WEBVTT

00:00.000 --> 00:09.000
We have Anthony with "A day in the life of an SBOM".

00:09.000 --> 00:13.000
I will not be giving long introductions. We don't have time for that.

00:13.000 --> 00:15.000
Anthony, you're probably right.

00:15.000 --> 00:18.000
Thank you. Good morning, everyone.

00:18.000 --> 00:23.000
I have a lot to try and say in 20 minutes, so apologies if it gets quick.

00:24.000 --> 00:28.000
So, who am I? I'm a solution architect.

00:28.000 --> 00:35.000
I have delivered big systems that never finish, so it takes a long time to build complex systems.

00:35.000 --> 00:40.000
I now have my own business, which is really focused on software supply chain,

00:40.000 --> 00:42.000
SBOMs and software risk.

00:42.000 --> 00:46.000
I'm a co-founder with only your handson of SBOMs.

00:46.000 --> 00:51.000
We're trying to help users understand what SBOMs are all about.

00:51.000 --> 00:53.000
I like lots of open-source software.

00:53.000 --> 00:57.000
So those of you who were at the fringe event probably saw some of my software.

00:57.000 --> 01:00.000
I'm going to mention some of it in this presentation.

01:00.000 --> 01:03.000
And I mentor the next generation of coders.

01:03.000 --> 01:07.000
So I'm a mentor for things like Google Summer of Code,

01:07.000 --> 01:11.000
teach Python to students, et cetera.

01:11.000 --> 01:14.000
That picture is a picture of a Manchester bee.

01:14.000 --> 01:16.000
Not an OWASP wasp.

01:17.000 --> 01:19.000
Manchester's is a worker.

01:19.000 --> 01:23.000
It's the worker bee. We work hard in Manchester in the UK.

01:23.000 --> 01:25.000
And when I'm not doing open-source software,

01:25.000 --> 01:28.000
I tend to be rolling around muddy fields on a Saturday morning.

01:28.000 --> 01:32.000
So I haven't done that this weekend because I've been here.

01:32.000 --> 01:37.000
This I think is an increasingly common question.

01:37.000 --> 01:40.000
Can you give me an SBOM?

01:40.000 --> 01:42.000
What's your reaction?

01:42.000 --> 01:44.000
Is it?

01:45.000 --> 01:46.000
Thank you.

01:46.000 --> 01:51.000
I know why I've been creating SBOMs: because people want them.

01:51.000 --> 01:55.000
Or is it, what's an SBOM?

01:55.000 --> 02:03.000
Or, I need more information, because I have got so many SBOMs, which one do you want?

02:03.000 --> 02:06.000
Because it's a problem.

02:06.000 --> 02:11.000
SBOMs are part of risk management and SBOMs are part of use cases.

02:11.000 --> 02:14.000
What are you using your SBOMs for?

02:14.000 --> 02:18.000
Which SBOMs? What data do you need?

02:18.000 --> 02:21.000
There's also two standards, SPDX and CycloneDX.

02:21.000 --> 02:27.000
Depending on what version, that's going to determine what information you're going to get.

02:27.000 --> 02:30.000
And there's also these things called different types of SBOMs,

02:30.000 --> 02:34.000
which is what we're going to describe today.

02:34.000 --> 02:37.000
These are the typical use cases,

02:37.000 --> 02:42.000
and there are more and more use cases coming as people realize the value of SBOMs.

02:42.000 --> 02:45.000
So you've got license compliance, you've got vulnerability management.

02:45.000 --> 02:47.000
We've got regulations.

02:47.000 --> 02:52.000
I've got people looking at SBOMs to help escrow systems.

02:52.000 --> 03:01.000
But really, I do not believe every SBOM is suitable for all those use cases.

03:01.000 --> 03:05.000
And I believe one SBOM is not going to be good enough.

03:05.000 --> 03:10.000
We're going to have to have several SBOMs for our products.

03:10.000 --> 03:13.000
So the question is changing now.

03:13.000 --> 03:18.000
Can you give me the right SBOM for your products?

03:18.000 --> 03:23.000
Not just any SBOM.

03:23.000 --> 03:25.000
Two and a half years ago, three years ago,

03:25.000 --> 03:31.000
CISA published these SBOM types.

03:32.000 --> 03:36.000
Six SBOM types to represent the life cycle.

03:36.000 --> 03:41.000
Going from design into an operational system.

03:46.000 --> 03:49.000
These are now embedded within the two standards.

03:49.000 --> 03:53.000
SPDX 3, CycloneDX starting from 1.5;

03:53.000 --> 03:56.000
CycloneDX quickly adopted these standards.

03:56.000 --> 04:00.000
You'll notice the names are slightly different, but they map pretty well.

04:01.000 --> 04:07.000
And in 2024 CISA ran a plugfest,

04:07.000 --> 04:11.000
which was to look at the different SBOM types, SBOM tools,

04:11.000 --> 04:13.000
across SPDX and CycloneDX,

04:13.000 --> 04:18.000
and they targeted source and build.

04:18.000 --> 04:20.000
Very few tools.

04:20.000 --> 04:25.000
actually mentioned the type of SBOM they were generating.

04:25.000 --> 04:28.000
There was only one SPDX version 3

04:28.000 --> 04:32.000
candidate, and they did mention it.

04:32.000 --> 04:37.000
But CycloneDX, nearly all of them were 1.5 or 1.6,

04:37.000 --> 04:42.000
only one vendor included the SBOM type.

04:45.000 --> 04:48.000
So why is that?

04:48.000 --> 04:51.000
If we now start thinking about the CRA,

04:51.000 --> 04:54.000
which is really about known exploitable vulnerabilities,

04:54.000 --> 04:57.000
and I know we're going to hear lots of this today,

04:57.000 --> 05:00.000
which SBOM type do we need?

05:04.000 --> 05:08.000
If we look at a typical software product,

05:08.000 --> 05:11.000
there's lots of software: operating systems,

05:11.000 --> 05:15.000
runtime systems, applications, APIs, whatever.

05:15.000 --> 05:17.000
There's a lot of software there,

05:17.000 --> 05:20.000
so where do we get that full, complete picture

05:20.000 --> 05:25.000
for us to then be able to assess our system for vulnerabilities?

05:25.000 --> 05:29.000
So let's go through each type of SBOM.

05:29.000 --> 05:33.000
Very quickly, sorry, because I've got a lot of text.

05:33.000 --> 05:36.000
Design SBOMs, I won't be really afraid.

05:36.000 --> 05:38.000
This is what we're going to build.

05:38.000 --> 05:40.000
It's not what we've built.

05:40.000 --> 05:42.000
So it's a plan.

05:42.000 --> 05:46.000
I couldn't find any SBOM tools that actually do design SBOMs,

05:46.000 --> 05:49.000
so I did what I normally do, I created a tool.

05:49.000 --> 05:51.000
So I created SBOM as code.

05:51.000 --> 05:53.000
I don't know whether it's any use,

05:53.000 --> 05:57.000
but I can generate something that says it's a design SBOM.

05:57.000 --> 06:00.000
Simple YAML generates an SBOM,

06:00.000 --> 06:02.000
but it says nothing about the target environment.

06:02.000 --> 06:05.000
It doesn't tell you what the versions of the components are,

06:05.000 --> 06:10.000
so I don't think a design SBOM is relevant for the CRA.

06:10.000 --> 06:16.000
Source SBOMs are about your source files.

06:16.000 --> 06:19.000
You're going to identify things like licenses,

06:19.000 --> 06:20.000
some of them.

06:20.000 --> 06:22.000
You're going to identify copyright.

06:22.000 --> 06:23.000
Again, that's useful.

06:23.000 --> 06:25.000
And direct dependencies.

06:25.000 --> 06:28.000
But it's not going to tell you anything about what you're building again.

06:28.000 --> 06:32.000
So you're going to get a richer SBOM

06:32.000 --> 06:33.000
than you will for design,

06:33.000 --> 06:37.000
but again, it's not going to have all the information.

06:37.000 --> 06:39.000
Let's go to build.

06:39.000 --> 06:43.000
We start to build components,

06:43.000 --> 06:47.000
and we start to get some more dependencies,

06:47.000 --> 06:49.000
like the transitive dependencies,

06:49.000 --> 06:52.000
and we're starting to identify versions,

06:52.000 --> 06:55.000
and we can maybe start identifying components using

06:55.000 --> 06:57.000
something like PURLs or CPEs,

06:57.000 --> 07:00.000
and we're going to start looking at the ecosystem.

07:00.000 --> 07:02.000
So we're starting to get a bit more granular,

07:02.000 --> 07:04.000
and a bit closer to the target,

07:04.000 --> 07:07.000
but it's still not telling me what operating system we're using.

07:07.000 --> 07:12.000
I've just built it for Python, for example.

07:12.000 --> 07:15.000
And again, we get more data,

07:15.000 --> 07:18.000
but is that sufficient for doing all the vulnerabilities?

07:18.000 --> 07:20.000
Probably not.

07:20.000 --> 07:24.000
We then have this one called analysis.

07:24.000 --> 07:29.000
And the idea, I believe, is to analyze a group of SBOMs together.

07:29.000 --> 07:31.000
Now, that sounds really useful.

07:31.000 --> 07:34.000
Do we need a different type of SBOM?

07:34.000 --> 07:36.000
I don't think so.

07:36.000 --> 07:41.000
There's lots of tools out there that analyze the quality of an SBOM,

07:41.000 --> 07:45.000
have we included all the licenses, have all the components got

07:45.000 --> 07:47.000
identifiers, et cetera,

07:47.000 --> 07:50.000
but do we need to have an SBOM for that?

07:50.000 --> 07:52.000
I don't think we do.

07:52.000 --> 07:54.000
I think there's already enough tools for that,

07:54.000 --> 07:58.000
so I don't think that type actually has a value.

07:58.000 --> 08:01.000
Now, when we get to deployed SBOMs,

08:01.000 --> 08:06.000
now we're starting to really get closer to the target.

08:06.000 --> 08:12.000
What software is actually sitting on your device?

08:12.000 --> 08:21.000
That's going to give you a precise definition of all the components.

08:21.000 --> 08:26.000
It's starting to identify the runtime dependencies,

08:26.000 --> 08:31.000
which don't appear until you've actually deployed.

08:31.000 --> 08:35.000
Every component should have identifiers,

08:35.000 --> 08:37.000
it should have licenses.

08:38.000 --> 08:41.000
We know that's not the reality, honestly, don't we?

08:41.000 --> 08:46.000
But the big benefit here is this is the actual target environment

08:46.000 --> 08:51.000
that actually is what you deliver to your customer.

08:51.000 --> 08:54.000
This is the version that I believe is what we should be using

08:54.000 --> 08:59.000
for monitoring exploits; this is what the CRA is going to require.

08:59.000 --> 09:02.000
I'm sure we're going to have an interesting discussion

09:02.000 --> 09:06.000
throughout the day about that, but that's where I'm setting my set in the C.

09:07.000 --> 09:11.000
And then we get to runtime.

09:11.000 --> 09:16.000
This is observing your system running.

09:16.000 --> 09:20.000
Systems generally have multiple ways of operating,

09:20.000 --> 09:23.000
you know, you may have a test mode, you may have an operational mode,

09:23.000 --> 09:25.000
you have a degraded mode.

09:25.000 --> 09:28.000
So this is going to give you a moment-in-time snapshot

09:28.000 --> 09:31.000
in terms of what your system is executing,

09:31.000 --> 09:35.000
but how useful is that going to be in terms of identifying what's exploitable?

09:35.000 --> 09:40.000
Again, I couldn't find tools that do runtime,

09:40.000 --> 09:49.000
so I've started developing something that I hope might be useful for the community.

09:49.000 --> 09:54.000
I've already identified ways of getting the libraries that have been loaded,

09:54.000 --> 09:57.000
so you can look at your deployed SBOM,

09:57.000 --> 10:02.000
and then you can see which of those libraries have actually been loaded and executed.

10:03.000 --> 10:07.000
I'm now starting to look at which ones are starting to call out to external services

10:07.000 --> 10:11.000
like network services, so you can start seeing those APIs,

10:11.000 --> 10:13.000
which might be really important for the CRA,

10:13.000 --> 10:18.000
which is when it says, do you need an external service to support your product?

10:18.000 --> 10:21.000
And we can start seeing configuration files.

10:21.000 --> 10:25.000
So this is very much work in progress, I'd like people to help me,

10:25.000 --> 10:30.000
but actually I think this might be useful as well as a useful diagnostic tool.

10:33.000 --> 10:37.000
So if you summarize the use cases,

10:37.000 --> 10:40.000
I think until you get to deployed,

10:40.000 --> 10:44.000
you don't get that big full picture of how your product is,

10:44.000 --> 10:48.000
that your product is actually being used by your customers.

10:48.000 --> 10:55.000
There are other use cases where these other types of SBOMs may be relevant.

10:55.000 --> 11:00.000
Escrow, I think, is going to be really useful at the source level.

11:01.000 --> 11:13.000
But I think we really need to be looking at getting good, high quality deployed SBOMs for our products.

11:13.000 --> 11:16.000
I've been writing tools.

11:16.000 --> 11:23.000
And so I have a library, which is the basis of all my tools.

11:23.000 --> 11:26.000
That has a data model, which abstracts

11:26.000 --> 11:30.000
the SBOM, so it can convert between SPDX and CycloneDX.

11:30.000 --> 11:36.000
One of the features I've now done is it provides the SBOM type for SPDX 2,

11:36.000 --> 11:42.000
following what OpenChain defined, as a way of including the SBOM type as a comment.

11:42.000 --> 11:47.000
So we can now provide SPDX.

11:57.000 --> 12:00.000
Please join me in making those better.

12:00.000 --> 12:04.000
Please make sure they help deliver what we need.

12:04.000 --> 12:07.000
I can't do these all myself.

12:07.000 --> 12:14.000
They're all accessible and they can all swap between SPDX and CycloneDX.

12:14.000 --> 12:19.000
SPDX 3 is coming when I get round to doing it.

12:19.000 --> 12:23.000
So to summarize, I still think there's a lot of confusion

12:23.000 --> 12:26.000
when people say, can you give me an SBOM.

12:26.000 --> 12:31.000
We need to be a lot more precise about what use case that SBOM

12:31.000 --> 12:38.000
is going to be used to support, and we need to recognize that most of the really useful information

12:38.000 --> 12:46.000
that we need doesn't appear until quite late in the development life cycle of that product.

12:46.000 --> 12:53.000
When I ask people what SBOM types they support, I get blank faces from vendors.

12:53.000 --> 12:58.000
I get, you mean CycloneDX or SPDX?

12:58.000 --> 13:03.000
We need to educate people to say there are these extra different types,

13:03.000 --> 13:11.000
and we need to ensure that our SBOMs define which life cycle, or where in the life cycle, they've been produced.

13:12.000 --> 13:19.000
I think we probably have too many types, and we might not have the right types

13:19.000 --> 13:22.000
to support things like products.

13:22.000 --> 13:28.000
Maybe we need a product-based SBOM, which pulls all things together.

13:28.000 --> 13:33.000
And we've got things like OBOMs in CycloneDX, which is like an operational BOM,

13:33.000 --> 13:36.000
is that what we need, or do we need other things,

13:36.000 --> 13:40.000
and I think we'll probably get discussion about that throughout the day.

13:41.000 --> 13:48.000
Normal things to trace me: LinkedIn, GitHub, lots of websites,

13:48.000 --> 13:51.000
and please join me on this journey.

13:51.000 --> 13:55.000
I've enjoyed it for the last four years, creating tools,

13:55.000 --> 13:58.000
please let's make the tools better.

13:58.000 --> 14:14.000
Thank you, Anthony, and thank you for keeping it on time.

14:14.000 --> 14:20.000
The next speaker should be getting ready for that, but meanwhile, questions.

14:20.000 --> 14:27.000
Yes, thank you for the great overview of SBOMs.

14:27.000 --> 14:33.000
One question, and in this type, we need to find that SBOMs,

14:33.000 --> 14:40.000
and SBOMs is the product for the SBOMs.

14:40.000 --> 14:44.000
And what is very strange to me is that in this document,

14:44.000 --> 14:47.000
they don't use their own types.

14:47.000 --> 14:57.000
So this is about SBOMs.

14:57.000 --> 14:59.000
So I'll repeat the question.

14:59.000 --> 15:07.000
So CISA are updating their document in terms of the contents of SBOMs.

15:07.000 --> 15:11.000
The question is saying, they didn't reference the six types of SBOMs

15:11.000 --> 15:13.000
that I identified in the presentation.

15:13.000 --> 15:17.000
They came up with three different types of names.

15:17.000 --> 15:20.000
I don't know what that is, and this is one of it.

15:20.000 --> 15:24.000
The backers may be able to support that.

15:24.000 --> 15:28.000
Until that gets re-issued, I don't know.

15:28.000 --> 15:34.000
As we can see, those six types are widely used currently,

15:34.000 --> 15:41.000
reducing it to three, maybe better, but let's see.

15:42.000 --> 15:47.000
To confess, I didn't have a runtime SBOM on my bed at the top.

15:47.000 --> 15:52.000
But I found that this is a few years ago, which I would go out to,

15:52.000 --> 15:57.000
to see if you are seeing these, because the original problem,

15:57.000 --> 16:00.000
I was after it, was not the program of length itself,

16:00.000 --> 16:03.000
I found another problem by looking at the code,

16:03.000 --> 16:06.000
but it was a D-D-C-1.

16:06.000 --> 16:09.000
So, by conceiving the one thing is the program,

16:09.000 --> 16:12.000
I would add it to the same circumstances,

16:12.000 --> 16:15.000
if you can see a beautiful problem,

16:15.000 --> 16:18.000
but if you have to do these things,

16:18.000 --> 16:22.000
and the runtime type of thing is the advantage of SBOMs.

16:22.000 --> 16:23.000
Okay?

16:23.000 --> 16:26.000
Yeah, the one is the one that is going to be

16:26.000 --> 16:29.000
matching the value of SBOMs.

16:29.000 --> 16:30.000
Yeah.

16:30.000 --> 16:32.000
So, the question is saying, basically,

16:32.000 --> 16:35.000
sometimes vulnerabilities are only seen quite late,

16:35.000 --> 16:37.000
on the different ways of seeing,

16:37.000 --> 16:40.000
where you look,

16:40.000 --> 16:42.000
which I think is really the same way,

16:42.000 --> 16:43.000
the runtime or the deployed,

16:43.000 --> 16:47.000
is really the level that you need to start seeing those dependencies,

16:47.000 --> 16:49.000
because that's the dynamic nature.

16:49.000 --> 16:50.000
It's great.

16:50.000 --> 16:53.000
Lots of great questions here.

16:53.000 --> 16:55.000
Thank you.

16:55.000 --> 16:56.000
Thank you.

16:56.000 --> 16:57.000
Yes?

16:57.000 --> 17:11.000
Okay, so the question is about my library,

17:11.000 --> 17:12.000
and how I interchange.

17:12.000 --> 17:14.000
It's all my own code.

17:14.000 --> 17:16.000
It's not using anybody else's.

17:16.000 --> 17:19.000
It's not using SPDX or CycloneDX.

17:19.000 --> 17:20.000
Is it possible?

17:20.000 --> 17:21.000
Sorry?

17:21.000 --> 17:22.000
I'll do it.

17:22.000 --> 17:23.000
Okay.

17:23.000 --> 17:30.000
So, the question is, why don't you use protobom?

17:33.000 --> 17:36.000
I started the tool before protobom was invented.

17:36.000 --> 17:37.000
Sorry.

17:37.000 --> 17:39.000
Yes, it is.

17:39.000 --> 17:43.000
If I receive an SBOM that is in protobom format,

17:43.000 --> 17:45.000
I deal with it,

17:45.000 --> 17:47.000
and the same with in-toto,

17:47.000 --> 17:50.000
an SBOM embedded as in-toto,

17:50.000 --> 17:52.000
and I'll have a chat about it offline.

17:52.000 --> 17:53.000
Okay.

17:53.000 --> 17:54.000
Let's go.

18:00.000 --> 18:02.000
Let's see what's.

18:02.000 --> 18:03.000
See what's.

18:03.000 --> 18:04.000
Victor bombs.

18:04.000 --> 18:06.000
And they're not supported yet.

18:07.000 --> 18:09.000
They're on my road map to deal with.

18:09.000 --> 18:11.000
That's probably the next thing I will deal with.

18:11.000 --> 18:13.000
Okay.

18:13.000 --> 18:15.000
What do you think about the paper?

18:15.000 --> 18:17.000
It's true.

18:18.000 --> 18:19.000
I'll have to stay.

18:19.000 --> 18:21.000
I'll be here all day.

18:21.000 --> 18:22.000
Sure.

