Keeping the Software Supply Chain Secure – BankInfoSecurity.com


IoT devices and software applications often use a range of components, including third-party libraries and open source code. All of those pose risks if vulnerabilities are discovered.


Ensuring devices and services are secure requires keeping track of the status of those software ingredients and promptly applying patches when they become available. But that can be challenging, says Steve Springett, creator of the open source project Dependency-Track, a supply chain component analysis platform.

"Whenever you use third-party and open source software, you're ultimately using code that you didn't write yourself," Springett says. "In many cases, code can be slipped in, and you're not even aware that you were using it in the first place. Even when you include your first-level dependencies, those dependencies also have dependencies in many cases."

Dependency-Track, which is part of the Open Web Application Security Project (OWASP), is a free application that helps identify out-of-date and risky software components by using a software bill of materials (SBOM), which describes the exact software components that an application contains.

Springett also created CycloneDX, a vendor-agnostic specification for creating a software bill of materials.
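To make concrete what an SBOM-driven check of this kind looks like, here is an added example (not code from Dependency-Track, CycloneDX or the article): it parses a constructed CycloneDX JSON document, walks the dependency graph so that transitive components are attributed to the direct dependency that pulled them in, and matches each component's version against a constructed advisory list. All package names, versions and advisory ids are placeholders.

```python
import json
from collections import deque
# Constructed CycloneDX 1.4 JSON SBOM (placeholder names/versions): the app has two
# direct dependencies, and "http-client" pulls in "xml-parse" transitively.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "sensor-gateway", "version": "2.0"}},
  "components": [
    {"bom-ref": "libA", "type": "library", "name": "http-client", "version": "1.4.2"},
    {"bom-ref": "libB", "type": "library", "name": "xml-parse", "version": "0.9.1"},
    {"bom-ref": "libC", "type": "library", "name": "logfmt", "version": "3.1.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["libA", "libC"]},
    {"ref": "libA", "dependsOn": ["libB"]}
  ]
}"""

# Constructed advisory list (placeholder ids): versions below "fixed" are affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "xml-parse", "fixed": "1.0.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "logfmt", "fixed": "3.2.0"},
]
def parse_version(v):
    """Numeric dotted version to a tuple so that 1.10.0 sorts after 1.9.9."""
    return tuple(int(p) for p in v.split("."))

def dependency_paths(sbom):
    """BFS over the bom-ref graph from the root; returns {ref: [root, ..., ref]}."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:  # first visit gives the shortest path
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths

def find_risky_components(sbom_json, advisories):
    """(name, version, advisory id, path) for each component an advisory covers."""
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom)
    return [
        (c["name"], c["version"], a["id"], paths.get(c.get("bom-ref"), ["(unreferenced)", c["name"]]))
        for c in sbom.get("components", [])
        for a in advisories
        if c["name"] == a["name"] and parse_version(c["version"]) < parse_version(a["fixed"])
    ]
```

The path attached to each finding is what makes a transitive hit actionable: the fix for "xml-parse" here is to update or replace "http-client", not a component the application declared itself.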

In this video interview with Information Security Media Group, Springett discusses:

Springett, creator of Dependency-Track, is a senior security architect with ServiceNow in Chicago.
