by richbell
1352 days ago
I looked you up after posting that, so I am willing to eat crow. ;) While I understand and agree with the larger thesis of your article, I feel like it sends the wrong message. I work at a large FI where it's common for applications to be developed by a vendor and then dumped into the environment as a massive .war file — the White House's push for SBOMs gave us significant ammunition to drive changes around in-house and vendor built apps. Is scanning all of this stuff with a SCA tool like Snyk, Xray, or Nexus Lifecycle going to give you 100% coverage and help you realize that an intern installed a vulnerable version of Elasticsearch on a VM without telling anyone? No. Are there going to be false negatives where the scans don't report the proper dependencies? Yes. But having an inventory of what you have is a great first step, even if it isn't 100% active or you don't know where it's deployed — as long as you're cognizant of those limitations.

> We just finished a set of fresh interviews with over 50 security leaders and they almost all spoke about that issue, they don't know where things are despite using Snyk and other tools because there is no linkage in their environment between the repo and the deployment.

I was the "war room" and heavily involved with Log4Shell remediation, so I completely agree and empathize with this experience. We were lucky to have a large suite of tools like Tenable, Aqua, Mergebase's open source log4j-detector, and an in-house built catalog of all servers and assets, which allowed us to piece together info and get a better understanding of the environment. We did multiple passes of environments with multiple tools. It was a gruelling month of work, but it would have been even more so if we didn't have existing imperfect solutions.
100% agree on getting more visibility and ammunition and 100% agree on having an inventory. I was leading the effort at the OSSF to create the plan that was taken to the WH summit ;-)
I can't believe that there isn't a good tool for being able to scan production to match build outputs. Sounds like a good OSS tool project!
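A sketch of the build-to-production reconciliation the reply wishes for, added here as an editor's example rather than code from either commenter: it diffs a build-time SBOM against the jars actually present in a deployed .war and flags components sitting below a patch floor. The SBOM, the war contents and the 2.17.1 floor for log4j-core are all constructed sample data, not a vulnerability feed.

```python
import io
import re
import zipfile

# Constructed CycloneDX-style SBOM as a build pipeline would emit it (hypothetical data).
BUILD_SBOM = {"components": [
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "spring-core", "version": "5.3.9"},
    {"name": "jackson-databind", "version": "2.12.3"},
]}
# Constructed policy: lowest version of a component treated as patched (an assumption, not a feed).
FIX_FLOOR = {"log4j-core": "2.17.1"}
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<name>.+?)-(?P<ver>\d[\w.]*)\.jar$")


def build_war(jar_names):
    """Construct an in-memory .war of empty jars, standing in for a vendor drop."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")
    return buf.getvalue()


def deployed_components(war_bytes):
    """Inventory the jars actually inside the deployed war: artifact name -> version."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if m := JAR_RE.match(entry):
                found[m["name"]] = m["ver"]
    return found


def vtuple(version):
    return tuple(int(p) for p in re.findall(r"\d+", version))  # 2.14.1 -> (2, 14, 1)


def reconcile(sbom, deployed, fix_floor):
    """Diff the build SBOM against the deployed inventory and flag anything below the fix floor."""
    declared = {c["name"]: c["version"] for c in sbom["components"]}
    return {
        "missing_in_deploy": sorted(set(declared) - set(deployed)),
        "undeclared_in_deploy": sorted(set(deployed) - set(declared)),
        "version_drift": {n: (declared[n], deployed[n]) for n in declared
                          if n in deployed and declared[n] != deployed[n]},
        "below_fix_floor": sorted(n for n, v in deployed.items()
                                  if n in fix_floor and vtuple(v) < vtuple(fix_floor[n])),
    }


def demo():
    # Constructed war: spring drifted, jackson missing, commons-text never declared, log4j unpatched.
    war = build_war(["log4j-core-2.14.1.jar", "spring-core-5.3.10.jar", "commons-text-1.9.jar"])
    return reconcile(BUILD_SBOM, deployed_components(war), FIX_FLOOR)
```

Each bucket in the report is a different failure of repo-to-deployment linkage: a declared component that never shipped, an undeclared one that did, a version that drifted between build and deploy, and a shipped version the policy still considers unpatched.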