
©2025 Poal.co

If this impacts you - and it will eventually, best get on it.

Any organization that isn't tracking this already, public and private sector, needs to boot their CIO and hire a competent one.

[–] 2 pts

Don't disagree at all - but this is a very big issue. The major factor here is the proliferation of FOSS and the fact there really isn't a 'SW supply chain.' Another thing growing this is a requirement for FOSS to support and deliver SBOMs, which is relatively new in the grand scheme of things. The hard truth is this administration and EO all sorts of money at the issue but the fact remains, we need **competent** folks, not more overhead.

I don't mind the idea of an SBOM, for internal and external applications, as compromised libraries are nothing new. Same for deprecated/unsupported libraries that have no place in a production environment. In the grand scheme, what's not good is that the fed has its hand in regulating entirely way too many industries when it can't even be trusted to regulate itself.

[–] 1 pt

Agree - as the article goes though, this is for feds, though this will carry implications to CMMC and the like. I think it's a great idea to hold SW devs accountable for their SBOM - we have fucked the chain so bad with who does what that we depend on. Right now, at least with the folks I deal with, it's simply 'go grab it from GitHub': no SBOM, no dependency check, devs don't even wanna code sign their own shit - gotta start somewhere. I don't want any more gov intervention, but I will take the guidance they push for my own edification and pass it along.