Google's Internal Baseline for Software Security Compliance

Guest:

• Isaac Hepworth, PM focused on Software Supply Chain Security @ Google

Cooked questions:

• Why is everyone talking about SBOMs all of a sudden? Why does this matter to a typical security leader?
• Some software vendors don’t want SBOM, and this reminds us of the food safety rules debates in the past, how does this analogy work here?
• One interesting challenge in the world of SBOMs and unintended consequences is that large well resourced organizations may be better equipped to produce SBOMs than small independent and open source projects. Is that a risk?
• Is the SBOM requirement setting the government up to be overly reliant on megacorps and are we going to unintentionally ban open source from the government? 
• What is the relationship between SBOM and software liability? Is SBOM a step to this? Won’t software liability kill open source?
• How does Google prepare for EO internally; how do we use SBOM and other related tools?
• To come back to the food analogy, SBOMs are all well and good, but the goal is not that consumers know they’re eating lead, but rather that our food becomes healthier. Where are we heading in the next five years to improve software supply chain "health and safety"?

Resources:

• Full video of this episode (YouTube / LinkedIn)
• “Executive Order on Improving the Nation’s Cybersecurity”
• “M-22-18 Memorandum For The Heads of Executive Departments and Agencies“
• SLSA.dev 
• “How to SLSA Part 3 - Putting it all together”
• Assured Open Source Software
• NIST Secure Software Development Framework (SSDF)
• “Linking Up The Pieces: Software Supply Chain Security at Google and Beyond” (ep24)
• “2022 Accelerate State of DevOps Report and Software Supply Chain Security” (ep100)