I'm hoping the V 2.3 enhancements will provide the ability to tie an SBOM artifact directly to a vendor attestation regarding the vulnerability status of a product, described by an SBOM.
Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Tony Turner <[email protected]>
Sent: Friday, April 29, 2022 10:05 AM
To: [email protected]; [email protected]
Subject: Re: [EXTERNAL SOURCE] [spdx-tech] FYI: statements from S4

Please see my comments on this at https://www.linkedin.com/feed/update/urn:li:activity:6925613064541151232?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A6925613064541151232%2C6925797235666395136%29

It was not as cut and dry as "we don't need SBOMs" and in the case of the workshop, there were scenarios where most people agreed the attestations were not sufficient. Context matters.

- Tony Turner
VP, Fortress Labs (R&D)
Fortress Information Security

_____

From: [email protected] <[email protected]> on behalf of Dick Brooks via lists.spdx.org <[email protected]>
Sent: Friday, April 29, 2022 10:01:24 AM
To: [email protected] <[email protected]>
Subject: [EXTERNAL SOURCE] [spdx-tech] FYI: statements from S4

FYI: Tom Alrich recently posted an article containing observations from the recent S4 conference that are germane to this group and the V 2.3 work:

people at S4 were saying was, "I don't need to track component vulnerabilities at all, in the software products my organization uses. I just need to get an attestation from the supplier that the software doesn't have vulnerabilities. Then I can show the attestation to my regulator, compliance department, or whoever's bugging me about how safe my software is.
This will make them shut up, and I can go back to doing the other 9,999 things I have to do."

I shared my own thoughts on Tom's article, which I link to here: https://energycentral.com/c/pip/sboms-and-attestations

Thanks,

Dick Brooks

View/Reply Online (#4477): https://lists.spdx.org/g/Spdx-tech/message/4477
