Open-source components and their use within the software supply chain has become ubiquitous within the past few years. Current estimates are that 80-90% of new software applications consist of open-source components and frameworks. Section A9 of the OWASP Top 10 places components with known vulnerabilities as one of the most prevalent and abused parts of the software supply chain, placing it at a security weakness level of three, on a scale from one to three. Quoting from the OWASP description in A9, "Component-heavy development patterns can lead to development teams not even understanding which components they use in their applications or APIs, much less keeping them up to date."
In today's episode, I speak with Allan Friedman, Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration. Our talk focused on the creation of a Software Bill of Materials, or an SBOM. As we begin, Allan describes his role in the project and what they hope to accomplish.
I'm the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, or NTIA. We're a tiny part of the US Department of Commerce, and our mission really is about promoting a free, open, and trustworthy internet.
Over the past few years, we've engaged in what we call "multistakeholder processes", trying to identify areas where the entire digital ecosystem can come together on things that they care about and make progress. So the government doesn't have a vested interest in the outcome, we just feel that we'll all be better off if the community can find common ground and consensus.