Part of EnergyBiz® Network »
Utility Management Group
Senior decision-makers come together to connect around strategies and business trends affecting utilities.
Post
1000’s of Vendors, 1000’s of Products, 1000’s of SBOM’s 1000’s of attestations – Oh my!
image credit: Photo by Nick Fewings on Unsplash
Imagine your boss comes to you and says “I need you to collect attestation letters and SBOM’s for each of our software products in use.” Two artifacts doesn’t seem like a lot, until you consider that some computing environments have thousands of products from lots of vendors. This turns out to be a big problem – so what do you do?
You could send out an email to each of your vendors saying “Give me your SBOM and self-attestation for each of your products that I have installed.” And then you receive 100 responses from your 100 vendors containing SBOM’s and self-attestations for each of the 10 products you have installed, resulting in 100x10x2 separate artifacts = 2000 artifacts. But what happens if those 2000 artifacts are all different and you have to decipher each one to determine if it meets “expectations”. You should expect to see lots of different responses, if no guidance is given upfront on the specific details describing what vendors should provide, including specific formats, and how to provide them, i.e., email, http download, etc. This can be a daunting task.
Are you ready to quit yet? I’ve heard quiet quitting is quite popular these days.
There must be a better way, and there is.
You can make your life much easier by sending that email to your vendors along with a template of the information you are expecting them to return to you that contains “links” to each of the required artifacts in the format you specify, such as the open source, free to use Vendor Response File format. This would ensure that each vendor provides you with the same information in a common, machine readable format for each of their product SBOM’s and self-attestations. This “template” is machine readable so you can run it through a program that automatically retrieves and catalogs each of the various artifacts, which now follow a consistent format, making it much easier to retrieve and analyze the information. This would eliminate some of the challenges associated with giving your boss the report on all of your software products, reducing or eliminating the need to interpret differently formatted SBOM’s and self-attestation letters, because you gave explicit directions for each vendor to follow. No doubt there will be some rogue responses, but hopefully your vendors are understanding of your challenges and complies with your request to provide common formats for SBOM’s and self-attestations and the means to acquire each of these artifacts using automated tools.
Additional information describing the open-source Vendor Response File is available here.
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
Discussions
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
No discussions yet. Start a discussion below.
Get Published - Build a Following
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.
Your access to Member Features is limited.
Sign in to Participate