What Happens When Teams Use Different Tools for SBOMs and Vulnerability Data?
When engineering, security, and compliance teams use different tools—and each relies on their own “source of truth”—vulnerability management falls apart. In this video, Mike Hatherall, Lead Solutions Architect at Finite State, shares what he commonly sees: overlapping data, missed vulnerabilities, and slow patch decisions. Teams end up debating whose data is right instead of acting on risk.
Transcript
Can you describe what happens when each team is using different tools or has a different “source of truth” for SBOMs or vulnerability data?
Yeah. So we typically see that when these teams use different tools or they've got a different source of truth for the data, everything just becomes a mess. Everything overlaps. We've got overlapping information.
Engineering is looking at one scanner. The security team, they're looking at a different scanner.
You have compliance, who maybe are looking at a spreadsheet that maybe they've had since last quarter.
These compliance teams, they really do love their spreadsheets. So you can easily lose visibility, and you can lose track and trace of a vulnerability. And it just makes the audits and the patch decisions so much harder, because everybody ends up debating which source of truth is the source of truth, if you understand what I mean. They end up debating which set of truth is the one that they should go with. As I said, because everybody uses something different, the answer is always different, and it's harder to make a decision on how you're actually going to move forward.
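As an added illustration of the overlap described above, and not code from the video or from Finite State's tooling: a small Python script that takes findings from three constructed sources (two scanners that key components differently, plus a compliance CSV from an earlier quarter) and maps all of them onto one normalized key, package URL plus vulnerability id, against one SBOM. The result is a per-finding list of which sources reported it, so the question becomes "which tool missed this?" rather than "whose list is right?". Every input is constructed here; the field names ("purl", "id", "component", "cve") are assumptions rather than any real tool's export schema, and the CVE identifiers serve as labels for the sample rows, not as verified affected-version claims.

```python
"""Reconcile vulnerability findings from several tools against one SBOM.

Added example for this page: every input below is constructed here, not
exported from any real scanner, and the field names ("purl", "id", ...)
are assumptions rather than a real tool's output schema.
"""
import csv
import io
from collections import defaultdict

# Constructed SBOM: a minimal CycloneDX-style component list, purl only.
SBOM_COMPONENTS = [
    {"purl": "pkg:npm/lodash@4.17.20"},
    {"purl": "pkg:pypi/requests@2.25.1"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"purl": "pkg:npm/express@4.18.2"},  # no source reports anything for this one
]

# Constructed findings. Scanner A keys by purl; scanner B keys by
# ecosystem/name/version and mixes CVE id case; the compliance sheet is a
# CSV from last quarter that still lists a lodash version no longer in the SBOM.
SCANNER_A = [
    {"purl": "pkg:npm/lodash@4.17.20", "id": "CVE-2021-23337"},
    {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "id": "CVE-2021-44228"},
]
SCANNER_B = [
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.20",
     "id": "cve-2021-23337"},
    {"ecosystem": "pypi", "name": "requests", "version": "2.25.1",
     "id": "CVE-2023-32681"},
]
COMPLIANCE_CSV = """component,cve,status
pkg:npm/lodash@4.17.20,CVE-2021-23337,open
pkg:npm/lodash@4.17.15,CVE-2020-8203,open
"""


def to_purl(ecosystem, name, version):
    """Build the same key shape scanner A already uses (assumed purl layout)."""
    return f"pkg:{ecosystem}/{name}@{version}"


def load_findings():
    """Map every source onto one key: (purl, upper-cased vulnerability id)."""
    return {
        "scanner_a": {(f["purl"], f["id"].upper()) for f in SCANNER_A},
        "scanner_b": {
            (to_purl(f["ecosystem"], f["name"], f["version"]), f["id"].upper())
            for f in SCANNER_B
        },
        "compliance_sheet": {
            (row["component"], row["cve"].upper())
            for row in csv.DictReader(io.StringIO(COMPLIANCE_CSV))
        },
    }


def reconcile(sbom_components, findings):
    """Group findings by normalized key and classify them against the SBOM.

    agreed:      every source reports it and the component is in the SBOM
    partial:     only some sources report it; the component is in the SBOM
    stale:       the component is not in the SBOM at all (old data, other build)
    no_findings: SBOM components that no source says anything about
    """
    in_sbom = {c["purl"] for c in sbom_components}
    sources_by_key = defaultdict(set)
    for source, keys in findings.items():
        for key in keys:
            sources_by_key[key].add(source)
    all_sources = set(findings)
    reported = {purl for purl, _ in sources_by_key}
    return {
        "agreed": sorted(k for k, s in sources_by_key.items()
                         if s == all_sources and k[0] in in_sbom),
        "partial": {k: sorted(s) for k, s in sources_by_key.items()
                    if s != all_sources and k[0] in in_sbom},
        "stale": {k: sorted(s) for k, s in sources_by_key.items()
                  if k[0] not in in_sbom},
        "no_findings": sorted(in_sbom - reported),
    }


if __name__ == "__main__":
    report = reconcile(SBOM_COMPONENTS, load_findings())
    for bucket, entries in report.items():
        print(f"== {bucket} ==")
        if isinstance(entries, dict):
            for (purl, vuln_id), sources in sorted(entries.items()):
                print(f"  {vuln_id} in {purl}: {', '.join(sources)}")
        else:
            for entry in entries:
                print(f"  {entry}")
```

With the constructed data, the lodash finding lands in "agreed" once the scanner B id is upper-cased and its name/version is rewritten as a purl; the log4j-core and requests findings each come from a single scanner and land in "partial"; the lodash 4.17.15 row from the spreadsheet lands in "stale" because that version is not in the SBOM; and express shows up under "no_findings", which is the visibility gap the speaker describes. The normalization step is where most real-world disagreement between tools hides, so in practice that is the function worth spending effort on.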