I’m pleased to report that Cybellum, an Israel-based company whose mission is “…to enable manufacturers and their suppliers to develop and maintain products that aren’t just safe, but are also secure”, has just posted a podcast I taped with them a few months ago. I’m quite pleased with the results, which are due as much to their good questions as to anything I said.
The podcast – which is only 26 minutes long – ended up being very focused on what I believe is the biggest issue preventing widespread adoption of SBOMs by end user organizations (i.e. organizations whose primary mission isn’t developing software for other organizations; developers are already heavily using SBOMs for their internal purposes, thank you very much): the current lack of tools and scalable third-party services to utilize SBOMs and VEX documents for software risk management purposes, as well as the relative dearth of written guidance on how non-developers can use SBOMs.
I’ll warn you that, if you’d rather hear happy stories about how SBOMs and VEXes are already being widely used and how it will just take a little more of what we’re currently doing to reach component security nirvana, perhaps you need to look for another podcast. There is a huge amount of work to be done, and even what I know to be in the pipeline at the current moment is totally inadequate to address what’s needed.
However, I’m also quite optimistic that what’s needed will come, and in the not-distant future. I’m optimistic because – as a student of Milton Friedman during his heyday at the University of Chicago – I believe that free markets will ultimately both a) allow consumer demand for SBOMs to rapidly grow from its current close-to-nonexistent level, and b) “monetize” the so-far-nascent (at best) sub-markets for tools and services for widespread distribution and utilization of SBOMs for vulnerability risk management purposes.
I also want to point out that the previous podcast in this same series featured Steve Springett, the creator of Dependency-Track (which I mention in the podcast, and have referred to multiple times in these posts) and leader of the OWASP CycloneDX project (Steve is also the brains behind the current effort to solve the naming problem, one of the primary inhibitors of widespread production and utilization of SBOMs).
I recommend you also listen to that podcast, since Steve provides some very good insights into the current and future state of SBOMs and VEXes. In my opinion, Steve is the intellectual leader of the SBOM and VEX communities. The rest of us are just trying to visit the places where he’s already arrived, made a big difference, then moved on to his next challenge.
Any opinions expressed in this blog post are strictly mine, and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.