Cloud Controls Matrix

Hi All,

The Linux Foundation recently published a Software Bill of Materials (SBOM) and Cybersecurity Readiness Report

This report talks extensively about SBOM readiness as well as
the level of SBOM production and consumption. These questions
were designed to identify where organizations are in their SBOM
journey, ranging from no interest to planning to various stages
of adoption. Because SBOM readiness was the best overall identification of SBOM adoption,
we consolidated responses to this
question into three categories: SBOM procrastinators, SBOM
early adopters, and SBOM innovators. Respondents self-selected
the category they were reported under. For details on how
these categories mapped to SBOM readiness responses, see the
Methodology section of this report.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------

In the context of 'cloud security' and SBOM:

This paper indicates "The most pressing issue [is] the need for industry consensus on best practices to integrate the production and consumption of SBOMs into software development". I think this holds doubly true in a cloud environment. Do we even agree that a "bill of materials" is the key factor when trusting a SaaS? How does an SBOM inform the development and trust of pure cloud offers composed of other cloud offers? My sense is that the basic SBOM components discussion, although interesting in its own right, isn't particularly informative to the more cloud specific hurdles facing cloud assurance frameworks.

At another point the paper indicates, "The primary purpose of SBOMs is to uniquely and unambiguously identify components and their relationships to one another" (emphasis mine). 

I think these relationships are the area with the most potential in SBOM4cloud. A structured format for articulating and evaluating the relationships and data flows between cloud, and internal, components is a prerequisite for risk management, threat modeling, or vendor security assessments. Structured solutions in this space will enhance automated assessment frameworks and also inform human assessments. I think this an under-defined space with large opportunities for a cloud focused organization to lead in. 


------------------------------
Max Pritikin
Principal Engineer
Cisco
------------------------------

Original Message:
Sent: Feb 08, 2022 02:29:25 AM
From: Michael Roza
Subject: Linux Foundation Software Bill of Materials (SBOM) and Cybersecurity Readiness

Hi All,

The Linux Foundation recently published a Software Bill of Materials (SBOM) and Cybersecurity Readiness Report

This report talks extensively about SBOM readiness as well as
the level of SBOM production and consumption. These questions
were designed to identify where organizations are in their SBOM
journey, ranging from no interest to planning to various stages
of adoption. Because SBOM readiness was the best overall identification of SBOM adoption,
we consolidated responses to this
question into three categories: SBOM procrastinators, SBOM
early adopters, and SBOM innovators. Respondents self-selected
the category they were reported under. For details on how
these categories mapped to SBOM readiness responses, see the
Methodology section of this report.

------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------