
Cybeats Provides Highlights from Episode 6 of its Live Webinar Series; Software Bill of Materials and the Future of Automation in Software Engineering

February 24, 2022

TORONTO, February 24, 2021 – Scryb Inc. (“Scryb” or the “Company”) (CSE: SCYB, OTCQB: SCYRF, Frankfurt: EIY) is pleased to provide highlights from its 6th live webinar episode, titled ‘State of Cybersecurity Industry: SBOMs Illustrate the Future of CI/CD Pipelines’, which was moderated by Evegniy Kharma, VP of Cybersecurity Solution Architecture at Herjavec Group. Speakers included Chris Blask, VP Strategy at Scryb; Sanket Panchamia, Lead Architect for Emerging Technologies at Unisys Global; Stuart Phillips, Product Marketing Director at Cyber Interos; and Dragos Ruiu, CEO of Dragos Tech. Below are highlighted excerpts from the 6th live webinar:

Q1. What came before SBOMs? What led up to it? How was software inventory previously tracked?

Sanket Panchamia (3:00)

‘SBOMs have been here for a while, it’s not a new term, but before there was no standard way to share this information to your downstream customer as to what goes inside your package. It’s essentially nothing but an ingredient list; we’ve had readme files and PDF documents as to what goes inside your software. That at the time, and until now, was the current state of SBOMs, until we had this executive order that taught us how we want to share that information and how to create these SBOMs to share with downstream customers. In essence, there was no standardization, just documents being shared before. There was no good way of aggregating or managing those PDF files. Typically, the PDF files were created by people not involved in the entire software development life cycle (SDLC). It was done by folks who deliver the software, so sometimes it could be error-prone or not complete.’


Q2. Where does SBOM need to be generated in CI/CD (Continuous Software Development) pipelines?

Dragos Ruiu (12:05)

‘I think for CI/CD stacks it should, in an ideal world, be built as part of your software and part of your build process. As you update everything, your SBOM should be one of the deliverables of your CI/CD pipeline every time you release a new build because it’s constantly mutating. If you’re going to snapshot it at periodic intervals you're almost guaranteed to be out of date and it's probably a process that is going to be error-prone. Automating it in the long term is the final real solution, trying to remove some of the drudgery and tracking from humans and provide tools, so that they can be delivered to their customers and their customers and so on down the chain. I personally think that if you're going to use snapshots you're probably doing more work than you ought to. It really needs a machine approach to the problem.’


Stuart Phillips (7:45)

‘Log4j is prevalent in most Java software that has logging and you are able to look at the downloads and information provided, but a lot of the software can be downloaded anonymously. The challenges are [...] trying to figure out which versions are available and which are obsolete. If I had an SBOM and the way that an SBOM is supposed to work, I should be able to very quickly run a simple query across the software and applications that we’re using within the organization and know what versions of Log4j are there, if they are the obsolete versions, and be able to prioritize those for patching, updating, mitigation, or replacement. […] It should be very simple to do that and right now it is very difficult.’


Chris Blask (10:30)

‘SBOMs are an attestation at a given point in time about a thing [...] a lot of those attestations come down to things that are just operational: ‘how can I track the contingencies’, ‘it’s taking too long’, ‘it’s taking too much time’, ‘it’s costing too much’. ‘Can I be more profitable, productive, and competitive if I add this system of tracking?’ SBOM is the tip of the iceberg we happen to see now, but it's been coming for a long time and there's more to it.’


Q3: Do you think modern DevOps practice should be responsible for creating SBOM?

Stuart Phillips (22:00)

‘Well, in the recent executive order, they highlight SBOMs directly, so we see that there is a drive to SBOM; in fact, if you look at the CISA announcement about Log4j, they said if we had SBOM this would be easier to deal with, so there is definitely a push from the US Federal Government and from other organizations to drive SBOM … if I can't sell to the Air Force, FAA, state or local governments unless I have an SBOM, that’s a big driver and it also levels the playing field because now everybody has to do it.’


Dragos Ruiu (27:05)

‘I think a distinction should be made about where it lives right now and where it should live, because right now, this kind of material is bread and butter for security audits. Every security audit, one of the standard items is, let’s check if you have any outdated versions. Right now, a lot of that responsibility, especially in smaller organizations, is going to outside consultants and folks doing the security audits, so when the contract calls for you to ask your vendor if you have done your security audit, part of that is checking your SBOM and looking for vulnerable components, etc. That is going into the auditing function right now. Where should it be? That's a different question; I think you need to bring it into DevSecOps and the mainline workflow of the whole R&D team.’


Sanket Panchamia (28:15)

‘At some point this whole DevOps practice, it’s more moving towards the automation side of things. Previously, until September there was no standardization of SBOM and now you have SPDX as one of the formats that’s being ISO-certified through which you can create and share SBOMs with your downstream customers. And now, since that standard has come, there's a lot of automation around it. Yes, it’s a responsibility of your DevSecOps team to make sure your SBOM is complete, and it does not have vulnerabilities that are known, at least not the high-end critical ones, but many companies are moving towards automating this, so there's not one responsible person, it's a process in place where it’s becoming part of their practice, it’s something that just happens, you really don't worry or have to think about it. That’s how people are thinking about this now, the whole concept of creating SBOMs and the responsibility for it.’


Stuart Phillips (42:10)

‘I can know with absolute certainty what versions of software have what versions of Log4j. The way we do it now, most companies in development, they would have to go through and test or look in the logs or have to run some Log4j vulnerability assessment tool against the various versions of software in order to create some sort of reliable rules. So I think using SBOM internally for your own processes could have a significant reduction in costs and a significant improvement in quality and product.’


Q4: How are you looking to tie all these supply chain attestations into the existing CI/CD pipeline?

Sanket Panchamia (47:05)

‘Generating SBOMs is one thing which is solving one spectrum of the problem; I think sharing is a completely different game altogether. How do you make sure that you share that information to your customers and in a continuous manner? We are moving towards SaaS and continuously evolving software packages, so how do you make sure that the SBOMs that you generate and share are up to date? When we talk about SBOMs, it's not just the software, it's the infrastructure that goes behind it, the environment that you've created it in, and the vulnerabilities associated with those, because it matters at the end of the day. When you are looking at vulnerabilities, it’s not just what’s in the package but even the periphery around it, so it's a make or break for the whole supply chain attestations. There is some serious thought put into it now; ever since I’ve gotten into this world, the whole concept of SBOMs and sharing attestations was a byproduct of your development cycle, but now that it's gained traction it's become more mainstream, it's something that’s consciously been looked into as to how do you create these attestations, how do you share them, how do you standardize them, and once you have all of that, how do you put them into your existing CI/CD pipeline. I'm pretty sure most organizations are on the CI/CD pipeline, it's not new for them, so they are trying to automate things, not having to do this manually, but get a process and practice in place, just let it happen and not have to worry about it.’


Q5: What are the benefits software houses are pursuing with CI/CD development?

Dragos Ruiu (50:30)

‘Things like Veracode and static analyzers, there’s a lot of tools that can be built into the CI/CD pipelines that are of high effort and intensity on a one-off basis. Using older and more manual-built processes, I think you can put in a lot of automation for your developers that will save you a lot of security checks down the line, static analyzers being the first and most visible component. But there's also lots of things that you get fairly cheaply as opposed to doing it by having a separate Q.A. department or by having more older, manual processes, and that to me is the sales pitch that most people will pay attention to […] From my perspective, as an external snapshot of the company, I see almost everybody switching to that philosophy; I don’t see many people holding back on that.’
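The "simple query across the software and applications" that Stuart Phillips describes in his Log4j answers above is what an SBOM-driven inventory makes possible. The script below is an added example, not code from the webinar, from Cybeats, or from any speaker's company. It assumes each application ships a CycloneDX-style JSON SBOM whose top-level "components" list carries "name", "version" and optionally a Maven "purl"; the three sample SBOMs and the minimum acceptable log4j-core version are constructed for illustration, not real inventory data or a vendor advisory.

```python
"""Query a set of CycloneDX-style SBOMs for log4j-core versions.

Added example, not from the webinar or any speaker's company. Assumptions:
each SBOM is CycloneDX JSON with a top-level "components" list whose entries
carry "name", "version" and optionally "purl"; the SBOMs below and the minimum
acceptable version are constructed for illustration, not real inventory data.
"""
import json
import re

# Assumed policy threshold (constructed, not from the page): versions below it are "obsolete".
MIN_ACCEPTABLE_LOG4J = "2.17.1"

# Constructed sample: one SBOM document per application, keyed by application name.
SAMPLE_SBOMS = {
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
            {"type": "library", "name": "log4j-api", "version": "2.14.1"},
        ],
    }),
    "reporting-ui": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.13.1"},
        ],
    }),
    "static-site": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [],
    }),
}


def parse_version(v):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def is_log4j_core(component):
    """Match on the component name or on the Maven purl, since SBOM tools differ in what they fill in."""
    name = component.get("name", "")
    purl = component.get("purl", "")
    return name == "log4j-core" or "org.apache.logging.log4j/log4j-core" in purl


def log4j_versions(sbom_json):
    """Return the sorted set of log4j-core versions declared in one SBOM document."""
    doc = json.loads(sbom_json)
    return sorted({c.get("version", "") for c in doc.get("components", []) if is_log4j_core(c)})


def inventory(sboms, min_version=MIN_ACCEPTABLE_LOG4J):
    """Map each application to its log4j-core versions and the subset below the threshold.

    Applications with no log4j-core component still appear (with empty lists), so the
    report answers "where is Log4j at all?" as well as "where is it obsolete?".
    """
    floor = parse_version(min_version)
    report = {}
    for app, sbom_json in sboms.items():
        versions = log4j_versions(sbom_json)
        report[app] = {
            "versions": versions,
            "obsolete": [v for v in versions if parse_version(v) < floor],
        }
    return report


def patch_queue(sboms, min_version=MIN_ACCEPTABLE_LOG4J):
    """Applications carrying an obsolete log4j-core, sorted so the list is stable for ticketing."""
    return sorted(app for app, r in inventory(sboms, min_version).items() if r["obsolete"])


if __name__ == "__main__":
    for app, r in inventory(SAMPLE_SBOMS).items():
        print(f"{app}: log4j-core {r['versions'] or 'absent'}; obsolete: {r['obsolete'] or 'none'}")
    print("prioritize for patching:", patch_queue(SAMPLE_SBOMS))
```

The point of keeping the threshold as an input rather than hard-coding a judgement per component is the one Dragos Ruiu makes about snapshots: if the SBOMs are regenerated by the build pipeline on every release, the same query can run unchanged against fresh documents, and the patch queue it produces stays current without anyone re-auditing by hand.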


About Cybeats

Cybeats delivers intelligent security applications for software supply chains and IoT connected devices, autonomously detecting and eliminating cyber threats in real-time. Cybeats: Software made certain.

Website: www.cybeats.com

SUBSCRIBE: For more information, or to SubScryb to the Company’s mail list, visit: https://www.scryb.ai


About Scryb

Scryb is a platform that powers businesses and technologies with applied intelligence, real-time analytics, and actionable insights. The platform boasts proven adaptability across diverse markets, from digital health and diagnostics to cybersecurity and manufacturing. The cloud-based platform is composed of crucial elements including sensor technology, IoT, predictive analytics, and computer vision.

For more information, please visit our website at: http://scryb.ai


Contact:

W. Clark Kent, President

Office. 647-872-9982

TF. 1-844-247-6633

Email: info@scryb.ai

Forward-looking Information Cautionary Statement

Except for statements of historic fact, this news release contains certain "forward-looking information" within the meaning of applicable securities law. Forward-looking information is frequently characterized by words such as "plan", "expect", "project", "intend", "believe", "anticipate", "estimate" and other similar words, or statements that certain events or conditions "may" or "will" occur. Forward-looking statements are based on the opinions and estimates at the date the statements are made, and are subject to a variety of risks and uncertainties and other factors that could cause actual events or results to differ materially from those anticipated in the forward-looking statements including, but not limited to, delays or uncertainties with regulatory approvals, including that of the CSE. There are uncertainties inherent in forward-looking information, including factors beyond the Company’s control. There are no assurances that the commercialization plans for the technology described in this news release will come into effect on the terms or time frame described herein. The Company undertakes no obligation to update forward-looking information if circumstances or management's estimates or opinions should change except as required by law. The reader is cautioned not to place undue reliance on forward-looking statements. Additional information identifying risks and uncertainties that could affect financial results is contained in the Company’s filings with Canadian securities regulators, which filings are available at www.sedar.com