Blog | Aug 27th, 2025 | 5 min

Dawn of a New Era

Duncan Sparrell
Advisor

This week, when I normally would have been on an SBOM community call, I instead happened to be listening to a Hidden Brain podcast, “Change your story, change your life”. The TL;DR of the episode is that there is scientific evidence that looking on the bright side both makes you happier and helps you live longer. The episode talks about defining the narrative of your life, and that the tone of the narrative matters. I think this applies to projects and communities as well as to individuals. How it relates to SBOMs is that there has been sadness associated with the completion of the weekly SBOM community calls. Instead, I’d like to declare that it’s a good thing and the beginning of a new era.

The new era will be, personally for me, the sixth SBOM era. I was first introduced to the concept of SBOMs around the turn of the century, long before the SBOM term/acronym was coined. In fact, it was during the coining of a different term/acronym – Security Operations Center (SOC). I had the privilege of leading the team that created the first SOC and personally coined the term. We were implementing classified DoD contracts, and they stipulated that we know everything in our software, and that we inform the DoD whenever we updated any software anywhere in the classified SOC we implemented. “Age of SBOM Denial” is what I call my first SBOM era, as I resisted mightily, but ineffectively. We were forced to implement very comprehensive software transparency on a very large scale – and ended up very glad we did.

Once implemented, we uncovered lots of unanticipated benefits that all seem obvious now but blew my mind at the time. We found licensing issues (the nasty copyleft), security issues, software redundancy, version mismatches, and a whole lot of cruft. I’ve been an SBOM enthusiast ever since. I call this second era my “Age of SBOM Innocence”. Most who know me justifiably consider me arrogant. I was even worse back then. I divided the world into two groups – the small number of people smarter than I was, and everyone else. IMHO, those smarter than me should see the value of software transparency because, to quote my college Physics text, it was “intuitively obvious to the casual observer”. After all, they were smarter than I was, and I saw the value. As to everyone else, they should just take my word for it. Obviously, that didn't work out too well.

The age of innocence lasted a number of years. I was a strong advocate of open source. I led the “&” of R&D, and my team had to convince the AT&T lawyers to allow the use of open source. Basically, the lawyers' issue was that they needed, in my words, a “throat to choke”. We successfully argued that by using open source, it became “our” software, and the throat to choke was mine, just as it would be if we’d written it ourselves. I still firmly believe this – you are using open source because it’s a better value than developing it yourself. I believe this philosophy means you should know something about the open source you are using. Although I was an advocate of software transparency, the Age of SBOM Innocence was mostly unsuccessful beyond the limited sphere under my control.

This era ended approximately a decade later when I went to a meetup and discovered “I am the cavalry”. I missed the very first meeting 13 years ago this week, but I did attend the second, at which I bent Josh Corman’s ear about software transparency, and he bent mine. Because he’s better than I am at recognizing the need for buzzwords, the term SBOM was coined. The “I am the cavalry” era helped spawn the NTIA Software Transparency Multistakeholder Working Groups. The NTIA era showed the value of software transparency; it significantly advanced SBOM awareness and spurred at least some adoption. This era is well documented (see https://www.ntia.gov/page/software-bill-materials), and I think there is no doubt it was a success.

The NTIA era morphed into the CISA era. Executive Order 14028 got many more agencies involved – including directing CISA to quarterback the SBOM effort. The community meetings moved from NTIA-hosted to CISA-hosted. The excellent work done (see https://www.cisa.gov/sbom) speaks for itself, and like the NTIA era, the CISA era should be declared a success.

Rather than bemoaning the end of an era, we should be proclaiming the dawning of a new one. We have come quite far. But we haven’t crossed the finish line yet. Quoting Gibson, "The future is already here – it's just not evenly distributed." Some are still in the age of denial, but a lot fewer because of the community efforts. Many in the community are still in the age of innocence – people aren’t going to take our word for it. We need to get better at producing quantitative risk analysis that shows the financial value of implementing software transparency. Hopefully this next era will be the age of adoption.

I'm confident that this next era will be just as productive as the previous eras. We are beyond awareness, and moving into significant adoption. Implementation will take some time, but it’s obvious we’ll be better off for it. Hopefully, in the not-too-distant future, we will look back and wonder why it wasn’t “intuitively obvious to the casual observer” and “what took us so long?” Then all these ages will just be history.
