ICYMI: SEI has announced the details for the SBOM Harmonization Plugfest, including 8 targets in different languages.

More details below, including FAQ and timetable. SBOM submissions due on December 10.

Video of info session: https://www.youtube.com/watch?v=V4ZRXF8YMzM

All details: https://resources.sei.cmu.edu/news-events/events/sbom/participate.cfm

@kurtseifried @joshbressers

definitely tracking RH, etc.

Is there a better term for what I'm describing for proprietary SW?

And Kurt - been intrigued by 0patch and other shim solutions since meeting @mkolsek years ago at RSA. Super cool idea. (except it does extreme violence to a lot of assumed trust models...)

@kurtseifried @joshbressers in particular, paid support for commercial software that is no longer supported by the OEM.

("support" is another challenge)

@kurtseifried @joshbressers

building on my RSA talk https://www.rsaconference.com/USA/agenda/session/All%20Good%20Things%20End%20of%20Life%20and%20End%20of%20Support%20in%20Policy%20and%20Practice

Anyone seen any solid research on third party software support? (or even vacuous research?) What do we know about the scale, scope, and focus of the industry? Anyone know any experts? Or even have some experience with vendors?

Very exciting news - Microsoft is now publishing automation-friendly security advisories in CSAF format. CSAF allows for more detail and different groupings that just CVEs, and allows orgs to share advisories on security issues that do not have CVEs.

https://msrc.microsoft.com/blog/2024/11/toward-greater-transparency-publishing-machine-readable-csaf-files/

“If we need to give up the entire [cyber insurance] business, we are prepared to do so…”

But the article still describes Munich Re’s drop in cyber insurance market share as “slight” — headlines don’t always paint the whole picture.

https://www.theinsurer.com/reinsurancemonth/munich-re-willing-to-walk-away-from-business-after-excluding-cyber-war-from-entire-portfolio/

h/t @patrickcmiller

@patrickcmiller interesting bouncing between the clear statement of immediate threats (ransomware, BEC) and the national security level threats. I’ll have to read the actual report. Thanks for sharing.

@patrickcmiller counterpoint: large bets without concrete evidence or strategy is, in fact, “hype”