his website. Can you rattle off the URL? Yeah.
B: Well, so there's a website, it's really simple: it's ZT, like zeta theta, or, where I should say, like zero trust, so zt.dev, and there is a link in there that points to a list of various projects. The actual list itself is on GitHub as well. So if you do a pull request, if your project is not listed there, and there's many gaps, feel free to add it on there and we'll make sure that it gets out to you as well. And if you'd...
A: ...like to get involved in the international process, please reach out to me directly. In December we're going to be having the SBOM-a-rama. I have official permission from my leadership to call it that; I'm very excited. And this is something that really is going to cover the domain of all software. That means a lot of private companies involved, but we absolutely need folks from the open source community and the cloud native community to be involved in helping make sure that what we're doing meets the needs of this community.