Co-Founder and Lead Software Engineer, Reliable Energy Analytics (REA)

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Apr 29, 2022

S4 is a great litmus test for the "wisdom of crowds" theory. Here we have a collection of great minds in the cybersecurity industry, truly critical thinkers with real-world experience dealing with risk and mitigation daily, combined with all types of other people who are there to "convince you" of something: buy this product, believe this theory, drink the kool-aid, etc. So I'm not surprised that some of these critical thinkers would "dig deeper" into some of the claims being made at S4, and the article attached (link below) does indeed challenge one of the mainstream beliefs that people like Tom Alrich and others want you to believe.

I believe that you cannot pull anything over on smart people who apply critical thinking skills to situations, and the "wisdom of the S4 crowd", as shown in this article, supports my assertion. The tell-tale line is this:

people at S4 were saying was, “I don’t need to track component vulnerabilities at all, in the software products my organization uses. I just need to get an attestation from the supplier that the software doesn’t have vulnerabilities. Then I can show the attestation to my regulator, compliance department, or whoever’s bugging me about how safe my software is. This will make them shut up, and I can go back to doing the other 9,999 things I have to do.”

Some wise observers, no doubt the real practitioners, have pierced the veil by stating the obvious: they are dependent on their suppliers to indicate whether a software product is safe from risk, and the evidence the suppliers provide, "the attestation", MUST clearly demonstrate that the vendor did indeed check each SBOM component in their software product for vulnerabilities and other risks. I agree, a "believable attestation" should serve as sufficient evidence to silence auditors. However, saying that an attestation alone is sufficient may be challenged by an auditor if the attestation fails the "believability test".

So, is the S4 crowd correct in their observation that an attestation from a software vendor is sufficient evidence to prove due diligence and adherence to cybersecurity controls? YES, if the attestation is believable, meaning that it clearly shows that the software vendor performed their duties in searching for and addressing each reported vulnerability at the SBOM component level. Does such an attestation exist? YES, it's called an SBOM Vulnerability Disclosure Report (SBOM VDR), which lists the vulnerability search results for each SBOM component along with vendor findings and exploitability status for each reported vulnerability.
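To make the "believability test" described above concrete, here is an added example (not from the original post or from any REA product) of a consumer-side check that cross-references an SBOM against a VDR: every SBOM component must have a recorded vulnerability search result, and every reported vulnerability must carry a vendor exploitability status. The SBOM/VDR dictionaries, status vocabulary and vulnerability identifiers are constructed, simplified shapes for illustration, not a real VDR schema.

```python
"""Check whether a vendor's SBOM VDR evidences a per-component vulnerability
search. Data shapes below are constructed and simplified (assumption), not a
real SBOM or VDR schema."""

# Assumed vendor vocabulary for exploitability status (constructed).
ALLOWED_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}

# Constructed sample SBOM: components identified by (name, version).
SBOM = [
    {"name": "openssl", "version": "1.1.1k"},
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "zlib", "version": "1.2.11"},
]

# Constructed sample VDR: one entry per component the vendor actually searched.
# Vulnerability ids are placeholders, not real identifiers.
VDR = [
    {"name": "openssl", "version": "1.1.1k", "searched_on": "2022-04-28",
     "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "status": "fixed"}]},
    {"name": "log4j-core", "version": "2.14.1", "searched_on": "2022-04-28",
     "vulnerabilities": [{"id": "VULN-PLACEHOLDER-2", "status": ""}]},
    # zlib is in the SBOM but absent from the VDR: its search is not evidenced.
]


def believability_gaps(sbom, vdr):
    """Return human-readable gaps; an empty list means every SBOM component
    has a dated search result and every finding has an exploitability status."""
    gaps = []
    vdr_by_component = {(e["name"], e["version"]): e for e in vdr}
    for comp in sbom:
        key = (comp["name"], comp["version"])
        entry = vdr_by_component.get(key)
        if entry is None:
            gaps.append(f"{key[0]} {key[1]}: no vulnerability search result in VDR")
            continue
        if not entry.get("searched_on"):
            gaps.append(f"{key[0]} {key[1]}: search result has no date")
        for vuln in entry.get("vulnerabilities", []):
            if vuln.get("status") not in ALLOWED_STATUS:
                gaps.append(f"{key[0]} {key[1]}: {vuln.get('id')} lacks an exploitability status")
    # VDR entries for components not in the SBOM suggest it describes a different build.
    sbom_keys = {(c["name"], c["version"]) for c in sbom}
    for key in vdr_by_component.keys() - sbom_keys:
        gaps.append(f"{key[0]} {key[1]}: in VDR but not in SBOM")
    return gaps


if __name__ == "__main__":
    for gap in believability_gaps(SBOM, VDR):
        print("GAP:", gap)
```

An empty result is what an auditor would expect a "believable" attestation to produce; any gap is a question to put back to the supplier rather than a reason to reject the product outright.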

Many thanks to Dale Peterson for providing the cybersecurity community with this magnificent opportunity to validate the wisdom of crowds at S4.
