
Richard "Dick" Brooks

Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things

[UPDATE July 23, 2023] I'm happy to announce the successful completion of the IETF SCITT Hackathon demonstration, which showed how a SCITT Trust Registry can be used to exchange trustworthy software supply chain information, such as SBOMs, Vulnerability Disclosure Reports (VDR) and links to the Cyber Security Trust Labels needed for a C-SCRM risk assessment. A SCITT Trust Registry works like a "Registry of Deeds": only trusted information is allowed into the registry, and software consumers can download what is registered there.

Trey Herr, I would be happy to discuss any or all of these additional insights, if interested.

This article makes some good points, but it fails to mention some of the most significant recent achievements and uses of SBOM, for example:

SBOM is vitally important for software consumers to proactively monitor for software risk, using a "left of bang" approach that lets a consumer shrink the window of susceptibility when new vulnerabilities are reported.

The SPDX Community within the Linux Foundation has actively engaged in SBOM interoperability testing over the past two years and has seen improvements in SBOM quality with each DocFest iteration. The SPDX Version 2.3 spec was recently updated to enable the linking of an SBOM with an online, living Vulnerability Disclosure Report that the software vendor updates whenever a new vulnerability is reported, following NIST guidance (see the link in the SPDX spec for the NIST information). This "active online living VDR" enables a consumer to answer the question "Is my software vulnerable as of right now?" whenever a new vulnerability is reported. NIST has taken a leadership role in helping the community understand how to apply SBOM and other supply chain activities aimed at assessing risk in the software supply chain. A big thank you to NIST for your hard work and superior guidance.
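To make the SBOM-to-VDR link concrete from the consumer's side, here is an added example (not code from the post, the SPDX project, or NIST) that reads an SPDX 2.3 JSON document and reports which packages do not carry a SECURITY external reference pointing at a vulnerability disclosure page. The sample SBOM, its package names and the vendor URL are constructed for the example; treating the SPDX 2.3 SECURITY reference types `advisory` and `url` as the carriers of a VDR link is this example's assumption, not something the post states.

```python
"""Consumer-side check: which packages in an SPDX 2.3 JSON SBOM carry a
SECURITY external reference to an online vulnerability disclosure page?"""
import json

# Constructed sample SPDX 2.3 JSON document; the product, library and
# vendor URL are fictitious and exist only for this example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-product-sbom",
    "packages": [
        {
            "name": "example-product",
            "SPDXID": "SPDXRef-Package-product",
            "versionInfo": "1.4.2",
            "externalRefs": [
                {
                    # SECURITY/advisory: the vendor's living VDR page.
                    "referenceCategory": "SECURITY",
                    "referenceType": "advisory",
                    "referenceLocator": "https://vendor.example/security/vdr/example-product",
                }
            ],
        },
        {
            "name": "bundled-lib",
            "SPDXID": "SPDXRef-Package-lib",
            "versionInfo": "0.9.0",
            "externalRefs": [
                {
                    # Only a package-manager locator, no disclosure link.
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:generic/bundled-lib@0.9.0",
                }
            ],
        },
    ],
})

# Assumption: these SPDX 2.3 SECURITY reference types are where a vendor
# would publish the link to its vulnerability disclosure report.
VDR_REFERENCE_TYPES = {"advisory", "url"}


def security_links(sbom_text):
    """Map each package SPDXID to the HTTPS disclosure links it declares."""
    doc = json.loads(sbom_text)
    links_by_package = {}
    for pkg in doc.get("packages", []):
        links = [
            ref["referenceLocator"]
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceCategory") == "SECURITY"
            and ref.get("referenceType") in VDR_REFERENCE_TYPES
            # Require HTTPS so the consumer fetches the report over TLS.
            and ref.get("referenceLocator", "").startswith("https://")
        ]
        links_by_package[pkg["SPDXID"]] = links
    return links_by_package


def packages_without_vdr(sbom_text):
    """Packages a consumer cannot monitor through a vendor disclosure link."""
    return sorted(pkg for pkg, links in security_links(sbom_text).items() if not links)


if __name__ == "__main__":
    for pkg, links in security_links(SAMPLE_SBOM).items():
        print(pkg, "->", links or "NO DISCLOSURE LINK")
    print("Packages to chase up with the vendor:", packages_without_vdr(SAMPLE_SBOM))
```

A consumer would run this over every SBOM received, then poll the returned links on a schedule; packages listed by `packages_without_vdr` are the ones whose "is it vulnerable right now?" question cannot be answered from the SBOM alone.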

The Internet Engineering Task Force (IETF) Supply Chain Integrity, Transparency and Trust (SCITT) initiative is holding a hackathon on July 22-23 in San Francisco showing how a SCITT Trust Registry can be used to share trusted, verifiable SBOM and Vulnerability Disclosure Report artifacts and other information, such as Cybersecurity Trust Labels for IoT devices. A SCITT Trust Registry operates like a "Registry of Deeds", where only trusted information is allowed to be registered. Consumers query a SCITT Trust Registry to view verifiable, trusted, registered cybersecurity information and Cybersecurity Labels for IoT devices and other software. The hackathon will show actual running code; no simulators will be used.

The SBOM developer communities continue to evolve and enhance SBOM capabilities through advanced tooling and close collaboration. Many thanks to all of the contributors to the SPDX and CycloneDX SBOM communities, and to the IETF SCITT work group for showing how to effectively share trusted SBOMs and other software supply chain artifacts using real running code, by posting "Vendor Response File" (VRF) information in a trusted SCITT Registry. I also need to recognize the good work of CISA's ICT_SCRM Task Force for their contributions to advancing SBOM adoption and use among small and medium businesses.