Show Notes

Tom Alrich is the author of the new book Introduction To SBOM And VEX. Host Dale Peterson and Tom discuss:

  • Who Tom wrote the book for.
  • Why the book had so much content prefaced by “in the author’s opinion” and “the author believes”.
  • Early wins with SBOMs during procurement.
  • The VEX specification problem and what Tom sees as the prospects for a solution.
  • Do asset owners want SBOM and VEX? Why would they want to know about vulns that don’t apply to their deployed product?
  • Tom’s view that it is ok for vendors to hide some elements of the SBOM that would make them look bad.
  • Tom and Dale’s agreement that SBOM and VEX will be provided by service providers, at least in the short run, and what those service providers will look like.
  • What’s going on with the National Vulnerability Database?

Transcript

Dale Peterson 

Hi, I’m Dale Peterson and welcome to the Unsolicited Response show. My guest for this episode is Tom Alrich. He is the principal consultant with Tom Alrich LLC. And I have known Tom for almost a decade, probably more, from when he was writing long articles on NERC CIP. He was kind of, what am I? Who knows. Yeah, you still know all the ins and outs. When I said I’m going to step back from NERC CIP, Tom and a few others were the people I relied on to tell me what’s important. But then in recent years, Tom, you’ve kind of done that same deep dive, that same really deep study and contribution in articles on SBOMs. And you’re the co-leader of the OWASP SBOM Forum. The trigger for this interview is you’re the author of a new book, Introduction to SBOM and VEX. And just in terms of full disclosure, you also have done some consulting with Fortress Information Security, who is a competitor in this area. So I just wanted to, you mentioned that in the book, you know, it’s no secret. Just wanted to put that out there. So with all that as an intro, Tom, welcome to the show.

Tom Alrich 

Yeah, thank you. Glad to be here.

Dale Peterson 

I think most of my audience knows what SBOM and VEX are. But I’m going to put a challenge to you here: take 30 minutes, or not 30 minutes, 30 seconds, take 30 seconds and describe what an SBOM is.

Tom Alrich 

Well, yeah, the problem SBOM solves is the software you buy, really most, 90% of the software you buy, that is of the code there, was not written by the supplier. You know, if you buy from Microsoft, 90% of the code was not written by Microsoft, it was written by third parties. And you don’t know what those third parties are, you don’t know what kind of vulnerabilities apply to those components. And the SBOM tells you what the components are. And yeah, then. Okay, go ahead.

Dale Peterson 

That’s fine, I think, yeah, I think a lot of people have called SBOMs kind of like a list of ingredients. You know, they compare it to what you might see if you’re in a grocery store, and you’re looking at what’s in this thing I buy. It’s not the perfect analogy, but it tells them what is this. It’s a software bill of materials, telling what are the various open source, third party libraries and such that are in this. And then maybe do the same thing for VEX. What’s the 30-second explanation for VEX?

Tom Alrich 

Well, the use case I’m concerned with is basically, you know, it’s right on top of the SBOM. The problem with the SBOM, you know, looking at the components in a database like the National Vulnerability Database, is that probably over, well, definitely over 95% of the vulnerabilities you find in the components are not actually exploitable in the product itself, because of the way the component was installed. So if people get worried, let’s say they find, you know, 20 vulnerabilities in the components in a product, because there are plenty of tools that look up those things for you, 19 of those will be false positives. And so unless you know that, you’re going to waste lots and lots of time pursuing these false positive vulnerabilities, you’re going to call up the help desk and yell at them, and they’ll say, well, you know, this is not an issue, this is nothing you have to worry about. And so the VEX is supposed to try to cut that response off.

Dale Peterson 

Yeah. And then we’ll talk a lot about the use cases and how they might be used and what the future might bring. But, you know, it stands for Vulnerability Exploitability eXchange, the E X.

Tom Alrich 

Yeah, it was really, it was one of those cases where the initials came first. And then, I mean, the acronym came from, literally, no, I mean, kind of free associating on vulnerability and exploitability. And then came to VEX, and then decided to figure out a way, some combination of words that would, yeah,

Dale Peterson 

And it’s a file that will just basically, for a vulnerability that would be in one of those ingredients, tell you: does this vulnerability, does it affect, can it be exploited on the machine, can it not be exploited on the machine, and provides additional information. So the two work together; I just wanted to kind of set that up. Most of our audience will know those, but we’re going to kind of, as we dive into this, I wanted to start out with those definitions. Your book. First of all, congratulations on writing a book. Every author that ever comes on, I say that, because it’s not an easy thing. It’s a lot of work for not a lot of reward in terms of dollars and cents, especially in this industry. So I really appreciate you taking the time to do this. Who did you write this book for? Who should read this book?

Tom Alrich 

Well, it’s for anybody concerned about the security of the software they use. So now, I mean, it basically addresses both. What it’s there for? There are two main use cases for SBOMs. One is the suppliers themselves. So for software suppliers, they use them to find out what vulnerabilities, you know, they don’t want to ship a product that’s loaded with vulnerabilities. They want to, you know, learn about them. And they need the SBOM to learn about all the vulnerabilities. That group, the suppliers, are doing a very good job of that now; they’re using them very heavily. And, you know, they’re removing a lot of vulnerabilities. So it’s,

Dale Peterson 

Well, let’s actually, let’s stay there, because that was one of my questions. Let’s look at the supplier case. Now the book focuses more on the end user case, which I think is, yeah, the interesting, difficult case. And we’ll spend most of our time on that, but the supplier case shouldn’t be ignored. So are you saying right now suppliers are creating SBOMs, are tracking vulnerabilities based on these SBOMs? How are they creating them?

Tom Alrich 

Well, there are various, you know, there are all these tools. When you have a modern build process, software build process, then it’s almost, it literally is in many cases just a checkbox item: do you want an SBOM with this? You know, every time you build the software. And now, you know, the CI/CD pipelines, you know, that software suppliers use, where they’re continually building, you know, building the product all the time. And then finally, they say, oh, well, this one’s good, we’ll ship that. But they’re continually building it, and every time they do it, you know, they just get an SBOM out. Or they might even get multiple ones at different stages. So it’s actually very easy. And it’s almost always just kind of a checkbox item. Now, you know, getting a good one is sometimes a problem. And, you know, often, and then there’s this thing called the naming problem, which is, software has lots of different names and software components have lots of different names. And it may be called something in your SBOM which is a name that you can’t find in any vulnerability database anywhere, because it’s used under another name. And so that’s a big problem.

Dale Peterson 

Well, let’s stay on the supplier side, though. Okay, you made some estimates in the book, I like this, and tried to make some estimates, probably based on conversations that you’ve had, where, you know, a number of people that are really following this come up with similar numbers. It’s not scientific, but it’s at least a reasonable educated guess in terms of the number of vendors that are using SBOMs. And I think you had some number like in 2017 it was like 35%, or some number, and it was growing. But it appears, based on what you were writing, it appeared to me that more than half seemed to be generating SBOMs these days. Is that what you would think? Or, I couldn’t really get a 2024 number out of the book.

Tom Alrich 

Well, there’s no way to really measure that. I mean, when you say a vendor, I mean, that might be Microsoft, it might be a little guy sitting in Germany writing code. So, you know, they’re both vendors. And so, you know, I do, I mean, the numbers I get are from Steve Springett, who I know you’ve interviewed, and who is the leader of the CycloneDX project, which is huge now, it’s growing all the time. And he’s also the, in fact, he has a tool called Dependency-Track, which he developed more than 10 years ago, before there really was talk of SBOMs, but it took a manifest, which is kind of an SBOM from software development, and it looked up the vulnerabilities in the components. And currently, in fact, you know, I quoted, I mean, the use of that has been growing exponentially. Currently, it’s used 20 million times a day to look up component vulnerabilities, you know, from an SBOM. And this is just one tool. And there are lots of other tools that do that, too. Now it’s by far the most common one to use. But the point is that Steve admits that almost all that use is by suppliers. It’s not by end users. So the suppliers are using them fine. And, you know, I mean, that’s good, because that means they’re building much more secure software than they would otherwise. But the end users are not getting them, and they’re not using them. Yeah.

Dale Peterson 

And one thing in your book that was interesting, and I guess I liked it because it agreed with something I’ve written, right, right, the two of us agree, but I’ve always thought one of the early wins here for SBOMs is that, as an end user, we used to do this with security development lifecycles. We would say, do you have an SDL? Can we see it? Can we see your threat model? Can we see your fuzzing efforts, and things like that. And not so much that we really wanted to dig into them deep, but we could just say, this is a reasonable program that they have. So it’s kind of the same way we can do that now. When we’re going to buy equipment, we can go to the vendor: do you have an SBOM? Let me see the SBOM. And you could actually say, I don’t need a copy of it, because they might freak out about that, but let me look at it. How old are the components in that SBOM? If I looked at two versions, are they updating the components between major releases, and things like that? And one thing I want to point out for people who might read the book: on page 61, you have a list of about, I think it was like nine questions that you can ask your vendors about their SBOMs. And I think that’s really useful, certainly at the procurement process, but even on an ongoing basis, just so they’re getting that customer pressure to do this. Did you have a favorite one or two favorite questions you would ask? Let’s say, if you could ask your vendor two questions about the SBOMs, what would you ask them?

Tom Alrich 

Number one, are they producing them? But, um, well, that’s, yeah. You know, I mean, the thing is, it is good to ask questions about SBOMs and, you know, kind of do this ad hoc stuff. But in my opinion, what really matters is automation. I mean, the idea of automation, you know, SBOMs are, well, you can have non-machine-readable SBOMs, you can put the same information in a PDF. And those are probably more widely used now than anything by end users. But you really want something that’s machine readable. And when you get to VEX, it makes no sense at all without being machine readable. So it does really have to be automated. The whole idea is you’re going to get an output from SBOMs and VEXes, and you don’t need the SBOM, you don’t need the VEX, what you need is the output, you know, that you get, which is basically, and this is my opinion, the real goal is to have a continually updated list of exploitable component vulnerabilities. Because those are the ones you need to go and start researching and bugging the supplier about, and things like that. And that also helps you prioritize your patching, which is a big deal, because most organizations nowadays, you know, they’ve got a backlog of patches that would take them a decade to work through, and then they’ll have another decade’s worth. So they really need to prioritize; that’s their biggest option. And that can help you do that, too. But it really has to be machine readable. And it’s got to feed into an automated process. And that’s, no, go ahead.

Dale Peterson 

Yeah, no, I think that’s key. And that’s, it’s funny, because I actually had that written in my 30-second note, that machine readable for automation purposes is really a key for this; otherwise, you know, it’s just doomed to failure. You did mention, though, you said in your answer, you said “in my opinion.” One of the things I found a little odd about the book, very honest, but a little odd, is there’s many, many parts of the book, “in the author’s opinion,” “the author believes.” You know, I hate to break it down, but I would think at least half is kind of your opinion or your analysis of what the situation is and where the world is going. That struck me as just unusual. I don’t see that in a lot of books.

Tom Alrich 

Well, how many books do you read that are about a subject that’s never been written about before? Because this is the first book that’s ever appeared on Amazon, as far as I know, that has software bill of materials or SBOM in the title. I mean, that’s the problem. This is a brand new thing. What’s interesting is there’s been so much written about it in the press and things. And yet, it’s never been put in a book. But having written it, I can see why, because that’s the problem. There’s nothing. It’s not like you have a Bible you can follow. You know, you have a bunch of documents from NTIA, and then CISA documents, and other people have written stuff. And I’ve got a lot of blog posts. But there’s no sort of canonical set. And that’s what I’m trying to do here. But I mean, the thing is there, and, you know, just because CISA doesn’t say anything, NTIA doesn’t say anything, all they’ve done is convened groups of people, you know, developers, and end users, who say that, well, this is a good idea, this is a good idea, this is a good idea. And they just write it down. I mean, there’s no… So it’s not like you have some sort of corpus and say, well, this is how it has to be. It doesn’t have to be anything. And so, you know, and again, you’ve got to just draw a line. And you know, that’s still being done. In fact, that’s one project we were just talking about in our SBOM Forum meeting a little while ago. You have to think, yeah,

Dale Peterson 

Yeah, I think anyone who’s read your stuff will appreciate the level of detail in it. And it was odd, but I also said it was odd and it was also very Tom, because you were very clear when you were writing: this is what I believe to be fact. And this is, you know, for example, meetings happening, formatting information and things like that. And then this is, it’s the author’s opinion, the author believes. It was really well marked out. And, okay, maybe more authors should do that, because I even looked at my own writing; I put a lot of my own opinions and analysis in there that are not factual. But one thing that was factual is you highlight the VEX specification problem. And this was kind of interesting, a complete surprise to me. We did the SBOM pavilion at S4 in 2023. And we wanted to include VEX in it, and we said, INL, who created kind of the infrastructure, they created the tools to create the SBOMs and some VEX files. And the vendors were saying, well, what are you going to provide us? And INL really struggled with that, in terms of, well, what are we going to provide as a VEX? Now I understand why they struggled so much, because of your classification. Why is that? I mean, I look at the description of it. It does not seem like it would be that hard to specify the specification.

Tom Alrich 

Yeah. Well, there have been two. Originally there was just one format for, well, one platform on which you could produce a VEX. And that was CSAF, which is an OASIS project. You know, the Cybersecurity Advisory Format.

Dale Peterson 

I guess it seems to be a little more popular in Europe; I hear a lot of Europe, especially, really promoting CSAF.

Tom Alrich 

It’s popular with big companies. But, you know, so when we did it, you know, and I was involved. In fact, I drafted the only document that the NTIA ever published on VEX, which was one page long. And what we did, we did it for CSAF, so they could understand what VEX was, but they put out this little spec, which basically kind of listed the fields, but they left out the most important part, which I didn’t realize till later, is that CSAF, I mean, if you look at their spec for the CSAF format itself, which is used for all sorts of vulnerability notifications, not just VEX, it’s like 100, it’s probably 100 pages, there are no page numbers, but in very small type; it is a bear. And there’s one command that’s required, or one field, I guess, or it’s really a couple of fields, but that’s required in every VEX document, and they left it out in the spec, in the fields, you know, the fields for VEX. And so we all just kind of accepted that. But, you know, when you try to create it, you’ve got to use this product tree, what’s called the product tree. And there are a million options for that. I mean, specifying the product tree goes on for like 20 pages in that 100 page document for CSAF. It’s about 20 pages. And it has a million options. And it’s very small type. And it would take you, you know, weeks, months, to understand that, and you probably might not ever do it. And so that’s the problem.

Dale Peterson 

Yeah, but what about CycloneDX? CycloneDX seems to be much more, you know, it’s much more, yeah. But things move faster there. Why isn’t there a CycloneDX VEX format?

Tom Alrich 

You know, there should be? Well, there is now, because we, in the SBOM Forum, we created what we call tight specs. Because the problem is, you know, for a consumption tool, it has to know exactly what it’s going to consume. Sure, you know, otherwise the number of use cases literally grows, actually not just exponentially, but as the factorial of the number of options. And so you can easily get, you know, if you’ve got like 20 different independent options in that one product tree field, which I’m sure there are, that translates into 2.4 quadrillion options. And in the end, you know, the consumption product would have to understand, be able to understand, each of those 2.4 quadrillion options. Now, my guess is there aren’t too many developers who are going to undertake a project where they have to deal with 2.4 quadrillion use cases. And that’s the problem. It has to be just tightly specced out. Yeah. And that’s what we did in the SBOM Forum.

Dale Peterson 

So you’re saying that your book is already out of date? There is a VEX specification now?

Tom Alrich 

Yeah, we just did it. We just did it. Now, it’s for this very narrow use case. Now, there are several other VEX use cases that are different, like Red Hat has one, Cisco has one, they’re pretty much similar. Now, Omar Santos from Cisco is the chairman of the CSAF working group, the CSAF group. And Peter Lorre from Red Hat is on the board of CSAF. So they’re very tight with CSAF. But, you know, the problem is, you have big companies like Oracle, Red Hat, Cisco, Microsoft, Schneider Electric that, you know, put lots of time into creating the VEX, you know, in order to create CSAF documents, because they’ve got people who can really spend full time doing it. But the end users, you ask them, what tools do the end users use? There are no tools currently. And that’s why we’ve been developing code for them that can ingest the CSAF document. In fact, there’s no simple parser just to say, in English, this is what the CSAF document says. There’s nothing like that.

Dale Peterson 

And I think I want to talk about service providers as kind of an interim, at least an interim solution. I think that’s going to be where the market will end up, or we might differ on that. But just to kind of highlight this, you said on page 15, and I think almost the exact same sentence in multiple places, just to highlight how much you think VEX is important. It says, the author believes that SBOMs will not be distributed to end users in any meaningful way until current confusion over VEX can be resolved. Yeah, it’s a showstopper problem. Showstopper problem. Yeah. Okay.

Tom Alrich 

It’s the only real showstopper that I can see, but

Dale Peterson 

Okay, well, here might be another showstopper. Okay. Do asset owners, I deal mainly in the OT world, as you know, do asset owners in the OT world want SBOM and VEX?

Tom Alrich 

Well, you know, the thing is they don’t need them. They don’t know. In fact, Steve says that. I don’t know whether he’s done it with you, but even when he gets interviewed, they often ask him, you’re not going to ask stupid questions like this, well, where do you see SBOM and VEX in the next 10 years? And anyway, when he gets asked that question, he says, well, I hope they’re not needed. Because that’s the point. Nobody needs an SBOM. Nobody needs a VEX. What they need is the information they convey. Right? And really what I’m thinking now is, you’re saying the service providers; in my book, that’s what I pretty much say, you know, the service providers are going to do it. I don’t think there will be end user tools, really, that, you know, are commercially supported, low cost per year, perhaps ever, you know, for end users. But I said in the book that, you know, the key will be a bunch of service providers who will cobble together all this open source stuff, which they can make work. But big companies, you know, whose business is insurance, their business is not, you know, creating open source tool chains that they can use for VEXes. So they just want to have, you know, they want one throat to choke, you know; if they have a problem, they want to find, you know, get an answer. And, you know, they don’t want to have to submit it to some open source committee. So they’re never going to be satisfied with anything other than real commercial support. And I don’t think there will be. So, but, you know, service providers can devote the time that’s needed to do that sort of stuff. But now I’m beginning to think, really, it’s the suppliers themselves who really do this, because they should be doing it anyway. They should be. They should, obviously, they’re good. They are creating SBOMs now; they are looking at vulnerabilities. Well, why don’t they just, you know, and they’re the ones who determine whether the vulnerability is exploitable, not, so they do the VEXes. Why not just share that information with all their users? You know,

Dale Peterson 

Well, you know, so we’re getting, I think there’s some answers to that. But, you know, when you think about it, they’re already dealing with a huge patching problem. They’re not, a huge patching problem, they have a large number of patches to deploy. Most asset owners I see are, let’s say, not doing real well in deploying the ones that they already know about, let alone multiply it by, you know, 50 or 100, or whatever number. Yeah. And then the other thing is, they seem very comfortable relying on the vendor to tell them what to patch. I don’t see a lot of them saying, I don’t trust you, you’re hiding things from me. So why wouldn’t you just have a machine readable feed that goes into, let’s say, a vulnerability management system, that says, I have this product, here’s what you need to patch? I don’t care about all these VEXes that tell me something’s not affected. I don’t care that there’s 10,000. Tell me about the 90 I need to patch, and I really don’t want to know anything else. Why would end users ever want this stuff?

Tom Alrich 

No. I mean, that’s the point. They will? Well, they can, they need to know the vulnerabilities anyway, you know, not just apply patch one, patch two, patch three. But, you know, they need to know the vulnerabilities, because there might be different ways they can deal with them.

Dale Peterson 

But I need to know, the exploitable vulnerabilities horrible.

Tom Alrich 

But yeah, but that’s actually not a big number. That’s the point, and it’s really more than 95%. They’re not exploitable; it’s probably like 97 or 98%. And when you think about it, that is, of every 40 vulnerabilities you discover in components, only one is probably exploitable. And so, you know, it won’t be that many. And of course, the ones you know, you have these component vulnerabilities, like Log4j, OpenSSL, and, you know, Apache Struts, you know, which was behind the Equifax breach. Those are all component vulnerabilities, and you really want to know about those. But you’re right, I mean, it is really patch prioritization, which is probably the main benefit of all this. But, you know, the thing is, the whole idea of the transparency is, I mean, Veracode did a study, like in 2017. And they asked suppliers, are you patching component vulnerabilities, and it was only like 20% that even looked at the component vulnerabilities, let alone patched them. So now that was in 2017. Now, hopefully, I’m sure it’s a much higher percentage now. But I mean, that’s the problem. To be quite honest, the suppliers can’t be trusted to, you know, even with their own code. Well, even their own code is a problem. They need to report more. I mean, some people don’t realize, they think, oh, well, the vulnerabilities are in the database there because people blew the whistle on the supplier. No, 99% of the CVEs that are out there are reported by the suppliers themselves. They’re blowing the whistle on themselves. You know, and that’s the point; they have to report them. And that’s a big point I made in the book, that, you know, if the supplier doesn’t report vulnerabilities, they’re going to look fine in the NVD, because there won’t be any vulnerabilities. Wow, boy, they’re great. 
But actually, there’s an anecdote, and I know I have it in the book, from Tom Pace. I know you know who he is, right? Yeah. NetRise, right? Yeah, he’s an interesting guy. But he, you know, and this kind of got us going, really, early in our SBOM Forum in 2022. He talked to us, he described a device, well, a maker of networking devices that are used in critical infrastructure and the military. And this vendor, they’re a small one, not Cisco. And they only, you know, they have like about 50 different devices. They’ve never reported a single vulnerability in any of their devices. And he analyzed the firmware in one of their devices, and knew about vulnerable components in that firmware. And he said that there were at least 40,000 unpatched vulnerabilities in that one device, in the firmware in that one device. Okay, but they’ve never reported a vulnerability. And so that’s the problem: device makers are not reporting vulnerabilities. I looked at the top 10 medical device makers, maybe not very important, just medical devices, you know, keeps you alive and stuff, you know, frou-frou like that. And I looked at them, yeah, and you can look up, if you look them up in the CPE, in the NVD, you know, there’ll be a CPE number if they’ve ever reported a single vulnerability there. Five of those top 10 medical device makers have obviously never reported a single vulnerability, a CVE. And three of those remaining five have just reported like a few, you know, when they’ve got hundreds or thousands of devices, and they’ve only reported a few vulnerabilities. And the other two were just these huge ones, Siemens was one, I forget, you know, where you don’t know whether it’s medical devices or anything else. So you can’t really tell what it’s about. Yeah, but the point is, device makers in general. 
Now, there are some big exceptions, like Cisco and Schneider Electric are two that really are exceptions, but in general, device makers are not reporting vulnerabilities at all. And that’s a huge problem.

Dale Peterson 

Well, I mean, we could go down the vulnerability disclosure rabbit hole. Well, I know the book does cover that, but I think we

Tom Alrich 

got it for SBOMs, you have to, you know, that’s the thing. If you’re using SBOMs for vulnerability management, which is what I’m doing, you have to ultimately look at, well, are vulnerabilities being reported in the first place? I mean, otherwise, it’s kind of a waste of time. Yeah.

Dale Peterson 

But you kind of give the vendors a break a few times, like on page 114. You said, basically, to avoid ridicule, or outrage from old vulnerable components, you said, quote, a supplier should not feel obligated to list every component they know of in their s bomb. And users should not press the suppliers to do so. Now. Yeah, so that’s kind of like, well, you can just remove the really bad stuff. And,

Tom Alrich 

you know, I mean, unfortunately, right now, they’re not being distributed to end users, SBOMs are not. So I mean, and one of the reasons is that suppliers are what, you know, their lawyers are saying no, and well, you’re not going to believe that, because we’re gonna get sued for you know, these products, often, the thing is, old components are often there, every product has old components, and some of them, you know, the bigger the more complex the product is, the more components are there, because there’s something they, you know, they’re all kind of interlocked. And if you, if you try to replace one component, you’re going to have to replace 100 or 200, you know, and it’s very, very, you know, because they’re all, you know, they all rely on each other. And so, it’s a huge job to replace the components. So what they do need to do, is do what they call backporting patches, I’m sure you know, you know, where they, they go, you know, there are big vulnerabilities that come out. And even though the, the product might be way out of support, they will patch the big vulnerabilities rather than, you know, let their those out of support users fall victim to whatever it is, you know, like, WannaCry, you know, there was, you know, that was the situation there. And so, they’re responsible practice you can provide, but the thing is that is not going to show up in the SBOM, all you’re gonna see is all these old components and people are gonna yell at you. So I don’t, you know, I don’t mind if they don’t include all their own components, right now the alternatives are, they’re not going to provide the damn thing at all. So what, you know, that’s the problem, we have to start somewhere. And I’m actually proposing now that, you know, I don’t think as long as we’re going to, you know, use it all until we until we’ve had like two or three years of experience, where basically everyone agrees, this is just a proof of concept. 
We’re doing it just for fun, we’re not going to use it to, you know, at least they say, the end users say, well, we’re not going to use it to make business decisions. And, and then, you know, so the lawyers then in the suppliers might say, Oh, well, okay, well, then maybe we can let this go out because we can’t get sued. You know, okay, well, let’s,

Dale Peterson 

let’s jump to another one, like on pages 158 and 163, you talk about compensating controls, and you even give the example of a firewall rule that prevents the device or app, the vulnerability from being exploited. Right, you could have a firewall rule, and that this could allow a vendor to say not affected or not exploitable? This seems like a huge hole. Because I mean, I think back to 2012. And in the ICS, the reaction for most ICS vendors was, Oh, that’s not, that vulnerability isn’t an issue, because the bad guy shouldn’t be able to get there.

Tom Alrich 

Well, you know, I don’t advocate doing that either. You know, I think what they, it’s much better if they don’t say anything at all. They don’t they, they need to list the component, they just put no assertion in there in SPDX, or I forget what the term is. And in CycloneDX, we’re bait where you say, you know, there’s a component there, you know, maybe we don’t know the name, maybe we’re not going to tell you, tough luck. But there’s a component there. And we’re not going to tell you, move on, you know, that I mean, the problem is right now, the alternative is no SBOM at all. So what do you, is it better to have a glass half full or a glass that’s completely empty. I mean, that’s really what the choice is right now. Maybe in five years or 10 years, it will be different, you know,

Dale Peterson 

let’s circle back then just to close one thing, and then we’ll talk about providers. Yeah. You know, we so we’ve had this discussion about, about where we are now and some of the exceptions and such. But you in the book, you are a very strong proponent that the suppliers should provide a VEX, even if it’s not affected. So you say, ninety, you said about 90% of the vulnerabilities in the components would be not exploitable or not affected? Well, that

Tom Alrich 

that was the reason for VEX because of because there’s 95%, or more, are not exploitable, and don’t want the end users getting all worried about them and swamping your help desk, because that was the main use case for VEX, usually to keep the help desk from being swamped right after an SBOM was released. And people panicked about all these non exploitable vulnerabilities. So that was actually the main original use case.

Dale Peterson 

Yeah, I mean, I guess I guess I’m less, I’m less excited about VEX. And I kind of go back to this idea of, if I’m an asset owner, I just want you to tell me what I should patch. And now

Tom Alrich 

the thing is, I mean, you’re not an exploitable vulnerability. One thing, it’s not even going to appear, you know, you won’t know about an exploitable vulnerability until the supplier reports it and the supplier is never going to report it. Well, if they’re a device supplier, they’re never going to report that thing. Because hardly anyone does. But even if they’re a software supplier, like Oracle, they’re not going to be very responsible, it’s about their supplier, they’re not going to report it until they have a patch. And so it’s not, it’s no longer really an exploitable vulnerability, because there’s a patch available, you know, and so what, but you still want to get it out that the vulnerability is exploitable, because you want people to know, if in case they didn’t see the patch notification, you know, looking you know, there’s a patch out is a bad vulnerability, you need to do something about it. And you definitely want to avoid the silent fix. We saw that for years where the new version would come out and it would fix some very important things, but they didn’t include that in the notes. So the asset owner would say, Well, I

Dale Peterson 

don’t need this new feature. I’m not going to deploy it, not realizing there were some important security patches. Yeah. Okay, let’s let’s let’s finish up here with, To me this is the most interesting part of the whole SBOM marketplace is how whatever set now you and I might disagree on the set of information No,

Tom Alrich 

deal, okay. But

Dale Peterson 

we, you know, there’s going to be some set of information that’s going to be useful for asset owners related to component patching. And if I’m an asset owner, I don’t want to go to my 20 or 50 vendors and try to bring all that in and deal with that myself. And I think if I’m a vendor, I don’t necessarily unless I’m just a huge vendor and can create a company to do this. I don’t want tens of thousands of customers coming at me with unique requests, I’d rather, you know, I’ve said this, in a few shows where I see there’s this big cloud on one side, which is the vendors, and there’s this even huge, you know, 10, or 100, or 1,000x. Cloud on the other side, being the asset owners, the end users. And I see there being the service providers in the middle mediating that information between the two. And I sort of gotten from your book that you feel at least that’s going to be the first way it’s going to happen, maybe at some point end users are going to have tools. But yeah, is that where you are too, that you see these service providers being the shorter term? When, whether that’s two Yeah, five years or whatever?

Tom Alrich 

Yeah, but I think really, I mean, it really should be suppliers, because they have all that information already that well, all they have to do is share it. You know, and it may be reformatted a little, but I mean, they got they know about which vulnerabilities are exploitable, they can just feed that information to their end users. And so then you don’t, then the users don’t need SBOMs or VEX. And even these third party suppliers don’t, now the problem is these third party vendors that the US still, not every supplier is going to do that, you know, because they’ll have to have certain tooling and stuff to do that. But I mean, they should have that tooling now just to deal with the problem with, you know, with component vulnerabilities. So I really think it should be them that they just feed that out. And I think it will be, you know, I say in the book that I think the suppliers are going to take responsibility, I use the example of patching, you know, where they, they first, you know, the suppliers started charging for security patches, you know, that you would have to get maintenance. And, you know, when you couldn’t get security patches, unless you paid for maintenance. Now, that was really self defeating, had people realized how terrible that is? Oh, well, you know, because there’s a herd immunity thing. And if you have all these people who don’t have patches, because they’re not, they don’t want to buy maintenance, then it’s hurting everybody, you know, who has that software, so, and that kind of that message got pretty quickly learned. And, and after a while they saw, you know, you just expect if you buy any software, that you’re gonna get patches with it. And, and I think it’d be the same with SBOMs, you know, well,

Dale Peterson 

but imagine I’m an asset owner, I’m, you know, a manufacturer, and I have different DCSs in different plants around the world. And then I’ve got all sorts of other systems, I’ve got my OPC server, I’ve got my network components, I have all this stuff. I don’t want to, I basically want to know, what do I, here’s my asset inventory. So they are pushing to have asset inventories, we’ve seen that in the OT space to develop asset inventories. And then they would want to be able to go out and say, I have product or application X version 2.6. What, what do I need to patch? Or what vulnerabilities do I have? And then I’ll make the determination what whether I need to patch it or not, you know, because you’re not, you might not apply all patches, you might only apply 10% of the patches, because you have your own risk management thing. But I guess what I’d worry about, you say the supplier should do this. I worry. And maybe this is where the protocol comes in. I worry if I go to Schneider Electric and I get one thing. And then I go to my OPC vendor and I get another thing and I go to my historian and I get a third thing. And I’ve got to figure out how do I interface all that. I think if I’m an asset owner, it’s very appealing to me, if I go to one place, and send them my product name and my version and they can come back and say this is, this is the status, and I can do that monthly or if I want to I can ping that thing daily. I see real value in that as an asset owner.

Tom Alrich 

Yeah, you mean in terms of knowing what what patches are available for that product and version,

Dale Peterson 

in terms of in terms of only having to go to one place to go to a service provider as opposed to trying to establish and maintain all the different connectivity The options,

Tom Alrich 

aren’t there service providers like that? No, I mean, I would think, not

Dale Peterson 

not, not in OT. I mean, the closest might be FoxGuard, FoxGuard does that for a few systems, they’ll do that. I think they did that for like the GE Mark VI and a few other things. But I could see real value in that. And then you talk about in the book, who’s going to pay for this. I, you can see this, you can see so many payment models, for example, a Schneider Electric could say, it’s going to cost me so much money to service my customers. And as you said, this is something that isn’t considered something I can charge them for. So maybe I just pass this whole responsibility to a third party, or maybe I, Schneider Electric, am big enough to create my own company to do this, but I am paying that, or

Tom Alrich 

I would have to pay it. But as long as the supplier pays it, you know, I don’t think, I think they should, well, they introduced the components, the source of the problem. So sure, they want to be taking ownership of the, you know, fixing the problem.

Dale Peterson 

Well, should should doesn’t really matter in business, I don’t think

Tom Alrich 

well, but I think they but I also made in there the point that I think just like in patching, you know, it was the suppliers inevitably started bearing the costs now. But I also made in there, I point out a lesson I learned from Milton Friedman, when I was doing his economics courses a few years ago, I will say, and, and, you know, he said, You have to distinguish between the person who pays the cost in the economic sense, and the one who writes the check. And they’re often very different. You know, and then we’re usually talking about taxes where, you know, the, you know, the incidence of the tax, you know, the the effect falls on someone who may not be the person who pays the tax, you know, and so, just like you’re you have a house, you know, you when you buy a house, you know, you know, he said no one should complain about property taxes, because they don’t, they don’t pay them. They write the check. But the, you know, when you bought the house, you the property owner knew you and the property owner knew there were going to be taxes to be paid. And that was had to be factored into the you know, given them was competition, you had to be factored into the price of the house. And so you’ve already, you know, the the person you bought from paid the tax, you know, now, that’s kind of cold comfort. But anyway, you know, I mean, that’s the idea. So, and in this case, I think inevitably, you know, the I do think this falls on the both in terms of moral obligation. And in terms of actual economic impact, it’s going to fall on the supplier. And it should, you know,

Dale Peterson 

well, it may be it should, but I could easily see a business case where, well, let me let me get to this in a question. So we’ve got some customers or we got some vendors in this space. So Fortress Information Security, who you worked with, aDolus, Finite State, NetRise, are sort of in this supply chain or SBOM world. How are they going to survive until this market becomes reality? Well,

Tom Alrich 

they’ve got lots of venture capital, I guess, but you know, I’m not too worried about them. No, I mean, the problem is, it’s a very small market now, because SBOMs are not being distributed to end users. Now now companies like, you know, well, their site eats inside LM, and all these companies you you may not have heard of, but they’re, you know, they were primarily vendors, they’re doing very well. You know, I’m not, whether they’re making money, you know, in an operational sense, I’m not sure, but they’re, you know, and, but for the these third party service providers, I’m looking forward for the end user space, that’s, they’re not there yet. And I, and that’s, you know, I was kind of hoping they might start appearing. And that’s why we’re going to, we’re gonna do a full scale proof of concept. You know, the, as my forum will be doing, hopefully, later this year. And where, you know, we’re gonna have to create some third party service providers, have their own entity, you know, because and it’s not going to be very hard either, but you know, it that’s there, there is. I agree, it’s, it’s a question of whether they’re, they’re going to be rising but as far as the suppliers go, they’re, you know, they’re not going to be put out of business by producing SBOMs, because they’re doing them now anyway. So I’m not,

Dale Peterson 

I’m not worried about the suppliers, I’m just saying these small companies and, and I keep waiting for one of them to really kind of, they have to, a lot of them are creating custom SBOMs for that customer, creating SBOMs for legacy products, they have the ability to pull things apart, and they’re charging money for this either for the asset owner, or sometimes for the vendor, who’s under pressure from an asset owner to do it. So that’s, that’s kind of how they’re paying the bills. But I could see some of them trying to be the service provider marketplace, especially, I think a key to that will be looking to see if they get investments. So for example, if Siemens made a sizable investment, VC investment in one of these and said, We’re going to allow you to be our portal for this sort of thing on an, on a like a pilot project. To me, I am watching for that. I’m surprised we haven’t seen it yet. Like you, I would expect some service provider to appear in 2024.

Tom Alrich 

Oh, I do. Yeah. In fact, I’m hammering on those companies to to do it. Yeah. And so no, I know, I agree. It’s gonna have to happen. But as I said, I think ultimately, it may be the suppliers themselves, which are going to be the service providers.

Dale Peterson 

In You know, that’s certainly one model. And maybe maybe even that’s going to

Tom Alrich 

be mixed. Yeah. Yeah. But no, I agree. It’s, it’s not a market failing, because there’s no market currently, you know, they’re, they’re not, you know, and it is kind of a chicken and egg problem. And that’s why we’re hoping to kind of jumpstart it with the proof of concept, by the way we’re working with now, do you? Well, okay. You know, Sonatype, is it? Yeah, yeah. I mean, they’re the big, big dog in the, you know, the software composition analysis space, which is SBOMs, you know, and they’ve been doing it for years. And, you know, but I think they will participate in in this, you know, they may very well create these tools themselves. Yeah, well, yeah, go ahead. I

Dale Peterson 

got one last question for, couldn’t, you know, it’s an area that I’ve just read about in the last couple of weeks. And I don’t have any insight on what’s going on with the NVD, the National Vulnerability Database is, do you have any insight as to what’s happening there?

Tom Alrich 

Well, it all fit? No, I mean, there was something that happened, I have an idea, you know, it’s been talked about. But the point is that, and in fact that today is two months from the day their output suddenly dropped. And we have yet to have an explanation of that. Nor do we have any idea of what the fix will be. And the only thing they’ve said, and Tanya Brewer, you know, the head of the NVD. Well, the NVD is part of NIST. And so she’s a NIST employee, but she’s in charge of the NVD group there. And it’s only about 20 people. It’s not a very big group. She’s announced that there’s going to be a consortium. Now, that was something she dreamed up, which we talked to, we approached her, it’s been last year, since the SBOM Forum formed, and we, and we talked, we had, she came and talked to us a couple of times. And during that, our first talk, she, you know, got the idea, well, maybe we need to put together a public private partnership, and she came up with the, you know, talked to the lawyers there. And they have these things, you know, and so she wants to put together this consortium. Well, and then then she, you know, and she said, Well, it’s going to be announced in the Federal Register, you know, next month, and you know, and then you know, and then so we’ll get going very soon, and then she just disappeared. And we didn’t hear any more about that. And then all of a sudden, it gets revived. Now, when that problem happens, and they put it on the, the only thing I can say is that what, we’re going to put together this consortium to solve the problem, well, the consortium will not be in place before nine months at the earliest. And it may very well be years. And then they got to deal with the problem. The problem with the NVD is it’s an ancient infrastructure. It’s written in these languages. I mean, it’s 20 years old, more than 20 years. 
And, you know, and she wanted to, you know, she said she wanted to help in people to commit to spend six months at a time at a minimum, helping them with their coding problems, and they would have to spend two or three months learning this ancient language which no one uses anymore. That’s as good a career move as I’ve ever heard of. And so, you know, that’s the problem. It’s a creaky old infrastructure, there’s all sorts of non redundancy, which obviously is the case, since they’re still having problems two months after this incident. So, but the, the interesting thing is the cve.org, you know, has all the data, the data in the NVD, all comes from, most of it comes from cve.org. And that database is much more modern, it’s sitting there, it can be used now, like, Oracle has already moved over to using that instead of the NVD. And, you know, let’s just make that the database, then the NVD can still create stuff, you know, to create information that, which is what they’re doing now. And, and it can be added to the cve.org database, rather than have CVE. Right now, they’re all their information, even though they’re the source of obviously, all the vulnerability information that goes into the NVD. And they would just keep that information and NVD would add whatever they want to it. But, you know, it makes no sense to try to, I mean, the NVD isn’t gonna go away, you know, it can stay there, it’s got all this data, there’s no point in throwing it away. And so it can still be used, but, you know, let’s make the investment in cve.org. And, you know, the problem solved, now the problem, then it’s no longer a technical problem. It’s a political problem, because you have two different departments. Yeah. NVD is Department of Commerce and cve.org is part of DHS. So that’s the problem. But when there’s no

Dale Peterson 

in your book, Tom Alrich’s book, the title, right, Introduction to SBOM and VEX, you do talk about this consortium and some guidelines as to how it should be created. And, you know, you talk about it being a global consortium and a variety of other things. Oh,

Tom Alrich 

well, that that’s not the NVD, you know, ultimately, there needs to be a global vulnerability. Yeah, right. In fact, we’re, we’re

Dale Peterson 

Yeah, but there’s there’s really a long, I think it’s like 10 to 15 pages in the book on what it should be, as, you know, a classic Tom Alrich description. Very, very detailed. Tom, I really appreciate you being on the show. We’re coming up on an hour here, I guess as a finish. Where should people buy your, I know, I bought the Kindle version on Amazon, but you have a place where you’d like people to buy Introduction to SBOM and VEX, is there more money?

Tom Alrich 

Any the only place you it’s available? Is this is Amazon. Amazon self published? No, actually, the you know, Amazon has people who self publish their get actually very good revenues. I mean, very good percentages, you know, for us, okay, well, I pretty good job. I

Dale Peterson 

bought the Kindle copy. Very, very readable in Kindle. I’m sure the hardcopy is nice as well. And then, in terms of someone wants to reach out with you. Let’s say they read the book and they have some feedback. Where are you most active? Is it LinkedIn? That’s where I see you. But is that where you’re most active?

Tom Alrich 

Yeah, you can reach me on LinkedIn, you can send me an email. But okay, yeah, no, I mean, or, and, you know, anybody who wants to join the SBOM Forum is welcome to do it. They just send me an email, I put them on the list. And

Dale Peterson 

you also write an article every week. Right? Is it just one a week? Or how often are

Tom Alrich 

usually two or, yeah, I’m I’m still writing on, you know, NERC CIP, of course, and especially with the cloud problem, that’s, we could have a whole interview on that. That’s a big issue now. You know, and so, because I am doing work with one of the big CSPs on that, but okay, yeah, well, so reading

Dale Peterson 

and we’ll put a link to your articles in the show notes. Tom, thank you very much for being on the show. Congratulations on getting the book out. And I hope you get a lot of readers of this book.