Software supply chain still dangerous despite new protections
- by nlqip
Despite the SBOM’s conceptual attractiveness as a simple tool for spotting potentially problematic software components, its value is still too limited to be helpful. “What I’m seeing is that SBOM is too nascent for department and agency proactive use,” Rebecca McWhite, cyber supply chain risk management technical lead at NIST, said during the CISA conference.
Creating and updating software asset inventories is imperative
“I think the one area I’d say I’m pretty pessimistic about is SBOMs, which are probably the lowest priority thing in this whole space that I would recommend,” Lorenc said. “I think CISA has done a pretty good job explaining what benefits they do have, but for some reason, a lot of folks just latch on to SBOMs as this magical solution that will fix all of these issues.”
Lorenc thinks SBOMs should be a lower priority than more critical tasks, such as creating and updating software asset inventories, which he believes all too few organizations do well. “If you don’t even know what systems you’re running, it doesn’t make sense to query SBOMs for what’s inside those systems. And unless you have very, very, very good asset management in place, then SBOMs aren’t going to add much to your incident reporting.”
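The dependency Lorenc describes can be made concrete: an SBOM answers “what is inside this image?”, but only an asset inventory turns that into “which of my running systems contain it?”. The following is an added example, not code from the article or from any speaker quoted in it. It constructs a small made-up asset inventory and two made-up CycloneDX-style SBOM documents (the `bomFormat` / `components[].name` / `version` / `purl` fields are the standard CycloneDX ones; every host name, image tag and package name is invented), joins them to locate a component across deployed hosts, and shows the two blind spots the quote points at: hosts whose image has no SBOM, and hosts that are not in the inventory at all.

```python
"""Join a software asset inventory with per-image SBOMs.

Constructed example: the inventory, the SBOM documents and all
component/host/image names are sample data made up for illustration.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: hostname -> metadata, including the image
# (and therefore the SBOM) the host runs.  A host missing from this table
# cannot be reasoned about at all, however complete the SBOMs are.
ASSET_INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"owner": "payments", "image": "shop-frontend:2.4.1"},
    "web-02": {"owner": "payments", "image": "shop-frontend:2.4.1"},
    "batch-07": {"owner": "reporting", "image": "nightly-etl:0.9.0"},
    "legacy-db": {"owner": "finance", "image": "legacy-db:1"},  # no SBOM on file
}

# Constructed CycloneDX-style SBOMs, keyed by image tag.
SBOMS: Dict[str, str] = {
    "shop-frontend:2.4.1": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"name": "example-json-parser", "version": "1.2.0",
             "purl": "pkg:npm/example-json-parser@1.2.0"},
            {"name": "example-logger", "version": "4.0.3",
             "purl": "pkg:npm/example-logger@4.0.3"},
        ],
    }),
    "nightly-etl:0.9.0": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"name": "example-logger", "version": "3.9.9",
             "purl": "pkg:pypi/example-logger@3.9.9"},
        ],
    }),
}


def parse_sbom(doc: str) -> Dict[str, str]:
    """Return {component name: version} from a CycloneDX JSON document.

    Only the fields needed for the lookup are read; anything that is not
    CycloneDX is rejected rather than silently treated as empty.
    """
    bom = json.loads(doc)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % bom.get("bomFormat"))
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def systems_with_component(name: str,
                           version: Optional[str] = None
                           ) -> Tuple[List[str], List[str]]:
    """Inventory hosts whose image SBOM lists `name` (at `version` if given).

    Returns (hits, hosts_without_sbom).  The second list is the first blind
    spot: the host is known, but nothing is known about what runs on it.
    """
    hits: List[str] = []
    no_sbom: List[str] = []
    for host, meta in sorted(ASSET_INVENTORY.items()):
        doc = SBOMS.get(meta["image"])
        if doc is None:
            no_sbom.append(host)
            continue
        components = parse_sbom(doc)
        if name in components and (version is None or components[name] == version):
            hits.append(host)
    return hits, no_sbom


def unmanaged_hosts(observed_hosts: List[str]) -> List[str]:
    """Hosts seen on the network (e.g. from a scan) but absent from the
    inventory: the second blind spot.  No SBOM query can ever reach them,
    because there is no record of which image they run."""
    return sorted(h for h in observed_hosts if h not in ASSET_INVENTORY)


if __name__ == "__main__":
    affected, unknown = systems_with_component("example-logger", "4.0.3")
    print("hosts running example-logger 4.0.3:", affected)
    print("hosts with no SBOM on file:", unknown)
    # Constructed list of hosts observed on the network.
    print("observed but not inventoried:", unmanaged_hosts(["web-01", "db-03", "batch-07"]))
```

The two return paths are the practical point: `systems_with_component` can only ever name hosts that the inventory already knows, and `unmanaged_hosts` shows what falls outside that boundary. Improving SBOM coverage shrinks the first list; only asset management shrinks the second.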