Jun 5th, 2025

Software Transparency Call to Action

Duncan Sparrell
Advisor

I wholeheartedly support the points made by Patrick Opet, CISO of JP Morgan Chase, in his open letter to third-party suppliers. I have made many of these same points in the past, but the CISO of one of the largest banks carries a lot more weight.

He makes the point “There is a growing risk in our software supply chain and we need your action”, and to do this “Software providers must prioritize security over rushing features” and “Security practitioners must work collaboratively to prevent the abuse of interconnected systems” as well as collectively “We must establish new security principles and implement robust controls”.

I want to home in on those points in the context of my favorite topic – software bill of materials (SBOM). I maintain that software transparency is one of those “new” (albeit I’ve been evangelizing it for over 20 years) security principles we need to establish. And “implement robust controls” will include maintaining an inventory of complete, high-quality SBOMs at every stage in the supply chain, both upstream and downstream of where you sit in the global supply chain. Since almost everybody is in the middle somewhere, this translates to maintaining the inventory of the SBOMs from your suppliers, feeding SBOMs to your customers, and using them yourself.

Maintaining the inventory, by itself, does not increase security. You must use the inventory. It should be used as part of software development to ensure high-quality components are used, to the letter’s point: “Software providers must prioritize security over rushing features”. It should be used by your Product Security Incident Response Team (PSIRT) to lower your PSIRT costs (see Cassie Crossley’s “Software Supply Chain Security”). Most importantly, it should be used as part of your vulnerability management program – both proactively as new vulnerabilities are announced, and reactively when incidents occur.
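To make the “use the inventory” point concrete, here is an added example (not code from the original post or from any vendor tool) of the proactive use case: when a new advisory is announced, query the inventory of supplier SBOMs to find which of your products ship an affected component. The SBOM documents are constructed, minimal CycloneDX-style JSON; the advisory identifier, package names and versions are all made up for the demonstration, and the version comparison assumes plain dotted numeric versions.

```python
"""Added example: cross-referencing an SBOM inventory with a new advisory.

Given one SBOM per product (as collected from suppliers), answer the
proactive vulnerability-management question "which of our products ship an
affected build of this package?". Everything below is constructed sample data.
"""
import json

# Constructed inventory: product name -> minimal CycloneDX 1.5-style SBOM.
SBOM_INVENTORY = {
    "gateway-appliance": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libexamplecompress", "version": "1.4.2",
             "purl": "pkg:generic/libexamplecompress@1.4.2"},
            {"type": "library", "name": "examplehttp", "version": "2.0.9",
             "purl": "pkg:generic/examplehttp@2.0.9"},
        ],
    }),
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libexamplecompress", "version": "1.5.0",
             "purl": "pkg:generic/libexamplecompress@1.5.0"},
            {"type": "framework", "name": "examplehttp", "version": "2.1.3",
             "purl": "pkg:generic/examplehttp@2.1.3"},
        ],
    }),
}

# Constructed advisory with a placeholder id (not a real CVE). Affected range:
# introduced <= version < fixed.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "package": "libexamplecompress",
    "introduced": "1.4.0",
    "fixed": "1.5.0",
}


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def build_index(inventory):
    """Index every component across all SBOMs: name -> [(product, version, purl)]."""
    index = {}
    for product, doc in inventory.items():
        sbom = json.loads(doc)
        if sbom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{product}: unsupported SBOM format")
        for comp in sbom.get("components", []):
            if "name" not in comp or "version" not in comp:
                # A component without a version cannot be matched against an
                # advisory; treat that as an SBOM quality failure, not a silent skip.
                raise ValueError(f"{product}: component missing name/version: {comp}")
            index.setdefault(comp["name"], []).append(
                (product, comp["version"], comp.get("purl")))
    return index


def is_affected(version, advisory):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_products(index, advisory):
    """Sorted (product, version) pairs that ship an affected build of the package."""
    hits = index.get(advisory["package"], [])
    return sorted((product, version) for product, version, _ in hits
                  if is_affected(version, advisory))


if __name__ == "__main__":
    idx = build_index(SBOM_INVENTORY)
    for product, version in affected_products(idx, ADVISORY):
        print(f"{ADVISORY['id']}: {product} ships {ADVISORY['package']} {version}")
```

The index is built once from all SBOMs and queried per advisory, which is the shape that keeps the cost of each new announcement low; the strict check on missing versions is deliberate, since an inventory that quietly skips incomplete entries gives a false sense of coverage.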

Maintaining a complete, high-quality SBOM inventory is just one step in accomplishing “Security practitioners must work collaboratively to prevent the abuse of interconnected systems”, but it’s a necessary first step.
