I delivered this presentation (link below Read More) to the Amherst Security Group on June 20 describing the CISA Secure Software Attestation Form, the CISA Software Assurance Buyers Guide and the CISA RSAA portal that software and product vendors use to upload their secure software attestation form and other artifacts, such as SBOM and Vulnerability Disclosure Reports (VDR), which can be shared with all US Government Agencies as part of the EO 14028 and OMB M-22-18 "secure software approval process" (Secure by Design).
We also, briefly, discussed the social benefits of having a product "Trust Registry" where consumers can check a product's "Trust Score" and view known vulnerabilities in a product as of right now (like a CARFAX report) indicating the "trustworthiness" of a digital product, such as a software app, before purchasing and installing a product. The higher the "Trust Score", the more trustworthy a product is, providing consumers greater confidence that a product is secure before purchasing and installing.
Never trust software, always verify and report!™
Enjoy...