Thursday, May 5, 2022

Finally – an SBOM webinar for the rest of us

Up until recently, almost the entire focus of SBOM messaging was on software developers. The reason for that – which I don’t argue with at all – was that SBOMs have to be both produced and used. Unless the software suppliers get on board, it won’t matter whether users want SBOMs or not – they won’t get them if they aren’t available in the first place. The users need to “pull” on the SBOM string, but there won’t be any string to pull on if the suppliers aren’t “pushing” the SBOMs out on their end.

Well, that battle has been won. Software developers are using SBOMs for their own vulnerability management purposes, and heavily (as the 202 million calls from Dependency-Track to the OSS Index vulnerability database – in one month – attest). Now it’s time to get the users interested in receiving those SBOMs. That way, the string will actually move, as opposed to being pushed from behind into a tangled ball that doesn’t go anywhere because nobody’s pulling on the other end.

But consumers aren’t interested in having SBOMs so they can a) impress their children that they know something about technology, too; b) print them out on waxy paper and use them to wrap fish; or c) print them out on contact paper and use them to paper the walls of their new den. They want to use them for vulnerability management purposes, so their organizations can be more secure, and so they don’t have to run around for months trying to find every instance of the next log4j.

In early April, Fortress Information Security[i] put out a white paper that was the first document (that I’ve seen) that discusses using SBOMs, not producing them. And in another first, it’s aimed entirely at software consumers (who can be assumed to know very little about SBOMs), rather than software developers (who can be assumed to know a lot about them).

Now, Fortress has put together what looks like it will be the first webinar describing how people like you and me can use SBOMs to make our organizations more secure, rather than to wrap fish. While I don’t know what will be in it, I’m sure it will be good. You can read about the webinar (on Thursday, May 12 at 11 AM EDT) and sign up for it here. See you there!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] Full disclosure: I provide consulting services to Fortress, although I’m promoting this webinar because it’s sorely needed.