agree - as the article goes though, this is for feds, though this will carry implications to CMMC and the like. I think it's a great idea to hold SW devs accountable for their SBOM - we have fucked the chain so bad with who does what that we depend on. Right now, at least with the folks I deal with - it's simply 'go grab it from GitHub': no SBOM, no dependency check, devs don't even wanna code sign their own shit - gotta start somewhere. I don't want any more gov intervention, but I will take the guidance they push for my own edification and pass it along.