In this episode, Matt Rose explains how a comprehensive SBOM can assist with the threat modeling of both existing and future software applications.

Learn More

- Webinar: Threat modeling and the software supply chain: Why it matters more than ever
- Blog: Threat modeling and the supply chain: An essential tool for managing risk
- Definition: What is threat modeling?

Episode Transcript

MATT ROSE: Hi, everyone. Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is SBOM plus Threat Modeling or SBOM and Threat Modeling. I recently did a webinar with a Threat Modeling expert. You might have heard of him. His name is Chris Romeo. He is one of the industry leaders in Threat Modeling.

He does a lot of talking on Threat Modeling. And we talked about threat modeling and software supply chain or software supply chain security. But one of the things that kind of came out of the conversation is the process to not only create a threat model for a future application but for existing applications.

Continuous threat modeling, as you will. Something that already exists. How do you threat model something that's already in existence? Well, this got me thinking. With the Executive Order 14028 and the follow on memorandum associated with increasing the nation's cybersecurity resilience and self attestation and SBOMs.

Think of it this way, because threat modeling is a very, very important aspect and practice for securing your application. It's really two phases for a threat modelist, the design and then saying, what the heck could happen to this thing? But a lot of times it's only as good as the people that are doing the threat modeling, and there's always that "error is human" type aspect.

So thinking about an SBOM, if you do have a comprehensive SBOM in an industry recognized format like Cyclone DX or SPDX, it won't basically validate the completeness of your threat model that you're not missing any packages, first party code or frameworks or open source packages or even COT software as part of it.

So think about it this way. If you take the package that you've created, you run binary analysis against it, which then creates a SBOM in your chosen format - Cyclone DX, SPDX - now you have something that could really drive an appropriate and more comprehensive, more accurate threat model. So think about this: SBOMs are important, but SBOMs may have uses that you're not even thinking about it. Just understanding what's in there, but it could actually help springboard your whole program of threat modeling because now you have a foundational document to start your threat modeling in. You know all the frameworks, you know all the open source packages, and it allows you to threat model much more effectively than just hoping you've got everything and you don't have that "the error is human" aspect.

That's this episode. Hope you enjoyed it. I'm Matt Rose, Field CISO at ReversingLabs. Thank you for watching everybody.