In this conversation, Robert Martin of MITRE talks about how the software supply chain is highly complicated, due to an increasing number of things in society becoming cyber-enabled. He and MITRE created the System of Trust (SoT) so that organizations can consider the most important aspects of the software supply chain, giving a more holistic context into the chain’s subsets. The SoT’s goal is to promote transparency, allowing developers to see all of the players in the supply chain.

Martin explained how software is not written neatly end to end, but rather is built with drivers, dependencies, and frameworks that give the supply chain depth and magnitude. If software practitioners are not given visibility into this complicated picture, they will miss the software supply chain risks that pose a threat to their organizations. He stresses that Software Bills of Materials (SBOMs) should be included in this effort, but that practitioners should refer to the SoT in order to best utilize an SBOM, giving them the best chance of mitigating software supply chain risks.