Right now software producers and consumers are actively implementing or pondering their Software Bill of Materials (SBOM) plans. Providing visibility into the contents of software, or integrating that visibility into existing operations, is, as of the Presidential Executive Order of May 12, 2021, something that solution developers and business operators will be addressing. Most of the relevant resources allocated to supply chain or security operations are today focused on the details of this one step in automating visibility.
But it doesn’t stop there. As technology producers and consumers automate the sharing and application of this one set of attestations, emergent properties begin to arise, and at several stages these will provide the promise of even greater value. This will continue to drive the development and adoption of systems based upon the technology framework being assembled globally to address the software supply chain, and these systems will continue to provide new value in the form of leaner operations or quicker incident response times, better customer/vendor relationships or more precise risk acceptance and transferal, and more efficient identification of root causes across an expanding set of use cases.
Nobody yet knows all of the implications of these systems of visibility. Concerns about Intellectual Property (IP) control are top of mind among many stakeholders at the moment. Supply chain security solutions may make those risks more manageable, but many argue these same systems may make that problem less manageable. What next-order effects operationalizing SBOMs will enable in security operations has been theorized but not yet demonstrated. If SBOMs live up to some of their promise and free up development and operations resources, what will those market actors apply those savings of workforce or budget to?
As a commercial entity producing tooling to create and apply SBOMs, Cybeats provides me with an interesting platform from which to experience this systemic transformation. The monthly panels Cybeats has been hosting of industry Ponder Leaders (“thought leaders” are really the folks pondering ahead of us on a topic ;~) provide a fascinating framework to iteratively pick apart the pieces of where we are and where we are going. We will be starting a series of weekly interviews on the details of the topics discussed on the monthly panels, and for better or worse you will be hearing from me here regularly as we all ponder together the shape of the curves we are riding together into the future.
I am looking forward to discussing, debating, proving, disproving, and otherwise — yes, pondering — the implications and implementations of these systems with you all.