Duncan Sparrell

This guide provides information on the benefits of SBOM, common misconceptions and concerns, creation of an SBOM, distributing and sharing an SBOM, and role specific guidance. Also, the document provides information on SBOM related efforts, such as Vulnerability Exploitability eXchange (VEX), OpenC2, and digital bill of materials (DBOM).

“The goal of Vulnerability Exploitability eXchange (VEX) is to allow a software supplier or other
parties to assert the exploitability status of specific vulnerabilities in a particular product or set of
products.” Issuing VEX information allows developers, suppliers, and others to provide
information in a human-readable and machine-comprehensible format, regardless of whether or
not software is affected by a specific vulnerability. This allows downstream users to make their
own… Show more

“The goal of Vulnerability Exploitability eXchange (VEX) is to allow a software supplier or other
parties to assert the exploitability status of specific vulnerabilities in a particular product or set of
products.” Issuing VEX information allows developers, suppliers, and others to provide
information in a human-readable and machine-comprehensible format, regardless of whether or
not software is affected by a specific vulnerability. This allows downstream users to make their
own assessments of the risks associated with the vulnerability.

This document seeks to explain the circumstances and events that could lead an entity to issue
VEX information and describes the entities that create or consume VEX information. Whether,
and when, to issue VEX information is a business decision for most suppliers and possibly a
more individual decision for independent open source developers. This document identifies
factors that influence the decision. Show less

Presentation on the Open Cybersecurity Alliance (OCA) at the VEX Summit (https://vexsummit.org/schedule.html) hosted by Cisco and OASIS Open. The talk covers what the OCA is, why it is needed, and how it relates to SBOMs and VEX.

From the late 1970s onward, the global telecommunication industry has gone through several waves of regulatory and technological changes. Today, the very definition of telecommunication has changed. First, the traffic is no longer confined to voice and/or limited data services. Second, the boundary line between telecommunication and information sectors is increasingly blurred. Third, the parties that offer products and services for consumers, businesses and industrial users operate under… Show more

From the late 1970s onward, the global telecommunication industry has gone through several waves of regulatory and technological changes. Today, the very definition of telecommunication has changed. First, the traffic is no longer confined to voice and/or limited data services. Second, the boundary line between telecommunication and information sectors is increasingly blurred. Third, the parties that offer products and services for consumers, businesses and industrial users operate under different regulatory regimes, ranging from strict regulations to no regulations at all. Fourth, the merging of the physical and virtual worlds through immersive technologies opens new social, cultural and business dimensions. Finally, the post-covid environment has opened unprecedented avenues for virtual workplaces (E-work). Show less

This document specifies the minimum elements to create a Vulnerability Exploitability eXchange (VEX) document. These elements are derived from, but may not fully conform to, existing VEX documentation and implementations. It was drafted and debated by experts from across the security and software world, representing different sectors and backgrounds.

This resource provides the recommended NOT AFFECTED status justifications of a VEX document and offers the reader examples of when the different status justifications might be used. VEX documents may contain a justification statement of why the VEX document creator chose to assert that the product’s status is NOT AFFECTED. This document was drafted by stakeholders through an open and transparent, community-led process

This resource provides the recommended minimum data elements of a VEX document and offers a set of scenarios with proposed implementations. This document was drafted by stakeholders through an open and transparent, community-led process.

In recent years, there is a growing potential for the supply chain management application, especially in supply chain innovation. Blockchain as an emerging application model has been widely used in different industries. In the fields of finance, Internet of Things, social welfare and supply chain, there have been a lot of explorations and attempts of application. Among them, the supply chain field has become a "place of use" for blockchain technology due to its large market scale, multiple… Show more

In recent years, there is a growing potential for the supply chain management application, especially in supply chain innovation. Blockchain as an emerging application model has been widely used in different industries. In the fields of finance, Internet of Things, social welfare and supply chain, there have been a lot of explorations and attempts of application. Among them, the supply chain field has become a "place of use" for blockchain technology due to its large market scale, multiple trust subjects and multi-party collaboration. Supply chain is an early development and relatively high maturity of blockchain applications.

The supply chain can be seen as a network of suppliers, manufacturers, warehouses, distribution centers and channels. The core of the supply chain concept is to establish trust between subjects, collaborate and cooperate, form a chain of originally loose enterprises, and collect and integrate discrete chain information. As the scope of supply chain becomes more and more extensive, enterprises coordinate their own and external resources through effective chain management so as to meet market demand. In the future, as the application of blockchain in the field of supply chain tends to mature, blockchain technology is expected to promote and complete the disruptive innovation of the entire supply chain industry and help realize the deep integration of traditional industries with the new generation of information.

This workshop will discuss some of the current problems in the supply chain, as well as the new challenges encountered in the supply chain in the era of the epidemic, and how to propose solutions in using Blockchain technologies to solve these problems.

#bom #supplychain #cybersecurity Show less

Join us for a presentation by Duncan Sparrell about cybersecurity and the opportunities/challenges for Nerves and the Erlang/Elixir ecosystem in general. In May 2021 President Biden issued Presidential Executive Order(EO) 14028 on Improving the Nation’s Cybersecurity. The talk will begin with some cybersecurity basics, covering the environment, trends, and events that led to the EO. It will discuss why the Elixir/Erlang ecosystem, and OTP’s “let it fail” in particular, is well suited for… Show more

Join us for a presentation by Duncan Sparrell about cybersecurity and the opportunities/challenges for Nerves and the Erlang/Elixir ecosystem in general. In May 2021 President Biden issued Presidential Executive Order(EO) 14028 on Improving the Nation’s Cybersecurity. The talk will begin with some cybersecurity basics, covering the environment, trends, and events that led to the EO. It will discuss why the Elixir/Erlang ecosystem, and OTP’s “let it fail” in particular, is well suited for cybersecurity. OTP was an originally an acronym for “Open Telcom Platform”, but now stands for “One Tough Platform”. With increased focus on the safety impact of cyber-physical systems in the Internet of Things (IoT), there are large opportunities for Nerves as well as challenges. I’ll discuss how the EO will use the power of the federal purse to transform the software industry and the opportunities and challenges to our ecosystem. Much of the talk will focus on Software Bill of Materials (SBOM) – it’s recent history, why SBOMs are important, what the EO means to SBOMs for Nerves projects, the hex/rebar tools to create SBOMs, and what attendees can (and should) do in their Nerves projects. Show less

With COVID-19 as a backdrop, 2020 was the year that cybersecurity really came to the forefront. With the world mostly working from home and relying on the Internet more than ever, a plethora of security challenges arose that taxed an already overburdened IT industry. After things like the Solarwinds attack and hacks on public infrastructure such as in the energy sector, it became abundantly clear that we had to step up our efforts to more clearly automate sharing of threat data, understand what… Show more

With COVID-19 as a backdrop, 2020 was the year that cybersecurity really came to the forefront. With the world mostly working from home and relying on the Internet more than ever, a plethora of security challenges arose that taxed an already overburdened IT industry. After things like the Solarwinds attack and hacks on public infrastructure such as in the energy sector, it became abundantly clear that we had to step up our efforts to more clearly automate sharing of threat data, understand what packages where in our critical software, and even begin to automate remediation plans when vulnerabilities were detected.

In this panel discussion, we gather together a collection of subject matter experts in everything from SBOM (Software Bill of Materials) to threat detection sharing and remediation to give the audience a look into open software projects and standards that are at the leading edge of helping to secure our digital future. The panel will answer questions in their respective areas of expertise, and also touch on how their particular specialties overlap and collaborate in the fight against cybersecurity threats. We will leave time for audience questions and participation. Show less

Explains the underpinnings of the QuadBlockQuiz game and why elixir/BEAM/OTP is so good for cybersecurity.
Abstract at https://icfp21.sigplan.org/details/erlang-2021-papers/8/Lightning-Talk-QuadBlockQuiz-Supply-Chain-Edition
Video of presentation at https://youtu.be/ZEyv7KPSlq0

Reprise of RSAC game at BSidesLV - teaching supply chain cybersecurity

Telling scary stories around the campfire at BSidesLV - the story of my start in cybersecurity

Introduced and interviewed keynote speaker

Introduced and interviewed keynote speaker

Introduced and interviewed keynote speaker

Moderated panel on mitigating supply chain disruption

Introduced speaker, moderated Q&A

Created game for the Supply Chain Village at RSA Conference that demonstrated and taught supply chain cybersecurity

This talk explains the safety impact of cyber-physical systems in the Internet of things. It explains the advantages of quantitative risk analysis for security decision making while extolling the advantages of "One Tough Platform" for developing secure software. Duncan presents pitfalls to avoid and best practices to follow. He evangelizes OTP for cybersecurity and cyber-physical safety and
demonstrates open-source on a Raspberry Pi showing how future IoT will adapt to threats in… Show more

This talk explains the safety impact of cyber-physical systems in the Internet of things. It explains the advantages of quantitative risk analysis for security decision making while extolling the advantages of "One Tough Platform" for developing secure software. Duncan presents pitfalls to avoid and best practices to follow. He evangelizes OTP for cybersecurity and cyber-physical safety and
demonstrates open-source on a Raspberry Pi showing how future IoT will adapt to threats in real-time.
Show less

Healthcare is becoming more connected. Risks to patient and public safety are increasing due to
cybersecurity attacks. To best thwart cyberattacks, the Internet of health things (IoHT) must
respond at machine speed. Cybersecurity standards being developed today will enable future
IoHT systems to automatically adapt to cybersecurity threats in real time, based on a quantitative
analysis of reasonable mitigations performing triage to economically optimize the overall
healthcare… Show more

Healthcare is becoming more connected. Risks to patient and public safety are increasing due to
cybersecurity attacks. To best thwart cyberattacks, the Internet of health things (IoHT) must
respond at machine speed. Cybersecurity standards being developed today will enable future
IoHT systems to automatically adapt to cybersecurity threats in real time, based on a quantitative
analysis of reasonable mitigations performing triage to economically optimize the overall
healthcare outcome. This paper will discuss cybersecurity threats, risk, health impact, and how
future IoHT cybersecurity systems will adapt to threats in real time. Show less

The Trilateral Cyber Security Commission was formed to make recommendations to the
governments of the United States, Japan, and like-minded European countries individually
and collectively to improve the security of their information networks. Some of the most
critical challenges to all these countries are the economic and security risks of future 5G
networks. These rapidly developing networks will become a new and dominant form of critical
infrastructure. Unless the free market… Show more

The Trilateral Cyber Security Commission was formed to make recommendations to the
governments of the United States, Japan, and like-minded European countries individually
and collectively to improve the security of their information networks. Some of the most
critical challenges to all these countries are the economic and security risks of future 5G
networks. These rapidly developing networks will become a new and dominant form of critical
infrastructure. Unless the free market democratic countries can develop polices and take
actions in the near term, China is poised to dominate this emerging market and could use its
position to undermine the national security of its adversaries.

The Commission recommends the United States, Japan, and likeminded governments in Europe and elsewhere take a series of domestic and coordinated multilateral actions. The objectives are not only to protect their 5G networks, but also to support Western firms in competing fairly to deliver 5G solutions around the world. Show less

This resource summarizes the benefits of having an SBOM from the perspective of those who make software, those who choose or buy software, and those who operate it. It characterizes the security, quality, efficiency, and other organizational benefits, as well as the potential for the broader ecosystem across the supply chain.

This resource defines SBOM concepts and related terms, offers a baseline of how software components are to be represented, and discusses the processes around SBOM creation. With terminology and a background of the NTIA process, it serves as a detailed introduction to SBOM.

Abstract at https://us19.borderlesscyber.org/program-schedule/program/69/bc-track-improving-iot-safety-using-standards-to-improve-iot-security. Bio at https://us19.borderlesscyber.org/program-schedule/users/detail/1150/duncan-sparrell. The Prezi for the presentation is at https://prezi.com/view/uU4txAdyhXFkHFwiAIk3

Abstract at https://guidebook.com/g/rss2019/#/session/24575049. Bio at https://guidebook.com/g/rss2019/#/item/12745003/. Slides (in a non-building pdf) are available at https://www.rochestersecurity.org/wp-content/uploads/2019/10/Sparrell_CyberPhysicalSafety.Sparrell_reduced.pdf. The Prezi as presented is available at https://prezi.com/view/fCWEZVUbeuLG13zCu3GT/.

Open Command and Control (OpenC2) is a concise and extensible language to enable machine-to-machine communications for purposes of command and control of cyber defense components, subsystems and/or systems in a manner that is agnostic of the underlying products, technologies, transport mechanisms or other aspects of the implementation.

Open Command and Control (OpenC2) is a concise and extensible language to enable the command and control of cyber defense components, subsystems and/or systems in a manner that is agnostic of the underlying products, technologies, transport mechanisms or other aspects of the implementation. Stateless packet filtering is a cyber defense mechanism that denies or allows traffic based on static properties of the traffic, such as address, port, protocol, etc. This profile defines the Actions… Show more

Open Command and Control (OpenC2) is a concise and extensible language to enable the command and control of cyber defense components, subsystems and/or systems in a manner that is agnostic of the underlying products, technologies, transport mechanisms or other aspects of the implementation. Stateless packet filtering is a cyber defense mechanism that denies or allows traffic based on static properties of the traffic, such as address, port, protocol, etc. This profile defines the Actions, Targets, Specifiers and Options that are consistent with the version 1.0 of the OpenC2 Language Specification ([OpenC2-Lang-v1.0]) in the context of stateless packet filtering (SLPF). Show less

Modern software systems involve increasingly complex and dynamic supply chains. Lack of systemic transparency into the composition and functionality of these systems contributes substantially to cybersecurity risk as well as the costs of development, procurement, and maintenance. In our increasingly interconnected world, risk and cost impact not only individuals and organizations directly but also collective goods like public safety and national security. This talk will cover the advantages of… Show more

Modern software systems involve increasingly complex and dynamic supply chains. Lack of systemic transparency into the composition and functionality of these systems contributes substantially to cybersecurity risk as well as the costs of development, procurement, and maintenance. In our increasingly interconnected world, risk and cost impact not only individuals and organizations directly but also collective goods like public safety and national security. This talk will cover the advantages of having a Software Bill of Materials (SBoM) and the work underway in an NTIA Working Group on Software Transparency. Show less

The cost of cybersecurity is increasing while the impacts are worsening. The talk will present the underlying economics of today's cybersecurity industry and discuss how the existing drivers need to change to incent the desired behavior. Risk economics will be covered along with how other industries handle massive risk, minimal data, and chaotic actors using proven statistical techniques. Future cybersecurity systems will adapt to threats in real time based on the standards being developed… Show more

The cost of cybersecurity is increasing while the impacts are worsening. The talk will present the underlying economics of today's cybersecurity industry and discuss how the existing drivers need to change to incent the desired behavior. Risk economics will be covered along with how other industries handle massive risk, minimal data, and chaotic actors using proven statistical techniques. Future cybersecurity systems will adapt to threats in real time based on the standards being developed today. Instead of Fear, Uncertainty, and Doubt (FUD), spending decisions will be based algorithmically on proven scientific methods using security policy, risk tolerance, and the potential financial impact of the threat. Factor Analysis of Information Risk (FAIR) is a practical framework for understanding, measuring and analyzing information risk, and ultimately, for enabling well-informed decision making. The talk will give a brief introduction to FAIR and the standards related to it. Show less

https://us17.dryfta.com/en/program-schedule/program/5/defense-at-machine-speed

http://www.anycon.info/talksdefsec

slides available at https://prezi.com/gwudhjox8eev/anycon-lets-play-defense-at-cyber-speed/

A method of detecting security violations by monitoring IP address space usage at per interface level.

Specific examples from recent cases in voice communications illustrate the standardization process and various strategies used to reach common agreement. A specific case of standards spurred innovation is discussed.

Announcement of Wideband Packet Technology (subsequently used on many international cable and satellite routes and the basis for ITU standards G.764 and G.765).

This paper highlights the process leading to the standards on 32-kb/s ADPCM recognized by ANSI and the CCITT and gives an overview of the algorithm itself.