Tom Alrich's Blog
Sunday, October 30, 2022
Where’s them SBOMs, now that we really need them?
Practitioners of the black arts of software security are collectively sighing and saying, “Here we go again”, since the announcement [i]...
Thursday, October 27, 2022
The White House gets into the labeling business
Last week, the White House held a workshop to discuss developing a program for securing IoT devices, scheduled to start in 2023 and to appl...
Monday, October 24, 2022
How can you make sure your connected devices are secure?
One of my recent posts pointed out that many (and perhaps most) connected devices (aka IoT devices) are far from secure. Furthermore, it...
Thursday, October 20, 2022
What should be in an SBOM for cloud services?
Since the beginning of the NTIA Software Transparency Initiative, there was always an understanding (sometimes explicitly articulated in mee...
Monday, October 17, 2022
...and you thought securing software was hard…
In case you haven’t noticed, I’ve written a lot about software supply chain security in the past couple of years. I’ve focused on this top...
Tuesday, October 11, 2022
How do you prioritize vulnerabilities to patch?
My most recent post quoted Tony Turner saying (in response to a previous post of mine) that SBOMs aren’t being used much by non-developers...
Tuesday, October 4, 2022
Here’s the REAL reason why software users aren’t requesting SBOMs
My last post discussed the fact that software users clearly aren’t demanding SBOMs from their suppliers now; the post described my idea for...