Welcome to Part III of our blog post miniseries on The Quest for SBOMs and the Legend of the SBOM'd Substation. We continue this week with the third installment from this series, inspired by the epic S4x24 main-stage presentation delivered by Matt Wyckhouse, Founder & CEO of Finite State, and Alex Waitkus, Principal Power Delivery Cybersecurity Architect at Southern Company. 

If you missed the last post in the series, you can find it here.

On to Level 2: Vendor Valley - A Dicey Negotiation

Our journey into the heart of SBOM acquisition, the so-called 'Vendor Valley,' resembled a strategic game fraught with negotiation hurdles and diplomatic maneuvering. Our sage guide advises that securing an SBOM can average 60 days spanning a dozen exchanges, a testament to the resilience and patience required in this quest.

Our supply chain security adventurers, embodying the spirit of persistence, navigated through a sea of emails and meetings, facing a stark 72% refusal rate from vendors. Yet, the rejection fueled a fiercer resolve, with each 'no' honing the edge of determination. The occasional beacon of success, the SBOMs procured, illuminated the path forward, complemented by direct firmware testing to bridge the gaps. As regulations shifted, promising a new era of transparency, the landscape of Vendor Valley began to transform, marking a shift towards a more open and secure future.

Side Quests: Case Studies in SBOM Drama

Embedded within Vendor Valley were side quests, each a narrative of challenges, innovations, and victories. These 'Case Study Chronicles' unveiled the multifaceted nature of SBOM collection, from navigating legal swamps to persuading the denizens of Non-Compliance Nook. Creative tactics and sheer tenacity were the keys to unlocking the doors of vendor cooperation, providing a roadmap for those who dare to follow in our footsteps.

Level 3: Deciphering Runes - The SBOM Enigma

Emerging from Vendor Valley, our heroes faced the daunting task of deciphering the SBOMs themselves. Our adventurers likened this challenge to unearthing ancient scripts filled with cryptic runes—each SBOM a complex puzzle piece, often incomplete or inaccurately documented. They highlighted the diversity in formats and the glaring gaps within the data, akin to piecing together an archaeological puzzle without a legend.

Tools like the Finite State Platform and Dependency Track became the adventurers' lexicons, translating the obscure language of SBOMs into actionable intelligence. Supported by community-driven initiatives, the quest for comprehension gained momentum, turning the bewildering array of SBOM hieroglyphs into a navigable map of our digital landscape.

Level 4: Crossing the Chasm - Verifying SBOM Truths

The acquisition of SBOMs was only the beginning. The true test lay in verifying the veracity of these documents. Our adventurers drew parallels to a spellbook promising grandeur but lacking substance. The task at hand was not merely to collect but to test each SBOM against the stark reality of the digital realm.

Independent verification emerged as a critical endeavor. With some vendors granting access to firmware and software for analysis through platforms like Finite State, inconsistencies were brought to light. This process was not about asserting superiority but about fostering crucial conversations and ensuring that the SBOMs stood as reliable testaments to software integrity.

The Journey Continues

As our intrepid adventurers navigated through the thickets of negotiation, deciphered the runes of SBOM documentation, and crossed the chasm of verification, the quest for SBOM transparency and security pressed on. Each level conquered, from Vendor Valley to the enigmatic depths of SBOM interpretation, represented a stride towards a more secure digital future. The path, marked by victories and challenges, offered a blueprint for navigating the complex terrain of operational technology security.

In this odyssey of SBOM acquisition and analysis, our heroes forged a path illuminated by persistence, innovation, and the collective effort of a community dedicated to securing the cyber world—one SBOM at a time.

Check back soon for our next installment in this series, when our adventurers take on Level 5: The Vulnerability Hoard!