Plaintext: Why SBOMs Are Still Hard
Source: Nick Youngson via Pix4free (https://www.nyphotographic.com)


Welcome to Dark Reading in Plaintext, brought to your inbox this week by Deloitte Cyber & Strategic Risk. In this issue of Plaintext, we look at the state of SBOMs and consider the benefits (and demerits) of ChatGPT. If you enjoy Plaintext, please share with friends and colleagues!

What’s Happening in SBOM Land? This is the year of the SBOM, for better or for worse, says Phylum's Pete Morgan. Executive Order 14028 requires software inventories to be automatically generated if they’re to be used in Federal agencies and presented to the appropriate agencies by Sept. 14, 2023. The US Food & Drug Administration is mandating that all medical devices running software must create and maintain a software bill of materials (SBOM), and the FDA will start enforcing that rule Oct. 1, 2023.

But there is still a lot of confusion. Generating an SBOM itself is easy, but generating a comprehensive and accurate one that is actually useful is still pretty hard. There is uncertainty about which dependencies should be reflected in SBOMs and which ones don’t need to be included, about how broad SBOMs should be, what format they should use, and how they should be submitted to the federal agencies and other software consumers. Some clear standards would be nice.
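To make concrete what "comprehensive and accurate" means in practice, here is a small audit script, added as an illustration and not taken from the newsletter or from any vendor it mentions. It runs over a constructed SBOM laid out in the CycloneDX JSON format (bomFormat, components with name/version/purl/bom-ref, and a dependencies graph) and flags the gaps a consumer would trip over: components with no version or no package URL, dependency edges that point at components the SBOM never declares, and declared components that the dependency graph does not account for. The sample SBOM, its package names and the missing fields are all constructed for the example.

```python
"""Completeness audit for a CycloneDX-style SBOM (added example; sample data is constructed)."""
import json

# Constructed sample SBOM using the CycloneDX JSON layout. It contains defects on purpose:
# one component without a version, one without a purl, one dependency edge that points
# at a component that was never declared, and one component nothing depends on.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "app", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0", "bom-ref": "left-pad"},
        {"type": "library", "name": "lodash", "purl": "pkg:npm/lodash", "bom-ref": "lodash"},
        {"type": "library", "name": "openssl", "version": "3.0.8", "bom-ref": "openssl"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["left-pad", "lodash"]},
        {"ref": "left-pad", "dependsOn": ["ghost-lib"]},
    ],
})


def audit_sbom(sbom_json: str) -> list[str]:
    """Return findings that make the SBOM less than comprehensive or accurate."""
    sbom = json.loads(sbom_json)
    findings = []
    components = sbom.get("components", [])
    declared = {c.get("bom-ref") for c in components if c.get("bom-ref")}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        declared.add(root)

    # Identity checks: without a version the component cannot be matched to
    # advisories; without a purl its ecosystem and exact package are ambiguous.
    for c in components:
        name = c.get("name", "<unnamed>")
        if not c.get("version"):
            findings.append(f"{name}: missing version (cannot be matched to advisories)")
        if not c.get("purl"):
            findings.append(f"{name}: missing purl (no unambiguous package identity)")

    # Graph checks: every ref in the dependency graph must be a declared component.
    referenced = set()
    for dep in sbom.get("dependencies", []):
        ref = dep.get("ref")
        if ref not in declared:
            findings.append(f"dependency graph references undeclared ref {ref!r}")
        for child in dep.get("dependsOn", []):
            referenced.add(child)
            if child not in declared:
                findings.append(f"{ref}: dependsOn undeclared component {child!r}")

    # Components that nothing depends on (and that are not the root) are floating:
    # they may be real, but the SBOM does not explain why they are in the product.
    for ref in sorted(declared - referenced - {root}):
        findings.append(f"{ref}: declared but not reachable in dependency graph")

    if not sbom.get("dependencies"):
        findings.append("no dependency graph: transitive relationships are unknown")
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print("-", finding)
```

Run on the constructed sample, the audit reports four findings: lodash has no version, openssl has no purl, left-pad depends on an undeclared ghost-lib, and openssl is declared but unreachable from the application root. A tool that merely emits a list of package names would pass none of these checks, which is the gap between "an SBOM" and a useful one.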

Some software makers may also be nervous because of what the SBOM may reveal about their products, Josh Corman, the Vice President of Cyber Safety Strategy at Claroty and co-founder of the group I Am The Cavalry, said during SBOM-a-rama, the Cybersecurity and Infrastructure Security Agency (CISA)’s daylong conference earlier this month.

"We all have a lot of tech debt and legacy security debt. And really, some people are afraid to share potential license violations [or] unfixable security issues where it would be cost prohibitive to remediate those known vulnerabilities." Josh Corman, I Am The Cavalry

Dark Reading in Plaintext is brought to you by Deloitte Cyber & Strategic Risk.

Know your customer

A 360-degree view of the customer enables organizations to predict consumer needs and deliver customized products and services at the right time, via the right channel. Download the whitepaper today.


Is Generative AI Good? Or Bad? It seems to depend on who you ask. Security vendors are rolling out new chatbot-like features and capabilities. Researchers are exploring how ChatGPT and related tools can be abused to develop malware and craft cyberattacks. A new class action lawsuit alleges that OpenAI training ChatGPT with data scraped from all over the Internet means the “information can be exploited and used to perpetrate identity theft, financial fraud, extortion, and other malicious purposes.” Here is a real-world look at how the security conversation is starting to deepen, with sober assessments from enterprise users and analysts.

What We Are Reading

What We Heard On-Air

Tune in to our on-demand webinar “Secrets to a Successful Managed Security Service Provider Relationship” to hear how security teams work with MSSPs.

"Over the past 12 months the cyber insurance market has been changing, driven in part by these massive cyber threats we're starting to see." Brittany Deaton, Solutions Engineer, Sophos

From Our Library

Check out some of the latest reports from our Dark Reading Library.

On That Note

Remember pig butchering, a particularly cruel form of social engineering scam that we mentioned recently?


Ira Winkler posted a short checklist on how to tell if that connection request is from a legitimate or fake account: “…generally have a young Asian woman as a profile pic, with an Anglican name, with an Ivy League education, and is likewise a business executive…” When you connect to fake accounts, you put your peers at risk since they see you listed as a shared connection and may not realize this is not a real account. Report and Block instead of connecting!




Alex Armasu

Founder & CEO, Group 8 Security Solutions Inc. DBA Machine Learning Intelligence

8 months

Your post is valued, thanks!

Dr Magda Chelly

Cybersecurity & Risk Management | AI-Powered Regulatory Compliance | SG 100 Women in Tech | Published Author & TEDx Speaker | Featured in Forbes | Advocate for Responsible Cyber | Techstars 2024

1 year

Ah, the challenges of Software Bill of Materials (SBOM)! SBOMs are hard primarily because of the diverse, complex, and ever-evolving nature of software ecosystems. Managing dependencies, ensuring transparency, and addressing the various layers of software products makes creating a comprehensive SBOM non-trivial. Plus, different stakeholders have varying perspectives on what should be included and how it should be structured. Achieving consensus while ensuring security and compliance further complicates the task. Furthermore, it's essential to understand that achieving a perfect SBOM from the outset is unrealistic. Instead, it's a journey. The goal is continuous improvement, striving consistently over time to enhance accuracy and comprehensiveness. Like many things in cybersecurity and software development, it's about iterative refinement, learning, and adapting to ensure the best possible outcomes.

Mulji patel (mama)

Thinking good, I hope to go up more, more progressed. Thanks for the email, Hadi Mirtaghian. God bless you all, your family and friends and all others.

1 year

All the best wishes all

Chris Eastwood

Co owner of The Rybec Group, Royal Engineers Veteran ISO 27001 Lead Implementer/Auditor, Cyber security awareness training. All thoughts are my own.

1 year

Anthony H. more SBOM reading material.
