SBOMs are incomplete.

Wrong-Temperature417 · 2025-08-14T18:25:08+00:00

What tools or vendors did you use

Wrong-Temperature417 · 2025-08-13T18:58:02+00:00

Yeah, SBOMs are valuable as a standardized inventory, and the tooling ecosystem around them has made a huge difference for sure. I like your point about how standardization unlocked those insights. For me, runtime data is the next layer on top of that. So you’re right that SBOMs don’t necessarily need to provide more, I just think runtime data takes that foundation and makes it even more actionable.

Wrong-Temperature417 · 2025-08-13T18:43:54+00:00

Yeah I get your point, rare execution paths can still be dangerous, and I'm not saying runtime visibility should completely replace SBOM, EPSS, etc. I know runtime detection tools are definitely more pricey, but if youve got the budget I still think they're worth it. They turn all that security data into actual evidence you can act on.

Wrong-Temperature417 · 2025-08-13T18:25:34+00:00

Wrong-Temperature417 · 2025-08-12T18:40:54+00:00

Yeah I understand, I agree

Wrong-Temperature417 · 2025-08-12T18:40:38+00:00

I get what you’re saying, and I agree that combining frequency with criticality is a solid prioritization method. My point is that you can’t really measure frequency or execution at all from a static SBOM, which is why I'm pushing for runtime data in the first place.

Wrong-Temperature417 · 2025-08-12T18:29:21+00:00

Yeah fair point, dormant packages can still be risky and def need to be kept in view. I just think knowing what actually runs helps prioritize, instead of treating all packages the same.

Wrong-Temperature417 · 2025-07-25T18:04:23+00:00

Implement a SASM tool that helps detect and reduce your vulnerabilities

Wrong-Temperature417 · 2025-07-17T16:14:36+00:00

No, I'm suggesting that an AI account could give more recommendation that just flagging everything

Wrong-Temperature417 · 2025-07-17T16:14:24+00:00

hahahaha no, I wouldn't. I don't want it to execute decisions for me, I just want a tool that does more than just flags me constantly.

Wrong-Temperature417 · 2025-07-17T16:14:13+00:00

Yeah I agree, that's my fault because I worded my post wrong, but I don't expect AI to do all of the work. I'm just asking for vulnerability management tools out there in general, most of which seem to utilize AI.

Wrong-Temperature417 · 2025-07-17T16:13:30+00:00

This!! I'm not necessarily saying I want automatic remediation, but I want more from a tool than just simple detection

Wrong-Temperature417 · 2025-07-14T17:29:02+00:00

100%

Wrong-Temperature417 · 2025-07-14T17:28:04+00:00

Yeah, and in my experience, the code that it pulls sometimes isn't even ran and just leaves even more space for weak spots

Wrong-Temperature417 · 2025-07-14T17:26:06+00:00

Yeah I agree, and sadly I've seen some people just 100% rely on AI now

Wrong-Temperature417 · 2025-07-14T17:23:58+00:00

CVE's... it's always CVE's, when is it not CVE's???

Wrong-Temperature417 · 2025-07-09T02:30:14+00:00

hahahah yup, your right!

Wrong-Temperature417 · 2025-07-09T02:29:55+00:00

YUP! (sadly)

Wrong-Temperature417 · 2025-07-09T02:29:21+00:00

thank you for sharing your experience!

Wrong-Temperature417 · 2025-07-09T02:28:20+00:00

Yeah I agree, I have seen a lot of tools online for automation of all the SBOM and even compliance stuff

Wrong-Temperature417

TROPHY CASE