Episode 61 · March 18, 2025 · 41m listen · 6,795 words · ~34 min read
SBOMs Unpacked: Myths, Risks, & Benefits with Cortez Frazier Jr. | Ep. 13 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 61 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Episode summary
In this episode of The Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa are joined by Cortez Frazier Jr., a Principal Product Manager at Fossa, to discuss the critical role of the Software Bill of Materials (SBOM) in modern medical device cybersecurity. Cortez brings a unique dual perspective, having worked as a Cyber Security Architect at GE Power, where he managed security for hundreds of applications, before moving into product management to help build better security tools. His company, Fossa, specializes in Software Composition Analysis (SCA), which evolved from managing open-source license compliance to comprehensive security and SBOM generation. The conversation centers on the transition of SBOMs from a niche concept to a regulatory necessity, driven by major supply chain incidents like SolarWinds and subsequent government mandates, including the White House Executive Order and new FDA requirements.
The core of the discussion unpacks the practical challenges and misconceptions surrounding SBOMs. A major argument addressed is the resistance from some manufacturers who fear that publishing an SBOM is akin to providing a 'playbook for attackers' or exposing valuable intellectual property. The hosts and guest collectively debunk this idea, arguing that true IP lies in the proprietary code and its unique implementation, not in the commodity open-source components it utilizes. They emphasize that security through obscurity is an outdated and ineffective strategy; if an SBOM reveals a long list of unpatched, critical vulnerabilities, the problem isn't the disclosure but the underlying poor security posture. The podcast frames SBOM transparency as a powerful forcing function for better security hygiene throughout the development lifecycle.
Beyond just creating an SBOM, the episode delves into the more complex problem of what to do with it. With SBOMs often revealing a 'sea of vulnerabilities,' the conversation shifts to effective prioritization strategies. Cortez outlines a multi-tiered approach to move beyond simply chasing high CVSS scores. A more mature strategy involves leveraging data like the CISA Known Exploited Vulnerabilities (KEV) list and the Exploit Prediction Scoring System (EPSS) to focus on threats that are actively being exploited in the wild. The 'holy grail' of analysis, as Cortez describes it, is reachability—determining whether the application's code actually calls the specific vulnerable function within a third-party library. This context-aware approach dramatically reduces noise and allows teams to focus on risks that are genuinely exploitable. The discussion concludes by highlighting the unique difficulties in the medical device space, such as the high cost of post-market remediation for deployed devices and the challenge of identifying 'SOUP' (Software of Unknown Provenance), making proactive SBOM management and vulnerability triage essential from the earliest stages of development.
Key takeaways from this episode
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all software components in a product, which has become a regulatory necessity for medical devices.
The concern that an SBOM is a 'playbook for attackers' is largely a misconception; a transparent and clean SBOM is a sign of a strong security posture, not a liability.
The primary challenge with SBOMs is not generation, but the effective prioritization of the numerous vulnerabilities they uncover to avoid getting lost in 'a sea of vulnerabilities.'
Effective vulnerability prioritization should move beyond basic CVSS scores to focus on evidence of active exploitation, using resources like the CISA KEV catalog and EPSS scores.
Reachability analysis is the most advanced form of vulnerability triage, determining if a vulnerable function within a third-party library is actually callable by the application's code.
For medical devices and embedded systems, managing 'SOUP' (Software of Unknown Provenance) is a significant challenge that can complicate SBOM accuracy and security management.
Unlike easily updated SaaS applications, patching medical devices in the field is logistically complex and expensive, making proactive security during development paramount.
In addition to security vulnerabilities, SBOMs are critical for managing open-source license compliance, as certain 'copyleft' licenses can legally obligate a company to open-source its proprietary code.
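The prioritization ladder summarized in the takeaways above (CVSS base score, then evidence of active exploitation from a KEV-style list and EPSS, then reachability of the vulnerable function from the product's own code) is worked through below as an added Python example. It is not code from the episode or from FOSSA's tooling: the SBOM entries, vulnerability ids (EXAMPLE-000x, not real CVEs), EPSS values, call-graph edges and the EPSS cut-off are all constructed or assumed for illustration.

```python
"""
Tiered vulnerability prioritization over an SBOM (added example).

All inputs are constructed: component names, vulnerability ids, KEV flags,
EPSS probabilities and the call graph are made up, and the tier rules and
EPSS_THRESHOLD are assumptions a real program would tune.
"""
from collections import deque

EPSS_THRESHOLD = 0.5  # assumed cut-off for "likely to be exploited soon"

# Minimal SBOM: the components the product ships (constructed).
SBOM = [
    {"name": "libparse", "version": "1.4.2"},
    {"name": "netcore", "version": "3.0.1"},
    {"name": "imgcodec", "version": "0.9.8"},
    {"name": "logkit", "version": "2.2.0"},
]

# Constructed vulnerability feed keyed by (name, version). Each entry mirrors
# the three data sources the takeaways mention: CVSS score, presence on an
# "actively exploited" (KEV-style) list, and an EPSS-style probability.
# "function" is the vulnerable entry point inside the library.
VULN_FEED = {
    ("libparse", "1.4.2"): [
        {"id": "EXAMPLE-0001", "cvss": 9.8, "kev": False, "epss": 0.02, "function": "parse_header"},
    ],
    ("netcore", "3.0.1"): [
        {"id": "EXAMPLE-0002", "cvss": 7.5, "kev": True, "epss": 0.91, "function": "handle_frame"},
    ],
    ("imgcodec", "0.9.8"): [
        {"id": "EXAMPLE-0003", "cvss": 8.1, "kev": False, "epss": 0.45, "function": "decode_tiff"},
        {"id": "EXAMPLE-0004", "cvss": 5.3, "kev": False, "epss": 0.01, "function": "decode_bmp"},
    ],
}

# Constructed static call graph of the first-party firmware: which library
# functions the product's code invokes, directly or transitively.
CALL_GRAPH = {
    "main": ["netcore.handle_frame", "imgcodec.decode_bmp", "logkit.write"],
    "netcore.handle_frame": ["libparse.parse_header"],  # reached transitively
    "imgcodec.decode_bmp": [],
    "libparse.parse_header": [],
    "logkit.write": [],
}


def reachable_functions(call_graph, entry="main"):
    """Breadth-first walk from the entry point; returns the set of library
    functions the first-party code can actually reach."""
    seen, queue = set(), deque([entry])
    while queue:
        node = queue.popleft()
        for callee in call_graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def tier(vuln, reachable):
    """Assumed tier rules: reachable + exploited in the wild first, then
    reachable + high EPSS, then any reachable finding; unreachable findings
    are tracked for the next update cycle, ordered by exploitation evidence."""
    if reachable and vuln["kev"]:
        return "P1"
    if reachable and vuln["epss"] >= EPSS_THRESHOLD:
        return "P2"
    if reachable:
        return "P3"
    if vuln["kev"] or vuln["epss"] >= EPSS_THRESHOLD:
        return "P4"
    return "P5"


def findings(sbom, feed, call_graph):
    """Join SBOM components with the feed and annotate each finding with
    whether its vulnerable function is reachable and which tier it lands in."""
    reach = reachable_functions(call_graph)
    out = []
    for comp in sbom:
        for v in feed.get((comp["name"], comp["version"]), []):
            is_reachable = f'{comp["name"]}.{v["function"]}' in reach
            out.append({**v, "component": comp["name"],
                        "reachable": is_reachable, "tier": tier(v, is_reachable)})
    return out


def prioritize(sbom=SBOM, feed=VULN_FEED, call_graph=CALL_GRAPH):
    """Context-aware ordering: tier first, CVSS only as the tie-breaker."""
    return sorted(findings(sbom, feed, call_graph), key=lambda f: (f["tier"], -f["cvss"]))


def cvss_only(sbom=SBOM, feed=VULN_FEED):
    """Naive ordering by base score alone, for comparison."""
    rows = [v for c in sbom for v in feed.get((c["name"], c["version"]), [])]
    return sorted(rows, key=lambda v: -v["cvss"])


if __name__ == "__main__":
    for f in prioritize():
        print(f["tier"], f["id"], f["component"], f"cvss={f['cvss']}",
              f"kev={f['kev']}", f"epss={f['epss']}", f"reachable={f['reachable']}")
```

Ordering by CVSS alone would put the 9.8 and 8.1 findings at the top; the tiered view instead leads with the 7.5 finding that is both reachable and listed as actively exploited, and pushes the 8.1 finding, whose vulnerable decoder is never called, to the bottom of the list.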
Trevor: Welcome back to the Med Device Cyber podcast. I'm joined here by our co-host Christian and then our guest Cortez from Fossa. How's your day going Cortez?
Cortez: My day is going fantastic. I really appreciate you Trevor and Christian for having me on. Um, you know, obviously Trevor you came and did a a fantastic webinar for us and so I'm super excited to be able to kind of return the favor a little bit. Um, FYI apparently there's a whole bunch of winter storms um coming up here very very quickly and so that I'll as someone who lives in the south I typically don't get to see snow that often so I'm excited to maybe get an opportunity to build a snowman. We'll see.
Christian: Where where are you based out of?
Cortez: Um I'm based out of Atlanta, Georgia. Um and so yeah, very very rarely do we get snow. But we got it a couple of weeks ago, which was pretty exciting.
Christian: Yeah, I'm in Phoenix area. I don't think we get uh in the valley. I don't think it's ever snowed here in the valley.
Trevor: I think it's snowed in like 1921 once.
Christian: Probably yeah.
Christian: Awesome. Well, thanks for being a a guest uh Cortez. And um maybe tell us a little bit about what what you do and what Fosa does.
Cortez: Yeah, I would love to to kind of give a a bit of a background and you know happy to go in as much detail as you like. So um obviously my name's Cortez, thank you for the introduction. I'm a principal product manager um on at Fossa. Um Fossa is um got its roots as a uh traditional I'd say SCA company, software composition analysis. Um we started um in the license compliance space and then because we were already doing such high quality component analysis, it was a very natural leap um to then get into uh the security side of that.
Cortez: Um also very similarly, having already generated an accurate list of components and um component relationships and license information vulnerabilities, that then is also uh a very nice transition and natural step um into software bill of materials which um I I love when the regulation um calls things like an inventory of bespoke assets um that we have to to try to uh to understand. And so, um that that's Fossa at a high level.
Cortez: Um for my personal background, prior to working at Fossa, um I worked as a product manager in a few other companies. Um I'm I'm mostly Puppet. Um if you're familiar with that, they were kind of a DevOps and automation I'm a suite of tooling. Um and then prior to then is actually where I got my start in the cyber security space working for what was GE Power at the time, now GE Vernova. Um I was a cyber security architect there.
Cortez: So responsible for about um 1800 developers, about 600 applications. It's where I really started to get very intimate with some of the problems that are my customers now deal with. Um and after doing that as a practitioner for a few years, I decided I will for lack of a better term go to the dark side and see if I can help make some of these products a bit better um rather than just complaining about them. So, um that's a bit of my background but but yeah I I look forward to diving much deeper um into kind of what Fossa does and you know how, um I I think this uh the the SBOM and medical device security space in general starting to grow.
Christian: Cool, I think I think we'll zoom out for a second uh cuz this term SBOM not everybody probably understands SBOM. Uh but it's interesting because I've been involved with Medtech cyber security since like 2014 and and even back then there was the SBOM and people were doing SBOM but it seems like now it's just becoming more of a I guess mandate that people do it. So could we can we just unpack like what exactly is an SBOM and and, you know, what are some of the concerns with SBOMs? Cause I know a lot of our clients and prospects don't want to make the SBOM public, you know, they have some concerns about it. So what can we just uh you know, I guess dissect that a little bit, unpack it.
Cortez: Yeah, let me uh take an initial pass then, you know, Trevor, feel free to add any additional comments that you have from your end. So from from my perspective, you're 100% right, Christian that an SBOM stands for software bill of materials. Bills of materials have been a thing for a long time, right? You know, you got um different companies have used this and and various assets. I've actually I feel like Cyber security 101 is you cannot defend or protect something that you don't know exists. And so getting an accurate and up-to-date inventory is always priority number one. And so, um my read on how the industry has reacted is for a long time a lot of people were maintaining these lists of um both open source and commercial components that they were using in very, you know, archaic ways, right? Typically Excel sheets, which I love Excel, it runs the world, no problems with that. Um but it is really difficult um for people to digest Excel sheets at scale and then be able to do any type of ongoing analytics um about that.