
Talk:Software supply chain: Difference between revisions

From Wikipedia, the free encyclopedia
m Martin.monperrus moved page Talk:Software bill of materials to Talk:Software supply chain: move to the key umbrella concept "Software supply chain"
Another good source of information for this is proceedings from the SSCA aka Software Supply Chain Assurance forum hosted by NIST as well as DoD, DHS, Mitre, and GSA. It's held a few times each year and is free and open to the public. I'll be pulling some of this material as well as the NTIA materials. https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/SSCA [[User:CodeCurmudgeon|CodeCurmudgeon]] ([[User talk:CodeCurmudgeon|talk]]) 23:00, 26 February 2020 (UTC)

== SBOM is becoming mandatory ==

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ [[Special:Contributions/134.247.251.245|134.247.251.245]] ([[User talk:134.247.251.245|talk]]) 13:50, 26 July 2022 (UTC)

Revision as of 13:50, 26 July 2022


Proposal for deletion

A "software" bill of materials (BOM) is called a list of dependencies, or a list of dependent packages. The BOM terminology is widely used in supply chain, but, afaik, largely obscure in software affairs. Also, some (most?) references given in the page are actually linking back to materials that are associated with regular supply chain BOMs, not software ones. While being fairly knowledgeable in both software and supply chain, I have never seen this term used anywhere. Not sure who came up with this page, but I believe it does not belong here. --Joannes Vermorel (talk) 13:50, 26 February 2020 (UTC)

It's certainly an issue of current interest and research. UL 2900 includes SBOM instructions. NTIA, FDA, DoD, Mitre and others are actively working on guidelines in this area for the US government. CodeCurmudgeon (talk) 16:58, 26 February 2020 (UTC)
I haven't had a chance to work in the newer materials yet, but I'll start gathering a few resources here until I have a chance to work on the article. CISQ is working with OMG to have an SBOM that works with NTIA https://www.it-cisq.org/software-bill-of-materials/ CodeCurmudgeon (talk) 22:52, 26 February 2020 (UTC)
Bob Martin of Mitre did this presentation at the Software Supply Chain Assurance Forum (hosted by NIST, DoD, DHS) last spring https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/8MayAM2.3_Software_Bill_of_Materials_Robert_Martin_05_08_19_clean.pdf CodeCurmudgeon (talk) 22:54, 26 February 2020 (UTC)
NTIA survey of existing SBOM formats (meaning SBOM is indeed in use enough to have multiple formats) https://www.ntia.doc.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_2019_0904.pdf CodeCurmudgeon (talk) 22:55, 26 February 2020 (UTC)
NTIA working group paper Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM), NTIA Multistakeholder Process on Software Component Transparency, Framing Working Group https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf CodeCurmudgeon (talk) 22:57, 26 February 2020 (UTC)

SSCA is a government forum covering supply chain

Another good source of information for this is proceedings from the SSCA aka Software Supply Chain Assurance forum hosted by NIST as well as DoD, DHS, Mitre, and GSA. It's held a few times each year and is free and open to the public. I'll be pulling some of this material as well as the NTIA materials. https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management/SSCA CodeCurmudgeon (talk) 23:00, 26 February 2020 (UTC)

SBOM is becoming mandatory

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 134.247.251.245 (talk) 13:50, 26 July 2022 (UTC)