We have recently seen a huge increase in software supply chain attacks, leading to additional compliance requirements for software providers. We also hear a lot of new terms (SBOM, VEX, CSAF, etc.) and standards popping up from different vendors and organizations. How do you keep up with this acronym soup?
In order to strengthen security, there is a general agreement that vendors should provide a "Software Bill of Materials", and that everything should be digitally signed and verifiable. In a perfect world, we should also be able to identify every single component of every single artifact and reason about the vulnerabilities that impact the final product. But is this currently possible? Given the complexity of the software supply chain, competing SBOM standards like CycloneDX and SPDX, new proposals for vulnerability and exploitability exchange standards like VEX, CSAF, … and different vulnerability scoring depending on the vendor, it seems we are still far from there.
In this webinar we will:
- Describe what an SBOM is, how it is built, and what the current challenges are.
- Separate the chaff from the grain. What is important and what should you focus on when securing the software supply chain?
- Learn about vulnerability information exchange, matching, and why false positives and false negatives exist.
- Analyze how this all applies to the recent Log4j vulnerability.