
©2025 Poal.co


If this impacts you - and it will eventually, best get on it.


I don't mind the idea of an SBOM for internal and external applications, as compromised libraries are nothing new. Same for deprecated/unsupported libraries that have no place in a production environment. In the grand scheme, what's not good is that the fed has its hand in regulating way too many industries when it can't even be trusted to regulate itself.


Agree - as the article goes, though, this is for feds, though this will carry implications for CMMC and the like. I think it's a great idea to hold SW devs accountable for their SBOM - we have fucked the chain so badly with who does what that we depend on. Right now, at least with the folks I deal with, it's simply "go grab it from GitHub": no SBOM, no dependency check, devs don't even wanna code sign their own shit - gotta start somewhere. I don't want any more gov intervention, but I will take the guidance they push for my own edification and pass it along.