Hearing a lot of “SBOM is key in things like this #log4j issue” without anyone saying how they might use an SBOM *right now* during this phase of response.
Please don’t reply unless you are actually using SBOMs in your emergency response.
I’ve had quite enough of the theory crowd.
Of course I understand that SBOMs are only an ingredient list of components & one needs exploitability info for any given product that uses a vulnerable package like #log4j to know if that product is vulnerable - so that’s my whole point.

HOW except via testing would you know?
So if testing is still the de facto method for determining exploitability of product A vs product B if they both use #log4j, then WHY are people saying “SBOMs are key” *at this stage of response*?
Ok hopefully my wording was clear enough to avoid the condescension I usually get.
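The distinction the thread draws (an SBOM shows presence of a package, not exploitability) can be made concrete with a small triage script. This is an added example, not code from the thread or its author. It assumes a CycloneDX-shaped JSON SBOM (a constructed sample is embedded inline), and the affected version range is a parameter that must be taken from the vendor advisory; the values used in the `__main__` block are placeholders, not the real range for any log4j CVE. The output is deliberately a list of components that need an exploitability assessment, never a verdict that a product is vulnerable.

```python
"""Triage an SBOM for a named component and report what the SBOM can and cannot say.

Added example. Parses a CycloneDX-style JSON SBOM, finds components with a
given name, checks each version against an affected range, and emits a triage
list whose exploitability field is always "unknown" for in-range hits: the SBOM
proves presence only; reachability, configuration and runtime mitigations
need a separate assessment (testing, vendor VEX statements, etc.).
"""
import json
import re

# Constructed sample SBOM shaped like CycloneDX JSON. Not any real product's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.13.3", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.13.3", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.13.3"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "1.7.32", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.32"},
        # A second copy of the same library at a different version (shaded/bundled jars do this).
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?$")


def parse_version(v):
    """Turn '2.13.3' or '2.0-beta9' into a comparable key.

    Numeric parts are zero-padded to three fields; a pre-release suffix
    (beta, rc, ...) sorts below the matching release, so '2.0-beta9' < '2.0'.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums), (0 if m.group(2) else 1)


def triage(sbom_json, component_name, affected_min, affected_max):
    """Return one triage record per matching component.

    affected_min/affected_max are inclusive bounds and must come from the
    advisory for the vulnerability being responded to (placeholders in __main__).
    """
    sbom = json.loads(sbom_json)
    lo, hi = parse_version(affected_min), parse_version(affected_max)
    findings = []
    for c in sbom.get("components", []):
        if c.get("name") != component_name:
            continue
        ver = c.get("version", "")
        in_range = lo <= parse_version(ver) <= hi
        findings.append({
            "purl": c.get("purl", f"{c.get('group', '')}:{c['name']}:{ver}"),
            "version": ver,
            "in_affected_range": in_range,
            # Presence in range is not a vulnerability verdict; the SBOM cannot
            # tell you whether the vulnerable code path is reachable in this product.
            "exploitable": "unknown" if in_range else "not_applicable",
            "next_step": "assess exploitability (test / vendor VEX)" if in_range else "none",
        })
    return findings


if __name__ == "__main__":
    # PLACEHOLDER range for demonstration only; use the advisory's real bounds.
    for rec in triage(SAMPLE_SBOM, "log4j-core", "2.10.0", "2.15.0"):
        print(json.dumps(rec))
```

Run against a real SBOM, the script answers the question "which deployed artifacts even contain the package?" in seconds, which is the part of triage an SBOM can shorten; every record it flags still needs the testing or vendor exploitability statement the thread is asking about before anyone calls the product vulnerable.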
You can follow @k8em0.