Last Friday, I taped (not the right word anymore, of course) a podcast with Dale Peterson. It was put up today, and you can listen to it here.

I want to thank Dale for inviting me to do this; it went very well. Dale has been very interested in SBOMs for a while and asked some great questions. We got into SBOM formats, VEXes, the EO, and especially how I see the SBOM marketplace shaping up (my answer: It’s like the Web marketplace in 1995, right after the Netscape IPO. Everyone knew the Web would be huge, but nobody could have identified the companies that are big players nowadays. In fact, most of them didn’t even exist then. The best is still to come on SBOMs, and there’s lots of opportunity).

So you may find the podcast to be interesting. One note: My “Road to Damascus” post that Dale and I discussed is here. It’s about why I think most organizations won’t want to do software risk analysis on their own, and I don’t think they should be forced to, either. I think the suppliers should do it, or they should engage a third-party organization for that task (I named one organization that I know will be offering that service in the podcast. There may be others that will offer it as well, and if I hear of any, I’ll let you know. I will point out that this isn’t a service that can be performed using an hourly consulting model).

So end-user organizations (who aren’t also software developers) don’t need SBOMs or VEXes; what they need is the analysis that will help them identify the risks latent in the components of the software they utilize. Most importantly, they need a list of exploitable component vulnerabilities for every software product that they utilize. And they need each of these lists updated regularly, ideally daily. In fact, once the supplier or third party has the tooling in place, there won’t in principle be a reason why they couldn’t update the analysis hourly – although that might be a little cumbersome, given the number of possible users for the service (i.e. ultimately every organization on the planet. I can’t speak for other planets at this time).

Of course, many organizations will still want to receive the SBOMs and VEXes themselves and do their own analysis. So we still need tools aimed at consumers of software, which will let them perform this analysis on their own. Those will come as well, although they’re later in arriving than most of us had hoped.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.