Register

About Tom Alrich

Tom Alrich is an independent consultant specializing in supply chain security of critical infrastructure. He is the founder and leader of the SBOM Forum, a group of SBOM professionals that is trying to remove obstacles currently preventing widespread use of SBOMs. He writes a popular blog on these topics.

Tom's Articles

Navigating industrial cyber threats with SBOMs, VEX, CSAF for enhanced supply chain resilience
Navigating industrial cyber threats with SBOMs, VEX, CSAF for enhanced supply chain resilience
A significant rise in cybersecurity threats and attacks, particularly targeting software supply chains, has led to heightened scrutiny and a pressing need to enhance the resilience of supply chains for software utilized across government and critical infrastructure sectors. Any vulnerability…
Did CISA do their homework?
Did CISA do their homework?
On November 10, CISA issued a blog post called “TRANSFORMING THE VULNERABILITY MANAGEMENT LANDSCAPE”. It got a lot of attention and widespread approval. It describes three techniques whose implementation will, according to the post, lead to “more efficient, automated, prioritized vulnerability management.”…
I’ve figured out why software users aren’t requesting SBOMs
Who will tame the CPE beast?
I confess that I and almost every other person who writes or speaks about software bills of materials has been misleading you for years. We have done this when we’ve spoken about SBOM as something that is well-defined. The two…
How can you make sure your connected devices are secure?How can you make sure your connected devices are secure
How can you make sure your connected devices are secure
One of my recent posts pointed out that many (and perhaps most) connected devices (aka IoT devices) are far from secure. Furthermore, it pointed out that because these devices are inherently “black boxes”, meant to be managed by the manufacturer and the…
I’ve figured out why software users aren’t requesting SBOMs
I’ve figured out why software users aren’t requesting SBOMs
I realized about a year ago that the reason why SBOMs aren’t being used by non-developers for vulnerability management purposes – even though the developers themselves are using them very heavily for those purposes, as shown previously – isn’t that…

More Tom's Articles

at long last
At Long Last
Prepping up for 2022, as OT industry focuses on federal government regulations, SBOMs
Prepping up for 2022, as OT industry focuses on federal government regulations, SBOMs

Join the Industrial Cyber Community

Get the latest breaking OT/ICS news, access the resources and participate in our ICS Forum.
Register