In addition to Dick's "believable attestation", or Reagan's favorite
Russian proverb "doveryay, no proveryay" ("trust but verify"), the idea of
attestation applies only to organizations that do no software development.
As soon as they hire one coder, passing the buck goes out the door.

On Fri, Apr 29, 2022 at 10:01 AM Dick Brooks <
[email protected]> wrote:

> FYI: Tom Alrich recently posted an article containing observations from
> the recent S4 conference that are germane to this group and the V 2.3 work:
>
> *people at S4 were saying was, “I don’t need to track component
> vulnerabilities at all, in the software products my organization uses. I
> just need to get an attestation from the supplier that the software doesn’t
> have vulnerabilities. Then I can show the attestation to my regulator,
> compliance department, or whoever’s bugging me about how safe my software
> is. This will make them shut up, and I can go back to doing the other 9,999
> things I have to do.”*
>
> I shared my own thoughts on Tom’s article, which I link to here:
>
> https://energycentral.com/c/pip/sboms-and-attestations
>
> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector, *
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> http://www.reliableenergyanalytics.com
>
> Email: [email protected]
>
> Tel: +1 978-696-1788


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4482): https://lists.spdx.org/g/Spdx-tech/message/4482
-=-=-=-=-=-=-=-=-=-=-=-