Tidelift VP of product Lauren Hanford sat down with the daBOM podcast to discuss the TACOS framework and why SBOMs are just the beginning of a more secure open source software supply chain. Below are some of our selected highlights from the podcast episode. To hear more about Lauren’s career journey, the role SBOMs play in cybersecurity, government initiatives, and more, listen to the entire episode on daBOM.
So, you’ve got an SBOM—what now?
DJ Schleen: What are people doing with SBOMs? What kind of data are you extracting to help the community?
Lauren: A lot of what I’m working on these days, you could think of as SBOM enrichments. At this point, it’s generally going to be a best practice that you do need a way to centralize SBOMs into a single view.
But what I’m really interested in providing—with the TACOS framework—is what I would call SBOM enrichments. It’s starting with that index of packages that you’re using; that’s going to be both direct and transitive packages. Then it’s taking a look at what are the different secure development practices that went into building out that open source at that moment in time. In other words, you can create a record of the practices that were in place when that SBOM was committed by your application team.
Illuminating the SBOM: the TACOS framework
DJ Schleen: You mentioned TACOS. What is TACOS?
Lauren: TACOS stands for the Trusted Attestation and Compliance for Open Source framework. We worked really hard to get it to fit into that acronym in order to play well with GUAC and SLSA.
In the same way that SLSA is giving folks a concrete way to see what the provenance is, what steps were in place as the software was built, and what the different security implements were along the way, TACOS is giving a broader record of practices including:
- Did the project have a security policy in place?
- Who’s the security contact?
- Did they have 2FA enabled on the package manager?
- Did they have 2FA enabled on the source repository?
- And other pieces of material like that.
The data structure can feed into tools like GUAC, alongside other metadata that then gives customers a way to navigate that metadata. TACOS is a structured format that is about the build practices of the open source maintainer.
The TACOS framework and maintainer attestations
DJ Schleen: There’s also an attestation system for TACOS. What are you attesting to?
Lauren: A lot of this information that is in TACOS can only be attested to by the actual maintainer: knowing that 2FA was enabled, knowing if a security policy is truly in place and if it’s right. It’s a little bit of a “yes and” off of some of the OpenSSF Scorecard pieces that are taking a scraping, automated approach to discovering some of this metadata.
What we’re doing within TACOS is taking a more manual approach. We’re working directly with maintainers and we’re actually incentivizing the collection of that data. The attestation itself is coming from the maintainer themselves, and then we’re able to bundle and normalize that through what would end up being a JSON file that comes out of TACOS.
We’re also creating a record of what packages are asking for income to do this secure development work.
What about White House Executive Order 14028?
DJ Schleen: When we talk about the industry in general, how are you seeing the effects of Executive Order 14028, this information that you need to share out to the federal government?
Lauren: There’s almost a reaction of unbelievability. I do think that directionally it’s right, we need it, but it does feel like it’s going from zero to a hundred really fast. That’s been hard for people. When I’m thinking about this from that user experience place, I recognize that it can feel really overwhelming.
I thought something that was really pragmatic about the memorandums that came out, putting the teeth behind the secure software development framework [NIST SSDF], it seemed like a pretty practical approach to me. It was recognizing a lot of the things that folks are already doing or they’re on some journey with it, things like SBOMs or even roles and responsibilities in the software development lifecycle. Because it’s broader than “just” generating an SBOM, which in and of itself is challenging. It takes not just tooling or time, it takes organizational will, it takes coordination across a lot of different teams potentially. You’re competing for time with a lot of different initiatives that are native to the business.
What’s missing for open source, and what I think the NIST SSDF recognizes, is that there is no organizational structure set up for maintainers to do secure development work. Who is ensuring that this set of developers have the compliance, security, operational, and financial support they need to do development work in a secure manner?
— — —
To hear more about Lauren’s love for the X-Files, why SBOMs matter for security teams, Log4Shell and the maintainer impact, and more, listen to the podcast episode on daBOM.
Learn more about TACOS, the Tidelift Subscription, and how Tidelift can help your organization manage SBOMs and align with open source compliance.