Up until recently, almost the entire focus of SBOM messaging was on software developers. The reason for that – which I don’t argue with at all – was that SBOMs have to be both produced and used. Unless the software suppliers got onboard, it wouldn’t matter whether users want SBOMs or not – they won’t get them if they aren’t available in the first place. The users need to “pull” on the SBOM string, but there won’t be any string to pull on, if the suppliers aren’t “pushing” the SBOMs out on their end.
Well, that battle has been won. Software developers are using SBOMs heavily for their own vulnerability management purposes (as the 202 million calls from Dependency-Track to the OSS Index vulnerability database in a single month attest).
Now it’s time to get the users interested in receiving those SBOMs. That way the string will actually move, instead of being pushed from behind into a tangled ball that goes nowhere because nobody is pulling on the other end.
But consumers aren’t interested in having SBOMs so they can a) impress their children that they know something about technology, too; b) print them out on waxy paper and use them to wrap fish; or c) print them out on contact paper and use them to paper the walls of their new den. They want to use them for vulnerability management purposes, so their organizations can be more secure, and so they don’t have to run around for months trying to find every instance of the next log4j.
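The consumer-side use the post has in mind, finding every copy of a vulnerable component across what you run, is what the following added example does against a CycloneDX JSON SBOM. It is not code from the post, from Fortress, or from Dependency-Track; the SBOM, its component tree, the application name and the affected-range bounds for log4j-core are all constructed for illustration (in practice the range comes from a vulnerability feed such as OSS Index rather than being hard-coded), and the scan walks nested components because the transitive copies are the ones that take months to find by hand.

```python
"""Added example (not from the original post): scan a CycloneDX JSON SBOM for
every copy of a component that falls in a known-affected version range."""
import json

# Constructed advisory record standing in for what a vulnerability feed would
# supply. The purl and the bounds are assumptions for this example only:
# 'introduced' is inclusive, 'fixed' is exclusive.
ADVISORY = {
    "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
    "introduced": "2.0-beta9",
    "fixed": "2.17.1",
}

# Constructed SBOM for a hypothetical application. Note the two copies of
# log4j-core buried inside other libraries: a flat name search would miss them.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "billing-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "group": "com.example", "name": "report-engine", "version": "1.8.0",
         "purl": "pkg:maven/com.example/report-engine@1.8.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.13.3",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"},
         ]},
        {"type": "library", "group": "com.example", "name": "legacy-batch", "version": "0.9.2",
         "purl": "pkg:maven/com.example/legacy-batch@0.9.2",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.13.3",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3"},
    ],
}


def version_key(version):
    """Sortable key for versions like 2.14.1 or 2.0-beta9. Numeric parts compare
    as integers (padded to three), and a pre-release tag sorts before the release
    with the same numbers. Sufficient for major.minor.patch[-tag]; it is not a
    full Maven version comparator."""
    main, _, pre = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    parts += [0] * (3 - len(parts))
    return (tuple(parts[:3]), 0 if pre else 1, pre)


def in_affected_range(version, advisory):
    return (version_key(advisory["introduced"]) <= version_key(version)
            < version_key(advisory["fixed"]))


def purl_without_version(purl):
    # "pkg:maven/g/a@1.2.3?type=jar" -> "pkg:maven/g/a"
    return purl.partition("@")[0].partition("?")[0]


def walk_components(components, path):
    """Yield (component, path) for every component, descending into nested
    'components' so transitive copies are found too."""
    for comp in components:
        comp_path = path + [comp.get("name", "?")]
        yield comp, comp_path
        yield from walk_components(comp.get("components", []), comp_path)


def find_affected(sbom, advisory):
    """Return a finding per SBOM component that matches the advisory purl and
    whose version lies in the affected range, with the dependency path that
    leads to it."""
    root = sbom.get("metadata", {}).get("component", {}).get("name", "<root>")
    findings = []
    for comp, path in walk_components(sbom.get("components", []), [root]):
        purl = comp.get("purl", "")
        if purl_without_version(purl) != advisory["purl_prefix"]:
            continue
        version = comp.get("version") or purl.partition("@")[2].partition("?")[0]
        if version and in_affected_range(version, advisory):
            findings.append({"version": version, "path": " > ".join(path)})
    return findings


def find_affected_in_file(path, advisory):
    """Same scan over an SBOM file a supplier delivered."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh), advisory)


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORY):
        print(f"{hit['version']:10} {hit['path']}")
```

Run against a directory of supplier SBOMs, this is the inventory pass that answers "where do we have log4j-core below 2.17.1?" in minutes instead of months; the path in each finding tells you which supplier component to chase for a fix.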
In early April, Fortress Information Security[i] put out a white paper that was the first document (that I’ve seen) that discusses using SBOMs, not producing them. And in another first, it’s aimed entirely at software consumers (who can be assumed to know very little about SBOMs), rather than software developers (who can be assumed to know a lot about them).
Now, Fortress has put together what looks like it will be the first webinar describing how people like you and me can use SBOMs to make our organizations more secure, rather than to wrap fish. While I don’t know what will be in it, I’m sure it will be good. You can read about the webinar (on Thursday, May 12 at 11 AM EDT) and sign up for it here.
See you there!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] Full disclosure: I provide consulting services to Fortress, although I’m promoting this webinar because it’s sorely needed.