Redefining CyberSecurity

Redefining Cybersecurity by Unlocking Government and Startup Collaboration While Enhancing Software Supply Chain Visibility | A Conversation with Melissa Oh and Anil John | Redefining CyberSecurity with Sean Martin

Episode Summary

Discover how the Silicon Valley Innovation Program is redefining cybersecurity through innovative collaborations between the government and the startup community, as discussed by leaders Melissa Oh and Anil John. Tune in to learn about the impactful role of Software Bill of Materials in enhancing software supply chain security and how it fosters a new era of technological progress.

Episode Notes

Guests: 

Melissa Oh, Managing Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]

On LinkedIn | https://www.linkedin.com/in/melissa-oh/

Anil John, Technical Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]

On LinkedIn | https://www.linkedin.com/in/aniljohn/

On Twitter | https://twitter.com/aniltj

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

View This Show's Sponsors

___________________________

Episode Notes

This episode of the Redefining Cybersecurity podcast features a discussion of software development, software supply chain security, and the work of the DHS Silicon Valley Innovation Program (SVIP). Host Sean Martin is joined by Melissa Oh, Managing Director of SVIP at the Department of Homeland Security Science and Technology Directorate, and Anil John, SVIP's Technical Director.

Melissa Oh shares her background in Silicon Valley and roughly two decades of public service at DHS, and describes how SVIP identifies emerging technology companies and works with startups to solve DHS's operational pain points while keeping those companies on their commercial roadmaps rather than pivoting them into government-only products.

Anil John, a public interest technologist, describes his role in translating government needs into requirements startups can build to, and startup technology into capabilities DHS's operational components can adopt: finding global talent to solve local problems.

The discussion covers SVIP's selection process (a government review panel, a 15-minute virtual pitch, and a focus on products with broad utility that can reach market within one to three years) and the phases that follow: independent testing and red teaming against the requirements for an authority to operate on a government network, operational pilots with DHS components before any acquisition decision, and a sole-source acquisition path for any part of DHS once the technology has been validated. The software supply chain visibility cohort was also required to collaborate on a shared open-source building block: protobom, a format-neutral translation layer between SBOM formats such as CycloneDX and SPDX, which has since been accepted into the OpenSSF.

The conversation then turns to why a Software Bill of Materials (SBOM) matters: without a standards-based listing of the components inside a software package, it is hard to tell which deployed software is affected when a vulnerability in one component is published. The guests' call to action for security leaders is to send a demand signal by requiring SBOMs from software suppliers, whether closed or open source, and to evaluate tooling that consumes SBOMs in developer IDEs, the build pipeline and enterprise-level visualization. Listeners are also invited to SVIP Demo Week in May to see the cohort's capabilities.
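The episode describes two pieces of tooling: a format-neutral layer that reads SBOMs regardless of whether they are CycloneDX or SPDX, and a consumer that maps the resulting component list against published vulnerabilities. The following is an added example written for this page to show what that looks like end to end; it is not protobom and does not use protobom's API. Both SBOM documents and the advisory table are constructed sample data with placeholder package names and advisory ids, and the JSON field names used (`bomFormat`/`components`/`purl` for CycloneDX, `spdxVersion`/`packages`/`versionInfo`/`externalRefs` for SPDX) are the ones those formats define.

```python
"""Added example: a format-neutral SBOM reader plus an advisory matcher.
Illustrative code for this page only; not protobom. All SBOM content
and advisory ids below are constructed samples, not real packages."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]  # package URL; the most reliable cross-format key


def _from_cyclonedx(doc: dict) -> list:
    # CycloneDX JSON keeps components in a top-level "components" array,
    # each carrying name, version and (optionally) purl directly.
    return [
        Component(c.get("name", ""), c.get("version", ""), c.get("purl"))
        for c in doc.get("components", [])
    ]


def _from_spdx(doc: dict) -> list:
    # SPDX JSON keeps "packages"; the purl, when present, sits inside
    # externalRefs as an entry whose referenceType is "purl".
    out = []
    for p in doc.get("packages", []):
        purl = None
        for ref in p.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
                break
        out.append(Component(p.get("name", ""), p.get("versionInfo", ""), purl))
    return out


def normalize_sbom(text: str) -> list:
    """Sniff the format from the document itself and return a flat list
    of Components. An unrecognised document raises instead of returning
    an empty list, so a misparsed SBOM can never look like a clean one."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return _from_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return _from_spdx(doc)
    raise ValueError("unrecognised SBOM format")


def component_key(c: Component) -> str:
    # Prefer the purl; fall back to name@version for SBOMs that omit it.
    # The fallback is weaker (no ecosystem, no namespace), which is why
    # producers should be asked to emit purls.
    return c.purl or f"{c.name}@{c.version}"


def match_vulnerabilities(components, advisories: dict) -> list:
    """advisories maps a component key to a list of advisory ids.
    Returns (component, advisory ids) for every component with a hit."""
    return [(c, advisories[component_key(c)])
            for c in components if component_key(c) in advisories]


# Constructed sample SBOMs describing the same two fictional packages.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:pypi/example-parser@2.3.1"},
        {"type": "library", "name": "example-http", "version": "0.9.0",
         "purl": "pkg:pypi/example-http@0.9.0"},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "sample",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "example-parser",
         "versionInfo": "2.3.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-parser@2.3.1"}]},
        # This package deliberately omits the purl to exercise the fallback.
        {"SPDXID": "SPDXRef-Package-2", "name": "example-http",
         "versionInfo": "0.9.0"},
    ],
})
# Constructed advisory table; "SAMPLE-ADV-1" is a placeholder, not a real id.
ADVISORIES = {"pkg:pypi/example-parser@2.3.1": ["SAMPLE-ADV-1"]}


if __name__ == "__main__":
    for label, text in (("CycloneDX", CYCLONEDX_SAMPLE), ("SPDX", SPDX_SAMPLE)):
        comps = normalize_sbom(text)
        print(label, [component_key(c) for c in comps])
        for comp, ids in match_vulnerabilities(comps, ADVISORIES):
            print("  affected:", component_key(comp), ids)
```

Both documents resolve to the same affected component, which is the point of a neutral intermediate model: the matcher never has to know which format the supplier shipped. The SPDX sample's second package, which carries no purl, shows the caveat a practitioner hits in practice: matching then falls back to a bare name@version string that cannot be distinguished across ecosystems, so the demand signal to suppliers should include "with package URLs", not just "with an SBOM".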

Key Questions Addressed

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

SVIP Demo Week 2024: https://www.dhs.gov/science-and-technology/svip-demo-week-2024

S&T at RSA Conference 2024: https://www.dhs.gov/science-and-technology/st-rsa

SVIP & CISA: Enhancing Software Security with SBOMs: https://www.youtube.com/watch?v=sNjVQaK5QW4

Protobom Project: https://openssf.org/press-release/2024/04/16/cisa-dhs-st-and-openssf-announce-global-launch-of-software-supply-chain-open-source-project/

Learn more about RSA Conference USA 2024: https://itspm.ag/rsa-cordbw

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Redefining Cybersecurity by Unlocking Government and Startup Collaboration While Enhancing Software Supply Chain Visibility | A Conversation with Melissa Oh and Anil John | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new redefining cybersecurity podcast on ITSP magazine. You're very welcome. And, uh, as you know, if you listen to the show, I get to talk about lots of fun, cool things with cool people who know much more than I do. And that's what makes it fun for me is I get to learn and hopefully share some of those learnings through thought provoking conversations with folks like Melissa and Anil. 
 

Thank you for joining me today.  
 

Melissa Oh: Thanks for having us.  
 

Sean Martin: Glad to be here. It's going to be fun. It's going to be fun. It's a, it's a topic that continues to get a lot of attention. In fact, I just yesterday recorded an episode with Alan Friedman and Bob Lord, uh, two different perspectives on the same topic of secure by design and supply chain security and, and lots of different angles to take here. 
 

And today I think for me, it's an exciting one because it starts to get [00:01:00] into, well, how do we actually begin to address this big picture issue that we continue to talk about with some tools, I presume, to help us take some action. So I'm excited to get into the nitty gritty here. And, uh, before we do that, though, uh, Melissa and Anil, I'd like a few, few moments from you each to kind of share some of your background, what you're up to, maybe give an overview of your work. 
 

Your role at SVIP and, and, uh, what the organization does. So Melissa, we'll start with you, please.  
 

Melissa Oh: Great. Thanks, Sean. Um, well, great to be here. And, uh, um, Melissa, I'm the managing director for the Silicon Valley Innovation Program at the Department of Homeland Security Science and Technology, uh, Directorate. 
 

Um, and, uh, um, what we do within the Silicon Valley Innovation Program is to, uh, reach out to the startup community, identify, start, uh, innovative, uh, emerging technology companies that we could be partnering with and to help us solve DHS's pain points. I'm originally from Silicon Valley. And so, uh, when. 
 

[00:02:00] September 11th happened. I was called into public service, um, and started at DHS about 20 years ago. So, um, being from Silicon Valley, going into government, being very different type of, uh, culture and mindset trying to bridge the two, uh, has been, uh, has been a fun journey and, uh, Between that and having been part of the cybersecurity division prior to my current role, it really helps us to, um, have a perspective on the need for innovative tools and technologies that can help us solve these, these difficult challenges. 
 

Um, and so, In addition to, uh, working with CISA, uh, over at, uh, um, uh, within DHS, um, you know, we work with a number of the different department, uh, operational agencies. Um, so we, SVIP has a pretty broad mission, uh, to cover the rest of the department, but, um, in this area in particular, uh, cyber is, uh, near and dear. 
 

Sean Martin: I can only imagine all the cyber conversations you have. Thank you for that, Melissa. Uh, John. Sorry, [00:03:00] Anil. John. Sorry.  
 

Anil John: No worries. Um, Anil John, technical director of the Silicon Valley Innovation Program. Um, I'm a public interest technologist whose day job happens to be just that. Um, and, uh, it is, um, You're you're asked about background. 
 

Um, first job in government was as a technical lead for our federal identity and, um, credential and access management program at GSA, made the transition over to DHS as the program manager for identity management and data privacy. And then when Melissa started the Silicon Valley Innovation Program, uh, convinced her and the rest of the S&T that they needed a technical director and they somehow bought off on it. 
 

Uh, so my job these days is to, you know, translate, uh, government to the startup community, um, and translate, um, startup And technologies to our operational mission set, um, [00:04:00] as Melissa noted, um, a program is in the business of finding global talent in order to solve our local problems. And we are working with all of the operational components of DHS. 
 

Um, and in this particular case, obviously with CISA focusing on supply chain security as well.  
 

Sean Martin: And it might be, uh, might be a silly question, but When, when people think of government entities, they don't think speed, right? Uh, fast to market is not the first thing that comes to mind. Let's just say that, um, is the idea with this program to kind of help inject some of this innovative spirits and fast time to market with clear objectives and outcomes and maybe smaller bits instead of big, huge buckets, is that a good overview? 
 

Melissa Oh: Yeah, you should be my salesperson. Um, Sean, um, that's, that's exactly it. That's, it's injecting a lot of the culture of kind of how do we get to, um, [00:05:00] solutions faster, um, and leveraging what's being developed in the commercial ecosystem, iterating more quickly. Being able to deliver, uh, solutions and products a little bit faster, working with the end users so that, uh, they're involved in sort of the, the, the solution before it reaches the very end, before it reaches market. 
 

Uh, and, uh, and the goal with our program is to help shape those commercial products, baking in DHS's requirements into that so that by the time they reach the market, uh, DHS can be a buyer of, of that technology at the end of it.  
 

Sean Martin: Okay. Now, another interesting point there. I'm going to stay here for a second because, so this is, identifying solutions good for U.S. companies as well as government entities. So not limited, you're not focusing on filling the government's needs, but it's, or internationally. So finding good technologies to solve, and in the case today we're talking about supply chain, so solving supply chain issues globally.  
 

Melissa Oh: Exactly. [00:06:00] A lot of these challenges are not unique to DHS, are not unique to the U.S. And so the program does, uh, does work with U.S. and international startups, as Anil mentioned. Um, and, um, with the end game is that, uh, a lot of a lot of our pain points in the government are are similar to commercial retail enterprise travel and hospitality that, um, by, uh, by working together with the companies that are building those public facing types of technologies. 
 

Um, we can, uh, we can benefit from that as well. It's a bit of low hanging fruit that we can, uh, leverage with the government funding that we have. Um, and, uh, and all end up with with, um, secure technologies as a result.  
 

Anil John: And I'll simply note, um, you know, in addition to what Melissa noted, um, we do not want the start up and all the small business to pivot into government. 
 

We want them to remain on the commercial road map and the engagement that we have with them results in a product SKU [00:07:00] that is available, not just to government, but for the broader ecosystem as well. Now we have some, um, you know, abilities to go and then acquire the technologies in a very fast manner. 
 

But in general, the outcome should be a benefit to not just government agencies, but to the, the broader ecosystem. In this particular case, all of the software development ecosystem, not just in the U S but globally as well.  
 

Sean Martin: Yeah. Rising, uh, rising tides, right? Yeah. Cause I remember I can look back at a time where I worked for a smaller organization at the time, but we had huge, huge, huge, Government contracts that took up a lot of effort from commercial endeavors, which kind of they fought it, fought the priorities, fought against each other, right? 
 

So this, I love this idea that they're, it's a more collaborative approach. So software supply chain, I mean, people have heard me talk about this with lots of different folks, um, [00:08:00] your perspective on the current state of affairs, and then we're going to get into the program to kind of see how we can. Maybe change that as we move forward,  
 

Anil John: I think it's, I think I'm sure that there are much deeper experts in that than us who have opined on this. 
 

But what is, what has been real over the last number of years is there have been vulnerabilities detected in components of software that have been deployed within the enterprise, whether that enterprise is in the public sector or the private sector. So understanding what goes into software, the, the, the, uh, you know, the ingredients that make up a software package becomes very, very critical in identifying how to fix vulnerabilities in specific components when they arise. 
 

And traditionally, it has been remarkably difficult to understand whether you are in the closed, uh, source ecosystem or whether in the open source ecosystem in what we call What [00:09:00] components exist? You don't have visibility into them. So it becomes really, really important first to ensure that you use some standards, ways, uh, standards based way of enumerating, uh, what are the components of software then also having tooling that can use that information, map it against vulnerabilities that come up and see what needs to be fixed. 
 

And that's the ecosystem that I think we want to, through the projects that we are working on with CISA, energize, help and move forward to provide much more visibility into the software, software supply chain ecosystem and what goes into software and what is, uh, what is what exists within the software that is deployed out there already as well. 
 

Sean Martin: So Melissa, can you can you tell me a bit about the call it a cohort, right? Startup cohort for supply chain visibility and software supply chain visibility. It's, it's a year old tomorrow, I [00:10:00] think, happy birthday, or at least the press releases from the last day date tomorrow, Nick, last year, if that makes sense. 
 

Um, so how, how did this program come together? Obviously you saw the need, but was it. Immediately obvious for some of the vendors in the ecosystem to say this is a great idea.  
 

Melissa Oh: Well, I think, um, you know, we, we, several years ago, we actually got together with CISA, um, and tried to think through, you know, how can we help, how can we contribute to, uh, the need, um, knowing that SVIP, our business model is to help deliver capabilities on a much shorter timeframe, um, but there, you know, there's still being the need for longer term research and development that does need to occur in general. 
 

So. We actually held an ideation workshop with CISA with a number of their stakeholders, as well as some thought leaders in the cyber security and software development community, to understand, okay, well, [00:11:00] where can the government contribute? What is? What is our role? What, what should we be, um, providing, um, and what can we, um, uh, contribute from funding, uh, uh, companies wise, um, to, to help with this effort? 
 

And so through that ideation workshop, we, we yielded to this need for software, supply chain visibility tools. Uh, and then like you said, we, we put out a call for startups. We had a lot of applications, uh, from around the world. And, uh, and narrowed it down to the, the companies that we announced a, a year ago, right. 
 

Right. As RSA was kicking off last year. So it was perfect timing.  
 

Sean Martin: Was that shark tank like, uh, activity or is there a little more low key?  
 

Melissa Oh: It's, uh, it's, it can be a bit shark tanky. Uh, but we do have, we, we have the companies, they submit their application. We review it. Um, Through a government panel. And if it's a good fit, we'll invite the companies in for a 15 minute pitch, a virtual pitch. 
 

And that's when we get a chance to ask clarifying questions. Um, and that's where the sharks come in. Um, but, uh, maybe not so [00:12:00] sharky the, uh, and, um, and do really understand, break it down. What are they offering? What can they do? What are they? What are they already developing that we can help shape? Um, are they, are they going to be ready to reach the market in, in, um, in one to three years with their solution? 
 

Uh, and, and can they work together? Can we work with them together? Uh, and so, yeah, then we, we got a great set of companies that, uh, collaboratively, Uh, develop something and super excited about what they're doing.  
 

Anil John: And I'd also note that I think we also structured the solicitation to be beneficial to, uh, in, in some ways in producing capabilities and products that could be broadly usable, but we also did sort of a two tier approach. 
 

One of them was. We wanted companies to, um, come to us with solutions that, uh, use software bill of materials, uh, SBOMs, um, um, whether it is for, you know, capabilities that generated SBOMs, [00:13:00] capabilities that provide visibility into SBOMs in software developer IDEs. In scene products or, uh, as part of the visualization, um, you know, uh, that, that, uh, an enterprise, um, uh, has access to, but we also required them to produce something that we thought was really, really important, which is a common open source building block that sort of addressed, uh, what we saw as, uh, you know, at least one of the challenges in the software bill of materials, uh, Uh, ecosystem, which is, uh, there are, I don't want to say competing, but there are, um, efforts that, um, that, that are, uh, that are looking at standards for SBOM that are distinct and different, uh, in particular, for example, CycloneDX. 
 

And, um, you know, SPDX and one of the things that we wanted to make sure through our contributions was make sure that the conversation became [00:14:00] about what are the components of software and what are the vulnerabilities that could be, uh, in there and not about arguments of the SBOM formats. So one of the things that we, uh, we are actually required in our solicitation was any cohort that we selected, any set of companies that we selected. 
 

Yeah, verily go forth and build your visualization tools and things like that. But we also want you to work together on an open source, um, component that provided a neutral translation capability between the SBOM formats. And in particular, we want you to get it to a mature enough stage that it could be contributed to the global open source community software community as well. 
 

So that was Our intention in order to Catalyze and seed the market with both the tools that were needed and also some building blocks That could be freely usable not just by the companies that we fund but by the global community as well [00:15:00]  
 

Sean Martin: and in terms of the The scope. So I'm looking at some of the, some of the companies there and their offerings. 
 

It, it seems to hone in on app development and pipeline and, um, involvement, um, looking at, and obviously DevSecOps, when you start to look at vulnerabilities and some of these things, um, is it, is the view contained to that CI/CD, uh, Are you also expanding it out beyond that to kind of monitoring and response and audit and compliance to the bigger picture or what's the, what's the plan there? 
 

Anil John: I think in talking to CISA, um, and, um, for us, for our program, there is no daylight between our requirements and the requirements of our operational partners. So, uh, I, I think. The capabilities that they were interested in ensuring that reach the market were things that were [00:16:00] enablers for software developers. 
 

One, so from a framing from that perspective was how can we make this usable to the people who can actually have an impact on software supply chain security and also One of the communities with the, with the community of software developers. So there is a particular set of capabilities that we sort of articulated to them that could be integrated into the tools that a software developer uses, the IDEs and the like. 
 

Then there was the focus on system administrators that are obviously in the, uh, in that particular ecosystem as well. So how do you bring tools that provide visibility into the software supply chain for them? Then there was the. More of like the, you know, the generic visualization aspect of it. That is at the enterprise level. 
 

Maybe, uh, an IT organization looking at across the software assets and seeing what, what exists where and things like that. So the framing was more about how do we actually help the enterprise and the people [00:17:00] inside it, rather than, uh, at least as part of this particular solicitation, more than anything. 
 

You know, uh, I would say more abstract,  
 

Sean Martin: Melissa. I don't know if you can, you can answer this, but, um, in terms of, so the programs there, you have tools and technologies available. Um, is it the vendor or the tool builders responsibility to push this into the market or, or does the program also have an arm or a program, a sub program, or, uh, to help kind of bring, bring some of these things together to help organizations realize. 
 

They have a problem, they need the visibility, they need the assessment, they need the tools to control this.  
 

Melissa Oh: It's a, it's a team sport, right? So the companies themselves are responsible for commercializing their product. They're in the best position to, uh, to actually take their solutions to market. 
 

They're talking to, um, their [00:18:00] advisors on how best to do that. Um, but, but in order for us to help, Get these tools to the users, um, that need it. Uh, we do definitely work with CISA as well as ourselves. We do an outreach campaign to try and, um, build greater visibility of the capabilities that we're supporting and developing. 
 

Um, to the, uh, we, we even have a demo week, SVIP demo week in May, uh, next month, May 21st, 22nd. So the companies are going to showcase what they're working on. And the goal is to get other government agencies, um, other, uh, state and locals, uh, and, um, any large providers, small and large providers to, to see what's available and to see how they can take these tools and use them, um, in, uh, in their, in their operations. 
 

Sean Martin: Yeah, and I'll, I'll include a link in the show notes to, uh, to, uh, SVIP demo week. It looks like a fun thing. I don't know if I can go or not. That'd be fun. You want to see what's going on? Hope your listeners [00:19:00] can. Yeah, definitely. They're all invited for sure. Um, so you said the word operations, which I, I can't get away from a podcast. 
 

We're thinking about how to operationalize all this stuff. So I'm wondering. So you're also a customer, right? Looking to buy some of this stuff. So how, how involved are you in helping to shape and guide how some of this stuff will fit large, complex, distributed, remote, I can list attribute on and on and on environments that are. 
 

Let's, let's say it's probably complex compared to maybe a small medium organization that some of these organizations might, uh, be selling to. So how, how involved are you in helping to shape the capabilities of the applications to fit within the government space? 
 

Melissa Oh: And you want to try?  
 

Anil John: Yeah, I was simply going to mention, [00:20:00] I think, um, backing up a second. I think when you first started our conversation, I think you mentioned that it is traditionally very hard for innovative technologies, innovative tools to sort of end up within government as well. And one of the questions that you asked was basically is. 
 

Is SVIP a program? Um that that helps do that. Uh, I think you know to provide a little bit more depth to uh, what uh, what Melissa had shared on that one of the things that We do as part of the program is obviously Uh, ensure through the multiple phases of the program that we do everything from, um, validation of the technology, independent red teaming of the technology, uh, ensuring that, uh, as part of our independent testing and red teaming, uh, we make the product as ready as possible to be, uh, Deployed within a particularly a government environment, right? 
 

So and if we and when you have operational [00:21:00] partners, one of the things that we work with them is what are the requirements for getting an authority to operate on a government network? And can we do? Um, can we bake in those tests into the red teaming that we do so that these products are fully ready to go on day one? 
 

And yeah, We also have an opportunity in the later half of the phase where our operational components, the customers internally or the products themselves have the ability to operationally deploy the technology in a real environment and kick the tires on it before they make the acquisition decision. 
 

And from a government perspective, from a DHS perspective, one of the advantages to going through SVIP is that because we have a Um, intensely competitive global solicitation on the front end of our solicit solicitation. We have the ability at the end of it, if after the red [00:22:00] teaming, after the validation of the technology, after everybody has taken a good look at it and know it works. 
 

Any part of DHS has the ability to do a direct sole source, non-competitive buy of the technology. So we are. Uh, going by going through the process. I think we are shaping the product in order to make it available and useful. We are also providing a pathway for easy acquisition to components of DHS, and I would argue by us investing in ensuring that the products themselves are hardened and are ready. 
 

It also gives confidence to commercial buyers of the technology that these products are ready for prime time as well. Those are the ways I think that we sort of enable. Adoption of these technologies.  
 

Sean Martin: Ah, geez, we're gonna have government grade security. Now we're gonna see that in the marketing everywhere. 
 

Anil John: Um, I think government grade security is, um, depending on who says that word, right, can mean one of many things. I [00:23:00] think we mean it in the truest public sense, which is that, uh, it is truly, um, uh, ready for prime time.  
 

Sean Martin: I love it. And I'm joking, of course, only, only because I've come, come from a marketing background, um, military grade, government grade there. 
 

So it's all fun and fun and games  
 

Anil John: are the lowest bidder.  
 

Sean Martin: Yes, yes, yes.  
 

Anil John: All right. Um, 
 

Sean Martin: as we're starting to come to a close here, I want to maybe ask about the, the, the outcomes. I'm hoping that as you embarked on this journey. There, there was a vision for what you want to accomplish. First milestone, a couple of years out, maybe five year plan. 
 

Um, presumably source some money, fund some companies, get some things into market, acquire some for use beyond that, or [00:24:00] maybe some figures there, if you want to share some of those, but beyond that, what, what are the real objectives and outcomes that you're aiming for? And have you, have you started to realize some of that? 
 

I'm thinking better visibility. I don't know how you measure some of this stuff, but better visibility, fewer compromises, are there any metrics or things that you can. Kind of speak to, to say we're working on our, on our plan and it's, it's coming through as, as we hope, or we, or we're not, and we need help. 
 

Melissa Oh: We always need, we can always, we can always do better. Right. Um, and, uh, no, I, I, I think we're on, on a good trajectory for sure. You know, uh, the, the open source, uh, translation tool that, uh, Anil mentioned, you know, we're excited to announce that, uh, uh, with OpenSSF and CISA, uh, a couple of weeks ago, or, um, that, uh, it was launched and is now available. 
 

So protobom is actually one of our first phase one [00:25:00] transitions, uh, that we've had within SVIP. So that's, that's exciting. Um, and the companies, you know, We'll be continuing to develop their their capabilities and solutions and commercializing them. And, um, you know, in general, I think, uh, if if we can bring more awareness, more understanding to the value of SBOM in organizations, we also recently put out an SBOM explainer animated video for, uh, for, um, for those that are less familiar with the space. 
 

But I'm sure your audience is very familiar with SBOMs and software supply chain. But, um, there's a lot of A lot of organizations, schools that need to improve their cyber security profile, um, and that, uh, the, the more capabilities that are out there and available to them, um, the, the better off I think we'll all be from, um, from the, those that are intending bad, uh, and harm and, uh, uh, and trying to make money off of, um, people. 
 

Anil John: [00:26:00] I, I think from the technical side, I think one of the things is for us, the Uh, we are not in the business of funding open source software for the sake of open source software. We are a mission focused agency, so part of the way that we structured our solicitation such that, um, the companies do have to produce real products that, that are a part of their reit that, that are broadly useful is, was good. 
 

Uh, that is on trajectory as, uh, on a good trajectory as, uh, Melissa noted the. Them working together on the open source was a little bit something that was new for us. And we were incredibly happy with the collaboration that happened with that cohort of companies that saw the shared value of doing so. 
 

And we are also incredibly pleased by the fact that it was submitted to the OpenSSF. And was accepted as a product, which means that now [00:27:00] that protobom project is now an official global open source with lots of eyes on it, contributors from across the world that can be leveraged because of its, uh, the type of license it has. 
 

I believe it is Apache 2. It can be both closed source and open source products can bake that in without any issues. I think that's a good success story and a worthwhile application of You know, uh, public sector funding in order to sort of raise the bar on, you know, security when it comes to software So I think we are on a good track and we hope to keep Keep it on the rails. 
 

Sean Martin: Yeah, that's a that's a good achievement. I'm actually uh chatting with Omkhar from OpenSSF next week So i'll uh, we'll continue that conversation um Well, this is fantastic. I guess for my audience is primarily security leadership, uh, executives, [00:28:00] uh, practitioners as well. So what, what can we give to them as a call to action, something they can walk away with today? 
 

How can they benefit from the work that you're doing here, operationally or otherwise?
 

Anil John: So I think I'm going to echo the call that CISA is making on this. In general, regardless of the tools and technologies that we're funding, I think it is important for there to be a demand signal that is sent to the software developers that SBOMs are important, so that as part of the things that enterprises are consuming, you are also expecting software bills of materials to be produced and delivered to them, so that at a minimum you have the ability to have a sense of what is inside your software. And I think that is the first and fundamental step.
 

I think that all enterprises need to [00:29:00] step up to and do, because it benefits them and it also sends a clear signal to the software development community, whether it is closed source or open source, that this basic ingredient listing is an expectation. After that, of course, tuning our funding horn here, we are obviously funding companies that are building software security visualization, integration into the development pipeline, integration into software IDEs.
 

Check them out. See if those products make sense. And even if their products don't make sense, look for some products similar to that so that they fit in within your enterprise. I think it is really, really important that people have a responsibility in moving this ecosystem forward, wherever you sit.
 

Melissa Oh: I [00:30:00] couldn't say it better.  
 

Sean Martin: Come on, give it a go. I think you echoed Allan and Bob from my conversation with them yesterday in terms of how to plan and figure out how to start taking action, and to me, looking at the tools and understanding how they can fit into your environment is the most likely next step.
 

Do you have resources outside of the tools, additional guides or other things from CISA that folks can tap into to kind of move it from plan to tools? Picking a tool is cool, but you want to make sure it maps to the plan as well. So there's that kind of middle shim there in terms of how does this fit my organization, and other things like that.
 

Anil John: Absolutely. I think the best resource, at least within government at this point in time, on anything SBOM is cisa.gov/sbom, right? And CISA is [00:31:00] also engaging very actively with the software development community through collaborations, workshops and the like. And I think all of that information is linked to from that website and location.
 

I think that's a great resource, a great starting point for the advice that DHS and CISA are giving to the broader community on how to move this forward. And I don't think we could add anything more; everything is there. So we will simply point everyone to that location.
 

Sean Martin: Love it. And I will point everybody to the demo week. 
 

Because I presume there will be a lot of stories and scenarios and use cases and Q&A and all kinds of fun stuff. Even if you just sit and listen, I can envision a lot of learning happening there. So I'll definitely point folks to that. And hopefully they can join you there. Anything before we wrap?
 

I don't want to wrap. [00:32:00]  
 

Melissa Oh: Thank you, Sean. Really appreciate the conversation and hope to see everyone at demo week.  
 

Sean Martin: Absolutely. Thank you all.  
 

Anil John: And thank you, Sean.  
 

Sean Martin: Thank you both. And thank you everybody for listening and watching this episode of Redefining Cybersecurity, and more specifically redefining software development with supply chain in mind, SBOMs.
 

Our friends, the SBOMs. I think we all have to start walking around with shirts like Allan Friedman with the SBOM.
 

Anil John: He has dropped off many stickers for us as well.  
 

Sean Martin: I need a sticker. I mean, I'm always a sucker for stickers. Anyway, thanks everybody for listening and watching. Please stay tuned. A topic that continues to take up...
 

I don't want to say take up space, but it's an important topic that requires continued conversation. I'll put it that way. Some more to come on this, and thank you, Melissa. Thank you, Anil, for joining, and we'll see you all soon.
 

Melissa Oh: Thank [00:33:00] you.