Vendors need to understand what they are shipping to the customer, and the risks in what is going out the door. You cannot defend what you don't know. Think about the ingredients list on a box: if you know you have an allergy, you can simply check the ingredients and make a decision. Why should the software and hardware we ship be any different?
There had been a bill before Congress requesting that there always be an SBOM (Software Bill of Materials) for anything the US Government buys, so that it knows what it is getting and how to take care of it. The bill was DoA, but things are changing...
The healthcare sector has started getting behind this. Now people at the FDA and in Washington are concerned about the supply chain. There should not be a healthcare way of doing this, an automotive way of doing this, a DoD way of doing this... there should be one way.
That's where the US Department of Commerce comes in: we don't want this coming from a single sector.
Committees are the best way to do this because they are consensus based. That means the work is stakeholder driven and no single person can derail it. Think about it like "I push, but I don't steer".
We need software component transparency: we need to compile the data, share it and use it. The committee kicked off on July 19 in DC. Some folks believe this is a solved problem, but how do we make sure the existing data is machine readable? We can't just say "use grep". Ideally it would hook into the tools we are already using.
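As an added illustration of what "machine readable" buys you over grep (this is example code written for this page, not something from the talk or the committee): the SBOM below is a constructed CycloneDX-style JSON document for a made-up product, and the advisory list is made up too, with placeholder IDs and fixed versions that do not refer to any real advisory. The code matches components against advisories by version rather than by substring, and walks the SBOM's dependency graph to show what else in the product pulls in an affected component, which is the kind of check an existing tool could hook into.

```python
import json
import re

# Constructed SBOM: CycloneDX 1.x field names, but the product, components
# and versions are made up for this example and describe no real device.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "firmware", "name": "example-pump-fw", "version": "3.2.0"}
  },
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2k", "purl": "pkg:generic/openssl@1.0.2k"},
    {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"type": "library", "name": "busybox", "version": "1.27.2", "purl": "pkg:generic/busybox@1.27.2"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/busybox@1.27.2", "dependsOn": ["pkg:generic/zlib@1.2.11"]}
  ]
}
"""

# Constructed advisory feed: placeholder IDs and fixed-in versions chosen for
# illustration only. A real tool would pull these from NVD or vendor feeds.
ADVISORIES = [
    {"id": "EXAMPLE-A", "name": "openssl", "fixed_in": "1.0.2p"},
    {"id": "EXAMPLE-B", "name": "zlib", "fixed_in": "1.2.12"},
]


def version_key(version):
    """Turn '1.0.2k' into ((0,1),(0,0),(0,2),(1,'k')) so tuples compare in release order.

    Numeric tokens sort before alphabetic ones, so '1.0.2' < '1.0.2k' < '1.0.2p'.
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def load_sbom(text):
    """Parse the SBOM and reject anything that is not a CycloneDX document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def dependents_of(bom):
    """Invert the dependency graph: purl -> set of purls that depend on it."""
    reverse = {}
    for entry in bom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            reverse.setdefault(dep, set()).add(entry["ref"])
    return reverse


def find_affected(bom, advisories):
    """Return components whose version is below an advisory's fixed-in version.

    Each hit also lists the components that depend on it, so the reader sees
    not just 'zlib is old' but 'busybox in this product pulls in that zlib'.
    """
    reverse = dependents_of(bom)
    hits = []
    for comp in bom.get("components", []):
        for adv in advisories:
            if comp["name"].lower() != adv["name"].lower():
                continue
            if version_key(comp["version"]) < version_key(adv["fixed_in"]):
                hits.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "purl": comp.get("purl"),
                    "dependents": sorted(reverse.get(comp.get("purl"), ())),
                })
    return hits


if __name__ == "__main__":
    for hit in find_affected(load_sbom(SBOM_JSON), ADVISORIES):
        print(hit)
```

Grepping the same JSON for "openssl" would tell you the string is present and nothing more; the parsed form tells you which version, whether that version predates the fix, and which other component in the product depends on it. Version comparison here is a simple tokenizer, enough for the dotted-plus-letter schemes in the sample; a production tool would use the ecosystem's own versioning rules.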
The first working group is tackling the definition of the problem. Another is working on case studies and the state of practice. Others are covering standards and formats, a healthcare proof of concept, and more.
We need more people to understand and poke at the idea of software transparency; it has real potential to improve resiliency across sectors.