Open Supplychain Information Modeling TC


PR 75,76 on supply chain use cases


    Posted 03-30-2025 15:25

    I propose to discuss, and ideally approve, two pull requests at Tuesday's meeting.

    PR75  creates another subdirectory in use cases for broader supply chain use cases so that we can show the value of OSIM within the context of the broader supply chain use cases.

    PR76 is the first of 13 use cases I propose to put in this directory.  The text is virtually verbatim (but not entirely: some formatting and minor editorial changes to fit the context of the OSIM TC) from "Improving Risk Management Decisions with SBOM Data", which is a public domain document drafted by the CISA SBOM Community Working Group on BOMOPS.

    I intend to submit the other 12 use cases as well but didn't want to go to the trouble if the whole idea was panned. We can discuss further at the meeting.

    The 13 use cases are:

    Most Mature / Broadest Applicability

    1. Pre-deployment Common Vulnerabilities and Exposures (CVE) vulnerabilities: Discover vulnerabilities in software products before release.

    2. Post-deployment CVE vulnerabilities: Discover vulnerabilities in software products after release.

    3. Open source (OS) licensing risks: Determine if open source licensing of components presents risks to an organization.

    4. EOL and non-maintained component alerting: Identify software packages near End of Life to plan upgrades or replacement.

    5. Pre-purchase risk assessment: Assess software for risks prior to purchase or acquisition.

    6. Component usage across an organization: Identify all software components used and their prevalence in an organization.

    Moderately Mature / Moderate Applicability

    1. Incident response: Identify all applications that depend on a component involved in a security incident.

    2. Mergers and Acquisitions (M&A) and Investment risk assessment: Assess risks in target software prior to mergers, acquisitions, or investment by a third party.

    3. Verification of accessory software: Verify that all accessory components are included with core software's SBOMs, and analyze accessories for security, licensing and compliance risks.

    4. Differences in components between builds or versions: Discover how components differ between software builds or software versions.

    Least Mature / Focused Applicability

    1. Conformance with disparate Governance, Regulatory, and Compliance (GRC) specifications: Comply with disparate regulations and contract requirements for SBOMs or software inventories.

    2. Integrity and threat management for Operational Technology (OT) and isolated networks: Standardize and streamline version and dependency management across network boundaries to minimize attack surface and other risks.

    3. Field servicing of software-enabled devices: To assist maintenance and troubleshooting, field service representatives compare a previously-generated SBOM of a device to data collected from an operationally deployed device.



    ------------------------------
    Duncan Sparrell
    Chief Cyber Curmudgeon
    sFractal Consulting LLC
    Oakton VA
    703-828-8646
    ------------------------------
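Two of the use cases listed in the post, "Incident response" (find every application that depends on a component involved in an incident) and "Differences in components between builds or versions", worked on SBOM data. This is an added example, not code from the OSIM TC, the PRs, or the CISA BOMOPS document. It assumes only a small subset of CycloneDX JSON fields (metadata.component, components[].purl/name/version, and the optional dependencies[] graph of bom-ref to dependsOn); the four SBOMs below are constructed sample data with hypothetical component names, not real inventories.

```python
"""Added example: SBOM-driven incident response lookup and build-to-build
component diff over constructed CycloneDX-style documents (hypothetical data)."""


def _purl(name, version):
    # Hypothetical package URLs; real SBOMs carry ecosystem-specific purls (pkg:npm/..., pkg:maven/...).
    return f"pkg:generic/{name}@{version}"


def _sbom(app, version, components, dependencies=None):
    """Build a minimal CycloneDX 1.5-shaped SBOM (constructed sample, only the fields used here).
    bom-ref of each component is its purl, a common convention that lets dependency refs
    be matched to purls directly. dependencies=None models an SBOM that ships no graph."""
    doc = {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": app, "version": version, "bom-ref": f"app:{app}@{version}"}},
        "components": [{"bom-ref": _purl(n, v), "name": n, "version": v, "purl": _purl(n, v)}
                       for n, v in components],
    }
    if dependencies is not None:
        doc["dependencies"] = [{"ref": ref, "dependsOn": deps} for ref, deps in dependencies.items()]
    return doc


# Constructed inventory: two builds of one service plus two other services.
BILLING_V1 = _sbom("billing-service", "1.0",
                   [("web-framework", "3.1"), ("json-parser", "1.4.0"), ("tls-shim", "0.9")],
                   {"app:billing-service@1.0": [_purl("web-framework", "3.1"), _purl("json-parser", "1.4.0")],
                    _purl("web-framework", "3.1"): [_purl("tls-shim", "0.9")]})
BILLING_V2 = _sbom("billing-service", "1.1",
                   [("web-framework", "3.2"), ("json-parser", "1.5.0"), ("tls-shim", "0.9"), ("metrics-agent", "2.0")],
                   {"app:billing-service@1.1": [_purl("web-framework", "3.2"), _purl("json-parser", "1.5.0"),
                                                _purl("metrics-agent", "2.0")],
                    _purl("web-framework", "3.2"): [_purl("tls-shim", "0.9")]})
# Flat SBOM with no dependencies[] graph, as many generated SBOMs are.
REPORTING = _sbom("reporting-service", "4.2", [("json-parser", "1.4.0"), ("pdf-render", "7.0")])
INVENTORY = _sbom("inventory-service", "2.0", [("web-framework", "3.1"), ("tls-shim", "0.9")],
                  {"app:inventory-service@2.0": [_purl("web-framework", "3.1")],
                   _purl("web-framework", "3.1"): [_purl("tls-shim", "0.9")]})
ALL_SBOMS = [BILLING_V1, BILLING_V2, REPORTING, INVENTORY]


def components_by_name(sbom):
    """Map component name -> version for everything listed in components[]."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def diff_components(old, new):
    """Use case: differences in components between builds or versions.
    Returns added names, removed names, and name -> (old_version, new_version) for changes."""
    a, b = components_by_name(old), components_by_name(new)
    return {
        "added": sorted(n for n in b if n not in a),
        "removed": sorted(n for n in a if n not in b),
        "changed": {n: (a[n], b[n]) for n in sorted(a) if n in b and a[n] != b[n]},
    }


def transitive_dependencies(sbom):
    """All bom-refs reachable from the application's own bom-ref via dependencies[]."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, stack = set(), [sbom["metadata"]["component"]["bom-ref"]]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def applications_affected(sboms, purl):
    """Use case: incident response. Every application whose SBOM carries `purl`,
    with how it is reached: direct, transitive, or merely listed when the SBOM has
    no dependency graph (the component ships, but the path to it is unknown)."""
    hits = []
    for sbom in sboms:
        app = sbom["metadata"]["component"]
        if purl not in {c["purl"] for c in sbom.get("components", [])}:
            continue
        if not sbom.get("dependencies"):
            how = "listed (no dependency graph)"
        else:
            graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
            if purl in graph.get(app["bom-ref"], []):
                how = "direct"
            elif purl in transitive_dependencies(sbom):
                how = "transitive"
            else:
                how = "listed but unreachable"  # inventory artifact or stale component entry
        hits.append((app["name"], app["version"], how))
    return hits


if __name__ == "__main__":
    print("billing-service 1.0 -> 1.1:", diff_components(BILLING_V1, BILLING_V2))
    for incident_purl in (_purl("tls-shim", "0.9"), _purl("json-parser", "1.4.0")):
        print(incident_purl, "->", applications_affected(ALL_SBOMS, incident_purl))
```

The "listed (no dependency graph)" outcome is the practical caveat: an SBOM without a dependencies section still answers "do we ship it?" but not "how is it reached?", so triage of such entries has to fall back to other evidence. Matching is by exact purl here; a real incident query would usually widen to a name plus a version range.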