Last week, I put up an upbeat post that pointed out that SBOMs are already a great success among software suppliers, since they are using them heavily (literally hundreds of millions of times a month, and billions of times a month if you want to count “use” in a different way) to learn about vulnerabilities in products they’re building. I noted that this was happening in the absence of any significant use by consumers, and I further noted that this wasn’t because at least some suppliers aren’t ready to supply them to their customers, but because their customers aren’t asking for them.
I didn’t go into detail on why consumers aren’t asking for SBOMs now, although I’ve dropped various hints in my posts – lack of free or low-cost tools to utilize SBOMs for vulnerability management, lack of support for SBOMs from vendors of vulnerability and configuration management software, lack of available VEX documents to notify consumers of non-exploitable component vulnerabilities, etc. But I did attribute the fact that so many software suppliers had in recent years “gotten religion” on the need to take responsibility for preventing or fixing vulnerabilities due to components in their software, to the fact that they knew SBOMs were coming. Moreover, they knew their customers were soon going to know about vulnerabilities found in components in their software and continually ask when they were going to fix them.
However, I realized today that there’s a kind of contradiction between those two ideas: that SBOMs aren’t being significantly utilized by consumers today, and that suppliers are anticipating they will be heavily utilized by consumers in the near future. I resolve this by saying that suppliers are wrong if they anticipate SBOMs will be heavily used in, say, the next 2-3 years, but I anticipate they will be after that. I added a couple of paragraphs to last Monday's post to clarify this point.
I have a list of about 8 serious impediments (and there are many less-serious ones as well) to widespread SBOM use. I’m happy to say that one of them is on the road to being resolved, and the informal group responsible for that is now deciding what’s the next impediment we’ll take on. Anyone who’s already familiar with SBOMs and would like to join that effort should drop me an email.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I neglected to mention that I added a couple of paragraphs to last week's post about this change.