Post B1940BbGZ8C4QS7JA0 by xchange@chaos.social
 (DIR) Post #B1940AgBzKXXZRPjCS by Tarah@infosec.exchange
       0 likes, 2 repeats
       
       If you have a risk register, and your organization does not have an SBOM for your built apps, the lack of an SBOM goes in your risk register. If you don't have a risk register, make one, and add your lack of SBOMs to it.
       
 (DIR) Post #B1940BbGZ8C4QS7JA0 by xchange@chaos.social
       0 likes, 0 repeats
       
       @Tarah but where would the lack of a risk register go?
       
 (DIR) Post #B194GcLCuXotzjRN6O by tezoatlipoca@mas.to
       0 likes, 0 repeats
       
       @Tarah A long time ago our build toolchain spit out a VDD, which amongst other useful knowledge about each build carried a comprehensive list of component libraries, modules etc., exactly what an SBOM is. When we migrated svn->git and nant->whatever we use now, they wanted to ditch that because it required a teeny bit of maint. I said "yeah, but we get an SBOM for free and (besides being good SCM) that's gonna matter to someone eventually." They ditched it. 1/
       
 (DIR) Post #B1956uQyt0mJAT4lCi by AwkwardTuring@infosec.exchange
       0 likes, 1 repeats
       
       @Tarah coming from ISMS & vuln Management: No SBOM - no vulnerability alerts. Have fun getting your shit hacked, friend.
       
 (DIR) Post #B19Cvct4aHcbC9LXFo by mweiss@infosec.exchange
       0 likes, 1 repeats
       
       @AwkwardTuring @Tarah but no alerts means everything is fine, right? 😉
       
 (DIR) Post #B19TvsNChqH4Rd92NU by Epic_Null@infosec.exchange
       0 likes, 2 repeats
       
       @xchange @Tarah Nowhere. You stick a piece of paper on the wall titled "Risk Register" and write "Inadequate Risk Register"