December 8, 2023
In this Episode:
Marcel Brown: December 8th, 1975. Paul Terrell opens the Byte Shop in Mountain View, California, one of the first retail computer stores in the world. Paul Terrell and the Byte Shop are most famously known for ordering the first 50 computers from Steve Jobs and Steve Wozniak’s fledgling Apple Computer Company in 1976.
Edwin Kwan: A Bluetooth authentication bypass vulnerability has been discovered to be impacting Apple, Android, and some Linux devices. The bug allows attackers to connect to devices and inject keystrokes to execute arbitrary commands.
Katy Craig: Today we’re diving into a game-changer for consumer software transparency: the launch of the BOM Maturity Model by the OWASP Foundation. Simply put, this model is a big win for consumers who want to know more about the software that we use daily.
Olimpiu Pop: Software Bills of Materials, SBOMs, are those labels that we need to stick on our delivered software packages. How should it happen? For now, at least in the Java ecosystem, there is no way of delivering the label together with the package.
Shannon Lietz: We’re all talking about Bill of Materials these days. It’s an important concept for all of us, for a lot of reasons, in particular software buyers. Anyone who’s out there who’s buying something from a supplier should be interested in what is in that actual product.
Trac Bannon: OWASP has just introduced the Software Bill of Materials Maturity Model. In general, I’m not a fan of maturity models. They’re often inflexible, arbitrary, and don’t consider context. I’m partial to health measures or indexes that can and should fluctuate when situations change. That said, there is merit in providing guidance given the slow rate of adoption and even the lack of understanding by the software industry.
From Sourced Network Productions in Washington, DC, it’s 5:05. I’m Hillary Coover. Today is Friday, December 8th, 2023. Here’s the full story behind today’s cybersecurity and open-source headlines.
The Stories Behind the Cybersecurity Headlines
Bluetooth Authentication Bypass Vulnerability in Apple and Linux
This is Edwin Kwan from Sydney, Australia.
The bug allows attackers to connect to devices and inject keystrokes to execute arbitrary commands. It doesn’t require special hardware and can be exploited from a Linux machine using a regular Bluetooth adapter. The flaw was reported to Apple, Google, Canonical, and Bluetooth SIG. The security researcher who reported the issue is holding off from releasing the vulnerability details and proof of concept until everything has been patched.
The vulnerability has been present since at least 2012 and it tricks the Bluetooth host machine state into pairing with a fake keyboard without user confirmation. While Linux fixed the issue back in 2020, many Linux distributions including Ubuntu, Debian, Fedora, Gentoo, Arch, and Alpine left the fix disabled by default, leaving them vulnerable. Apple has acknowledged the report but hasn’t provided a patch timeline.
– GitHub: https://github.com/skysafe/reblog/tree/main/cve-2023-45866
– The Register: https://www.theregister.com/2023/12/06/bluetooth_bug_apple_linux/
This Day, December 8, in Tech History
December 8th, 1975. Paul Terrell opens the Byte Shop in Mountain View, California, one of the first retail computer stores in the world. Besides that important distinction, Paul Terrell and the Byte Shop are most famously known for ordering the first 50 computers from Steve Jobs and Steve Wozniak’s fledgling Apple Computer Company in 1976.
As the story goes, the Steves initially intended the Apple I to be a kit where buyers would solder the chips onto the circuit boards themselves. Terrell requested that instead they deliver fully assembled computers, as he was having trouble selling other kits to people who couldn’t put them together themselves. By insisting on a fully assembled computer, even though the Apple I still lacked a case, power supply, and keyboard, Terrell helped shape the future direction of Apple and the entire personal computer industry. The Apple II was the first personal computer to be manufactured and sold as completely assembled units, making them accessible to the average user, thus igniting the personal computer revolution.
December 9th, 1968. Douglas Engelbart and his team of researchers present a 90-minute public technology demonstration including such innovations as hypertext, videoconferencing, and most famously, the computer mouse. This is the first public demonstration of the mouse, witnessed by about 1,000 computer professionals in attendance.
December 9th, 1987. The Christmas tree worm begins to affect IBM mainframe computers around the world. The worm was delivered by email and drew a Christmas tree text graphic on the user’s monitor and searched out other network users to email. Named Christma Exec, because IBM’s systems only supported 8 character filenames, it was the world’s first widely disruptive computer worm. While the worm was not intentionally destructive, the volume of emails it created could disrupt a user’s work and began to overload email systems. It reached IBM’s VNet email network on December 15th, and two days later, had crippled it to the point they had to shut it down to eradicate the worm.
Also on December 9th, 1987, Microsoft releases version 2.0 of Windows. The most notable feature of Windows 2.0 was that the application windows could overlap each other, unlike in Windows 1.0. The terminology of minimize and maximize was also introduced in Windows 2.0. Windows 2.0 was a relatively obscure operating system, as the popularity of Windows did not really take off until version 3 in the 1990s. However, interestingly, Microsoft officially supported Windows 2.0 until December 31, 2001, a span of 14 years. All that being said, Windows 2.0 is probably more important in computer history for being the version of Windows that prompted Apple’s famous lawsuit against Microsoft for copyright infringement of the Macintosh operating system.
That’s your technology history for this week. For more, tune in next week and visit my website, thisdayintechhistory.com.
– This Day in Tech History: https://thisdayintechhistory.com/12/08
And now, it’s Point of View Friday, featuring Trac Bannon, Katy Craig, Shannon Lietz, and Olimpiu Pop, with their perspectives on the launch of the BOM Maturity Model by the OWASP Foundation. We’ll start with Trac Bannon.
Tracy (Trac) Bannon
OWASP BOM Maturity Model: Is It Valuable?
OWASP has just introduced the Software Bill of Materials Maturity Model. In general, I’m not a fan of maturity models. They’re often inflexible, arbitrary, and don’t consider context. I’m partial to health measures or indexes that can and should fluctuate when situations change. That said, there is merit in providing guidance given the slow rate of adoption and even the lack of understanding by the software industry.
Hello, this is Trac Bannon reporting from Camp Hill, Pennsylvania.
While the Biden administration’s executive order in 2021 mandated the use of SBOMs for companies doing business with the US government, there’s been a lack of similar requirements in the private sector. Presumably, OWASP published this guidance to improve the situation.
Taking a closer look, is it effective and timely? The SBOM maturity model is a detailed and thorough model, but this complexity might make it hard for some companies, especially the smaller ones, to use it effectively. The complexity could be a double-edged sword. I do think it’s a step in the right direction if groups continue to adopt and automate SBOM practices.
Using this new model isn’t without its hurdles. Beyond the complexity, implementing SBOMs is not free. The intricacies of implementation will hinder groups with limited resources or expertise in SBOM management. This means organizations must invest in training and tools. For smaller entities, this can be a significant hurdle.
Then there is the challenge and cost of integration into existing practices. Aligning the model with DevSecOps practices may require substantial adjustments or even temporarily disrupt current value streams.
What remains to be seen is how SBOMs will evolve with the advancements in AI, ML, and generative AI tech. Commercial groups are already working on using this tech to enhance the accuracy of SBOM creation and analysis. It’s still in its nascent stages.
All this said, the OWASP SBOM Maturity Model is a promising framework. Its success, however, depends on its adaptability, ease of implementation, and the speed at which it’s embraced by industry.
Something to noodle on.
– New Stack: https://thenewstack.io/why-maturity-models-are-fundamentally-broken/
– Cybersecurity Dive: https://www.cybersecuritydive.com/news/sbom-adoption-businesses-supply-chains/690005/
– OWASP: https://www.einpresswire.com/article/665343822/owasp-launches-bom-maturity-model-new-benchmark-for-sbom-quality
– OWASP: https://scvs.owasp.org/bom-maturity-model
OWASP BOM Maturity Model: A Benefit for Consumers
Today we’re diving into a game-changer for consumer software transparency: the launch of the BOM Maturity Model by the OWASP Foundation. Simply put, this model is a big win for consumers who want to know more about the software that we use daily. With the increasing need for software transparency, organizations are now equipped with a tool to evaluate the quality of software bills of materials, or SBOMs.
This is Katy Craig in San Diego, California.
Here’s how the BOM maturity model benefits us as consumers:
1. Ensuring compliance. This model allows for a rigorous assessment of SBOMs. This means the software we use will adhere to strict organizational policies and meet diverse data requirements, ensuring higher quality and security standards.
2. Optimizing workflow. The model streamlines the generation and consumption of BOMs, or Bills of Materials. For us, this translates to using software that’s less prone to errors and inefficiencies, saving time and reducing risks.
3. Future-proofing. The model compares current and future BOM formats, aligning with evolving industry standards. This ensures the software we use will not become outdated, maintaining our digital security.
In a nutshell, the OWASP BOM maturity model is a significant advancement for us, the consumers. It ensures that the software we rely on is not only transparent, but also adheres to the highest quality and security standards. This is a big leap forward in our digital safety and empowerment. Stay tuned for more updates on how this model revolutionizes software transparency.
This is Katy Craig. Stay safe out there.
OWASP BOM Maturity Model: Is it too soon?
Even though in the northern hemisphere winter is coming, in the cybersecurity legislative space it feels more like spring: multiple rapid changes in all areas and geographies. The most important players in the space are the US and the EU.
It all started 3 years ago, almost to the date, when Log4Shell opened Pandora’s box. Unfortunately, the ripple effects can be seen today. If, in 2020, a third of the log4j downloads contained a vulnerable version, today the percentage has decreased to a fifth. Not much improvement, right?
As the maturity of the industry, which stated loud and clear that “software is eating the world,” failed to appear, the governmental bodies stepped in to regulate the space. Multiple legislative acts asked for improved cybersecurity of software. In the US, CISA and the National Telecommunications and Information Administration were mandated to find a solution.
This is how software labeling came on stage. Software Bills of Materials, SBOMs, are those labels that we need to stick on our delivered software packages. I have been thinking about this for a long time. How should it happen? For now, at least in the Java ecosystem, there is no way of delivering the label together with the package, the JAR in this case. It usually is an external file that I need to keep together with it, or maybe wrap in an archive. The complexity is even greater than that.
What happens with the transitive dependencies? How big will the file be? How much information do I need to have, and how does this get to the end consumer? If I’m a user of Android, how can I read a label of the operating system? If I am an iOS user, how can I read the label of the operating system? Do I turn the phone over and find it next to the “Designed in California, produced in Taiwan” label? To talk about the maturity model at this point is very, very premature.
To develop maturity models, we need to have at least a couple of iterations that would allow us to draw some conclusions. At this point, the only software product that I use and that has something close to a list of what libraries were used is Slack, but there is still a long way to go.
Don’t get me wrong. It is useful to have some kind of checklist that acts as a recipe. But that cannot be called a maturity model.
Olimpiu Pop stated his opinion from Transylvania, Romania.
For extra opinions and resources, 505updates.com is the place to go.
OWASP BOM Maturity Model: Win, Lose, or Draw?
Hi, this is Shannon Lietz reporting from San Diego, California. We’re all talking about Bill of Materials these days. It’s an important concept for all of us, for a lot of reasons, in particular software buyers. Anyone who’s out there who’s buying something from a supplier should be interested in what is in that actual product.
At some stage, we were introduced to Bill of Materials because of critical safety related to medical devices. The Bill of Materials concept was important to keep people alive. The really critical thing we should take away is that the Bill of Materials shouldn’t disappear on us. We should have transparency in Bill of Materials.
If you think about how this got introduced to us, Deming was a really great pioneer, when he worked for Toyota, trying to introduce this concept of a bill of materials. And it has worked really well for us with car manufacturers.
Ultimately, the Win, Lose, or Draw for this is that buyers win with greater transparency and a detailed understanding of what is in the software and hardware that they buy for information technology and digitization.
The lose is, technically, those that supply hardware and software and technology, where they don’t budget for security, and they don’t provide the benefit back to the buyer. And ultimately that transparency is what unlocks the ability for us to get software trust and accountability to the forefront.
The current situation we’re all in is the draw. We have a lot of confusion about why Bill of Materials is critical. And that is actually a sad part of the state of affairs.
When we introduced this concept into medical devices, it was really clear what our why was for. We were trying to keep people alive by introducing Bill of Materials. If we look further out and try to adapt Bill of Materials to other software suppliers, other hardware suppliers, it’s the right thing to do. It needs to be more crisp about why we’re doing this, and what the actual use cases are that drive the benefit from having Bill of Material transparency.
There’s absolutely a need. There’s absolutely a benefit. As we work our way through these use cases as buyers, having a Bill of Materials is where we’re going to be able to hold our suppliers more accountable. We’ve gotten to the point where we’ve gotten better at doing some of those things, and they transcend.
Ultimately, in the current situation, we need to stop being distracted by which format this or which format that. We need to really get into the work of what’s the why. Medical device safety, absolutely the right thing to do, and Josh Corman was right to go after that, thankfully.
Now it’s up to all of us as buyers to really start to establish these use cases that drive the benefit and value back out of what a Bill of Material is really meant to be.
This is Shannon Lietz reporting from San Diego, California on the Win, Lose, or Draw.