Introducing the First Virtual Conference for Product Security - Left to Our Own Devices: The Conference.
Tom Alrich

#7: Tom Alrich: VEXs and Supply Chain Cybersecurity

The Supply Chain Cybersecurity and SBOM thought leader shares his thoughts and insights

We sat down with the veteran consultant and blogger to learn from his vast experience about supply chain security, SBOMs, VEXs, and how they all tie together.

A few notes about the episode from our guest Tom Alrich

  • “NERC” stands for the North American Electric Reliability Corporation. They develop and audit the NERC CIP cybersecurity standards, among other standards for the power industry.
  • I said repeatedly that SBOMs are useless unless they can be read by a machine. That isn’t completely accurate. The JSON or XML code in which SBOMs and VEXes are written can certainly be read by human beings (and there are open source readers that will make the information more presentable). If there were, say, just ten components in the average SBOM, this would be a workable solution. However, the average SBOM has around 150 components, and many SBOMs have thousands of components. When dealing with those numbers, it’s almost impossible to really utilize SBOMs for software risk management without an automated tool or a third-party service that utilizes such tools.
  • The URL for the Fortress Information Security white paper on consumption of SBOMs is here. Note you’ll have to provide your name, email address and industry to receive the paper, but that’s a small price to pay for this.
  • Regarding “low-quality SBOMs”, one thing that greatly reduces the quality of SBOMs is the naming problem, which I discussed in this post. 80% of component names in an SBOM will be useless for looking up vulnerabilities in the NVD. This is literally the biggest problem facing SBOMs. That’s why a group of us (including Steve Springett, whom I mentioned in the podcast, and who also has a Cybellum podcast available) is working on a solution to this problem. This problem is already solved from a technical point of view; it’s now really a political problem, but even that is soluble. I’m optimistic we’ll at least have the way to a solution identified soon. Then people inside the government will need to take up the banner so this can be addressed once and for all.
  • The Dependency-Track project is currently the only open-source tool that will ingest SBOMs and look up vulnerabilities for the components in vulnerability databases. It is being heavily used now by software suppliers, who use it for vulnerability management for components in their own products. It will soon ingest VEX documents (in the CycloneDX VEX format) as well.
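The notes above make three points that are easiest to see in code: an SBOM is machine-readable JSON, a component without a proper package identifier cannot be looked up in a vulnerability database, and a VEX document tells the consumer which of the vulnerabilities matched to those components actually need action. The script below is an added example for this page, not code from the episode, from Tom Alrich or from the Dependency-Track project. It joins a constructed CycloneDX 1.4 SBOM to a constructed CycloneDX VEX by `bom-ref`, reports components that have no purl (the naming problem), reports VEX entries that point at nothing in the SBOM, and lists the vulnerability ids still open after the supplier's analysis is applied. The component names, purls and `CVE-0000-0000x` ids are placeholders invented for the example; the field names follow the CycloneDX JSON schema as I understand it.

```python
import json

# Constructed CycloneDX 1.4 SBOM for a fictional product (example data, not any
# real vendor's SBOM). The second component deliberately lacks a purl to show
# the naming problem: without a package URL there is nothing to look up in the NVD.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/libA@1.2.3",
     "name": "libA", "version": "1.2.3",
     "purl": "pkg:maven/org.example/libA@1.2.3"},
    {"type": "library", "bom-ref": "comp-2",
     "name": "parser", "version": "0.9"},
    {"type": "library", "bom-ref": "pkg:npm/example-http@4.0.1",
     "name": "example-http", "version": "4.0.1",
     "purl": "pkg:npm/example-http@4.0.1"}
  ]
}
'''

# Constructed CycloneDX VEX for the same product. The vulnerability ids are
# placeholders, not real CVEs. Each entry names the affected component by
# bom-ref and carries the supplier's analysis state.
VEX_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-0000-00001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:maven/org.example/libA@1.2.3"}]},
    {"id": "CVE-0000-00002",
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:npm/example-http@4.0.1"}]},
    {"id": "CVE-0000-00003",
     "analysis": {"state": "in_triage"},
     "affects": [{"ref": "pkg:npm/not-in-sbom@1.0.0"}]}
  ]
}
'''

# Analysis states that still need work on the consumer side. The others
# (not_affected, resolved, resolved_with_pedigree, false_positive) can be closed.
OPEN_STATES = {"exploitable", "in_triage"}


def components_by_ref(sbom):
    """Index SBOM components by bom-ref so VEX entries can be joined to them."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def unidentifiable_components(sbom):
    """Names of components with no purl: these cannot be matched against the NVD."""
    return sorted(c["name"] for c in sbom.get("components", []) if not c.get("purl"))


def join_vex(sbom, vex):
    """Join a VEX document to an SBOM.

    Returns (findings, dangling): findings maps each vulnerability id to
    {"state": ..., "components": [names]}; dangling lists VEX refs that do
    not resolve to any component in the SBOM (a sign of a mismatched pair).
    """
    index = components_by_ref(sbom)
    findings, dangling = {}, []
    for vuln in vex.get("vulnerabilities", []):
        # An entry with no analysis yet is treated as still open (my choice here).
        state = vuln.get("analysis", {}).get("state", "in_triage")
        names = []
        for target in vuln.get("affects", []):
            comp = index.get(target["ref"])
            if comp is None:
                dangling.append(target["ref"])
            else:
                names.append(comp["name"])
        findings[vuln["id"]] = {"state": state, "components": sorted(names)}
    return findings, sorted(dangling)


def actionable(findings):
    """Vulnerability ids the consumer still has to act on after applying the VEX."""
    return sorted(vid for vid, f in findings.items() if f["state"] in OPEN_STATES)


def run():
    """Parse both documents and return the consumer-side summary as one dict."""
    sbom, vex = json.loads(SBOM_JSON), json.loads(VEX_JSON)
    findings, dangling = join_vex(sbom, vex)
    return {
        "unidentifiable": unidentifiable_components(sbom),
        "findings": findings,
        "dangling": dangling,
        "actionable": actionable(findings),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Run as-is, the script reports `parser` as unidentifiable, closes CVE-0000-00001 because the supplier marked it `not_affected`, keeps CVE-0000-00002 open as `exploitable`, and flags CVE-0000-00003 both as open and as referring to a component the SBOM does not contain. A real consumer would replace the constructed VEX with one fetched from the supplier and feed the identifiable purls to a vulnerability database lookup, which is the step the tooling mentioned in the notes automates.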

About Tom Alrich

Tom Alrich is a well-known independent consultant and blogger on supply chain cybersecurity and software bills of materials, for the electric power and other industries. Tom has consulted in these areas since 2008, working previously for Honeywell and Deloitte. Since 2018, Tom has been an independent consultant.

Tom has especially focused on software supply chain cybersecurity in the past two years and has been an active volunteer participant and group leader in both the NERC Supply Chain Working Group and the US government’s Software Component Transparency Initiative, formerly under the NTIA, but now under CISA. His widely-followed blog is called Tom Alrich’s Blog. Tom lives in Evanston, Illinois and has a BA in Economics from the University of Chicago.