Charlie,

The CE marks cited by the EU CRA will need to be stored someplace trustworthy. I can't think of a better choice than an internationally defined/adopted SCITT Trust Registry to store TRUSTED Cybersecurity Labels:
https://energycentral.com/c/iu/international-trust-registry-demonstration-success

If not a SCITT Trust Registry to store trusted "Cybersecurity Labels", i.e. EU CE marks and the US Cyber Mark, then where should these important artifacts be stored, where they can be trusted to be legitimate (not forged/fraudulent) by a consumer?

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Hart, Charlie <[email protected]>
Sent: Wednesday, July 26, 2023 10:24 AM
To: [email protected]; [email protected]
Cc: [email protected]; 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>; Steve Springett <[email protected]>
Subject: Re: [EXT][SCITT] EU CRA is very supportive of SBOM

Hi Dick and team.

This and many other of your prior emails are a great case for SBOMs. However, they do not make a case for SCITT in my opinion. SCITT today is sort of an open source Docusign. None of the cases for SBOM require the extensive authentication features of SCITT. They do however require a data store, which so far we haven't included.

SCITT will provide some great facilities for provenance and pedigree once they hit the mainstream as requirements. But it will still need to be data-aware. I reviewed the use cases over the weekend and they all seem to have requirements for query and traversal. I would like for us to consider the utility of the standard to ensure useful applications can and will be built using the SCITT framework. In that way we can influence a new best practice of full authentication and computed trust standards.

Charlie

_____

From: SCITT <[email protected]> on behalf of Dick Brooks <[email protected]>
Sent: Wednesday, July 26, 2023 9:21 AM
To: [email protected]
Cc: [email protected]; 'scrm-nist' <[email protected]>; 'swsupplychain-eo' <[email protected]>; Steve Springett <[email protected]>
Subject: [EXT][SCITT] EU CRA is very supportive of SBOM

Very encouraging language in the EU CRA for SBOM adoption and vulnerability monitoring/reporting.
https://data.consilium.europa.eu/doc/document/ST-11726-2023-INIT/en/pdf

(37) In order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials. A software bill of materials can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties.

VULNERABILITY HANDLING REQUIREMENTS

Manufacturers of the products with digital elements shall:

1. identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product

CONTENTS OF THE TECHNICAL DOCUMENTATION

a description of the design, development and production of the product and vulnerability handling processes, including:

(a) complete information on the design and development of the product with digital elements, including, where applicable, drawings and schemes and/or a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing;

(b) complete information and specifications of the vulnerability handling processes put in place by the manufacturer, including the software bill of materials, the coordinated vulnerability disclosure policy, evidence of the provision of a contact address for the reporting of the vulnerabilities and a description of the technical solutions chosen for the secure distribution of updates;

NIST recommends using the IEC 29147:2018 standard for vulnerability disclosure reporting (the SPDX V 2.3 Spec appendix K.1.9 covers these NIST recommendations); this is also supported by the CycloneDX spec V 1.4 VDR (https://owasp.org/blog/2023/02/07/vdr-vex-comparison):
https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1
AND
https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-0

I've written about how to use SBOM to monitor for software vulnerability risks using a proactive "Left of Bang" approach, that seems to align well with the EU CRA language:
https://energycentral.com/c/iu/how-use-sbom-software-vulnerability-monitoring

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

View/Reply Online (#1715): https://lists.spdx.org/g/spdx/message/1715
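Dick's question in the thread (where a label can be kept so a consumer can tell a legitimate one from a forged one) and Charlie's point about query and traversal both come down to what a transparency registry actually hands a verifier. The Python below is an added illustration written for this page; it is not SCITT code and does not come from any project or person in the thread. It models the registry as an append-only Merkle log: registering a statement (a constructed "cybersecurity label" claim with placeholder issuer and product names) returns a receipt, i.e. an inclusion proof, and the consumer checks that receipt against a log root it is assumed to have obtained out of band. The hash layout (SHA-256 with 0x00/0x01 domain prefixes) follows RFC 6962-style logs. The real SCITT protocol wraps statements in COSE signatures and signs its receipts; this model leaves signatures out to keep the log mechanics visible.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(statement: dict) -> bytes:
    # Canonical JSON so the same claim always hashes the same way;
    # the 0x00 prefix separates leaves from interior nodes (RFC 6962 style).
    canonical = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(b"\x00" + canonical)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


@dataclass
class Receipt:
    """Inclusion proof: sibling hashes from the leaf up to the root."""
    index: int
    tree_size: int
    path: List[Tuple[bytes, bool]]  # (sibling hash, sibling sits on the left)


class TrustRegistry:
    """Append-only log of registered statements (toy model of a SCITT-style registry)."""

    def __init__(self) -> None:
        self.statements: List[dict] = []
        self.leaves: List[bytes] = []

    def _levels(self) -> List[List[bytes]]:
        levels = [list(self.leaves)]
        while len(levels[-1]) > 1:
            cur, nxt = levels[-1], []
            for i in range(0, len(cur), 2):
                right = cur[i + 1] if i + 1 < len(cur) else cur[i]  # odd count: duplicate last
                nxt.append(node_hash(cur[i], right))
            levels.append(nxt)
        return levels

    def root(self) -> bytes:
        if not self.leaves:
            return _sha256(b"")
        return self._levels()[-1][0]

    def register(self, statement: dict) -> Receipt:
        self.statements.append(statement)
        self.leaves.append(leaf_hash(statement))
        return self.receipt(len(self.leaves) - 1)

    def receipt(self, index: int) -> Receipt:
        path, i = [], index
        for level in self._levels()[:-1]:
            sib = i ^ 1
            sib_hash = level[sib] if sib < len(level) else level[i]
            path.append((sib_hash, sib < i))
            i //= 2
        return Receipt(index, len(self.leaves), path)

    def find(self, product: str) -> List[Tuple[dict, Receipt]]:
        # The "query" side: every registered statement about one product, with its proof.
        return [(s, self.receipt(i)) for i, s in enumerate(self.statements)
                if s.get("product") == product]


def verify_receipt(statement: dict, receipt: Receipt, trusted_root: bytes) -> bool:
    """Consumer-side check: recompute the root from the claim plus the proof path."""
    h = leaf_hash(statement)
    for sib_hash, sib_is_left in receipt.path:
        h = node_hash(sib_hash, h) if sib_is_left else node_hash(h, sib_hash)
    return h == trusted_root


def demo() -> dict:
    # Constructed sample labels; issuer and product names are placeholders, not real marks.
    labels = [
        {"issuer": "EU-notified-body-EXAMPLE", "product": "acme-gateway-1.2", "mark": "CE"},
        {"issuer": "US-label-admin-EXAMPLE", "product": "acme-gateway-1.2", "mark": "US Cyber Mark"},
        {"issuer": "EU-notified-body-EXAMPLE", "product": "acme-sensor-3.0", "mark": "CE"},
    ]
    registry = TrustRegistry()
    for label in labels:
        registry.register(label)
    checkpoint = registry.root()  # assumed fetched out of band by the consumer

    genuine = all(verify_receipt(s, r, checkpoint) for s, r in registry.find("acme-gateway-1.2"))
    tampered = dict(labels[0], product="other-gateway-9.9")  # claim edited after registration
    tampered_ok = verify_receipt(tampered, registry.receipt(0), checkpoint)
    forged = {"issuer": "nobody", "product": "acme-sensor-3.0", "mark": "CE"}  # never registered
    return {
        "gateway_labels": len(registry.find("acme-gateway-1.2")),
        "genuine_verify": genuine,
        "tampered_verify": tampered_ok,
        "forged_has_receipt": any(s == forged for s, _ in registry.find("acme-sensor-3.0")),
    }
```

Running `demo()` shows the two properties the thread is arguing about: a label that was registered verifies against the checkpoint, an edited copy of the same label fails even with the original receipt, and a label that was never registered simply has no receipt to present. The `find()` method is the minimal "query" facility Charlie describes; a production registry would index on more than a product string and would also serve consistency proofs between checkpoints so a consumer can detect a log that rewrites history.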
