Tom Alrich's Blog
Friday, December 1, 2023
We have a winner!
In our last OWASP SBOM Forum meeting before Thanksgiving, we started by discussing CISA’s new Request for Comments on their recent docum...
Wednesday, November 22, 2023
NERC CIP: The new SAR for cloud services
There is widespread agreement in the NERC CIP community that it’s time – in fact, way past time – to fix the biggest problem with the CIP st...
Wednesday, November 15, 2023
How will we know when SBOMs take off?
In last week’s meeting of the SBOM Forum, toward the end of the meeting we somehow got onto the topic of whether SBOMs are succeeding in t...
Friday, November 10, 2023
The Global Vulnerability Database won’t be a “database” at all
I have written about a Global Vulnerability Database before, by which I meant a database that would be funded and run internationally. Ho...
Tuesday, November 7, 2023
When will there be VEX tools?
Today, a very refreshing email was sent to the CISA VEX Workgroup mailing list: We're a small startup from Germany trying to establish...
Saturday, November 4, 2023
CISA is asking the wrong questions
CISA recently published a white paper on “Software Identification Ecosystem Option Analysis”. This paper is almost a textbook example of...
Friday, October 27, 2023
You’ve got a new VEX format? Great! How will it be used?
Red Hat came out with their new VEX format this week and described it in this blog post (Pete Allor of Red Hat also discussed it in today...