Stanford Security Lunch
Welcome to Security Lunch. We host speakers from both industry and academia to give talks related to applied cryptography, and system and network security.
If you're interested in attending, please sign up for the mailing list to receive updates about upcoming talks. There is an option to join virtually on Zoom.
If you're interested in giving a talk, we would love to have you! Please find more details in the About page.
You can find the upcoming and past talks for the current quarter below. We meet every Wednesday, 12 pm in Gates 415.
Winter 2025
Upcoming
Abstract: The Software Bill of Materials (SBOM) is a listing of all dependencies and thus potentially all vulnerabilities in a product. Analogies have been made to safety as with materials safety data sheets and with general nutrition labels for cyber health for allergens. In this I argue that SBOM has the potential to significantly resolve the security lemons problem. I begin by defining the lemons market in security and privacy. I introduce SBOM for those not familiar with the initiative. SBOM makes the data available. But that is one of three parts of a solution. The data must exist; the data must be presented as actionable information; and consumers must care. We frame this argument using three summaries of results: first by illustrating SBOM contains data others find important; then illustrating that simple indicators can enable selections of secure products; and finally by showing that security-aware consumers will pay more for security. SBOMs may present an effective and viable option to resolving the lemons market, but they are inadequate if that data are not integrated into usable communications. This paper seeks to draw from past research to argue for the potential for increased transparency, bringing together a range of experimental methods and results.
Bio: L Jean Camp is a Professor of Informatics and Computer Science in the Luddy School of Informatics, Computing, and Engineering at Indiana University. She is a Fellow of the Institute of Electrical and Electronics Engineers, a Fellow of the American Association for the Advancement of Science, and a Fellow of the ACM. Jean Camp began her studies in electrical engineering and mathematics in North Carolina at Charlotte. After graduating, she was an engineer at the Catawba Nuclear facility, where she oversaw emergency systems and in-core thermocouples. She returned to graduate school and immediately discovered the subtlety of optical engineering; her MS thesis was on the use of free space and guided wave optical interconnects. She joined the Department of Engineering and Public Policy in Carnegie Mellon to complete her PhD in the policy implications of American competitiveness in optics and optical engineering. Yet Carnegie Mellon University in the early nineties was an explosion of Internet technologies, and her volunteer activities for Computer Professionals for Social Responsibility soon became vocation as well as avocation. Her early volunteer work was with the IEEE in working to provide technical insight into the hazard of building a systematically insecure Internet in what is now called the Crypto Wars. She graduated with one of the early dissertations on monetary transactions on the Internet, and became a Senior Member of the Technical Staff at Sandia National Laboratories in Livermore. A short year later, as Internet commerce’s promise became a booming reality, she was recruited by Harvard's Kennedy School to study the implications of the information infrastructure. While at Harvard she was also a research affiliate in the Advanced Network Architecture Group at MIT. In addition to course instruction she taught executive education modules on the use of open source in public management, design for privacy, and Internet security. 
Her course in the Kennedy School on engineering-economics was co-listed at MIT. She was an early volunteer and advocate for the Government Open Code Consortium. As Internet commerce matured from emerging policy frontier to daily life, she departed Harvard to build and lead the security group in the newly-formed School of Informatics at Indiana University in Bloomington (IUB). She has continued to volunteer in the ACM Technology Policy Council and the IEEE USA Public Policy committees. A career-long advocate of inclusion, she has engaged over 100 students in research experiences for undergraduates and tens of masters students, as well as advising diverse and excellent cohorts of doctoral students.