Software Bill of Materials: Finding Consensus on Third-Party Code Transparency presented at SupplyChainCybersecuritySummit 2019

by Allan Friedman

Summary: A "software bill of materials" (SBOM) that lists a product's third-party dependencies can help both software suppliers and enterprise customers understand what is in the products they build, ship, and use. In 2018, the National Telecommunications and Information Administration (NTIA) launched an open process that convened experts from many sectors to identify the challenges in assembling, sharing, and using these data. A year later, the NTIA has made substantial progress toward a common vision of what constitutes a software bill of materials and how it can improve security across the supply chain and empower the end customer. The agency has also identified a set of existing protocols for communicating dependency data. This talk will present that progress and highlight successes in harmonizing standards as well as in sector-specific use cases. It will conclude with the challenges that remain and how participants can get involved in establishing a new norm of software transparency.