Hacker News

The money is in the service that flags stuff in the registry, which you can sell N times to N companies that now have both embedded and vendor security teams. The companies now need to self host the registry and the scanner to see what’s out of compliance, otherwise they can’t be a vendor for anyone else. And their embedded security team basically siphons cash away from corporate, functioning as an engine of harassment for devs trying to get work done, while working as middlemen for the upstream security vendor.

Since none of this is particularly effective or efficient, money is made from someone’s perspective, but mostly it functions like a “cost of doing business” tax that you can’t avoid.
