Why don't cybersecurity risk management fields copy over across all projects that share a repository in the SBoM module? Do I have to copy over information from the other project or is there an easy way to move this data?

Lee Chickering

When performing Software Bill of Materials (SBoM) or cybersecurity risk management in one project, it might seem logical that the same information should apply across all projects sharing a repository. However, this is not always the case. While some Software of Unknown Pedigree (SOUP) dependencies might have the same risk management information, others may not. This is because different projects may use the same dependency for different purposes, leading to varying risk profiles.

For example, a dependency used for securing data transmission in one medical device might be used for encrypting stored patient data in another. The security impact and related SBoM fields would differ based on the intended use of the dependency. A vulnerability that poses a major level of concern in one scenario due to potential harm to the patient might have a different level of concern in another scenario where the risk is limited to data exposure.

Ketryx assumes that the intended use for individual dependencies is not shared across projects, and therefore, the accompanying fields cannot be shared either. If a dependency does have the same intended use across projects, the relevant fields would need to be manually copied over.
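To make the per-project scoping concrete, here is an added example (not Ketryx code; the field names and the two-project SBoM data are constructed for illustration and do not reflect Ketryx's actual schema). It copies a dependency's risk-management fields from one project to another only when both projects declare the same intended use for that dependency; any shared dependency with a different intended use is returned for manual assessment instead of being copied blindly.

```python
from copy import deepcopy

# Constructed sample: two projects share a repository, and therefore some SOUP
# dependencies, but declare different intended uses. Field names are
# illustrative, not Ketryx's real SBoM schema.
RISK_FIELDS = ("intended_use", "security_impact", "level_of_concern", "rationale")

PROJECT_A = {
    "project": "transmitter-fw",
    "components": {
        "openssl": {
            "intended_use": "TLS for data in transit",
            "security_impact": "loss of confidentiality/integrity of telemetry",
            "level_of_concern": "major",
            "rationale": "tampered telemetry could mislead clinicians",
        },
        "zlib": {
            "intended_use": "log compression",
            "security_impact": "denial of service on log rotation",
            "level_of_concern": "minor",
            "rationale": "logs are not used for therapy decisions",
        },
    },
}

PROJECT_B = {
    "project": "record-store",
    "components": {
        "openssl": {"intended_use": "encryption of stored patient records"},
        "zlib": {"intended_use": "log compression"},
        "libxml2": {"intended_use": "parsing HL7 exports"},
    },
}


def propagate_risk_fields(source, target):
    """Copy risk fields from source to target for components present in both.

    Fields are copied only when the target declares the same intended use;
    every other shared component is returned for manual assessment, because
    the same dependency used for a different purpose has a different risk
    profile. The input dictionaries are not modified.
    """
    updated = deepcopy(target)
    copied, needs_review = [], []
    for name, src_fields in source["components"].items():
        dst_fields = updated["components"].get(name)
        if dst_fields is None:
            continue  # target project does not use this dependency
        if dst_fields.get("intended_use") == src_fields.get("intended_use"):
            for field in RISK_FIELDS:
                if field in src_fields:
                    dst_fields[field] = src_fields[field]
            copied.append(name)
        else:
            needs_review.append(
                (name, src_fields.get("intended_use"), dst_fields.get("intended_use"))
            )
    return updated, copied, needs_review


if __name__ == "__main__":
    result, copied, review = propagate_risk_fields(PROJECT_A, PROJECT_B)
    print("copied without change:", copied)
    for name, src_use, dst_use in review:
        print(f"manual review needed for {name}: {src_use!r} vs {dst_use!r}")
```

With the constructed data, only zlib (same intended use in both projects) has its fields copied; openssl is flagged because transport encryption and encryption of stored records carry different security impacts, and libxml2 is untouched because the source project never assessed it.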

In summary, while some risk management information might be consistent across projects, it is crucial to assess each dependency within the context of its specific use case to ensure accurate and effective risk management.
