I agree, Chris,

Just got out of a meeting with Rusty. SAG-PM already supports retrieval of 
SBOMs from rkvst – out of the box, no changes needed. 

 

An SBOM URL is provided to customers via an open source Vendor Response File, 
along with other required evidence data:

https://github.com/rjb4standards/REA-Products/blob/master/SAGVendorResponseSAMPLE.xml


<SAG:SBOM type="cycloneDX" version="1.2" format="XML"
DigitalSignatureURL="https://softwareassuranceguardian.com/REDACTED">https://softwareassuranceguardian.com/REDACTED</SAG:SBOM>

<SAG:KnownVulnInfoURL DocFormat="XML"
DigitalSignatureURL="">https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVulnDisclosureSAMPLE.xml</SAG:KnownVulnInfoURL>

<SAG:SDLCPolicyURL>https://softwareassuranceguardian.com/REDACTED</SAG:SDLCPolicyURL>

<SAG:SDLCEvidenceDataURL>https://softwareassuranceguardian.com/REDACTED</SAG:SDLCEvidenceDataURL>

Thanks,

Dick Brooks

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
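The Vendor Response File above hands a consumer a set of evidence URLs, each of which may carry a DigitalSignatureURL. The following is an added example, not code from SAG-PM or the REA-Products repository: it parses such a fragment and flags pointers a consumer could not verify before fetching (no signature URL, or a non-HTTPS URL). The wrapping element, the namespace URI and all URLs are constructed placeholders, not the real schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Placeholder namespace and wrapper element: the real schema is in the
# REA-Products repository linked above; this example does not reproduce it.
SAG_NS = "urn:example:sag-vrf-placeholder"

# Constructed sample mirroring the four elements quoted in the mail.
SAMPLE_VRF = f"""<SAG:VendorResponse xmlns:SAG="{SAG_NS}">
  <SAG:SBOM type="cycloneDX" version="1.2" format="XML"
    DigitalSignatureURL="https://vendor.example/sbom.sig">https://vendor.example/sbom.xml</SAG:SBOM>
  <SAG:KnownVulnInfoURL DocFormat="XML"
    DigitalSignatureURL="">https://vendor.example/vulns.xml</SAG:KnownVulnInfoURL>
  <SAG:SDLCPolicyURL>https://vendor.example/sdlc-policy.pdf</SAG:SDLCPolicyURL>
  <SAG:SDLCEvidenceDataURL>http://vendor.example/evidence.zip</SAG:SDLCEvidenceDataURL>
</SAG:VendorResponse>"""

EVIDENCE_TAGS = ("SBOM", "KnownVulnInfoURL", "SDLCPolicyURL", "SDLCEvidenceDataURL")

def parse_vrf(xml_text):
    """Map each evidence element to its artifact URL, signature URL and
    remaining attributes (e.g. the SBOM type/version/format)."""
    root = ET.fromstring(xml_text)
    entries = {}
    for tag in EVIDENCE_TAGS:
        el = root.find(f"{{{SAG_NS}}}{tag}")
        if el is None:
            continue  # optional evidence not supplied by this vendor
        entries[tag] = {
            "url": (el.text or "").strip(),
            "sig_url": el.get("DigitalSignatureURL", "").strip(),
            "attrs": {k: v for k, v in el.attrib.items() if k != "DigitalSignatureURL"},
        }
    return entries

def audit_vrf(entries):
    """Findings to resolve before fetching: every pointer should be HTTPS and
    carry a signature URL, so the evidence is verified rather than just reachable."""
    findings = []
    for tag, e in entries.items():
        scheme = urlparse(e["url"]).scheme
        if scheme != "https":
            findings.append(f"{tag}: artifact URL is not https ({scheme or 'none'})")
        if not e["sig_url"]:
            findings.append(f"{tag}: no DigitalSignatureURL, artifact cannot be verified")
        elif urlparse(e["sig_url"]).scheme != "https":
            findings.append(f"{tag}: signature URL is not https")
    return findings
```

Run `audit_vrf(parse_vrf(SAMPLE_VRF))` to see the unsigned and plain-HTTP pointers in the constructed sample reported.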

From: Christopher Gates <[email protected]> 
Sent: Friday, February 4, 2022 3:40 PM
To: Michael Richardson <[email protected]>; 
[email protected]; [email protected]; [email protected]
Subject: Re[2]: [OPSAWG] SBOMs and version non-specific MUD files

 

There are already public databases with both secured and public SBOMs.

https://sbom.rkvst.io/publicsboms

 

Christopher Gates

--------------------------------

Director of Product Security

www.velentium.com

(805)750-0171

Las Vegas, NV

(GMT-8)

 

Our new book is now shipping:
Medical Device Cybersecurity for Engineers and Manufacturers
U.S. <https://us.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2128.aspx> | Worldwide <https://uk.artechhouse.com/Medical-Device-Cybersecurity-A-Guide-for-Engineers-and-Manufacturers-P2073.aspx>
Amazon <https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630818151/ref=sr_1_1?dchild=1&keywords=Axel+Wirth&qid=1592335625&sr=8-1> & Digital <https://us.artechhouse.com/Medical-Device-Cybersecurity-for-Engineers-and-Manufacturers-P2174.aspx>
Security Book Of The Year! <https://engineering.tapad.com/the-best-information-security-books-of-2020-e7430444fbd4>
 

 

“If everyone is thinking alike, then somebody isn't thinking.” -George S. Patton

"Facts are stubborn things."  -John Adams, 1770

 

------ Original Message ------
From: "Michael Richardson" <[email protected]>
To: [email protected]; [email protected]; [email protected]
Sent: 2/4/2022 12:30:41 PM
Subject: Re: [OPSAWG] SBOMs and version non-specific MUD files


Dick Brooks <[email protected]> wrote:
> The predominant "SBOM delivery channel" I see is through access controlled
> customer portals where customers can download SBOMs, Vulnerability
> Disclosures and other artifacts needed to perform a NIST C-SCRM risk
> assessment for Executive Order 14028.

 

For hospitals, sure.

For baby monitors, maybe not.

 

 

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg