Ep. 296 Securing the Federal Software Supply Chain: Why SBOMs aren't enough

One of the biggest trends in software development over the past 10 years is the shift from writing code to "assembling" code from off-the-shelf components.

During today's interview with Javed Hasan from Lineaje, we learned that 70% of that pre-assembled code is open source. In other words, an anonymous person in some countries modified software instructions.

This casual approach may be fine for small businesses, but an organization like the federal government must be highly cautious.

Hasan describes how his company was one of the first to work with the federal government to set standards for this existing code. These initial efforts began ten years ago and resulted in Executive Order #14028, which requires a Software Bill of Materials for any organization selling to the federal government. This initiative expanded in 2021-2022 when NIST published related guidelines.

These efforts are a good start. However, federal leaders must evaluate SBOM technology from many perspectives. For example, how to incorporate this mandate into air-gapped networks, legacy COTS, or even in a classified environment.

System administrators also need to know if they are exposed. Further, every organization has a varying definition of what "deep software transparency" is.

Hassan also discusses Lineage's innovative approach to creating "Gold open source" software, ensuring it is free of malware and vulnerabilities.

If you are interested in seeing a demonstration of how Lineaje can help with software forensics, there is an event at the Carahsoft office in Reston, Virginia, on January 30

= =

Connect to John Gilroy on LinkedIn https://www.linkedin.com/in/john-gilroy/

Want to listen to other episodes? www.Federaltechpodcast.com