Software supply chain still dangerous despite new protections
- by nlqip
Despite the SBOM's conceptual attractiveness as a simple tool for spotting potentially problematic software components, its practical value is still too limited to be helpful on its own. "What I'm seeing is that SBOM is too nascent for department and agency proactive use," Rebecca McWhite, cyber supply chain risk management technical lead at NIST, said during the CISA conference.
Creating and updating software asset inventories is imperative
“I think the one area I’d say I’m pretty pessimistic about is SBOMs, which are probably the lowest priority thing in this whole space that I would recommend,” Lorenc said. “I think CISA has done a pretty good job explaining what benefits they do have, but for some reason, a lot of folks just latch on to SBOMs as this magical solution that will fix all of these issues.”
Lorenc thinks SBOMs should be a lower priority than more critical tasks, such as creating and updating software asset inventories, which he believes all too few organizations do well. "If you don't even know what systems you're running, it doesn't make sense to query SBOMs for what's inside those systems. And unless you have very, very, very good asset management in place, then SBOMs aren't going to add much to your incident reporting."
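The dependency Lorenc describes is easy to see once you try to answer the question an SBOM is supposed to answer during an incident: "where is vulnerable version X of component Y actually running?" The script below is an added example written for this page, not code from the article or from any tool it mentions. It joins a constructed asset inventory (host to deployed artifact) against constructed CycloneDX-style SBOM documents, and it deliberately reports the two gaps that asset management is meant to close: hosts whose artifact has no SBOM on file (they cannot be cleared) and SBOMs for artifacts that no host in the inventory claims (data you cannot act on). Field names, hostnames, artifact names and the `fixed_version` comparison are all assumptions made for the example.

```python
import json

# Constructed sample asset inventory (not from the article): host -> deployed artifacts.
ASSET_INVENTORY = {
    "web-01": ["shop-frontend:2.4.1"],
    "web-02": ["shop-frontend:2.4.1"],
    "api-01": ["orders-api:1.9.0"],
    "batch-01": ["report-runner:0.3.2"],
    "legacy-01": ["ticket-portal:5.0"],  # deployed, but no SBOM on file
}

# Constructed SBOM documents keyed by artifact, in CycloneDX-style JSON.
# Assumption: only components[].name and components[].version are consulted.
SBOMS = {
    "shop-frontend:2.4.1": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.20"},
        {"name": "express", "version": "4.18.2"}]}),
    "orders-api:1.9.0": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.21"},
        {"name": "jsonwebtoken", "version": "8.5.1"}]}),
    "report-runner:0.3.2": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.15"}]}),
    # SBOM exists, but no host in the inventory lists this artifact
    "orphan-svc:9.9.9": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "lodash", "version": "4.17.15"}]}),
}


def version_key(v):
    """Turn '4.17.20' into (4, 17, 20) so versions can be ordered; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def components_of(sbom_json):
    """Yield (name, version) pairs from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    for c in doc.get("components", []):
        yield c.get("name"), c.get("version", "")


def find_exposed_hosts(component, fixed_version, inventory, sboms):
    """Join the asset inventory against SBOMs to answer 'where is component < fixed_version running?'.

    Returns three sorted lists:
      affected - hosts running an artifact whose SBOM lists a version below fixed_version
      unknown  - hosts running an artifact with no SBOM on file (cannot be cleared)
      unplaced - artifacts with an SBOM but no host in the inventory (SBOM data you cannot act on)
    """
    fixed = version_key(fixed_version)
    affected, unknown = set(), set()
    for host, artifacts in inventory.items():
        for artifact in artifacts:
            sbom = sboms.get(artifact)
            if sbom is None:
                # No SBOM means "unknown", never "clean".
                unknown.add(host)
                continue
            for name, version in components_of(sbom):
                if name == component and version_key(version) < fixed:
                    affected.add(host)
    deployed = {a for arts in inventory.values() for a in arts}
    unplaced = sorted(set(sboms) - deployed)
    return {"affected": sorted(affected), "unknown": sorted(unknown), "unplaced": unplaced}


if __name__ == "__main__":
    # Which hosts run a lodash older than 4.17.21?
    print(find_exposed_hosts("lodash", "4.17.21", ASSET_INVENTORY, SBOMS))
```

Run on the constructed data, the query reports `web-01`, `web-02` and `batch-01` as affected, `legacy-01` as unknown because its artifact has no SBOM, and `orphan-svc:9.9.9` as an SBOM with no owner. The last two lists are the point of the passage: each one is a hole in asset management that no amount of SBOM collection fills.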