I'm with you on the rest of the thread, but what is the argument against a bill of materials? I think I like the idea, it would certainly make my work easier. It's a niche value, and probably wouldn't be useful for most people, but that's also true of nutrition labels.
Replying to @taviso
Superficially, it looks easy, since we are listing the major components of software already anyway, for license purposes. But a bill of materials will mean going down to a deep level, listing every little component, every theoretical dependency.
Replying to @ErrataRob @taviso
For example, everybody using a Linux kernel will have to list every device driver included in the kernel. The userland part will have to list every piece of software in userland.
Replying to @ErrataRob
I would expect a useful bom to just say "linux 3.12.8", your argument is that it's too complicated to codify how that should be formulated? I agree it's not simple, but it seems surmountable, no?
Replying to @taviso
So when I report a vuln in a USB driver, does "linux 3.12.8" help? How do I know whether the vendor included that driver or not? If the bom is too high level, it's not much use. To be of use, it needs to be extremely low level, an overwhelming amount of effort.
Replying to @ErrataRob
Ah, I see now - you see bom as a way to check if something contains a flaw just by looking at a table. You're right, that is clearly never going to work. I saw it differently, a way to speed up audits and assess attack surface.
Replying to @taviso
While it would help your audits, it'll be a pox on corporate audits, filling them with information they cannot meaningfully act upon. Cybersec is already full of unactionable data companies cannot use, yet cannot bear to do without.
Replying to @ErrataRob
I agree it's of niche value - but wouldn't that argument also work against nutrition labels? Unactionable isn't the right word here, it would reduce the cost of an assessment. Sure, most people don't want that, but most people don't care how much fiber is in peanut butter.
Replying to @taviso
I think we are still debating shallow vs. deep B.O.M.s here. Nutrition labels are extremely shallow and reflect arbitrary measurements. They don't measure radiation dosage, for example. If they did, bananas would become a lot less popular.
Replying to @ErrataRob @taviso
But proponents of software BOMs aren't asking for superficial lists, but detailed lists of everything that goes into a product.
I see. In that case, we're in agreement, I don't think that's a good idea.
Replying to @taviso @ErrataRob
*coughs* interesting points, but I believe BOMs and nutrition labels are a good idea. Implementation complexities aside (for both), what viable alternatives exist to establish even the most minimum of requirements in some repeatable, quantitative fashion?
Replying to @SushiDude @ErrataRob
Do you have an example of the bom that you're advocating for? I can imagine one that I think would be a good idea, maybe Rob is describing a caricature of what people are really suggesting!
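The shallow-versus-deep point argued above, worked through in code. This is an added example, not something either participant posted: a single advisory lookup is run against two bills of materials for the same hypothetical appliance, one that says only "linux 3.12.8" and one that also lists the kernel drivers and BusyBox applets actually built in. The BOM shape, the driver and applet names, the versions and the advisories are all constructed for the illustration and are not real CVEs or real products.

```python
"""Shallow vs. deep bill of materials: what an advisory lookup can and cannot
answer at each granularity. Every BOM, component and advisory below is
constructed for illustration; the driver, applet and version names are
hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

AFFECTED = "affected"
NOT_AFFECTED = "not affected"
UNKNOWN = "unknown"  # the BOM is too shallow to answer the question


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.12.8' -> (3, 12, 8). Numeric dotted versions only (an assumption)."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    # Sub-components actually built into this package (kernel drivers compiled
    # in or shipped as modules, BusyBox applets, ...). Empty in a shallow BOM.
    parts: frozenset = frozenset()


@dataclass(frozen=True)
class Advisory:
    component: str              # package the bug lives in
    fixed_in: str               # first version that carries the fix
    part: Optional[str] = None  # sub-component affected; None = whole package


def assess(bom: Tuple[Component, ...], adv: Advisory) -> str:
    """Decide whether a product described by `bom` is affected by `adv`."""
    comp = next((c for c in bom if c.name == adv.component), None)
    if comp is None:
        # Trusting the BOM to be complete: the package is not shipped at all.
        return NOT_AFFECTED
    if parse_version(comp.version) >= parse_version(adv.fixed_in):
        return NOT_AFFECTED
    if adv.part is None:
        return AFFECTED
    if not comp.parts:
        # "linux 3.12.8" alone cannot say whether this driver was built in.
        return UNKNOWN
    return AFFECTED if adv.part in comp.parts else NOT_AFFECTED


def triage(bom: Tuple[Component, ...], advisories: Tuple[Advisory, ...]) -> dict:
    """Bucket a batch of advisories: how much of the list is actionable."""
    counts = {AFFECTED: 0, NOT_AFFECTED: 0, UNKNOWN: 0}
    for adv in advisories:
        counts[assess(bom, adv)] += 1
    return counts


# Constructed BOMs for the same hypothetical appliance.
SHALLOW_BOM = (
    Component("linux", "3.12.8"),
    Component("busybox", "1.22.1"),
)
DEEP_BOM = (
    Component("linux", "3.12.8",
              parts=frozenset({"usb-storage", "ehci-hcd", "e1000e", "ext4"})),
    Component("busybox", "1.22.1",
              parts=frozenset({"sh", "wget", "httpd"})),
)

# Constructed advisories (not real CVEs).
ADVISORIES = (
    Advisory("linux", fixed_in="3.12.9", part="usb-serial"),   # driver not built in
    Advisory("linux", fixed_in="3.12.9", part="usb-storage"),  # driver built in
    Advisory("linux", fixed_in="3.12.9"),                      # core kernel bug
    Advisory("linux", fixed_in="3.12.8"),                      # already fixed
    Advisory("busybox", fixed_in="1.23.0", part="telnetd"),    # applet not built in
    Advisory("openssl", fixed_in="1.0.2"),                     # package not shipped
)

if __name__ == "__main__":
    for label, bom in (("shallow", SHALLOW_BOM), ("deep", DEEP_BOM)):
        print(label, triage(bom, ADVISORIES))
```

Against the shallow BOM, three of the six advisories come back as "unknown": the kernel version matches, but nothing in the BOM says whether the named driver or applet was built. The deep BOM resolves all three, two of them to "not affected", which is the audit speed-up one side of the thread wants, at the cost of the much longer component list the other side objects to.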