I have come up with Alrich’s Law of Supply Chain Cybersecurity Innovation: No matter what you dream up as something that would be good to have in the world of supply chain cybersecurity, Steve Springett[i] has already dreamed it up and is in the process of implementing it in CycloneDX. It’s like I had made climbing the seven highest mountains in the world my life’s goal (you can tell I’m joking about this!) and, as I summited each one of them, I found Steve sitting in a camp chair, pouring coffee from a thermos and enjoying the view.
So I wasn’t surprised when Steve recently posted on LinkedIn about attestations. He said the OWASP CycloneDX project will be adding to the already impressive list of capabilities built on the CycloneDX framework by providing the capability for a Bill of Attestations (and to see a complete list of BOMs currently supported, about to be supported in CycloneDX 1.5, which is due out this quarter, or planned for future versions of CycloneDX, look at this slide deck he recently posted on LinkedIn). The point is that organizations need to make attestations all the time to regulatory bodies, customers and others. Wouldn’t it be nice, both for the attestor and the recipient of the attestation, if there were a machine-readable format for providing attestations?[ii]

Soon there will be. And you can help Steve develop it as well! Details in the LinkedIn post.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] For more on Steve, see these two posts: https://tomalrichblog.blogspot.com/2023/01/300-million.html and https://tomalrichblog.blogspot.com/2022/06/the-first-complete-sbom-tool.html
[ii] Steve made sure to point out that the original idea for this came from Jeff Williams, founder of Contrast Security and originator of the OWASP Top 10.