Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Software Bill of Service

    This message was posted by a user wishing to remain anonymous
    Posted 08-08-2023 06:42 PM
    This message was posted by a user wishing to remain anonymous


    Have people been receiving Software Bills of Service when requesting diligence documentation from their tech vendors? If so, what are you doing with these? Do you have a way to import the information on these to be used later? We are looking for a way to export the information from these documents to be used later in case there happens to be a breach (or something similar) so we can quickly search all of these fourth party vendors.


  • 2.  RE: Software Bill of Service

    Posted 08-17-2023 02:09 PM

    Hello, thank you for your question.

    I think you're referring to software bill of materials (SBOM). With this assumption as a jumping off point, here is what I recommend… First, SBOMs are described as a "nested inventory that make up software components."

    How they would be used by the organization or the consumer? This information can be used in Sourcing's RFP process for selecting a vendor towards software product creation.

    A software bill of materials, or SBOM, sheds light on an application's contents and code origins, and, when paired with vulnerability management tools, can help identify vulnerabilities and highlight risk for subsequent mitigation.

    • The reasons a person would want to retain such information – Damage and risk mitigation
    • The cost of not locating and addressing a security vulnerability only serves to highlight and stress the need for SBOMs; the reputational fallout can be devastating to a company when a supply chain attack occurs. Pulling in code from unknown repositories increases the potential for vulnerabilities that can be exploited by hackers. Two recent cyberattacks, namely the SolarWinds and log4j attack, affected supply chain software vendors. Risk Mitigation

    In order to identify software application dependencies, risk needs to be identified and evaluated from the start to finish in software supply chain management.

    According to the blog cited below - SBOMs are important because they:

    I can't provide information on capturing and reporting that data because of the variation of systems and your organization's capabilities.

    Make sure to loop in your organization's cybersecurity team for identifying which information should be captured and reported in the event of a breach or other cybersecurity event.





    I'd love to hear other members' thoughts.