The famous last words of Florida Man throughout history. The final stand of active theorists immediately before each narrative fork. These words ring an ancient bell in the backs of our minds as our earliest ancestors recall Bloody Stupid Ug and their bright idea to bring fire into the cave. What could possibly go wrong?
Ventilation, Ug. We needed to invent ventilation, first, Ug.
As we look at the looming wave of Good Intentions and Really Bright Ideas associated with software supply chain security there are good reasons we find ourselves scanning for handy escape paths. Just in case. Many a fine idea that would in fact turn out helpful in the end also illustrated unknow failure states in associated systems. Like breathing.
Companies exist because it is possible to predict the cost of doing something within a known range of certainty. Increasing that certainty increases the productivity and profitability of a company, reducing certainty about costs reduces productivity and profitability. Companies across virtually all sectors are today eyeing with understandable uncertainty these new fangled Software Bills of Materials and other software supply chain artifacts in the process of being invented.
There are certainly things to do for most parties to get to the promised future where we will know where the software we use comes from. Hopefully for most companies this will be a small step buried in existing procurement and legal processes and largely go unnoticed. For many firms it will fit inside of ongoing retooling and have most of its impact on operational systems. In some cases it will bring strategic shifts that create risks and opportunities that executive teams may be well served to pay quite a bit of attention to.
What could possibly go wrong? The policies implemented by key players like the US federal government and associated private entities could get bogged down in academic or bureaucratic mire. The standards and methods and tools used could make early efforts more or less successful. It could take longer to realize benefits, there could be additional as yet unforeseen work to be undertaken, we could be missing something.
The words have been said, though. Even those of us who said it harbor our own concerns as we march forward to show the startled onlookers how well this will work. But we said it, so we can’t stop now. We are all going to find out one way or another, and the only thing absolutely certain is there will be some great clips to share on social media.
What could possibly go wrong?
March 19, 2024
Tern is an open source software composition analysis and SBOM generation tool that generates SBOMs from container images. However, upon running this tool and generating a CycloneDX SBOM, a problem arose.
Read More →March 4, 2024
As a member of the PCAST Working Group on Cyber-Physical Resilience, I was involved in crafting the recent report outlining crucial steps to fortify the intricate systems that underpin our daily lives. One of our key recommendations, "Recommendation 4B: Promote Supply Chain
Read More →December 15, 2023
Notably, the Health Information Sharing and Analysis Center (Health-ISAC) is entering into a partnership with Cybeats, a leading software supply chain intelligence company, marking a substantial advancement in healthcare cybersecurity.
Read More →