Wednesday, February 9, 2022

My guest “appearance” on Dale Peterson’s podcast


Last Friday, I taped (not the right word anymore, of course) a podcast with Dale Peterson. It was put up today, and you can listen to it here. I want to thank Dale for inviting me to do this; it went very well. Dale has been very interested in SBOMs for a while and asked some great questions. We got into SBOM formats, VEXes, the EO, and especially how I see the SBOM marketplace shaping up (my answer: It’s like the Web marketplace in 1995, right after the Netscape IPO. Everyone knew the Web would be huge, but nobody could have identified the companies that are big players nowadays. In fact, most of them didn’t even exist then. The best is still to come on SBOMs, and there’s lots of opportunity).

So you may find the podcast interesting. One note: my “Road to Damascus” post that Dale and I discussed is here. It’s about why I think most organizations won’t want to do software risk analysis on their own, and I don’t think they should be forced to, either. I think the suppliers should do it, or they should engage a third-party organization for that task (in the podcast I named one organization that I know will be offering that service. There may be others that will offer it as well, and if I hear of any, I’ll let you know. I will point out that this isn’t a service that can be performed using an hourly consulting model).

So end-user organizations (who aren’t also software developers) don’t need SBOMs or VEXes; what they need is the analysis that will help them identify the risks latent in the components of the software they utilize. Most importantly, they need a list of exploitable component vulnerabilities for every software product that they utilize. And they need each of these lists updated regularly, ideally daily. In fact, once the supplier or third party has the tooling in place, there will in principle be no reason why they couldn’t update the analysis hourly – although that might be a little cumbersome, given the number of possible users for the service (i.e. ultimately every organization on the planet. I can’t speak for other planets at this time).
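The analysis described above (joining an SBOM, a vulnerability source and the supplier’s VEX statements into a list of exploitable component vulnerabilities), as an added Python example that is not from the post or the podcast; the SBOM, vulnerability feed and VEX data are all constructed, the advisory IDs are placeholders, and the field layout is simplified rather than a real SBOM or VEX schema.

```python
# Added example (not from the post): build the "exploitable component vulnerabilities"
# list an end user needs, by joining an SBOM, a vulnerability feed and a VEX document.
# All data below is constructed; field names are simplified, not a real SBOM/VEX schema.

# Constructed SBOM: the components of one product, as (name, version) pairs.
SBOM = {"product": "widget-ctrl 3.1", "components": [
    ("libxml2", "2.9.10"), ("log4j-core", "2.14.1"), ("openssl", "1.1.1k")]}

# Constructed vulnerability feed: (component, version) -> advisory IDs (placeholders).
VULN_FEED = {
    ("libxml2", "2.9.10"): ["VULN-A-0001"],
    ("log4j-core", "2.14.1"): ["VULN-B-0002", "VULN-B-0003"],
    ("openssl", "1.1.1k"): ["VULN-C-0004"],
}

# Constructed VEX statements from the supplier. The status vocabulary is the one used
# in CISA's VEX documents: not_affected / affected / fixed / under_investigation.
VEX = [
    {"product": "widget-ctrl 3.1", "vuln": "VULN-A-0001", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"product": "widget-ctrl 3.1", "vuln": "VULN-B-0002", "status": "affected"},
    {"product": "widget-ctrl 3.1", "vuln": "VULN-C-0004", "status": "under_investigation"},
]


def exploitable_vulns(sbom, feed, vex):
    """Return (exploitable, needs_triage) for the product described by the SBOM.

    A component vulnerability is dropped only on an explicit not_affected or fixed
    statement for this product. Anything unstated or under_investigation is kept in
    the triage list: the absence of a VEX statement is not evidence of safety.
    """
    statuses = {(s["product"], s["vuln"]): s["status"] for s in vex}
    exploitable, needs_triage = [], []
    for name, version in sbom["components"]:
        for vuln_id in feed.get((name, version), []):
            status = statuses.get((sbom["product"], vuln_id), "unstated")
            if status in ("not_affected", "fixed"):
                continue
            entry = (name, version, vuln_id, status)
            (exploitable if status == "affected" else needs_triage).append(entry)
    return exploitable, needs_triage


if __name__ == "__main__":
    exp, triage = exploitable_vulns(SBOM, VULN_FEED, VEX)
    print("exploitable:", exp)
    print("needs triage:", triage)
```

Re-running this join whenever the feed or the VEX changes is the daily (or hourly) refresh the post describes.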

Of course, many organizations will still want to receive the SBOMs and VEXes themselves and do their own analysis. So we still need tools aimed at consumers of software, which will let them perform this analysis on their own. Those will come as well, although they’re later in arriving than most of us had hoped.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
