newcomputerwhodis

0 followers   follows 0 users
joined 2024 August 22 21:42:26 UTC

User ID: 3218

No bio...

An SBOM is a great thing... for projects that have dependencies. My employer has gone in too hard on trying to have as many stampable "we do X!" as they can to be safe and good and please other businesses, even in cases where it makes no sense. My little division works in a very special environment that has effectively zero available third-party libraries. This has been true for over a decade - we are our own special corner. And yet! We must now have an SBOM (it's blank) and do a scan for known third-party vulnerabilities (always zero) and pass a license compatibility check (no licenses but the one we put on our own stuff) and so on and so on. It's not that onerous, but it's extremely annoying to know that we are forced to waste some small slice of our time and effort keeping green flags for so many checkmarkables that we could not possibly fail. All this, and the cherry on top is that each component we make (none of which bring in any third-party code) has to pass all these individually, and then the final product again has to pass them all - the final product made entirely and exclusively of the components we are already (pointlessly) checking.

Yes, compliance team, I understand the importance of validating third-party code and the possibility of security issues! We just don't have any!