Tom Alrich On All Things SBOM

Walid Khatib

56 min
Knowledge

Description

Tom Alrich dives deep on the items he works on and writes about. For a long time it was NERC CIP, and he recently added SBOMs to his repertoire. We go deep and I think the business model portion may be the best and most accessible part of the episode.

1:21 The 2 main SBOM formats. Their differences and what will win.

12:30 VEX ... identifying what vulnerabilities in the SBOM are exploitable

24:00 What EO 14028 will require the USG to do with SBOMs in August

34:00 Who and how SBOMs will be provided and used. Business models.

Links

Tom Alrich's Blog: https://tomalrichblog.blogspot.com

Tom's Who Should Be Responsible article: https://tomalrichblog.blogspot.com/2021/12/who-should-be-responsible-for-component.html

Subscribe to Dale's ICS Security - Friday News & Notes: https://friday.dale-peterson.com/signup/

Creators

lila_trip

Creator