Episode 364 of the #osspodcast in which Kurt had bad shwarma, @joshbressers agrees that good shwarma is great, and we learn that it's also hard to know what's in your software even if you do #SBOM https://opensourcesecurity.io/2023/02/26/episode-364-using-sboms-is-hard/ TL;DR: We got different kinds of SBOM, SBOM drift, services and APIs, and then there some complicated problems on top of all that. Also legal obligations.
Episode 364 – Using SBOMs is hard
Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell… (Open Source Security)
Toon
•Josh Bressers
•Password managers are great, if you can get people to use them. The fundamental problem with a password manager is that for normal people, the experience is very bad. It's complicated and clunky, and if they forget their master password, it's all over.
SSO as we use it today is also terrible. If you get locked out of your Gmail account, it's pretty much over.
Josh Bressers
•Of course we also need a way to multi-factor that SSO, because if an attacker gains access you have huge problems, but that's a huge problem in itself.
I think the single biggest advantage SSO gives us, outside of the hilarious ease with which we can log in, is the security of a proper SSO system.
Josh Bressers
•But none of this is real or possible today. Having a few well-run central SSO authorities won't be cheap. It would be a huge money sink, I imagine. A bit like the post office.
But we can dream 😀
In the meantime, we can keep using password managers.