|STAR Registry Milestone|
|The Cloud Security Alliance announced on Sep. 30 that its Security Trust Assurance and Risk (STAR) Registry, "a publicly accessible listing [that] documents the security and privacy controls provided by popular cloud computing offerings," now comprises 1000 cloud services. Those are evaluated according to the requirements of CSA's Cloud Control Matrix (CCM).|
|Software Bill of Materials Exchange|
|Last week, Bob Martin (MITRE) and Bill Curtis (Consortium for IT Software Quality, CISQ) presented a webinar introducing a Tool-to-Tool Software Bill of Materials (SBOM) Exchange, which is a proposed response to the Software Transparency initiative launched two years ago by the U.S. National Telecommunications and Information Administration (NTIA), which we've mentioned in past issued of The KIT.|
The Tool-to-Tool SBOM aims to support the ecosystem of software development, integration and management tools (IDEs, repositories, build orchestration, tests, DevOps, ...) that will need to create and consume data describing the components of software. During the webinar, Bob Martin listed nine usages of an SBOM:
About 40 organizations or key people became involved over time since this effort started in 2019. A specification will be proposed to the Object Management Group in December 2020 or March 2021, leading to approval in June or September 2021. This will pave the way toward fast-track adoption as an ISO standard by 2022 or 2023.
- Identification: how do you refer to a piece of software?
- Pedigree: how was it produced?
- Provenance: what was the chain of custody?
- Cryptographic proof that it was not altered
- Assuring its proper and legal use (intellectual property, licensing)
- Identification of vulnerabilities it may have inherited, and proof that known fixes have been applied
- Assurance of safety, security, resiliency
- SBOM-as-a-Service: ability to obtain an SBOM from a vendor through an API
- Supply chain sequence integrity
|Data Governance in the Cloud: Call for Contributors|
|OMG's Cloud Working Group is starting an activity to develop a white paper on data governance, which will complement (rather than repeat) the content of existing papers on security, privacy, cloud service agreements, and more. Jean-Claude Franchitti (Archemy) and Karolyn Schalk (IBM) are jointly leading this effort.|
The paper will include several use cases to explain to readers why data governance is needed in the first place, and even more critical when using cloud services. It will address the people and process requirements for data governance: how does an organization address this need (roles and responsibilities), how does it measure its success and maturity level, how does data governance "plays well" with existing compliance, record management, etc., policies and procedures. And it will provide a list of data governance concerns with pointers to other work addressing them.
We are calling on interested readers (or their colleagues) to contribute to this effort at whatever level of involvement they can afford: submitting relevant materials, drafting small sections of the paper, or acting as a reviewer. Please contact Claude Baudoin to volunteer!
|Upcoming Webinar: Recap of OMG September Meeting|
|On October 22, OMG Technical Director Jason Smith will present a free webinar in which you will see "an overview of recently approved specifications, learn where you can participate in open work in progress, see what's being discussed in the task forces and how you can get involved." Register here.|
"Virtual meetings are basically modern séances:
'Elizabeth are you here?'
'Make a sound if you can hear us.'
'Is anyone else with you?'
'We can't see you, can you hear us?' "