FYI: Tom Alrich recently posted an article containing observations from the recent S4 conference that are germane to this group and the V 2.3 work:
people at S4 were saying was, “I don’t need to track component vulnerabilities at all, in the software products my organization uses. I just need to get an attestation from the supplier that the software doesn’t have vulnerabilities. Then I can show the attestation to my regulator, compliance department, or whoever’s bugging me about how safe my software is. This will make them shut up, and I can go back to doing the other 9,999 things I have to do.”

I shared my own thoughts on Tom’s article, which I link to here: https://energycentral.com/c/pip/sboms-and-attestations

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

View/Reply Online (#4475): https://lists.spdx.org/g/Spdx-tech/message/4475
