Eleanor Saitta on Nostr: [@raito](https://nixos.paris/@raito) Why would CISOs want to create a liability ...
[@raito](https://nixos.paris/@raito)
Why would CISOs want to create a liability relation with entities that by definition have no damn money?
That term is first aimed at internal risk management infrastructure, which understands supply chain risk more generally, to make and communicate the problem and make resources appear. Secondarily, it's aimed at commercial software vendors, who do have money and need to get their shit together. Third, it's a term the security community as a whole uses to think about the problem.
Independent FOSS devs are part of the software supply chain in exactly the way rocks are part of the mineral supply chain, for better and worse.
[@whitequark](https://mastodon.social/@whitequark) [@rst](https://mastodon.social/@rst) [@tinker](https://infosec.exchange/@tinker) [@AndresFreundTec](https://mastodon.social/@AndresFreundTec)