1
00:00:00,000 --> 00:00:12,800
Welcome to the Azure Security podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft cloud platform.

2
00:00:14,700 --> 00:00:26,660
Hey everybody, welcome to episode 69. This week it is myself, Michael with Mark, and we have a guest, Adrian D'Aulio, who's going to talk to us about S-bomb software bill of materials.

3
00:00:26,660 --> 00:00:31,620
But before we get to Adrian, let's take a little wrap around the news. I'll kick things off.

4
00:00:31,620 --> 00:00:45,780
I've got a few items I'd like to talk about. The first one is a colleague of mine, Andreas Walter, has written a blog post, which is the summary of 2022 security investments in Azure SQL and SQL Server 2022.

5
00:00:45,780 --> 00:00:53,620
Nice succinct list, gives you a quick overview of some of the major changes that we've made in the SQL Server platform.

6
00:00:53,620 --> 00:01:06,620
Next one is in public preview. This is actually another one of Andreas's little babies, is Microsoft Purview integration and access policies for SQL Server 2022.

7
00:01:06,620 --> 00:01:18,620
This is actually really cool. You'll see over time that Microsoft will make more investments in Microsoft Purview, allowing you to set sort of global access policies and manage them in a sort of easier manner.

8
00:01:18,620 --> 00:01:23,620
So it's nice to see this as available now in SQL Server 2022.

9
00:01:23,620 --> 00:01:33,620
Still with a database bent, general availability. We now have encryption with customer managed keys for Azure Database for Postgres SQL Flexible Server.

10
00:01:33,620 --> 00:01:44,620
You know, having mentioned this on numerous occasions, a lot of the big changes that you're going to see across so many Azure services is more support for customer managed keys.

11
00:01:44,620 --> 00:01:58,620
Although I think we're probably getting to the end now, we're getting close. Use of AAD, Azure Active Directory for client authentication, as well as managed identities for client authentication, and also more support for private endpoints.

12
00:01:58,620 --> 00:02:05,620
So it's great to see that Azure Database for Postgres SQL Flexible Server now has support for customer managed keys for encryption of data arrest.

13
00:02:05,620 --> 00:02:18,620
Also in GA is Azure Active Directory authentication for Azure Database for MySQL Flexible Server. Again, like I just mentioned, it's these sort of big waves that we're seeing across the board.

14
00:02:18,620 --> 00:02:26,620
And obviously the database products are getting that love as well. So Azure AAD or client authentication for Azure Database for MySQL.

15
00:02:26,620 --> 00:02:38,620
Still talking about MySQL Flexible Server, we now have, again, in general availability Azure Database for MySQL Flexible Server now has data encryption with customer managed keys, just like Postgres SQL.

16
00:02:38,620 --> 00:02:47,620
So again, as I've already mentioned, great to see more and more products giving customers support, customers control, I should say, over their keys.

17
00:02:47,620 --> 00:02:59,620
And the last one, which has got absolutely nothing whatsoever directly to do with database products, we now have in GA, application security groups now have support within private endpoints.

18
00:02:59,620 --> 00:03:06,620
So when private endpoints first came out, it didn't have things like user defined routes and network security groups.

19
00:03:06,620 --> 00:03:12,620
Well, now, I think probably about a year ago now, that support was added.

20
00:03:12,620 --> 00:03:21,620
Well, now we've sort of followed up with the next level, which is application security groups. Application security groups are essentially an extension of network security groups.

21
00:03:21,620 --> 00:03:30,620
So again, it's really nice to see that private endpoints are getting sort of more of these network defenses. And that is all I have. Mark, over to you.

22
00:03:30,620 --> 00:03:50,620
Yeah, so in my world, a couple things of interest. First is that a couple of the architecture design session modules, Module 1, the end-to-end architecture, and Module 3 are ready and pretty much can be scheduled for delivery for folks that do have unified support.

23
00:03:50,620 --> 00:04:18,620
So that's been a big area of effort for me personally, getting these out there. There's somewhere in the 240 to 270 slide range for those two. So they are not small, but they cover the end-to-end view of security and principles and concepts and models and structured initiatives and how to deliver on those and reference plans on how to execute on modernizing your SOC and patching and backup and some of the end-to-end stuff.

24
00:04:18,620 --> 00:04:25,620
The identity and the other ones are going to be coming along with Modules 2 and 4 and whatnot.

25
00:04:25,620 --> 00:04:40,620
So that's something you can check out. The CISO workshop, that's sort of like our landing page for that right now. And of course the CISO workshop videos themselves, about four hours of recorded content is also there and available.

26
00:04:40,620 --> 00:04:57,620
One thing I wanted to highlight, because this came up a few times on discussions on Twitter, I'm starting to sound like some of the old-school Microsoft people from 20 years ago, like where I'm starting to cite the immutable laws and the newer laws of cybersecurity risk more and more.

27
00:04:57,620 --> 00:05:14,620
I'm going to pop a link to those into the show notes as well. We still see a lot of people kind of asking the same sort of FAQs in a way and saying, oh my gosh, it's a compromise. No, you're already admin. So it's not really a compromise if admin is already in the attacker's possession.

28
00:05:14,620 --> 00:05:28,620
And so that's another sort of piece there. And then some news news is my next task is to work on the Microsoft Cybersecurity Reference Architecture, or MCRA as many people call it.

29
00:05:28,620 --> 00:05:42,620
Effectively, that's one of the things I'm going to be focusing in on over the next few months. And so if you've got feedback or requests or, hey, we'd love to see something covered, feel free to ping me on LinkedIn or Twitter or one of the socials.

30
00:05:42,620 --> 00:05:50,620
But yeah, we're also throwing the links for the MCRA and the videos for it there as well. So that's all I got this week.

31
00:05:50,620 --> 00:05:57,620
By the way, for anyone out there who's not seen any of Mark's presentations, they're a work of art. They're actually a magnum opus. I mean, they're just huge.

32
00:05:57,620 --> 00:06:05,620
No, they're so much better than my slides. I mean, I'm actually, I don't know if this is a good thing or anything I should be proud of, but my slides are like Times New Roman on white.

33
00:06:05,620 --> 00:06:13,620
You know, I mean, that's basically it. But yours are actually kind of elegant and there's a lot of, I mean, they're incredibly dense as well.

34
00:06:13,620 --> 00:06:20,620
I mean, you definitely take the award for the most content per slide that I've ever seen, but it's good stuff, you know.

35
00:06:20,620 --> 00:06:25,620
I mean, so yeah, to anyone out there who's not seen Mark's work, you really should take a look at it.

36
00:06:25,620 --> 00:06:31,620
And I'm not just saying this to sort of pep him up a little bit. He doesn't need any more of that from me, but the work is just magnificent.

37
00:06:31,620 --> 00:06:37,620
And it's so broad and it's so deep and it's so insightful and it's just, and it's practical as well.

38
00:06:37,620 --> 00:06:45,620
And that's one thing I love. I'm not a fan of sort of theoretical security. I much rather prefer security that's, you know, been there, done that,

39
00:06:45,620 --> 00:06:53,620
learn from other customers, learn from ourselves, learn from our own environment and then sort of codify that into, you know, into material.

40
00:06:53,620 --> 00:06:59,620
So yeah, I would highly recommend anyone take a look at those slides and the accompanying material.

41
00:06:59,620 --> 00:07:05,620
And as for your comments about the immutable laws, I think you just called me old just then. Is that right?

42
00:07:05,620 --> 00:07:08,620
I got gray hair too, my friend.

43
00:07:08,620 --> 00:07:12,620
All right. So let's switch to our guest this week.

44
00:07:12,620 --> 00:07:20,620
So as I mentioned at the beginning, our guest this week is Adrian Diglio, who's here to talk to us about Software Bill of Materials.

45
00:07:20,620 --> 00:07:23,620
So Adrian, thank you so much for joining us this week.

46
00:07:23,620 --> 00:07:27,620
We'd like to take a moment and just give our listeners a brief background on who you are.

47
00:07:27,620 --> 00:07:31,620
Thanks for having me, Michael. Brief background on who I am.

48
00:07:31,620 --> 00:07:36,620
I lead the secure software supply chain team inside Microsoft.

49
00:07:36,620 --> 00:07:41,620
So I drive the central strategy for securing Microsoft's supply chain end to end.

50
00:07:41,620 --> 00:07:47,620
That's entirely focused on protecting the developer and protecting the developer's engineering system.

51
00:07:47,620 --> 00:07:53,620
Things like Azure DevOps and GitHub and the build system and release systems.

52
00:07:53,620 --> 00:08:01,620
As part of securing the supply chain, SBOMs have been a part of our overall strategy.

53
00:08:01,620 --> 00:08:09,620
And we've actually been involved in the SBOM space since 2019.

54
00:08:09,620 --> 00:08:19,620
We were part of the CISQ Consortium for Information and Software Quality SBOM initiative,

55
00:08:19,620 --> 00:08:23,620
where we were working on defining a new schema.

56
00:08:23,620 --> 00:08:38,620
And we were there working on this since 2019, which was actually two years prior to the US Presidential Executive Order 14.028 that was issued in 2021.

57
00:08:38,620 --> 00:08:50,620
The executive order is famous, of course, for mandating that SBOMs be provided for every piece of software sold to federal agencies.

58
00:08:50,620 --> 00:09:05,620
So that ensuring Microsoft's adherence and conformance to the executive order requirements and preparing us to meet those requirements has been a large part of my role here at Microsoft.

59
00:09:05,620 --> 00:09:12,620
OK, so I got to ask the like super basic question. What is an SBOM?

60
00:09:12,620 --> 00:09:21,620
Physically, an SBOM is a single machine readable file. So it's usually JSON or text or YAML.

61
00:09:21,620 --> 00:09:33,620
But it's a point in time snapshot that describes the various files and components that make up a specific version of software.

62
00:09:33,620 --> 00:09:43,620
The analogy that's usually drawn is that an SBOM is similar to an ingredients list on food packaging.

63
00:09:43,620 --> 00:09:51,620
So if you are allergic to something, you might want to be checking the ingredients list before you eat food.

64
00:09:51,620 --> 00:10:10,620
In the software world, we didn't have the same equivalent. And so SBOMs are now a way to provide transparency into the open source components that developers use that's embedded inside the software that they build.

65
00:10:10,620 --> 00:10:14,620
Gotcha. So it sounds like it's a fairly foundational component.

66
00:10:14,620 --> 00:10:23,620
It's not like it's a solution like, oh, I just bought an XGR and it popped out alerts. It's like a foundational thing that other things would use.

67
00:10:23,620 --> 00:10:33,620
Correct. And while the concept of SBOMs has been around for some time, they are really picking up steam just recently.

68
00:10:33,620 --> 00:10:48,620
So I think the industry is still going through the crawl, walk, run motions of getting used to SBOMs and figuring out how to distribute them from producer to consumer and those sorts of things.

69
00:10:48,620 --> 00:10:55,620
We want to live in a world where we have SBOMs for every single piece of software and every version of it.

70
00:10:55,620 --> 00:11:13,620
Okay. So now I'm going to take a slightly snarky tone for just a moment, but I mean, that sounds like it's a lot of work. So why is it important? What are the use cases and scenarios that make this something I would want to invest in as an organization or as someone that's learning it or what have you?

71
00:11:13,620 --> 00:11:33,620
So the benefits for a software producer. So there's two sides of benefits. There's benefits for the producer and benefits for consumers of software. For the producer, an SBOM provides you a baseline inventory of your dependencies that are deployed inside your application.

72
00:11:33,620 --> 00:11:48,620
So it kind of automatically captures your dependencies for you. And that's a fantastic thing for for baselining. But the real benefit of SBOMs is the transparency that they provide to your customers.

73
00:11:48,620 --> 00:12:02,620
And transparency is an element of trust. So by providing an SBOM, you are building trust with your customer base.

74
00:12:02,620 --> 00:12:17,620
Additionally, the SBOM contains other metadata about the components that are listed inside of it. Things like unique software identification values and cryptographic hashes.

75
00:12:17,620 --> 00:12:32,620
So because not all software is digitally signed, there are scenarios where you may want to rely on the hashes contained in the SBOM to validate the integrity of the software.

76
00:12:32,620 --> 00:12:43,620
So it's another way to help improve the security of the the integrity of the software, or at least enable customers to validate it.

77
00:12:43,620 --> 00:12:48,620
And then of course, there's the compliance with regulatory requirements.

78
00:12:48,620 --> 00:13:02,620
The executive order is not the only thing that is asking vendors to produce SBOMs. There's the FDA, Food and Drug Administration.

79
00:13:02,620 --> 00:13:26,620
All new medical devices need to be able to submit an SBOM to the FDA before they are reviewed and approved. And then medical device manufacturers need to submit the SBOM to the health care organizations afterward.

80
00:13:26,620 --> 00:13:38,620
Furthermore, there's there's new policy coming out of the European Union. UN regulation number 155.

81
00:13:38,620 --> 00:13:55,620
While this policy does not directly ask for something called an SBOM, it actually is concerning the approval of vehicles and the vulnerabilities of the components inside those vehicles.

82
00:13:55,620 --> 00:14:07,620
And I've talked to a number of vehicle manufacturers already, and they all believe that an SBOM is the way to satisfy the requirements in that UN regulation number 155.

83
00:14:07,620 --> 00:14:15,620
So it's gaining steam and adoption. Other countries around the world are watching closely to see how well this happens.

84
00:14:15,620 --> 00:14:26,620
And so we're starting to see more and more countries follow suit with requesting SBOMs because they want to understand their supply chain risk.

85
00:14:26,620 --> 00:14:34,620
They want to be able to answer the question, am I affected when the next log for J happens or spring for Shell?

86
00:14:34,620 --> 00:14:43,620
And they were never able to answer those questions before. And with SBOMs, they can. They can know if they're affected and what is affected.

87
00:14:43,620 --> 00:15:07,620
So there's there's numerous benefits on the consumer side, especially such as verifying that all the legal license compliance are there as well, because the SBOM lists, you know, what sort of open source dependencies you have and their license and their their version number.

88
00:15:07,620 --> 00:15:15,620
And so these are all things that that enterprises out there want to be able to manage effectively according to their own policies.

89
00:15:15,620 --> 00:15:29,620
All right. So following on from from Mark's comments, then your reply, you know, it's funny, I'm working with some customers, actually not not too long ago, who had no idea how prevalent open SSL was in their environment.

90
00:15:29,620 --> 00:15:43,620
And there'd been a nasty vulnerability. And yeah, it was it was for some customers, pretty catastrophic and almost impossible to understand what their posture was, because they just didn't know where open SSL was being used.

91
00:15:43,620 --> 00:15:48,620
And don't get me wrong, it's not just open SSL, it's many other products. As you mentioned before, this actually does sound a lot like a nutritional label.

92
00:15:48,620 --> 00:16:01,620
I remember many years ago, there was an idea sort of thrown around about non SBOM, but a nutritional label for security engineering was what sort of engineering processes you went through.

93
00:16:01,620 --> 00:16:12,620
And what sort of defenses do you put in the compiled on link code. So for example, stat protections and dress space layout randomization and the use of no execute those kinds of things.

94
00:16:12,620 --> 00:16:25,620
I'm not sure that everyone anywhere but it's a similar idea but it's but it's definitely not SBOM. So just want to reiterate one thing, make sure I'm correct on this. So the big driver behind this is the executive order around supply chain.

95
00:16:25,620 --> 00:16:41,620
Is that right? That's correct. That's, that's had the most push. Okay. And as early as June of this year 2023, critical software will need to be able to prove they are executive order compliant.

96
00:16:41,620 --> 00:17:03,620
And by September 2023, all other software sold to the federal government needs to be able to prove that they are executive order compliant. And it's, it's at those timelines that any federal agency will be able to request artifacts of conformance, including an SBOM.

97
00:17:03,620 --> 00:17:09,620
And so making them easily accessible is a goal of Microsoft's.

98
00:17:09,620 --> 00:17:26,620
Yeah, so you bring up that point. So what is Microsoft doing? So let's say I'm a product within Microsoft. Pick on doesn't matter what the product is. What processes does that team have to go through? And then what is the results and where can people find that information?

99
00:17:26,620 --> 00:17:46,620
So internal at Microsoft in the development workflow, our team created the SBOM generator that generates SPDX SBOMs. That's a software package data exchange. It's one of the common SBOM formats that's out there.

100
00:17:46,620 --> 00:17:52,620
And it's also an ISO standard, which is why Microsoft chose to adopt SPDX.

101
00:17:52,620 --> 00:18:06,620
And we created this tool that that outputted executive order compliant SBOMs and we integrated it into everybody's build pipelines across the company.

102
00:18:06,620 --> 00:18:23,620
And so today, these SBOMs are generated at every build for all the production pipelines and some teams have already started blazing the trail for including the SBOM in their compiled bits.

103
00:18:23,620 --> 00:18:42,620
So for PowerShell version 7.2 and newer and all accompanying modules, when you go install PowerShell on your machine, the SBOM is actually written to disk. The SBOM is included inside and that way it travels with the bits.

104
00:18:42,620 --> 00:19:04,620
And it makes sense for binaries, but there's other types of software like container images and there's software as a service and cloud services where the consumer won't have access to the bits and won't be able to grab the SBOM.

105
00:19:04,620 --> 00:19:16,620
So there are different SBOM delivery choices based on what type of software we're talking about. And we're working through that now.

106
00:19:16,620 --> 00:19:23,620
Just to continue that PowerShell example, that's a good one. So you're saying that the SBOM is actually like a resource in the binary?

107
00:19:23,620 --> 00:19:29,620
Correct. Yeah. So when you install it, it's in the folder, the directory.

108
00:19:29,620 --> 00:19:32,620
So is it a separate file? Is it actually in the binary?

109
00:19:32,620 --> 00:19:34,620
It's a separate file, yes.

110
00:19:34,620 --> 00:19:37,620
Okay. And I assume that file is digitally signed, right?

111
00:19:37,620 --> 00:19:40,620
We are working on that now.

112
00:19:40,620 --> 00:19:41,620
Okay.

113
00:19:41,620 --> 00:19:54,620
So yeah, PowerShell was a bit of a trailblazer because their customers were asking for it. So they went ahead and created the SBOM files and made them readily available.

114
00:19:54,620 --> 00:20:03,620
And I have a link that maybe we could provide in the notes of this session to share with everyone.

115
00:20:03,620 --> 00:20:10,620
Yeah, you bet. Okay. So I've installed PowerShell and there's a file in there that is the SBOM information.

116
00:20:10,620 --> 00:20:20,620
Now what? What do I do? So if I'm a federal agency or just a corporation who wants to understand what the bill of materials looks like for a component, now what?

117
00:20:20,620 --> 00:20:28,620
Does someone look at that? Are there tools that you run that say, hey, this component is out of this, you know, this part of this component is out of date or something like that?

118
00:20:28,620 --> 00:20:29,620
How does that work?

119
00:20:29,620 --> 00:20:42,620
That's a great question. The other side of this coin, you know, like step one is we need vendors everywhere to be generating SBOMs and making them available for consumption.

120
00:20:42,620 --> 00:20:54,620
Step two is, you know, enterprises need to or IT shops need to have some sort of an SBOM management capability.

121
00:20:54,620 --> 00:21:03,620
There are new tools popping up all over the place that do that where you can load in the SBOMs for your environment.

122
00:21:03,620 --> 00:21:12,620
And then these tools do vulnerability lookups of all of the open source components that are listed inside those SBOMs.

123
00:21:12,620 --> 00:21:21,620
So now consumers, not only do they know what components we're using, they can also look up and see if there's known vulnerabilities of these components.

124
00:21:21,620 --> 00:21:30,620
And so Microsoft has has done some interoperability testing with with two of these vendors that make the such products.

125
00:21:30,620 --> 00:21:42,620
So one of them is called SAG PM four and the other one is made by a company called Sybeats and the products called SBOM Studio.

126
00:21:42,620 --> 00:21:52,620
You know, both of them are great. Both of them allow you to, you know, import these SBOMs and do vulnerability lookups accordingly.

127
00:21:52,620 --> 00:21:56,620
Yeah, that's pretty cool. Right. I mean, it's all very well having the bill of materials.

128
00:21:56,620 --> 00:22:01,620
Now what? Yeah, that's that's actually really, really cool. That's that's good to see.

129
00:22:01,620 --> 00:22:07,620
So the other question is, you know, are we seeing this adoption industry wide?

130
00:22:07,620 --> 00:22:18,620
Yeah, the executive order is the main driving force for the rollout of software bill of materials prior to the executive order.

131
00:22:18,620 --> 00:22:32,620
And I think the whole reason why software bill of materials was included in the executive order is because of the work that the FDA was doing, asking for a software bill of materials for medical devices.

132
00:22:32,620 --> 00:22:41,620
And when they were rolling out this new requirement, they were socializing that requirement with the industry for quite some time.

133
00:22:41,620 --> 00:23:05,620
And the NTIA, National Telecommunications and Information Agency, got involved with the medical device industry and did two proof of concepts to prove out that software bill of materials are viable and useful and that they can be, you know, passed around and consumed with, you know, existing tools.

134
00:23:05,620 --> 00:23:14,620
And and it's because of all that predecessor work that the request for SBOMS was actually included in the executive order.

135
00:23:14,620 --> 00:23:21,620
I don't know that. That's actually pretty cool. That's actually pretty cool. I mean, as long as people can get hold of the SBOMS.

136
00:23:21,620 --> 00:23:36,620
I mean, if I buy some software, how will I know where the SBOM is? Or do I expect a file to pop up in the folder during installation? Or can I get the SBOM before I even install the application? How does that kind of work?

137
00:23:36,620 --> 00:23:46,620
You know, that may sway my decision as to whether I deploy this thing. If I find that, you know, it's got 27 known critical vulnerabilities in the package, perhaps I'm not going to install it.

138
00:23:46,620 --> 00:23:54,620
Is that scenario possible or is it really, you know, are there defined processes around how to get the SBOM from any particular installation of a software package?

139
00:23:54,620 --> 00:24:07,620
You bring up an excellent point. Everybody does expect that people will want to review an SBOM before choosing or selecting a given piece of software.

140
00:24:07,620 --> 00:24:21,620
As such, the SBOM actually needs to be contained outside of the binary. It needs to be available separately so that it can be reviewed prior to acquisition of the software.

141
00:24:21,620 --> 00:24:28,620
This kind of brings up kind of like an interesting point of where the industry is as a whole.

142
00:24:28,620 --> 00:24:37,620
We want the SBOM to be included in the bits that get shipped to customers so that it always travels with the software.

143
00:24:37,620 --> 00:24:49,620
But we also need to make it available out of band. Microsoft is currently considering ways where we would have like a repository of all of our SBOMs that you could search through and look through.

144
00:24:49,620 --> 00:25:00,620
There's been ideas brought up about marketplaces and should they show the SBOM there prior to you choosing something from out of the marketplace.

145
00:25:00,620 --> 00:25:18,620
There's a lot of opportunities and so there's a lot of cross coordination on figuring out what is the best experience that we need to have for our customers to make SBOMs like a first class citizen and, you know, natively support it in our work.

146
00:25:18,620 --> 00:25:27,620
Yeah, thanks for that. I think, you know, just listening to all of this and knowing that the executive order is relatively new, relatively new event.

147
00:25:27,620 --> 00:25:34,620
It's obvious that there's a lot of work going on here in the industry and it's great to see, you know, great to see Microsoft leading the way.

148
00:25:34,620 --> 00:25:43,620
So why don't we bring this thing to a close? So Adrian, one thing we always ask our guests is if you had just one thought to leave our listeners with, what would it be?

149
00:25:43,620 --> 00:25:52,620
Yeah, I just want to share that the tool that Microsoft created to generate SBOMs is now open source.

150
00:25:52,620 --> 00:26:04,620
So you can go search for, you know, the Microsoft SBOM tool on GitHub and it is, you know, a general purpose cross platform, cross Windows, Linux and Mac,

151
00:26:04,620 --> 00:26:13,620
build time SBOM generator that you can run in your CI workflows and it outputs SPDX SBOMs in JSON format.

152
00:26:13,620 --> 00:26:19,620
So anybody can freely go use that today and start generating SBOMs for your software.

153
00:26:19,620 --> 00:26:25,620
Yeah, that's great. I mean, I'm definitely going to take a look at it myself just out of interest more than more than anything else.

154
00:26:25,620 --> 00:26:29,620
But this is but yeah, just go start kicking the tires on it.

155
00:26:29,620 --> 00:26:36,620
So Adrian, thank you so much for joining us this week. I know you're a busy guy. This is an area that has certainly been of interest to me,

156
00:26:36,620 --> 00:26:43,620
even though my knowledge of it is relatively small, but certainly my knowledge of it now is a lot better than it was at the beginning of the podcast.

157
00:26:43,620 --> 00:26:48,620
So thank you very much. And to all our listeners out there, thank you so much for listening.

158
00:26:48,620 --> 00:27:03,620
We hope you found this podcast of use. Stay safe and we'll see you next time.

159
00:27:18,620 --> 00:27:20,620
Thank you.