Wednesday, April 12, 2023

What about attestations?


I have come up with Alrich’s Law of Supply Chain Cybersecurity Innovation: No matter what you dream up as something that would be good to have in the world of supply chain cybersecurity, Steve Springett[i] has already dreamed it up and is in the process of implementing it in CycloneDX. It’s like I had made climbing the seven highest mountains in the world my life’s goal (you can tell I’m joking about this!) and as I summited each one of them, I found Steve sitting in a camp chair, pouring coffee from a thermos and enjoying the view.

So I wasn’t surprised when Steve recently posted on LinkedIn about attestations. He said the OWASP CycloneDX project will be adding to the already impressive list of capabilities built on the CycloneDX framework by providing the capability for a Bill of Attestations. (For a complete list of BOMs currently supported, about to be supported in CycloneDX 1.5, which is due out this quarter, or planned for future versions of CycloneDX, look at the slide deck he recently posted on LinkedIn.) The point is that organizations need to make attestations all the time to regulatory bodies, customers and others. Wouldn’t it be nice, both for the attestor and the recipient of the attestation, if there were a machine-readable format for providing attestations?[ii]

Soon there will be. And you can help Steve develop it as well! Details in the LinkedIn post.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[ii] Steve made sure to point out that the original idea for this came from Jeff Williams, founder of Contrast Security and originator of the OWASP Top 10.
