From 754d1b43db7ab4a6c1bd558c846071f205d4ebc9 Mon Sep 17 00:00:00 2001 From: Randall Date: Sat, 20 Aug 2022 19:44:25 -0700 Subject: [PATCH] Add `Current Barriers to Adoption` section --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 9c941fd..43240b5 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,14 @@ The Federal Government exists at every point of the Software Delivery Lifecycle, - ![](https://www.nist.gov/sites/default/files/styles/2800_x_2800_limit/public/images/2021/07/09/software-verification-timeline.png) - [Minimum Standards for Federal Government End Users](https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/recommended-minimum-standard-vendor-or-developer) +## Current Barriers to Adoption + +- Community Adoption + - Every single software supplier must provide a comprehensive, accurate, and up-to-date SBOM for every single software product they offer, commercial or open-source. If a supplier does not provide a complete, accurate, and up-to-date SBOM; then downstream consumers will have a harder time meeting SBOM requirements and identify vulnerabilities in their software. +- Standards Diversion + - There are many different standards for SBOMs, and vendors are free to choose the best one for their use case. This can cause certain interoperability issues between certain formats, depending on the situation. +- SBOM Security + - SBOMs need to be secured from tampering and tampering attacks. This is currently usually done through DevSecOps tooling, performing integration checking and digital signature verification. Currently, there is limited guidance and open-source tooling available to ensure that SBOMs are secure. ## **Prior Work**