S4 is a great litmus test for the "wisdom of crowds" theory. Here we have a collection of great minds in the cybersecurity industry, truly critical thinkers with real world experience dealing with risk and mitigation daily, combined with all types of other people that are there to "convince you" of something; buy this product, believe this theory, drink the kool-aid, etc.  So I'm not surprised that some of these critical thinkers would "dig deeper" into some of the claims being made at S4, and the article attached (link below) does indeed challenge one of the main stream beliefs that people like Tom Alrich and others want you to believe. 

I believe that you cannot pull anything over on smart people that apply critical thinking skills to situations, and the "wisdom of the S4 crowd" as shown in this article, which supports my assertion. The tell-tale line is this:

people at S4 were saying was, “I don’t need to track component vulnerabilities at all, in the software products my organization uses. I just need to get an attestation from the supplier that the software doesn’t have vulnerabilities. Then I can show the attestation to my regulator, compliance department, or whoever’s bugging me about how safe my software is. This will make them shut up, and I can go back to doing the other 9,999 things I have to do.”

Some wise observers, no doubt the real practitioners  have pierced the veil by stating the obvious; they are dependent on their suppliers to indicate if a software product is safe from risk and the evidence they provide, "the attestation", MUST clearly demonstrate that the vendor did indeed check each SBOM component in their software product for vulnerabilities and other risks.  I agree, a "believable attestation" should serve as sufficient evidence to silence auditors. However, saying that an attestation alone is sufficient may be challenged by an auditor if the attestation fails the "believability test". 

So, is the S4 crowd correct in their observations that an attestation from a software vendor is sufficient evidence to prove due diligence and adherence to cybersecurity controls - YES if the attestation is believable, meaning that it clearly shows that a software vendor performed their duties in searching for and addressing each reported vulnerability at the SBOM component level. Does such an attestation exist? YES, it's called an SBOM Vulnerability Disclosure Report (SBOM VDR), that lists the vulnerability search results of each SBOM component along with vendor findings and exploitability status for each reported vulnerability.  

Many thanks to Dale Peterson for providing the cybersecurity community with this magnificent opportunity to validate the wisdom of crowds at S4.