Software Composition Analysis: The New Armor for Your Cybersecurity

A
Aggregage
Software Composition Analysis: The New Armor for Your Cybersecurity
Software Composition Analysis: The New Armor for Your Cybersecurity
Software Composition Analysis: The New Armor for Your Cybersecurity
Software Composition Analysis: The New Armor for Your Cybersecurity
The new armor for cybersecurity SOFTWARE COMPOSITION ANALYSIS:
CYBERSECURITY SUPPLY CHAIN SBOM SCA
Process and set of tools used to identify and manage the open- source and third-party software components and libraries used in software applications Open-Source Software constitutes 70-90% of any given piece of modern software solutions • Component Identification • License Compliance • Vulnerability Management • Dependency Management • Policy Enforcement • Reporting and Remediation KEY ASPECTS • Enhance security • Maintain license compliance • Mitigate risk GOALS SCA What is Software Composition Analysis? DEFINITION PREVALENCE
The value of SCA in your security strategy You can’t comply, secure and remediate open source if you’re not aware of where it exists in your organization
Cybersecurity is becoming a global movement
Emerging regulations to protect software users • Enhance supply chain security. The strategy includes initiatives to improve the security of the supply chains that support critical infrastructure, and federal systems to reduce the risk of cyberattacks and disruptions. • Improve incident response and recovery. The strategy emphasizes the need for effective incident response and recovery capabilities. • Promote cybersecurity workforce development. The strategy includes initiatives to address the cybersecurity skills gap — such as promoting cybersecurity education and training programs. • Strengthen partnerships with the private sector. The strategy highlights the private sector’s key role in cybersecurity and includes initiatives to enhance public-private partnerships — such as sharing threat intelligence, promoting best practices, and facilitating joint exercises and simulations. • Transparency in the use of third-party OSS components • Software Bill of Materials - mandatory • Process for remediation - mandatory • Concerns regarding liability exemptions for OSS developers • Going through Parliament
©2022 Revenera | Company Confidential Minimum SBOM Elements A Software Bill of Materials (SBOM) is a formal and queryable record containing the details and relationships of various components used in building software. https://www.ntia.gov/SBOM • Supplier info • SBOM author and timestamp • SBOM part component version • SBOM part other unique identifiers (purl, etc.) • SBOM part dependency relationship ( https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf )
Open source visibility and control are essential to maintain the security, license compliance, and code quality of automotive software applications and platforms Today’s connected vehicles Source: How Software Engineering is Changing the Automotive Industry
Enhancing your security posture through scan, analysis and SBOM management Recognize and manage risks associated with third-party and open-source software components Identify components Scan for vulnerabilities Assess your risk Receive remediation guidance and support Access dependency graphs Automate policy enforcement Generate a Software Bill of Materials
Key takeaways Put in place the right tooling to complement your tech stack and what works for your business. 1 Implement the right policies, processes and people. 2 Understand both the industry you’re in and the industry(s) you sell to. 3 Set yourself up to provide an inventory of the products you produce and/or procure for the next major vulnerability event (i.e. Log4j). 4 Do something; take the next step. 5
Software Composition Analysis: The New Armor for Your Cybersecurity
THANK YOU! Kendra Morton kemorton@revenera.com Russ Eling russ@ossconsultants.com Karl Rohrbach krohrbach@blackberry.com
1 of 16

Software Composition Analysis: The New Armor for Your Cybersecurity

Download to read offline
Software

Today’s technology leaders play a more strategic role in establishing cybersecurity strategy for their organizations. This webinar will teach you what you can do to prevent a hole in your software supply chain, so bad actors are unable to slip in and take advantage.

A
Aggregage

Recommended

Software Asset Management I Best Practices I NuggetHubSoftware Asset Management I Best Practices I NuggetHub
Software Asset Management I Best Practices I NuggetHubRichardNowack
233 views53 slides
Introduction to Software EngineeringIntroduction to Software Engineering
Introduction to Software EngineeringSweta Kumari Barnwal
298 views22 slides
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceSonatype
648 views12 slides
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
21.5K views59 slides
Owasp Summit - Wednesday evening briefing masterOwasp Summit - Wednesday evening briefing master
Owasp Summit - Wednesday evening briefing masterDinis Cruz
273 views42 slides
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
834 views34 slides

More Related Content

Similar to Software Composition Analysis: The New Armor for Your Cybersecurity

Similar to Software Composition Analysis: The New Armor for Your Cybersecurity(20)

Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
Rochester Security Summit566 views
24may 1200 valday eric anklesaria 'secure sdlc – core banking'24may 1200 valday eric anklesaria 'secure sdlc – core banking'
24may 1200 valday eric anklesaria 'secure sdlc – core banking'
Positive Hack Days819 views
Eric Anklesaria. Secure SDLC - Core BankingEric Anklesaria. Secure SDLC - Core Banking
Eric Anklesaria. Secure SDLC - Core Banking
Positive Hack Days1.8K views
Driving Risks Out of Embedded Automotive SoftwareDriving Risks Out of Embedded Automotive Software
Driving Risks Out of Embedded Automotive Software
Parasoft687 views
Planning for software quality assurance lecture 6Planning for software quality assurance lecture 6
Planning for software quality assurance lecture 6
Abdul Basit5.3K views
Building a QMS for Your SaMD Part IIBuilding a QMS for Your SaMD Part II
Building a QMS for Your SaMD Part II
EMMAIntl103 views
Demystifying PCI Software Security Framework: All You Need to Know for Your A...Demystifying PCI Software Security Framework: All You Need to Know for Your A...
Demystifying PCI Software Security Framework: All You Need to Know for Your A...
SBWebinars247 views
SOC for Cybersecurity OverviewSOC for Cybersecurity Overview
SOC for Cybersecurity Overview
Brian Matteson, CISSP CISA478 views
New Model to Achieve Software Quality Assurance (SQA) in Web ApplicationNew Model to Achieve Software Quality Assurance (SQA) in Web Application
New Model to Achieve Software Quality Assurance (SQA) in Web Application
ijsrd.com405 views
Sofware engineeringSofware engineering
Sofware engineering
nstjelja728 views
Analysis concepts and principlesAnalysis concepts and principles
Analysis concepts and principles
saurabhshertukde15.3K views
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE197 views
Software quality assuranceSoftware quality assurance
Software quality assurance
University of Sargodha1.6K views
SPM lecture2 Requirements Management and IdentificationSPM lecture2 Requirements Management and Identification
SPM lecture2 Requirements Management and Identification
Garm Lucassen2.6K views
Top 5 best practice for delivering secure in-vehicle softwareTop 5 best practice for delivering secure in-vehicle software
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software 811 views
SQA-Lecture-4.pptxSQA-Lecture-4.pptx
SQA-Lecture-4.pptx
SaritaAgrahari212 views
Ch 4 components of the sqa systemCh 4 components of the sqa system
Ch 4 components of the sqa system
Kittitouch Suteeca5.8K views
Quality Management and Quality StandardQuality Management and Quality Standard
Quality Management and Quality Standard
Murageppa-QA128 views
OWASP Secure Coding Practices - Quick Reference GuideOWASP Secure Coding Practices - Quick Reference Guide
OWASP Secure Coding Practices - Quick Reference Guide
Ludovic Petit3K views
How to Build Software from Scratch in 5 Simple Steps.pdfHow to Build Software from Scratch in 5 Simple Steps.pdf
How to Build Software from Scratch in 5 Simple Steps.pdf
Baek Yongsun2 views

More from Aggregage

More from Aggregage(20)

The Future of Customer Loyalty: Rewards, Retention, Appreciation, and MoreThe Future of Customer Loyalty: Rewards, Retention, Appreciation, and More
The Future of Customer Loyalty: Rewards, Retention, Appreciation, and More
Aggregage22 views
Predictions You Can Rely On: How Data Drives Successful Financial ForecastingPredictions You Can Rely On: How Data Drives Successful Financial Forecasting
Predictions You Can Rely On: How Data Drives Successful Financial Forecasting
Aggregage91 views
The 4 Dysfunctions of Recruiting & How You Can Successfully Overcome ThemThe 4 Dysfunctions of Recruiting & How You Can Successfully Overcome Them
The 4 Dysfunctions of Recruiting & How You Can Successfully Overcome Them
Aggregage196 views
How to Design a Seamless & Personalized Digital Donor JourneyHow to Design a Seamless & Personalized Digital Donor Journey
How to Design a Seamless & Personalized Digital Donor Journey
Aggregage28 views
2 Retail Sectors That Are Completely Changing the Game: FMCG & Q-Commerce2 Retail Sectors That Are Completely Changing the Game: FMCG & Q-Commerce
2 Retail Sectors That Are Completely Changing the Game: FMCG & Q-Commerce
Aggregage20 views
Let's Get Physical: How to Blend Direct Mail Marketing with Your Digital Stra...Let's Get Physical: How to Blend Direct Mail Marketing with Your Digital Stra...
Let's Get Physical: How to Blend Direct Mail Marketing with Your Digital Stra...
Aggregage164 views
Banking on Loyalty: Holistic Financial Advice for Unparalleled Business GrowthBanking on Loyalty: Holistic Financial Advice for Unparalleled Business Growth
Banking on Loyalty: Holistic Financial Advice for Unparalleled Business Growth
Aggregage26 views
Keep the Competitive Edge and Reduce ChurnKeep the Competitive Edge and Reduce Churn
Keep the Competitive Edge and Reduce Churn
Aggregage91 views
Mastering Supply Chain Sustainability: Where Does ESG Fit In?Mastering Supply Chain Sustainability: Where Does ESG Fit In?
Mastering Supply Chain Sustainability: Where Does ESG Fit In?
Aggregage113 views
From Complexity to Clarity: Strategies for Effective Compliance and Security ...From Complexity to Clarity: Strategies for Effective Compliance and Security ...
From Complexity to Clarity: Strategies for Effective Compliance and Security ...
Aggregage53 views
Is Training the Right Solution?Is Training the Right Solution?
Is Training the Right Solution?
Aggregage347 views
How to Create Unique Customer Journeys to Optimize Business OutcomesHow to Create Unique Customer Journeys to Optimize Business Outcomes
How to Create Unique Customer Journeys to Optimize Business Outcomes
Aggregage91 views
Your Triple-Threat Solution for Resilient Planning and ExecutionYour Triple-Threat Solution for Resilient Planning and Execution
Your Triple-Threat Solution for Resilient Planning and Execution
Aggregage28 views
Gone in 8 Seconds: Overcoming Buyers' Shrinking Attention SpansGone in 8 Seconds: Overcoming Buyers' Shrinking Attention Spans
Gone in 8 Seconds: Overcoming Buyers' Shrinking Attention Spans
Aggregage72 views
Product Development Demystified: Launching Faster with Confidence through Hum...Product Development Demystified: Launching Faster with Confidence through Hum...
Product Development Demystified: Launching Faster with Confidence through Hum...
Aggregage51 views
Feedback Frenzy: Restoring Customer and Internal Alignment for Product SuccessFeedback Frenzy: Restoring Customer and Internal Alignment for Product Success
Feedback Frenzy: Restoring Customer and Internal Alignment for Product Success
Aggregage44 views
Preventing Employee Burnout in Restaurants & Hospitality: An Integrated ApproachPreventing Employee Burnout in Restaurants & Hospitality: An Integrated Approach
Preventing Employee Burnout in Restaurants & Hospitality: An Integrated Approach
Aggregage91 views
Cloud-Based Solutions: The Sky Is the Limit for Retail SuccessCloud-Based Solutions: The Sky Is the Limit for Retail Success
Cloud-Based Solutions: The Sky Is the Limit for Retail Success
Aggregage20 views
ERM Program Fundamentals for Success in the Banking IndustryERM Program Fundamentals for Success in the Banking Industry
ERM Program Fundamentals for Success in the Banking Industry
Aggregage43 views
The Power of Storytelling in Risk ManagementThe Power of Storytelling in Risk Management
The Power of Storytelling in Risk Management
Aggregage122 views

Recently uploaded

Neo4j y GenAI Neo4j y GenAI
Neo4j y GenAI Neo4j
10 views41 slides
Tridens DevOpsTridens DevOps
Tridens DevOpsTridens
9 views28 slides

Recently uploaded(20)

Neo4j y GenAI Neo4j y GenAI
Neo4j y GenAI
Neo4j10 views
Scala Left Fold Parallelisation - Three ApproachesScala Left Fold Parallelisation - Three Approaches
Scala Left Fold Parallelisation - Three Approaches
Philip Schwarz36 views
Why Cloud Services.pdfWhy Cloud Services.pdf
Why Cloud Services.pdf
Pi DATACENTERS6 views
How to Install and Activate Email-ResearcherHow to Install and Activate Email-Researcher
How to Install and Activate Email-Researcher
eGrabber17 views
Applying Platform Engineering Thining to Observability.pdfApplying Platform Engineering Thining to Observability.pdf
Applying Platform Engineering Thining to Observability.pdf
Natan Yellin10 views
Tridens DevOpsTridens DevOps
Tridens DevOps
Tridens9 views
Green Software Big PictureGreen Software Big Picture
Green Software Big Picture
Green Software Development17 views
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdf
Tiago Henriques66 views
El Arte de lo PossibleEl Arte de lo Possible
El Arte de lo Possible
Neo4j7 views
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
marksimpsongw74 views
VBA work.pdfVBA work.pdf
VBA work.pdf
BlackCatComputers5 views
[PHPCon 2023] Blaski i ciebie BDD[PHPCon 2023] Blaski i ciebie BDD
[PHPCon 2023] Blaski i ciebie BDD
Mateusz Zalewski41 views
Winter '24 Release Chat.pdfWinter '24 Release Chat.pdf
Winter '24 Release Chat.pdf
melbourneauuser7 views
Les nouveautés produit Neo4j Les nouveautés produit Neo4j
Les nouveautés produit Neo4j
Neo4j26 views
Neo4j : Graphes de Connaissance, IA et LLMsNeo4j : Graphes de Connaissance, IA et LLMs
Neo4j : Graphes de Connaissance, IA et LLMs
Neo4j40 views
Cycleops - Automate deployments on top of bare metal.pptxCycleops - Automate deployments on top of bare metal.pptx
Cycleops - Automate deployments on top of bare metal.pptx
Thanassis Parathyras26 views
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
Deltares6 views
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
DSD-INT 2023 FloodAdapt - A decision-support tool for compound flood risk mit...
Deltares5 views
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023Upgrading Incident Management with Icinga - Icinga Camp Milan 2023
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023
Icinga27 views
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
confluent13 views

Software Composition Analysis: The New Armor for Your Cybersecurity

  • 5. The new armor for cybersecurity SOFTWARE COMPOSITION ANALYSIS:
  • 7. Process and set of tools used to identify and manage the open- source and third-party software components and libraries used in software applications Open-Source Software constitutes 70-90% of any given piece of modern software solutions • Component Identification • License Compliance • Vulnerability Management • Dependency Management • Policy Enforcement • Reporting and Remediation KEY ASPECTS • Enhance security • Maintain license compliance • Mitigate risk GOALS SCA What is Software Composition Analysis? DEFINITION PREVALENCE
  • 8. The value of SCA in your security strategy You can’t comply, secure and remediate open source if you’re not aware of where it exists in your organization
  • 9. Cybersecurity is becoming a global movement
  • 10. Emerging regulations to protect software users • Enhance supply chain security. The strategy includes initiatives to improve the security of the supply chains that support critical infrastructure, and federal systems to reduce the risk of cyberattacks and disruptions. • Improve incident response and recovery. The strategy emphasizes the need for effective incident response and recovery capabilities. • Promote cybersecurity workforce development. The strategy includes initiatives to address the cybersecurity skills gap — such as promoting cybersecurity education and training programs. • Strengthen partnerships with the private sector. The strategy highlights the private sector’s key role in cybersecurity and includes initiatives to enhance public-private partnerships — such as sharing threat intelligence, promoting best practices, and facilitating joint exercises and simulations. • Transparency in the use of third-party OSS components • Software Bill of Materials - mandatory • Process for remediation - mandatory • Concerns regarding liability exemptions for OSS developers • Going through Parliament
  • 11. ©2022 Revenera | Company Confidential Minimum SBOM Elements A Software Bill of Materials (SBOM) is a formal and queryable record containing the details and relationships of various components used in building software. https://www.ntia.gov/SBOM • Supplier info • SBOM author and timestamp • SBOM part component version • SBOM part other unique identifiers (purl, etc.) • SBOM part dependency relationship ( https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf )
  • 12. Open source visibility and control are essential to maintain the security, license compliance, and code quality of automotive software applications and platforms Today’s connected vehicles Source: How Software Engineering is Changing the Automotive Industry
  • 13. Enhancing your security posture through scan, analysis and SBOM management Recognize and manage risks associated with third-party and open-source software components Identify components Scan for vulnerabilities Assess your risk Receive remediation guidance and support Access dependency graphs Automate policy enforcement Generate a Software Bill of Materials
  • 14. Key takeaways Put in place the right tooling to complement your tech stack and what works for your business. 1 Implement the right policies, processes and people. 2 Understand both the industry you’re in and the industry(s) you sell to. 3 Set yourself up to provide an inventory of the products you produce and/or procure for the next major vulnerability event (i.e. Log4j). 4 Do something; take the next step. 5
  • 16. THANK YOU! Kendra Morton kemorton@revenera.com Russ Eling russ@ossconsultants.com Karl Rohrbach krohrbach@blackberry.com