Right now software producers and consumers are actively implementing or pondering their Software Bill of Materials (SBOM) plans. Providing visibility into the contents of software, or integrating that visibility into existing operations, is — as of the Presidential Executive Order of May 12, 2021 — something that solution developers and business operators will be addressing. Most of the relevant resources allocated to supply chain or security operations are today focused on the details of this one step in automating visibility.
But it doesn’t stop there. As technology producers and consumers automate the sharing and application of this one set of attestations, emergent properties begin to arise, and at several stages these promise even greater value. That promise will continue to drive the development and adoption of systems built on the technology framework now being assembled globally to address the software supply chain, and those systems will keep delivering new value: leaner operations and quicker incident response times, better customer/vendor relationships, more precise risk acceptance and transfer, and more efficient identification of root causes across an expanding set of use cases.
Nobody yet knows all of the implications of these systems of visibility. Concerns about Intellectual Property (IP) control are top of mind for many stakeholders at the moment; supply chain security solutions may make those risks more manageable, but many argue that these same systems may make the problem less manageable. The next-order effects that operationalizing SBOMs will enable in security operations have been theorized but not yet demonstrated. If SBOMs live up to some of their promise and free up development and operations resources, what will those market actors do with the workforce or budget they save?
As a commercial entity producing tooling to create and apply SBOMs, Cybeats gives me an interesting platform from which to experience this systemic transformation. The monthly panels Cybeats has been hosting with industry Ponder Leaders (“thought leaders” are really the folks pondering ahead of us on a topic ;~) provide a fascinating framework for iteratively picking apart where we are and where we are going. We will be starting a series of weekly interviews on the details of the topics discussed on the monthly panels, and for better or worse you will be hearing from me here regularly as we all ponder together the shape of the curves we are riding into the future.
I am looking forward to discussing, debating, proving, disproving, and otherwise — yes, pondering — the implications and implementations of these systems with you all.