Ep. 015 - Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc Frankel
Show Notes:
In this episode of the Bites and Bytes Podcast, host Kristin Demoranville chats with Marc Frankel, CEO and co-founder of Manifest Cyber, a software supply chain security company. They talk about the world of Software Bills of Materials (SBOMs) and their critical role in cybersecurity, especially within the food industry. Marc shares insights on the importance of SBOMs, their implementation, and the future of supply chain security. He also provides a unique perspective on the intersection of cybersecurity and the food industry, making this a must-listen for anyone interested in protecting our food systems. Tune in to learn how SBOMs can help your organization stay resilient in the face of cyber threats.
___________________________________________
Episode Key Highlights:
(02:29 - 03:11) Navigating Relationships as Entrepreneurs
(09:11 - 11:07) Importance of Software Ingredient Lists
(16:54 - 17:59) Understanding SBOM Regulatory Requirements
(25:49 - 26:35) Streamlining Software Supply Chain Security
(34:54 - 36:25) Mission-Driven Software Supply Chain Importance
(38:33 - 39:23) Duty to Monitor Software Security
___________________________________________
Hákarl: Have you ever wondered what fermented Greenland shark tastes like? 🌊🦈 Discover the unique Icelandic delicacy that Marc Frankel bravely sampled! Learn More
Russ & Daughters (NYC, Lower East Side): Experience the legendary smoked salmon from one of NYC's most iconic spots. Perfect for your next bagel craving! 🥯🐟 Visit Russ & Daughters
US Executive Order on Improving the Nation's Cybersecurity (14028): Stay informed about the latest national cybersecurity measures. Read the Executive Order
FDA Medical Devices Cybersecurity Guidelines: Learn how the FDA's latest guidance addresses the cybersecurity of medical devices. 🏥🔒 Explore the Guidelines
EU Cyber Resilience Act: Learn about the upcoming changes in EU cybersecurity regulations. 🌍🛡️ Read the Act
Log4Shell: Get the details on one of the most significant cybersecurity vulnerabilities of recent times. 🔍💻 Learn More
______________________________
Marc and Manifest Information:
Find Marc Frankel on LinkedIn. Connect with Marc to jump into the world of SBOMs and cybersecurity. Connect with Marc
Information on Marc's company, Manifest. Discover how Manifest is revolutionizing software supply chain security. Visit their Website or LinkedIn for more details.
___________________________________________
Bites and Bytes Podcast Information:
Website: Explore all our episodes, articles, and more on our official website. Visit Now
Merch Shop: Show your support with some awesome Bites and Bytes gear! 🧢👕 Shop Now
Blog: Stay updated with the latest insights and stories from the world of cybersecurity in the food industry. Read Our Blog
Audience Survey: We value your feedback! Help us make the podcast even better. Take the Survey
Schedule a Call with Kristin: Want to share your thoughts? Schedule a meeting with Kristin! Schedule Now
Listen to the full episode:
Episode Guide:
(00:21) - Exploring SBOMs in the Food Industry
(07:31) - Software Supply Chain Vulnerabilities and SBOM
(17:15) - Importance of Software Bill of Materials
(23:48) - Navigating the Software Supply Chain
(31:51) - Food Safety and Supply Chain Management
(42:25) - Technology Supply Chain Transparency and AI
(47:51) - Cybersecurity and SBOMs in Food
-
00:21 - Kristin Demoranville (Host)
Welcome to the Bites and Bytes Podcast, where we explore the intersection of cybersecurity, technology and so much more in the food industry. I'm your host, Kristin Demoranville, and today we have a great guest for you. Marc Frankel, CEO and co-founder of Manifest Cyber, is here to help us unpack the complex world of software bill of materials, or, as they are more commonly known, SBOMs, and their critical role in securing our food systems. I hope you enjoy our conversation about the world of SBOMs and the food industry. Hi, Marc, thanks for being here. Really appreciate your time. I will jump in with an introduction first.
01:02 - Marc Frankel (Guest)
Sure, absolutely. My name is Marc Frankel. I am the CEO and co-founder of a software supply chain security company called Manifest.
01:09 - Kristin Demoranville (Host)
Excellent. And how did you get to that co-founding-ness?
01:14 - Marc Frankel (Guest)
Not by accident. I can tell you that much that's good. So my co-founder, Daniel, and I met about 10, 11 years ago. We started at a company called Palantir on the same day together. He was this symbolic systems grad from Stanford. I had barely touched a keyboard in my life and so we were seated together during orientation. I was like cheating off of his computer. I had come from the finance world, I didn't have much of a background in tech, but he was this you know, very patient, very accommodating, really great teacher, and we stayed friends for about a decade.
01:42
We followed each other through Palantir, working on federal civilian, intelligence community, DoD stuff. He left for a company called Exabeam and then Defense Digital Service and ultimately CISA. I left for an attack surface management company called Expanse, but we stayed in touch. And when the Log4Shell vulnerability hit, I was at Palo Alto Networks, which had acquired Expanse. Daniel was at the Pentagon and we both watched these large, mission-critical, sophisticated organizations unable to answer a simple question of where do we have a problematic component in our software supply chain? And that seemed like a problem, not just a problem worth solving, but a problem worth solving urgently. And those were our criteria for jumping in and taking the entrepreneurial leap together. So that was about two years ago now and we're still friends.
02:29 - Kristin Demoranville (Host)
That's good. It's very hard to maintain a relationship and be an entrepreneur and a co-founder. I know this from experience. It's definitely a journey, for sure, and sometimes you're heading towards Mordor and you just have to kind of steer away.
02:42 - Marc Frankel (Guest)
I spare a thought for anybody. You know, we hear stories of people who found companies based on folks that they met on Hacker News or, you know, Y Combinator or whatever. I just can't imagine going on this journey without somebody that I had the bedrock of a decade-long friendship to rely on, and so I think that's a really, really important criterion for anybody who's, you know, considering taking the plunge.
03:03 - Kristin Demoranville (Host)
Yeah, there's a lot of entrepreneurs, startups in the food industry, for sure, too, so I think a lot of them come out of families and friends, and I think that's the way to do it. I think you're right, Marc. Thanks for that intro, so let's jump into my favorite part of the podcast. Besides all the great information I get, tell me your favorite food and your favorite food memory. They do not need to be one and the same.
03:22 - Marc Frankel (Guest)
Wow, okay, so my favorite. I'll start with my favorite food memory, and it's not a good one. I know that, you know, probably most people hearken back to, you know, the Thanksgiving table or what have you, but my favorite food memory actually was in Iceland, and there's a local, I don't even know if you would call it a delicacy, but certainly a local food that they've eaten historically or traditionally, called hákarl. It's fermented Greenlandic shark and it was clearly born out of times of difficulty and deprivation. It's not something that you would eat necessarily if you had other choices, but they catch a Greenlandic shark, these things can live up to 300 years old, and they fillet it basically and they hang it. It's poisonous if you eat it raw, but they hang it in barns, open air barns with flies and what have you on it, for months until the lye or whatever the poison is kind of gets extracted out of it and it becomes these, like, little white. They chop them up into, like, little cubes and you eat them with a toothpick.
04:18
And my now wife, my then girlfriend, and I went to Iceland, it was probably about eight or nine years ago now, and we were like, hey, we just have to try this, we have to try it for the memory. And so we went into a grocery store and we bought this, you know, hákarl, grabbed the little toothpick and we ate it. And I still remember exactly where on my tongue the piece of hákarl touched, and it had the consistency of, like, it was like a gummy bear, I guess, like covered in Vaseline. It was really kind of vile. But it's those sorts of memories that are memorable, obviously, but that help you recall a time and a place in your life and an adventure that you went on. So I was really grateful to have that experience and it was definitely something unique, something that I won't soon forget.
04:57 - Kristin Demoranville (Host)
Obviously listeners can't see me and I'm making all kinds of cringe faces and, on top of the fact that it was shark and like it's just so, I mean, that's like I guess it's like a. Maybe I should start doing the worst food memory, but I feel like I don't. I don't think we want to talk about those stories, but I do like that. You had a travel food story, so we're going to call it that Marc, your favorite travel food story.
05:20 - Marc Frankel (Guest)
There you go, and then my favorite food is probably just so. There's a place in New York, on the Lower East Side, called Russ and Daughters. The bagels are good, but the smoked salmon is phenomenal, I would argue it's you know the best in the world. And so they slice it really, really thin, you put capers and you put you know onions and whatever else on it, and again it's more about, like you know, the memory or the experience than it is about the food itself. The food is good, but there's probably a limit to how good a piece of smoked salmon can be. But it's really just more about the community or the experience when I'm there, and so I'm either going with my parents, my siblings, the family that I grew up with, or I'm taking my kids, giving them that experience too. So it's a great bite of food. It's an even better memory and experience.
06:04 - Kristin Demoranville (Host)
Well, thank you for sharing that. That's great. I'm glad I and we're recording, obviously in the morning and you wouldn't know this, listeners, but I just ate breakfast. So I'm really glad I ate breakfast because otherwise I would be starving.
06:14 - Marc Frankel (Guest)
Well, you're always welcome up here to the Northeast.
06:17 - Kristin Demoranville (Host)
Well, it is. It is my home, you know, I am a Northeaster, so I understand. We do crave weird food when we're up there, for sure, including things like whoopie pies and you know all that fun stuff which I don't eat anymore.
06:28 - Marc Frankel (Guest)
But yes, Well, a time and a place for that too.
06:32 - Kristin Demoranville (Host)
Yeah, I think you're right, it's really the nostalgic kind of thing Having one is sort of like remembering childhood, you know that, like really over pungent, sweet spongy cake with the cream sauce yeah, it's definitely, definitely childhood. Or like proper farm stand ice cream. You know, mert, ice cream not soft. So yeah, that's definitely the whole nostalgic memories come flying back when you start thinking about all of that and where you were and the fact that it's probably summer and you got it all over yourself too, and all those memories are great. Thanks, Marc, this is great. So, going back to your company, and the reason why I wanted to have you on the show, is because we're going to talk about SBOMs and everybody's like what's that? That sounds horrible, it's not. Acronyms are weird, but I'm going to let you, Marc, explain what an SBOM is and how that intersects with the food industry, and most people who touch it in the food industry know what it is, but I want to make sure the rest of the listeners know. Since we have a mixed audience, take it away.
07:22 - Marc Frankel (Guest)
Yeah, I guess I would begin by saying that SBOMs are not scary. Most people who are familiar with SBOMs know that they're not scary. Most people who aren't, more or less, there's a tendency to break out in hives once they see their first piece of JSON and they're like, oh my goodness, what am I supposed to do with this? And rightly so, right. It's an intimidating thing, a software bill of materials.
07:42
The two-second, non-technical, you know, explain-it-to-a-six-year-old version of this is that software is the only thing that we buy that you don't get to know what's in it. The FDA, for a hundred years, has required General Mills to disclose what's inside a box of cereal. Auto manufacturers have to have that sticker in the window of a new car that they sell, telling you that it has heated seats and, you know, a stereo surround system and, you know, automatic whatevers. When you buy a house, you get a home inspection. When you buy a t-shirt, it comes with a tag that says 80% cotton and 20% polyester. But when you, and by you I mean the federal government or a Fortune 500 company or any enterprise really, purchase a piece of software, it just shows up in their environment with no list of ingredients, and for the first 40 to 50 years of software it wasn't okay, but it was an acceptable risk. Over the course of the last 15 to 20 years, with the explosion of open source software, software has gone from a guy in a hoodie typing away furiously at a keyboard creating something net new from scratch, to something that resembles much more assembly, like Lego bricks, effectively. And the problem with that is that when you have developers who are grabbing Lego bricks, in this case software components from GitHub or from npm or what have you, you don't have a sense for what is the provenance of these bricks that I'm bringing into my Lego house that I'm building, so to speak, and when you buy software.
09:11
There has become an urgent need for the US Department of State, the US Air Force, auto manufacturers, defense contractors, et cetera to begin requiring these lists of ingredients because of the meteoric rise of a threat vector known as software supply chain vulnerabilities or software supply chain attacks. Basically, nation-state actors and non-nation-state actors, Iran, China, North Korea, et cetera, have woken up to the fact that large companies in the West and large federal agencies in the West consume software without asking what's inside, and so software supply chain vulnerabilities have been on the rise, by some accounts 1300% over the last three years. Some of them have made headline news. Some of your listeners may be familiar with, like, SolarWinds, for instance, or the Log4Shell vulnerability. Log4Shell by itself cost an estimated $10 billion in remediation costs. It was massive.
10:06
And it all stems from the fact that we don't know what's in the software that we build and buy. We don't have these lists of ingredients. The equivalent would be if the FDA put out a statement saying that there was an E. coli outbreak in raisins, and the first thing you would do is you would go into your pantry, and if you opened your pantry and all you saw were gray cardboard boxes, you know, just blank boxes with no ingredients on the labels, you'd have to call Monsanto and General Mills and Post and everybody, and you'd have to say, hey, does this thing that I bought have raisins in it? And that's exactly, effectively, what happened in the Log4Shell vulnerability.
10:39
There was a new vulnerability that was disclosed. Nobody had lists of ingredients, of what's inside the different software applications that we've bought, and so they had to call all of their vendors individually. The answer to we don't know what's in the software that we are consuming is a list of ingredients no different than the list of ingredients on the side of a box of cereal, except because it's a more technical artifact. We call it a software bill of materials, as opposed to just an ingredients label.
11:05 - Kristin Demoranville (Host)
That is probably the best way I've ever heard it described. Thank you for relaying it back into food, because I think everybody understands what you just said. I was thinking, too, that it's not like you can actually print out a recipe of all the code. Necessarily, I mean you can, but are you going to understand it? It has to be labeled. This is the header. This is the footer. This is how the little boxes are green, you know, whatever, all the crazy design stuff on top of the actual functional aspects of it.
11:34
That's very daunting and, wow, you know, and this is why it's such a beast of a situation, because it's huge, it's massive. Think about all the things that run on software, especially inside the food industry, which, as we know, has become a prime target for all kinds of cyber attacks, and this is just one of those attack vectors that we need to deal with better and more efficiently, I think I would say, because it's not that people aren't aware of it, it's just you don't know what you don't know. Like you said, you don't know that there's no labels on your raisin boxes in the pantry. Yeah, you know, you just know you have raisins, you know, that's it.
12:07 - Marc Frankel (Guest)
So that's exactly right. The problem is, and this is not unique to software supply chain, this is universal, I would argue, across the cybersecurity industry, is that oftentimes you get very technical, very, very smart people, yeah, who get very in the weeds with a concept and, before you know it, there's been a proliferation of acronyms and concepts and there can be a real hesitancy to jump into a new area of cybersecurity. You don't want to appear dumb, you don't want to appear like the newbie, you don't want to have basic concepts explained to you, and so, if we look at the SBOM industry, we've fallen victim to that exact same thing, and not without reason. Right, there are good reasons why we have terms like CycloneDX, SPDX, CSAF, VEX, OpenVEX.
12:51 - Kristin Demoranville (Host)
As the listeners glaze over. The listeners are all passing out now. Exactly right.
12:56 - Marc Frankel (Guest)
And what I feel that we in the cybersecurity community do, where I feel we do a disservice, is that an SBOM is an extraordinarily valuable and powerful artifact, but one of its primary benefits is to non-technical people. So if you think about, and I imagine that some of your listeners are probably in third-party risk management or IT security or IT risk or what have you, vendor due diligence, et cetera, they are contorting themselves, bending over backwards to put out 200-page vendor due diligence questionnaires, asking everything under the sun, from do you do background checks on your developers? Do you have a disaster recovery site 90 miles away? Do you have your SOC 2 Type 2 compliance? Do you have any foreign investors on your cap table? But the one question they probably really want to be asking is, what's inside this thing that we're about to trust our data to? And that's what an SBOM gives you.
13:46
And the problem is, if we develop as an industry this technical jargon moat of you're not allowed to be in our club unless you understand these 50 esoteric concepts, well, everybody in that TPRM, vendor due diligence, third-party risk, governance, risk and compliance, AppSec, ProdSec, DevSecOps, et cetera, everyone in those ecosystems who hasn't spent the last two years intimately familiarizing themselves with this terminology, all of a sudden feels excluded. So what we have invested heavily in is making SBOMs approachable to people who don't have a PhD in cyber risk management, because it can be a very valuable tool, but only very valuable if they feel like they know how to.
14:27 - Kristin Demoranville (Host)
Can you get a PhD in cyber risk management?
14:29 - Marc Frankel (Guest)
You can. As a matter of fact, I used to work with somebody who had one. It was daunting.
14:33 - Kristin Demoranville (Host)
Wow, that's really intense. Actually, I'm kind of scared of what their dissertation was, to be truthful. I don't want to know that necessarily. Yikes, absolutely. Cybersecurity does, and IT does, and food safety and all these things. We're all on the same mission, safe food for all, regardless of what our role is, and I think it's so important to continue to have conversations with different aspects of the business, including these types of things, because as we digitize, it's just becoming more apparent that we don't know what we don't know, and since the food industry loves to innovate, and we love them for it, we need to make sure that they're protected.
15:44
Are you worried about software supply chain security and managing your SBOMs? Don't stress. Let Manifest Cyber do the heavy lifting. As a leader in this field, Manifest Cyber provides essential solutions to help enterprises meet the growing regulatory demands in the United States and the Cyber Resilience Act in the EU. Trusted by Fortune 500 companies, medical device manufacturers, defense contractors, auto manufacturers, governments, financial institutions and, yes, even the food industry, Manifest Cyber automates the entire SBOM life cycle. This ensures your organization can stay ahead of vulnerabilities like Log4Shell by securely generating, collecting, analyzing, alerting on and sharing SBOMs. With Manifest Cyber, you'll be patching and remediating faster than you can say cybersecurity while smoothly meeting those regulatory requirements. For more information and to request your very own SBOM, email info@manifestcyber.com or find us on the web at manifestcyber.com.
16:54
So, Marc, can you give the top five things to do if you're concerned that you might have an issue with SBOMs in your company, like what to do, and I don't necessarily need you to go into massive detail. I love these six-year-old explanations you're doing, because for myself as well, even though I am familiar with them, it helps. So thank you.
17:09 - Marc Frankel (Guest)
Sure, I have a six-year-old, so I have plenty of experience explaining things to six-year-olds. Excellent, it's a great question. First and foremost, I would say you need to check the regulations. There have been a raft of regulatory requirements over the course of the last three years requiring SBOMs for different industries and different geographies, and so, to name a few, Executive Order 14028, signed by President Biden, I guess I've deviated from the six-year-old thing here for just a moment, but President Biden signed an executive order requiring anybody who sells software to the US federal government, enabling the US government to require SBOMs from those government contracts. Similarly, the FDA has started requiring SBOMs from medical device manufacturers, so they have said that they will refuse to approve any new software-enabled medical devices unless the premarket submission is accompanied by an SBOM.
17:59
For your listeners specifically, the Cyber Resilience Act in the EU, which was, and I'm not an EU legislative policy expert by any stretch of the imagination, but the enforcement will begin in two years. So if you have business operations that involve the generation of software in the EU, much like GDPR, you know, touches just about everybody who interacts with the EU, you may be required to produce those SBOMs to a regulator in as little as two years' time. So step number one is check the regs. Do you operate in Europe? Do you touch any of these other regulated fields?
18:33
Step number two is check what your downstream customers are requiring. So it's a little bit different if you are physically putting together a box of cereal. But if you are in the food delivery, food manufacturer industry and you have software enabled assembly lines or you have quality control capabilities or you have anything that involves software, you may be required in the not too distant future by your customers to provide these SBOMs to them. So step number one is regulation. Step number two is the customer mandate. Step number three is to check your internal DevOps and DevSecOps capability. So do you, with every new version of every new software application that your company develops, do you have an SBOM? Do you have an inventory of what are the third-party and open source components that went into this piece of software, so that when something goes bump in the night and a new vulnerability is disclosed, you can be one click away from understanding?
19:26 - Kristin Demoranville (Host)
And before people go oh, my company doesn't develop software, you probably do, and you don't realize it because a lot of the Chuck E Cheese developed software. Right, that's terrifying, because I immediately thought of the mouse moving around and I thought well, that's probably a software built in the background. I'm not in the ball pit.
19:39 - Marc Frankel (Guest)
I'm equally cooped up at the ball pit, you know. But yes, every company, whether they want to be or not, is in the software generation space these days. And then the, I think I'm up to four, I don't recall specifically, but the last one that I would close with is: you're generating software, but your vendors are providing software to you. Go back, look at your third-party risk management and vendor due diligence procedures. If it doesn't say in question.
20:07
Question 1A ought to be, what's the name of your company, Mr. Vendor? Question 1B ought to be, upload your SBOM. If you are buying software from a vendor who can't tell you, or who won't tell you, what's inside that software, you have a duty to your company to examine whether or not that's a vendor that you're comfortable doing business with, and it's not in an effort to, like, be a jerk to AWS or Microsoft. You know, right, it's the long-tail companies that you work with, that you have accumulated over the years, that now touch business-critical functions. Imagine, you know, the Log4Shell situation of having to call each one of them and say, hey, are you affected? The best time to start requiring SBOMs was 15 years ago. The second best time to start requiring SBOMs is today.
20:52 - Kristin Demoranville (Host)
Yeah, definitely, and I think a lot of people just need to take a look at third party risk management, and that doesn't necessarily mean on a cybersecurity front. There's enterprise third party risk management. You know, and what is your company actually doing? Are you managing your vendors? Are you asking questions? Are you being due diligent and to me, this is part of food safety culture you have to be due diligent. People are coming into your facilities, whether it's digitally or physically. They should be questioned at the door, and not just because you're an exclusive club, mainly because you're an exclusive club, but you have to have bouncers, and that's what this is. This is about protecting the food systems that we have, because we have to do it.
21:26
We now live in a world that is changed. This wasn't a question 20 years ago, necessarily, and now all of a sudden it's become that I think about like the chipsets for boards and things like that. I've watched them being made in factories before and I often question does anybody have what happens with the software that goes on this? Do we have like a list of things that go on this? And people always looked at me weird and I was like but I'm just curious, like, what are you doing? And the question always was it goes to the vendor and then they do what they want with it, but we made the board. Are we responsible? I don't know Like those kinds of things start to come in my mind for when I talk about SBOMs, because where does the responsibility really lie? I think it's both parties. I think it's the receiver and the giver for sure have to be responsible on both sides of the house for what they do with their software. It's basic hygiene really.
22:10 - Marc Frankel (Guest)
Yeah, we're getting to the point. I mean, in financial services this is a very widespread and common practice. In the defense industrial base it's becoming very widespread and common. Medical device manufacturers, auto manufacturing, et cetera. You would never in a million years let an 18-wheeler through the front gates of your food production facility without asking who's the driver and what's inside this container. You know, it just wouldn't happen.
22:35 - Kristin Demoranville (Host)
Yeah, and you wouldn't even let your driver in the door. They sit in like a caged area inside the warehouse, generally speaking.
22:42 - Marc Frankel (Guest)
Yeah, however, software became kind of a bit of a boiling frog problem, right? You know, all of a sudden now, we start off with this, like, very slow adoption. Hey, we have software in these places, but the software was generated by IBM or whoever and, you know, they're responsible for every line of the code. Now, between 85 to 90% of software applications that are delivered, you know, that are sold, are open source, are pieced together from open source, and that, you know, if you're not maintaining an inventory of that open source, you have effectively unbounded exposure. Something like 68% of cybersecurity professionals in a recent poll named software supply chain as their biggest blind spot.
23:22
This is a massive problem, and the nice thing about SBOM is that, particularly from a TPRM perspective, this is not a particularly hard solution for security professionals to implement. Right, you already have vendor due diligence questionnaires. You already have third-party risk management processes in place. Adding an additional, we have like a whole playbook for how to automate the process of requiring SBOMs. This doesn't have to be a scary thing. Oftentimes, where people get tripped up is it's just like, hey, that seems like a really niche, complicated, convoluted field and like I just don't even know where to be.
23:56 - Kristin Demoranville (Host)
I think that's because people try to boil the ocean when they just need to make a cup of tea. One of my favorite quotes from a friend. It's true, though, right? Because when you look at it as a whole it's like, oh my goodness, like this is so much. And then you're like, you center it down to, like, that one warehouse that you're working with or that one particular facility you're in. It gets a little easier to deal with, because if you can get it to work in one of your production environments or your farm or any type of industry you're in, you'll be able to duplicate it. It should be fairly easy. It might be a little more nuanced in some places depending on what you have, if you have different regulations that are based on that, but generally speaking, you can duplicate the work. It's not like you're going to reinvent the wheel every time.
24:33
And I think that's what people get stressed about, because supply chain in general is so daunting, because you're looking at the whole supply chain. It's ginormous. You can't do that. You have to look at it and like, how does it affect me? And I always tell people get a whiteboard or something or a piece of paper and literally draw like your facility in the middle and then figure out everything that's around it and then go after it one at a time, you know, and then if you can attack a couple at a time, great. That's how you deal with supply chain really in like the most basic bare bones sense in terms of security and or management in general. And I'm sure there's some supply chain people on that are listening and they're like no, it's so much more complicated. No, it really isn't, like it really is that much of a breakdown. You don't have to make it difficult, you're just making it difficult. Don't make it difficult. You need to make it simple and especially with the food industry that's running in a rapid rate, they're forecasted out.
25:23
This is a lot of stuff going on. We're innovating, we're preparing for the future at all times. Nobody's got time to sit there and deal with the detailed, daunting tasks. So if they can replicate it and do it faster, they will, or if they can automate it in some capacity also will help. I mean, we have things like AI. I know open source is a scary thing, but that is going to help in this situation at some point, I'm sure, because it can analyze massive amounts of data which a human being can't do so. Marc, as I'm saying all that, I'm now wondering what does Manifest Cyber do in this world and how are you helping get through this? Because, clearly, this is something that everybody's going to probably either need help with or to scale up, or, if you're a small shop, or even if you're a big shop, you're going to need a little support because, again, like we said, you can't boil the ocean, you can only make that cup of tea.
26:08 - Marc Frankel (Guest)
Yeah, exactly right. Our goal at Manifest, basically, is to make SBOMs the easiest thing your organization does. Forget about CycloneDX versus SPDX. Forget about version 1.5 versus 1.6. Forget about OpenVEX versus CSAF. Forget about CPE to PURL matching.
26:25
We want to abstract all of this away so that organizations like your listeners can get to software supply chain security without again having to have a PhD in cyber risk management. And the way that we do that is a number of ways. One is we automate the SBOM generation process. So for your developers who are generating new software applications on the backend in the CI/CD pipeline, we are automating every time they hit build, or every time they hit push or publish or whatever, it generates, it stamps out a new SBOM and that SBOM flows into the Manifest platform. So in an ideal world, no human hands touch this artifact.
27:00
And yet you ended up with an inventory of every third-party, open source, proprietary component that went into the piece of software that they developed. That's step one. Step two is requiring SBOMs from your vendors, and here we've developed this SBOM outreach playbook which, by the way, it's not, like you know, a proprietary thing that you have to, like, go to Barnes and Noble and spend $50 on. Like, anybody who's listening, if you want it, we'll give it to you. We're all fighting the same fight of pushing for software supply chain transparency.
27:28 - Kristin Demoranville (Host)
I'll drop it in the show notes, the link to it.
27:29 - Marc Frankel (Guest)
There you go. What we realized was that the meaningful hurdle to deploying an SBOM requirement to third parties was all the administrivia that surrounded it. What's the contract language that we put in an MSA? What's the OneTrust question that we add to our survey? What's the email that we write to our vendors explaining what it is we need and how we need it? What's the follow-up email? And so we've just created more or less like Mad Libs templates.
27:55 - Kristin Demoranville (Host)
That's awesome.
27:56 - Marc Frankel (Guest)
It's like, "Dear [vendor name], [Enterprise] is requiring SBOMs because we are concerned about software supply chain visibility. You have [blank] many days," you know, and it's almost like Mad Libs. Try not to put in, you know, all the things that you would have put in the back of, like, you know, your fifth grade bus ride home when you were doing Mad Libs, but the idea is to, I mean, you could, but you could, you'd probably be in big trouble.
28:27
You would. Yeah, yeah, "Dear Bozo," yeah, no, but the idea is to templatize this as much as we possibly can. The first customer that we ever had who required SBOMs, we needed to generate all of this from scratch. Every one of our customers thereafter ought to be able to build on it. So we've templatized the process of requiring SBOMs from your vendors. We even built a capability in our platform that we call AskBOM, to solicit SBOMs. If you know your vendor's email address, we'll take care of the rest.
28:47
And then, once you are generating SBOMs for your internal applications and requiring SBOMs from your third-party vendors, we are automating the analysis. Right. So you're still not touching the JSON file. We are comparing it to leading vulnerability databases, the NVDs, the OSVs, the EPSSs and the KEVs of the world, to analyze this, in some cases really voluminous, JSON file to say, hey, here's where they have a component that matches a known software vulnerability. And then we are contextualizing that to tell you these are the ones that have been proven to be exploitable, or these are the ones that are likely to be exploitable, and these are the ones that you probably don't really need to care about. And so we give you a walk-up, usable view of how good or bad should you feel about this SBOM in human, consumable language. And all of that is in service of the next time there's a Log4Shell or SolarWinds or an Apache Struts or whatever. You're one click away from understanding which of my vendors and which of my software applications are affected, as opposed to 50,000 hair-on-fire phone calls.
29:56 - Kristin Demoranville (Host)
We'll be right back after a short break. I want to take this moment to thank all the listeners for your continued support. Don't forget to check out our new merch store on the website, where you can find various items like aprons, t-shirts, sweatshirts, hats and so much more. You can also schedule a meeting with me if you'd like to share your in-person thoughts and suggestions about the show. That link will be in the show notes. Or if you would prefer a less personal way to share your feedback, we also have an audience survey available in the show notes and on the website. Did you also know that Bites and Bytes Podcast has an Instagram and LinkedIn page? Check us out and give us a follow on both. Thank you for those who already do. Lastly, if you enjoyed the show, please rate us on your listening platform. Believe it or not, this really helps the show and encourages others to find us. As a listener, you are part of the show and your support is paramount. Thank you so much.
30:44
Now back to my conversation with Marc, and especially if you're doing food defense investigations or any type of food safety investigations, you will probably at some point have to look at an SBOM just to understand what happened with the software if it ended up being some type of a cyber-physical situation, and I think it's super important to be able to know where that is and be able to work with people who can probably translate it for you, because some of it won't be overly, as you say, easy to read. Basically, some of it will be a little bit more daunting. So being able to work with those teams and knowing which teams to go to is important too. And again, this goes back to having a strong third-party management team that actually knows your business and what you're doing, and that's super important. You touched on this a bit, Marc, that we isolate a lot inside of our different silos, of course, and I think it's really frustrating to me that a lot of times when you work in certain aspects of security, you actually don't even really understand what the company is doing or what they are. Are they a manufacturing company, are they an entertainment company? Are they a food company or what are they? And I think it's super important, especially within food safety culture, that you identify and make sure everybody understands that we are making food, we are a food company, but we also are a food manufacturing company, as an example, and I know that seems really stupid to say, but people forget. People forget what they're doing because they get so isolated into,
32:07
I am running the numbers and accounting and finance and I am the HR person. I'm just dealing with people and I think some people forget the main mission is good, safe food for all, full stop, and as long as everybody goes to that beat of that drum, it runs smoother. Trust and believe it really does. And people are like oh, christian culture, oh, it's this whole, you know. Yeah, all right, get over it Like it is. This is what has to happen.
32:31
I would like to continue eating safe food. I'm sure Marc would like to feed his family and eat good too, and if it comes down to that, you have to actually start really working hard to make SBOMs easier to deal with for food. Yeah, do it. It's not a problem in that regard. It's just the, again, and everybody's like, oh, no, it's probably too daunting. Again, boil the ocean, don't do that. You know, make the tea, and you've created a platform that makes tea. It doesn't boil the ocean, which is great, and I really appreciate the fact that you've put it in common language and you really have kind of formed up that common language for people so they understand what it is and what it isn't, which is what regulations are supposed to do. Right, automotive is a great example. They created a language set that everybody can speak to. Now you're creating a language set for SBOM, so it's not so daunting.
33:11
Granted, we have the worst acronym, I think, out there, but it's okay, we'll just, we're gonna roll with it. I mean, I'm sure there are worse ones out there, and if you heard any acronyms on the show today that you were like what was that? Don't worry about it, it's fine. I honestly, you can Google it if you want, but don't worry, it's, it's. I can't even keep track of all of them either, and all of the government acronyms too, on top of all the security ones and the IT ones. It gets a very yikes. And then the food industry as a whole has a ton of them as well. So, as humans, why are we doing this? Why do we do this to each other? Because this just creates confusion.
33:45 - Marc Frankel (Guest)
Well, it comes from a place of good intent, and I think that that's important to remember, is that you have people who have spent literally years, if not decades, in service of software supply chain security, and some of them will spend years, if not decades more, advancing the cause of software supply chain security. And if they hadn't defined CycloneDX and SPDX and CSAF and OpenVEX and whatever else, we wouldn't be able to make it easy and approachable, because there wouldn't be a thing to make easy and approachable. But, that being said, when it rises to the level of creating a barrier to entry, that's when you know a translation capability or a tool set to automate this and put it on rails is warranted. I would advocate to anybody who's considering creating an acronym, anything with the word bomb in it, probably not great, just from like a TSA perspective, but yes.
34:31 - Kristin Demoranville (Host)
I mean, how do you talk to people on the plane, Marc? You're like, yeah, I work with an SBOM company. People are like, what? Yeah, it's not the easiest thing to fly with.
34:41 - Marc Frankel (Guest)
Necessarily, we give away these little squishy bomb-shaped balls with the letter.
34:46 - Kristin Demoranville (Host)
S on.
34:46 - Marc Frankel (Guest)
But when you're, you know, traveling with a backpack full of them to a conference. Wow, that's intense, but yeah, I think so. The last thing that I'll say just about the everybody-has-to-remember-their-mission is we as a company are, I mean, we're driven by mission. We're not, we're not here to like buy something for a dollar and sell something for two. There's a whole field, you know, if you want to work in Excel, you're welcome to do that.
35:08
But the types of customers that we support, the Air Force, Department of Homeland Security, auto manufacturers, defense contractors, food security, et cetera, everyone has a mission. They're contributing to the, not just the continued survival but the success of our way of life. And you said, you know, I want to make sure that I feed my children trustworthy food. I want to make sure when we go into a doctor's office they can access my kids' medical records. I want to make sure when I drive a car that it can't be, you know, hijacked by somebody with, like, a really powerful transponder standing by the side of the highway.
35:44
All of these are becoming real-world concerns as our world becomes more and more dependent on software. One of the best lines that I've ever heard is: the software supply chain is the most valuable supply chain that humanity has ever created, and yet it's the one in which, arguably, we have done the least to provide visibility into. And so when I read things like major hospital systems can't access their medical records, or I speak to you and we contemplate the implications for food security, this has real-world implication. And if the only thing that's stopping a major provider of this essential service from having visibility into their software supply chain is walk-up usable tooling and templatized deployment mechanisms, we have a duty to create.
36:25 - Kristin Demoranville (Host)
Yeah, well said, well said. And I do think that the world is kind of spinning madly round, to put it in a song, and I think that a lot of people get stuck on, I call it the shiny, especially when you go in and do a factory tour and they walk you through the lines and it's like the VIP tour and they roll the red carpet out and you get to see all of it, and all you look at is what's coming off of the belt, kind of like those TV shows that you like, inside the factory. Yeah sure, you're just like, oh, look at that stuff. And I always say stop getting stuck on the shiny, you need to start looking around it. You need to start seeing what's going on, how is it supported and put up. And that starts a lot with people, the people and process aspect, rather than just attacking the tech, because the tech is important to work with. But ultimately people are going to undo or make it better or make it worse or do all these things around it, manipulate it in some way based on the processes they use at each facility. So it's not always a cookie-cutter situation, it's more of an organic kind of living situation.
37:18
I think that's why supply chain management is so daunting because it's like this living organism that kind of keeps changing and adding things and removing things.
37:27
And now we have new ways of moving product and we have new types of software that are coming in, then AI jumps in and then it's like all these things and it's just, some people are just like whoa. And then I think to myself, how does the animal kingdom actually work? Right, like all these animals live together. I was having this conversation with my partner yesterday. We were walking around our little lake and he said, do you think the birds talk to each other, or do they talk to like the turtle or like the ducks? And I said, I don't know, I think they just acknowledge each other, right, like they just kind of live in harmony, like it's kind of there. I said us humans could really take a beat on that, because you know we should just live in harmony with it, and that's, it kind of comes back down to that systems thinking aspect where, you know, everything's kind of in its holistic cycle, and that's how the supply chain is.
38:04 - Marc Frankel (Guest)
It's a cycle ultimately, yeah. I love that because, you know, I've watched that Modern Marvels show, right, and you're like, oh, wow, like look at all those candy bars, you know, coming off the factory line or whatever. It would be interesting to say like, hey, what's behind that door? Oh, that's accounting. Oh, can I see that? Nope, nope, not part of the tour. Like, you know, you don't want to see those, you know, big stacks, the reams of paper or the change control board meeting that was supposed to happen.
38:29 - Kristin Demoranville (Host)
Or the data center that was inside the woman's room.
38:32 - Marc Frankel (Guest)
Yeah, right, you know.
38:33 - Kristin Demoranville (Host)
I have. At some point I should do some war stories, 'cause I've got them, going in and out of factories, and I'm sure you do too, Marc, when you've received CEO updates.
38:40 - Marc Frankel (Guest)
And it just goes to show you. You know, if anybody deserves visibility, like, we have a duty to do this. We have a duty to get it right. Much like any of your listeners have a duty to make sure that they understand what's inside the 18-wheeler that pulls up to the front gate, they also have a duty to understand what's inside the software application that pulls up to the proverbial front gate of their network and, in the rapidly changing cyber threat landscape, to monitor those things, not just when you bought it, but every day thereafter. And it's kind of crazy that it's 2024 and that's not just common practice everywhere. But it's going to take hardworking individuals like yourself, like your listeners, to get us to a place where we can recover from the growth of open source software without an accompanying inventory.
39:23 - Kristin Demoranville (Host)
You know, I often say that a cyber attack is going to happen. It's just a matter of when, not if. Now we're really that far down this line now, and staying resilient through it is what we're trying to do, meaning you don't lose your business, you don't have to fire your people, you can keep things moving, you can keep the food safe. So really, in reality, Marc, SBOMs are just trying to keep people resilient. That's just all it is. You know, as long as you know, then you could deal with it. If you don't know, then you've got a problem, and nobody wants that, like, bill that shows up in the mail from something you probably did 10 years ago and totally forgot about, you know. It's like that kind of, like, oh, that anxious feeling, that horribleness, that shame that hits you like a ton of bricks or something to that effect. I think people need to look at it like that, where we're mitigating the shame of you not knowing and also we're making sure that when something does happen, that you can survive it. That's the important part, and I really think that that's what we need to talk about more inside of cybersecurity and in IT, is how we're going to get you through this, because it's going to happen. Nobody's safe anymore from cyber attacks or scams or any type of ransomware or anything like that.
40:25
All the due diligence you do up front is going to keep you strong, and that's what we want you to do. We want you to be strong so you can survive that said virus or that said situation, or somebody fat-fingered something and something happened on the line, or whatever happened. We want to make sure that you can get through it. And the nice thing, too, is that you're also providing help for your other factories that are in different companies, that are inside your company, because if you have a really good handle on your SBOMs, that's going to be great for those other factories, because everybody makes food for everybody else's factories and, you know, it's a whole chain, it's a web.
40:55
So I think that you're helping a neighbor out almost if you do this correctly, right, and I think that's an incentive in itself. Feel free to use that, Marc, for your company taglines like helping a neighbor, because it's true, that's what you're doing, because you're ultimately helping others by making sure you're okay, and I think that that is again another thing that people don't think about that often. So, Marc, as we're coming to a close here, and I've really enjoyed this talk because I about the future of SBOMs and where you see the supply chain moving and I just want to know what you think the next couple of years are going to look like and what we should be on the lookout for.
41:27 - Marc Frankel (Guest)
Yeah, it's a great question. The next frontier of this, the equally scary frontier, is much like we consume software, unfortunately, without asking what's in it, so too do we consume AI applications without asking what's in it. And if you had AI on your bingo card for this podcast, congratulations. Hopefully it was the center square and you win. You know, everybody's talking about AI. AI is eating the world. We're sprinkling AI fairy dust on everything.
41:53
The boring, unsexy, infrastructurally critical work of documenting which models does this AI application use and which data sets are those models trained on is absolutely essential. We only get one opportunity to close this barn door before the horses all run out of it. There are hundreds, if not thousands, of AI applications, I'm sure, in use in the food service industry every single day. For your listeners or for you, Kristin, ask yourself which models do they use and which data sets are they trained on? Where's that list? What happens if one of those data sets is found to be problematic? Either accidentally, because it biases against a certain race or a certain religion or a certain hair color or whatever, or intentionally, because the Chinas or the Russias or the North Koreans of the world poisoned a particular data set, or because it contains illegal information. I'll tell you one very quick and scary story and then hopefully we can end on a more positive note. But if we don't have an inventory of what's inside the stuff that we buy, writ large, doesn't matter if it's AI, doesn't matter if it's traditional software, doesn't matter if it's Raisin Bran. We are vulnerable when the upstream components are found to be problematic. The terrifying story that I will tell you is that the most common, the most popular text-to-image model you type in make me a picture of a cat wearing a sombrero and it generates a picture of a cat wearing a sombrero.
43:13
The most popular text-to-image model is called Stable Diffusion. It's in use very, very widely. Different applications use it. Stable Diffusion is trained on a number of different data sets. One of them is called LAION-5B. Again, the names here don't really matter, but this training data set had 400 million text-to-image pairs, so it had a picture of a cat and it said the word cat, but it had a picture of a pencil, so the word pencil.
43:34
Security researchers at Stanford in December discovered that this training data set contained over 1,600 images of child pornography. Accidentally. Nobody did this on purpose. This wasn't anybody's fault, right? This is an artifact of what happens when you hoover up at scale 400 million images and then put text labels on them.
43:55
So all of a sudden, it becomes this like rapid question of, what did we train on LAION-5B? Oh, we trained Stable Diffusion. Where do we have Stable Diffusion deployed? Well, I don't know, because we haven't been requiring that from our AI.
44:07
And so the future, what I anticipate the future of the BOM, or the technology supply chain field, to be, is going to be a concept known as AI BOM, Artificial Intelligence Bill of Materials.
44:18
It's the exact same problem. We need a better name. We need a better name. I don't name these things, but it's the exact same problem as SBOM. It's the exact same problem of we found out that there were pencil shavings in a box of cereal. It's the exact same problem of whenever you have upstream components and downstream components, you have a duty to inventory the upstream components so that you know how to remediate when one of the downstream components is found to be wrong. And that's really where I feel the industry is going, is transparency, not just for traditional software, not just for on-prem software, not just for artificial intelligence, but transparency across the technology supply chain, because otherwise we're going to end up in some pretty scary situations where our businesses are built on technologies that we don't have a full accounting of, and when that happens, you know, there's going to be a lot of finger pointing and a lot of tough questions being raised.
45:06 - Kristin Demoranville (Host)
Yeah, and to end on a positive here, yeah, can we end on a positive note? We will, I can get you there. I think what I heard in that was there's opportunity, especially within the food industry, specifically because they are already doing this work very well when it comes to food traceability and the new laws that are coming out with that, and I think that this is just one and the same. So if your organization is already on that journey, then culturally you're good. You're going to get there all the way through with SBOMs as well, because you're going to need it for that transparency aspect and that traceability aspect, because you're going to need to know what software is touching your product, whether it's the machine that's running to make your perfectly round cookies or whatever, or something to that effect. And I think that's super important to acknowledge, is because the food industry is really good at that, because they're doing it for the right reasons.
45:55
The mission, as you said, as a whole, I will say this in a broad sense and a very optimistic sense, I think the food industry is going to adapt very easily and very well to this. Other industries will struggle. I don't want to pick on anybody and I'm not going to, but there will be some industries that will have trouble with this because there's too much change, there's too many regulations, there's too much everything, and they won't. They'll be boiling the ocean instead of making their tea again. I think that that's what I like about the food industry, is because of the innovative nature, the constant change that's always there, so I think that they can roll through this. The food industry as a whole is really going to adopt this easily, and I'm sure you're already seeing that, Marc, in your own work, that when you have these conversations, especially with the food side, they're like, oh yeah, okay, totally get that, that's good. Like that kind of thing happens.
46:37 - Marc Frankel (Guest)
We understand, yeah, absolutely, that cultural muscle of, of course we have to know where this thing came from and of course we have to know what's inside of it. We see it in automotive, we see it in manufacturing, we see it in food, we see it in pharmaceutical. Certainly, where we have a harder time is in verticals that are not as reliant on intimately understanding their supply chains writ large. They don't have that muscle, they don't have that institutional mantra of, of course we have to know where all this stuff came from, and that's where it's harder to make the case. But no, I'm with you. I anticipate that food manufacturing will be an area that will adopt the concept of an SBOM. These are large, complex organizations. I'm not going to go so far as to say easily, but culturally and philosophically and ideologically, they're on board.
47:26 - Kristin Demoranville (Host)
Absolutely, and I think that is probably the best place to leave it. Marc, thank you very much for your time and being here, and I'm sure we'll have you back on the pod at some point, because this is going to constantly be a topic that we're going to have to bring up. It'd be nice if we could get an AI expert on at the same time with you and we can kind of hash that out. I think that'd be a fun time. Anyways, thank you very much, and all of Marc's information will be in the show notes too, so if you have any questions about his company or any of the other thoughts and feelings, please let him know.
47:51 - Marc Frankel (Guest)
Thanks for having me, Kristin.
47:58 - Kristin Demoranville (Host)
That's all for today's Bites and Bytes Podcast episode. A big thank you to Marc Frankel for joining us and sharing his invaluable insights on SBOMs and cybersecurity in the food industry. All of Marc's information will be in the show notes. Don't forget to check out the new merch store on the website. Like, follow and subscribe to our social channels and wherever you listen to the podcast. Thank you for listening, as always, and remember: stay safe, stay curious, and we'll see you on the next one. Bye for now.