It’s Time to Drop the SBOM

The first step to solving any problem is gathering as much information as you can. Unfortunately, today we’re basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles – knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there’s a safety issue. This is not true for software makers… yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to change that.

Allan Friedman is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, which is part of the US department of Commerce,. There he coordinates cross-sector efforts to address key challenges in the cybersecurity ecosystem.

Further Info