    Episode 14 · March 18, 2025 · 41m listen · 7,999 words · ~40 min read

    SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr. | Ep. 13 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 14 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    Cortez Frazier Jr. from Fossa joins the podcast to unpack the world of Software Bill of Materials (SBOMs), shedding light on common misconceptions, risks, and benefits for product security teams, regulatory leads, and engineers in the medical device industry. This episode delves into the evolution of SBOMs from simple inventory lists to essential tools for proactive cybersecurity, particularly following significant supply chain attacks like SolarWinds. The discussion highlights the critical role of machine-readable SBOM formats such as SPDX and CycloneDX in efficient vulnerability management. Cortez and the hosts explore various prioritization methods for vulnerabilities, including CVEs, CISA's Known Exploited Vulnerabilities list, and the Exploit Prediction Scoring System (EPSS), emphasizing the need to move beyond basic critical and high severity ratings to assess true exploitability. The episode also touches on the unique challenges of SBOM management in the medical device sector, considering regulations like IEC 62304, the complexities of

    Key takeaways from this episode

    • SBOMs are essential for identifying open-source and commercial components in medical devices, aiding in proactive security and risk management.
    • Prioritize vulnerabilities using methods like CISA's Known Exploited Vulnerabilities list and the Exploit Prediction Scoring System (EPSS) to focus on truly exploitable threats.
    • Transparency in sharing SBOMs does not inherently compromise intellectual property or create a
    • Addressing license compliance is a critical aspect of SBOM management, as certain copyleft licenses can mandate open-sourcing proprietary code if not handled correctly.
    • The FDA currently requires SBOMs for medical devices, and the industry is moving towards more operationalized SBOM ingestion for ongoing vulnerability lookups.
    • Proactive use of SBOMs, including integrating them into development workflows and risk management processes, is crucial for maintaining a strong security posture and meeting regulatory expectations.
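The summary and takeaways above describe two practices: ingesting a machine-readable SBOM (CycloneDX or SPDX rather than a spreadsheet) so component lookups can be rerun as new vulnerabilities appear, and ranking findings by CISA KEV membership and EPSS instead of by CVSS severity alone. The script below is an added illustration, not code from the podcast, its hosts or Fossa. The CycloneDX document, the vulnerability feed, the KEV set, the purls and the CVE identifiers (CVE-0000-xxxx) are all constructed placeholders, and the tier thresholds are assumptions chosen for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM for an invented device.
# Component names, versions and purls are placeholders, not a real inventory.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "device",
                             "name": "example-infusion-controller",
                             "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.0.2",
     "purl": "pkg:generic/example-tls@1.0.2"},
    {"type": "library", "name": "example-json", "version": "3.4.1",
     "purl": "pkg:maven/org.example/example-json@3.4.1"},
    {"type": "library", "name": "example-logger", "version": "0.9.0",
     "purl": "pkg:npm/example-logger@0.9.0"},
    {"type": "library", "name": "example-crc", "version": "2.0.0",
     "purl": "pkg:generic/example-crc@2.0.0"}
  ]
}
"""

# Constructed vulnerability feed keyed by purl. CVE ids are placeholders
# (CVE-0000-xxxx); CVSS and EPSS numbers are invented for the example.
VULN_FEED = {
    "pkg:generic/example-tls@1.0.2": [
        {"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.02},
        {"id": "CVE-0000-0002", "cvss": 5.3, "epss": 0.85},
    ],
    "pkg:maven/org.example/example-json@3.4.1": [
        {"id": "CVE-0000-0003", "cvss": 7.5, "epss": 0.01},
    ],
    "pkg:npm/example-logger@0.9.0": [
        {"id": "CVE-0000-0004", "cvss": 4.3, "epss": 0.30},
    ],
}

# Constructed stand-in for the CISA KEV catalogue: the set of CVE ids listed.
KEV = {"CVE-0000-0002"}

# Assumed tier order for the example (KEV first, then EPSS, then severity).
TIER_ORDER = {"P1-kev": 0, "P2-epss": 1, "P3-severity": 2, "P4-backlog": 3}


@dataclass
class Finding:
    purl: str
    cve: str
    cvss: float
    epss: float
    in_kev: bool
    tier: str


def load_components(sbom_json: str) -> list[dict]:
    """Parse a CycloneDX JSON SBOM and return components that carry a purl.

    A purl is what lets a component be matched against a feed repeatably;
    entries without one are dropped here so they are visibly unmatched.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [c for c in bom.get("components", []) if c.get("purl")]


def tier_for(cve: str, cvss: float, epss: float, kev: set[str],
             epss_threshold: float) -> str:
    """Assign a remediation tier: known-exploited, then likely-exploited
    (EPSS above threshold), then high/critical CVSS, then backlog."""
    if cve in kev:
        return "P1-kev"
    if epss >= epss_threshold:
        return "P2-epss"
    if cvss >= 7.0:
        return "P3-severity"
    return "P4-backlog"


def prioritize(sbom_json: str, feed: dict, kev: set[str],
               epss_threshold: float = 0.1) -> list[Finding]:
    """Look every SBOM component up in the feed and rank the findings.

    The feed and KEV set are parameters so the same SBOM can be re-scored
    whenever either is refreshed, which is the 'ongoing lookup' use case.
    """
    findings = []
    for comp in load_components(sbom_json):
        for v in feed.get(comp["purl"], []):
            tier = tier_for(v["id"], v["cvss"], v["epss"], kev, epss_threshold)
            findings.append(Finding(comp["purl"], v["id"], v["cvss"],
                                    v["epss"], v["id"] in kev, tier))
    findings.sort(key=lambda f: (TIER_ORDER[f.tier], -f.epss, -f.cvss))
    return findings


def severity_only(sbom_json: str, feed: dict) -> list[Finding]:
    """Baseline 'critical and high first' ordering, for comparison."""
    findings = prioritize(sbom_json, feed, kev=set(), epss_threshold=2.0)
    findings.sort(key=lambda f: -f.cvss)
    return findings


if __name__ == "__main__":
    print("severity-only order:",
          [f.cve for f in severity_only(SBOM_JSON, VULN_FEED)])
    print("KEV/EPSS-aware order:",
          [(f.cve, f.tier) for f in prioritize(SBOM_JSON, VULN_FEED, KEV)])
```

With the constructed data, the severity-only ordering puts the CVSS 9.8 placeholder first, while the KEV/EPSS-aware ordering moves the CVSS 5.3 entry that is on the KEV list to the top and the low-severity, higher-EPSS entry second. The component with no feed entry produces no finding, which is the expected result of a clean lookup rather than an error.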

    Full episode transcript

Page 1 of 10 · Paragraphs 1 - 11

Welcome back to The Med Device Cyber Podcast. I am joined here by our co-host, Christian, and then our guest, Cortez from Fossa. How's your day going, Cortez?

My day is going fantastic. I really appreciate you, Trevor and Christian, for having me on. Obviously, Trevor, you came and did a fantastic webinar for us, and so I'm super excited to be able to kind of return the favor a little bit. FYI, apparently there's a whole bunch of winter storms coming up here very, very quickly. As someone who lives in the South, I typically don't get to see snow that often, so I'm excited to maybe get an opportunity to build a snowman. We'll see.

Where are you based out of?

I am based out of Atlanta, Georgia. Very rarely do we get snow, but we got it a couple of weeks ago, which is pretty exciting.

Yeah, I'm in the Phoenix area. I don't think it's ever snowed here in the valley. I think it snowed in like 1921 once, probably.

Awesome. Well, thanks for being a guest, Cortez, and maybe tell us a little bit about what you do and what Fossa does.

Yeah, I would love to kind of give a bit of a background and happy to go in as much detail as you'd like. So, obviously my name is Cortez. Thank you for the introduction. I'm a Principal Product Manager at Fossa. Fossa got its roots as a traditional, I'd say, SCA company, Software Composition Analysis. We started in the license compliance space, and then because we were already doing such high-quality component analysis, it was a very natural leap to then get into the security side of that. Also, very similarly, having already generated an accurate list of components and component relationships and license information vulnerabilities, that then is also a very nice transition and natural step into Software Bill of Materials, which I love when the regulation calls things like an inventory of bespoke assets that we have to try to understand. So that's Fossa at a high level.

For my personal background, prior to working at Fossa, I worked as a Product Manager in a few other companies. Mostly Puppet, if you're familiar with that. They were kind of a DevOps and automation suite of tooling. And then prior to that is actually where I got my start in the cybersecurity space working for what was GE Power at the time, now Genovas. I was a cybersecurity architect there, so responsible for about 1,800 developers, about 600 applications. That's where I really started to get very intimate with some of the problems that my customers now deal with. And after doing that as a practitioner for a few years, I decided I will, for lack of a better term, go to the dark side and see if I can help make some of these products a bit better, rather than just complaining about them. So that's a bit of my background, but I look forward to diving much deeper into kind of what Fossa does, and how I think the SBOM and medical device security space in general is starting to grow.

Cool. I think we'll zoom out for a second because this term SBOM, not everybody probably understands SBOM, but it's interesting because I've been involved with MedTech cybersecurity since like 2014, and even back then there was the SBOM, and people were doing SBOM, but it seems like now it's just becoming more of a, I guess, mandate that people do it. So can we just unpack like what exactly is an SBOM and what are some of the concerns with SBOMs? Because I know a lot of our clients and prospects don't want to make the SBOM public. They have some concerns about it. So what can we just, you know, I guess dissect that a little bit, unpack it?

Yeah, let me take an initial leap, and then, Trevor, feel free to add any additional comments that you have from your end. So from my perspective, you're 100% right, Christian, that an SBOM stands for Software Bill of Materials. Bills of materials have been a thing for a long time. You've got different companies that have used this with various assets.

I actually feel like Cybersecurity 101 is you cannot defend or protect something that you don't know exists. And so getting an accurate and up-to-date inventory is always priority number one. And so my read on how the industry has reacted is for a long time, a lot of people were maintaining these lists of both open-source and commercial components that they were using in very archaic ways. Typically Excel sheets, which I love Excel, it runs the world, no problems with that, but it is really difficult for people to ingest Excel sheets at scale and then be able to do any type of ongoing analytics about that. In particular, as we know, new vulnerabilities appear every day for existing open-source or closed-source packages.