Ingredients: white beans 61%, water, tomato purée 16%, sugar, sea salt, natural vinegar, corn starch, natural herbal flavoring. So reads the back label of the jar that on the front is called 'white beans in tomato sauce'. Does this product fit into a low-salt diet? I wouldn't know, because luckily I don't have to worry about that for my health. But if it ever becomes necessary, I would like to be able to read on the label of any product whether it contains salt, and preferably how much.
It's purely a coincidence that I'm back in the canning business just like last week - I'm not considering switching to that industry, nor have I been asked to promote their products (eat fresh vegetables, people!). But I'm a fan of metaphors, and a jar of vegetables turns out to be a rewarding object.
Usually you won't care what else is in a jar of white beans in tomato sauce besides white beans and tomato sauce, unless you have a specific reason, such as a doctor's recommendation. And then you're happy that it's all on the label.
And what do you know? It's exactly the same in ICT. As long as everything goes well, no one cares which programming language, which framework and which libraries are used, which open source components are included or which platform the system runs on. But when word starts circulating that a certain, widely used ingredient contains a serious vulnerability, you all of a sudden want to know whether that ingredient is in your systems. Because you want to switch to a low-salt diet if necessary, or you want to replace the sea salt with regular table salt, or perhaps you need to switch - temporarily or permanently - to green beans.
For ICT, what the label is for foodstuffs is the SBOM: the Software Bill of Materials, the list of components that are incorporated into the product. When it was announced in December 2021 that Log4j contained a serious vulnerability, the world was in turmoil. Log4j is like a type of salt that is used in many products. If one day you hear that contaminated salt has been used, as a manufacturer you immediately want to know which of your products contain that salt, so that you can recall the right products from the supermarkets and stop your production process until you have a shipment of clean salt.
I recently learned that the administrators of some systems assume that Security knows which components are in which product and will alert them if something is wrong with one of them. But of course it doesn't work that way. The Food and Consumer Product Safety Authority doesn't know which canning factory products contain salt either. They can only sound the alarm if a bad batch has been delivered. It is then up to the manufacturer to determine which products the salt may have ended up in and to take the correct measures. It is the same with us, in IT. Security knows if something is wrong, but the administrator needs to know whether his system is affected and whether he needs to take action. Of course, coordination will always take place in major situations, but you remain responsible for your own system.
The attentive reader may have noticed that above I always talked about systems and products, while the S in SBOM stands for software. But why limit an ingredients list to software? Hardware components can also be vulnerable, as Meltdown and Spectre, both vulnerabilities in certain CPUs, made painfully clear in 2018. Of course you want to know whether you have equipment that contains the vulnerable processors. Well, fortunately there is also such a thing as the HBOM: the Hardware Bill of Materials. Ideally, you would like to see all the components in there, down to the smallest chip. I just don't know whether manufacturers would be happy to cooperate, because competitors are of course reading along. That does not necessarily have to be a problem, provided you can rely on manufacturers having their BOMs in order, having linked their customer base to them, and having their communication well organized. You can agree all this contractually. In your CBOM.
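To make the "which of our products contain that salt?" question concrete, here is an added example (not code from the original post) that joins a small bill of materials against a list of advisories, covering both the software (SBOM) case and the hardware (HBOM) case from the paragraphs above. The inventory is a constructed sample in a simplified, CycloneDX-inspired shape (one product, a list of components with group, name, version and type); the advisory identifiers and affected version ranges are placeholders, not real CVE data, and `parse_version` is a deliberately small helper for dotted release numbers rather than a full semver implementation.

```python
"""Added example: answering "which of our products contain this ingredient?"
from a machine-readable bill of materials (SBOM for libraries, HBOM for parts).

SAMPLE_INVENTORY is constructed sample data in a simplified, CycloneDX-inspired
shape (product -> components); it is not real product data. The advisories are
placeholders: look real affected ranges up in the vendor advisory before acting.
"""
import re

SAMPLE_INVENTORY = {
    "products": [
        {"name": "order-service", "owner": "team-orders", "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "group": "com.fasterxml.jackson.core",
             "name": "jackson-databind", "version": "2.13.0"},
        ]},
        {"name": "reporting-batch", "owner": "team-finance", "components": [
            {"type": "library", "group": "org.apache.logging.log4j",
             "name": "log4j-core", "version": "2.17.1"},
            {"type": "device", "group": "example-vendor",
             "name": "cpu", "version": "gen7"},
        ]},
        {"name": "kiosk-firmware", "owner": "team-retail", "components": [
            {"type": "device", "group": "example-vendor",
             "name": "cpu", "version": "gen6"},
        ]},
    ]
}

# Placeholder advisories (constructed, not real CVE data). A software advisory
# usually names a version below which everything is affected; a hardware
# advisory more often names specific generations, so both shapes are supported.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "affected_below": "2.17.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "example-vendor",
     "name": "cpu", "affected_versions": ["gen6"]},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted release version ("2.14.1") into a comparable tuple.
    Each dotted part contributes its leading digits; parsing stops at the first
    part without any, so "2.0-beta9" becomes (2, 0). Good enough for Maven-style
    release numbers, not a full semver implementation."""
    numbers = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        numbers.append(int(match.group()))
    return tuple(numbers)


def products_containing(inventory: dict, group: str, name: str) -> list[dict]:
    """The basic label question: which products contain this ingredient at all?"""
    hits = []
    for product in inventory["products"]:
        for comp in product["components"]:
            if comp.get("group") == group and comp["name"] == name:
                hits.append({"product": product["name"], "owner": product["owner"],
                             "version": comp["version"]})
    return hits


def is_affected(component: dict, advisory: dict) -> bool:
    """Does this component instance fall inside the advisory's affected set?"""
    if (component.get("group"), component["name"]) != (advisory["group"], advisory["name"]):
        return False
    if "affected_versions" in advisory:           # hardware-style: explicit list
        return component["version"] in advisory["affected_versions"]
    return parse_version(component["version"]) < parse_version(advisory["affected_below"])


def affected_products(inventory: dict, advisories: list[dict]) -> list[dict]:
    """Join the inventory against the advisories: one row per affected
    (product, component, advisory), naming the owner who has to act."""
    rows = []
    for product in inventory["products"]:
        for comp in product["components"]:
            for adv in advisories:
                if is_affected(comp, adv):
                    rows.append({"product": product["name"], "owner": product["owner"],
                                 "component": f"{comp['group']}:{comp['name']}@{comp['version']}",
                                 "advisory": adv["id"]})
    return rows


if __name__ == "__main__":
    # Prints the recall list: order-service (old log4j-core) and kiosk-firmware
    # (gen6 cpu) are affected; reporting-batch is on a clean "batch of salt".
    for row in affected_products(SAMPLE_INVENTORY, ADVISORIES):
        print(f"{row['owner']:<13} {row['product']:<16} {row['component']}  ({row['advisory']})")
```

The point of keeping `owner` on every row is the one the post makes about responsibility: Security can run this join the moment an advisory lands, but the output has to reach the administrator of each affected system, which only works if the inventory is maintained by the people who build and run those systems.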
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- you can of course use AI to make biological weapons. [DUTCH]
- AI steals AI articles from journalists.
- it's time to stop deepfakes.
- a hack led to the accidental release of a murder suspect.
- large companies fear the AI Act, but Europe is keeping a tight rein. [DUTCH]
- an Indian hacking company is trying to prevent negative publications worldwide through judges.
- there is a risk involved in .lnk files.
- an update sometimes has the opposite effect.
- there is a fuss about verification by LinkedIn (and that leads to discussion in the comments below this article). [DUTCH]
- it would be a good idea to agree on a family password in the fight against deepfakes.
- the Netherlands does not meet the deadline for the NIS2. [DUTCH]