Reply to post: Re: SBOM = Pass the buck

SBOM is a 'massive galaxy of mess' for supply chain security

Richard 12 Silver badge

Re: SBOM = Pass the buck

Yes and no.

It's not possible for any software house to even start managing the risk unless they know which components are in their products.

So far, all the tools are really about ensuring compliance with licensing terms. Not "unexpected change".

Though this is a far smaller problem for precompiled software as the toolchains have to do dependency management in order to actually operate, so "unexpected change" tends to be more visible.

"Web" apps seem to be built assuming daily upstream changes, making "malicious" change far easier to hide among the hundreds of other daily changes.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon