log1kal (@log1kal@hachyderm.io)

"If we receive a long list of components in an airplane, do we feel safe enough to fly in it? No. Like any complex systems, the resilience and security of software systems depends on how components interact."

This quote from @shortridge resonates in my booooones about how SBOMs feel maybe useful, but not that much.

It's a long document, but worth a read on recommendations you might take to heart at your work, even if the USG doesn't.

https://kellyshortridge.com/blog/posts/rfi-open-source-security-response/

mamund (@mamund@mastodon.social)

@log1kal @shortridge

"We believe SBOMs – and the fervor for it emanating from the federal government – is a palpable case of myopic thinking that should be forsaken if the federal government seeks to maintain credibility on software security."

nailed it.
