Hearing a lot of “SBOM is key in things like this #log4j issue” without anyone saying how they might use an SBOM *right now* during this phase of response.
Please don’t reply unless you are actually using SBOMs in your emergency response.
I’ve had quite enough of the theory crowd
Of course I understand that SBOMs are only an ingredient list of components & one needs exploitability info for any given product that uses a vulnerable package like #log4j to know if that product is vulnerable - so that’s my whole point.
HOW except via testing would you know?
So if testing is still the de facto method for determining exploitability of product A vs product B if they both use #log4j then WHY are people saying “SBOMs are key” *at this stage of response*?
Ok hopefully my wording was clear enough to avoid the condescension I usually get.
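As an added example (not from the thread above, and not any vendor's tooling), the script below shows the split the thread is drawing: what an SBOM can answer on its own during a log4j response (which products even contain an affected log4j-core build, and which only ship fixed versions) and what it cannot (whether a product that contains one is actually exploitable). The SBOMs are constructed CycloneDX-style JSON for made-up products, the affected range is the CVE-2021-44228 range simplified to "2.0 up to but not including 2.15.0" (the 2.3.1/2.12.2 backports and the later log4j CVEs are deliberately not modelled), and the `vex_state` argument stands in for a separately supplied VEX statement; all of that is assumption for illustration.

```python
"""Triage constructed CycloneDX SBOMs for an affected log4j-core.

Added example for the thread above; not the thread author's code or any
vendor's tool. The point it makes: an SBOM gets you to "affected version
present, exploitability unknown" and no further. The exploitability verdict
has to come from testing or a separate VEX statement (modelled here as the
`vex_state` argument).
"""
import json
from typing import Optional

# Constructed sample SBOMs (minimal CycloneDX 1.4-style JSON, fictional products).
SBOM_PRODUCT_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "product-a", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.12.3"},
    ],
})
SBOM_PRODUCT_B = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "product-b", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})
SBOM_PRODUCT_C = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "product-c", "version": "7.4"}},
    "components": [
        {"type": "library", "name": "logback-classic", "version": "1.2.7"},
    ],
})
# Nested components are legal in CycloneDX; the walk below has to descend into them.
SBOM_PRODUCT_D = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"name": "product-d", "version": "0.9"}},
    "components": [
        {"type": "application", "name": "bundled-agent", "version": "2.0",
         "components": [
             {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
         ]},
    ],
})

LOG4J_CORE_PURL_PREFIX = "pkg:maven/org.apache.logging.log4j/log4j-core@"
# Simplified CVE-2021-44228 range: 2.0-beta9 .. 2.14.1 affected, fixed in 2.15.0.
# Assumption/simplification: backports (2.3.1, 2.12.2) and later CVEs not modelled.
AFFECTED_LOWER = (2, 0)
FIXED_IN = (2, 15, 0)


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Pre-release tags are dropped,
    which is sufficient for the coarse range check used here."""
    parts = []
    for p in version.split("-")[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_affected_log4j_core(version: str) -> bool:
    """True when the log4j-core version falls inside the simplified affected range."""
    return AFFECTED_LOWER <= parse_version(version) < FIXED_IN


def find_log4j_core(sbom: dict) -> list:
    """Return every log4j-core version in the SBOM, matching on purl or name and
    descending into nested components."""
    found = []

    def walk(components):
        for c in components or []:
            purl = c.get("purl", "")
            if purl.startswith(LOG4J_CORE_PURL_PREFIX) or c.get("name") == "log4j-core":
                found.append(c.get("version", purl.split("@")[-1]))
            walk(c.get("components"))

    walk(sbom.get("components"))
    return found


def triage(sbom_json: str, vex_state: Optional[str] = None) -> dict:
    """Classify one product. `vex_state` mimics a separately supplied VEX analysis
    state ('not_affected' or 'exploitable'); the SBOM itself never carries it."""
    sbom = json.loads(sbom_json)
    product = sbom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
    versions = find_log4j_core(sbom)
    affected = [v for v in versions if is_affected_log4j_core(v)]
    if not versions:
        status = "no_log4j_core"                        # the SBOM alone answers this
    elif not affected:
        status = "only_fixed_versions"                  # and this
    elif vex_state in ("not_affected", "exploitable"):
        status = f"{vex_state}_per_vex"                 # verdict came from outside the SBOM
    else:
        status = "affected_version_present_needs_testing"  # the SBOM cannot answer this
    return {"product": product, "log4j_core_versions": versions, "status": status}


if __name__ == "__main__":
    for bom in (SBOM_PRODUCT_A, SBOM_PRODUCT_B, SBOM_PRODUCT_C, SBOM_PRODUCT_D):
        print(triage(bom))
    print(triage(SBOM_PRODUCT_A, vex_state="not_affected"))
```

Run as-is it prints one line per product: A and D come back as "affected version present, needs testing", B as "only fixed versions", C as "no log4j-core", and A again as "not_affected_per_vex" once a VEX state is handed in. That last call is the point of the thread: the SBOM shortens the list of products you have to test, but the exploitability answer for each one still arrives by another route.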