Two weeks ago, Steve Springett (leader of the OWASP CycloneDX
and Dependency Track projects, and recently elected OWASP board member) and I
recorded a podcast with Deb Radcliff, whose podcasts are widely followed in the
software development community and are sponsored by CodeSecure. The podcast is called “VEXing
SBOMs”, and you can find it here.
Briefly, here are the main topics that we covered:
1. We discussed use cases for SBOM and VEX.
2. Steve discussed how SBOMs have become a natural part of the build pipeline.
3. I pointed out that IMHO the number one reason why SBOMs are not being distributed to and used by software end users (i.e., the 99.9% - or so - of public and private organizations worldwide whose primary business is not software development) is the fact that there are currently no strict specifications for VEX on the two original VEX “platforms”: Common Security Advisory Framework (CSAF) and CycloneDX.
4. I also noted that Anthony Harrison of the OWASP SBOM Forum has recently remedied that problem. This is a key step toward the goal that the SBOM Forum hopes to achieve before the end of 2024: starting a proof of concept in which end users benefit from the “full stack” of software component vulnerability management, namely utilization of SBOM and VEX to allow end users to learn about exploitable component vulnerabilities in their software, and ultimately to be able to quickly answer the question, “Where on our network are we vulnerable to (insert name of “celebrity vulnerability” du jour)?” You can read more about the proof of concept in Part 3 of my book (see below).
5. Steve described the OWASP Transparency Exchange API project, which is described in this draft document. In my opinion, this will be the key enabler of distribution and use of SBOMs and VEX documents.
Thanks for inviting us, Deb!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX"
is now available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.