Generative Pre-Trained Transformers, Natural Language Processing and
Artificial Intelligence and Machine Learning (AI/ML) in Software Vulnerability
Management: Automations in the Software Bill of Materials (SBOM) and the
Vulnerability-Exploitability eXchange (VEX)
Petar Radanliev1, David De Roure1, Omar Santos2
1Department of Engineering Science, University of Oxford, *corresponding author email:
petar.radanliev@eng.ox.ac.uk, david.deroure@oerc.ox.ac.uk
2Cisco Systems, RTP, North Carolina, United States, email: osantos@cisco.com
Preprint summary: Since the issuance of Executive Order 14028 on Improving the Nation's
Cybersecurity in 2023, cybersecurity professionals in the UK and the USA have been
struggling with the challenge of Software Bill of Materials (SBOM) compliance. In the USA
(U.S.), there has been a significant effort to ensure compliance, but in the UK,
compliance with Executive Order 14028 is not seen as a priority. This is probably because
many UK-based developers think that the compliance mechanism is only valid in the U.S. The
truth is that Executive Order 14028 applies to companies that operate or work with the U.S.,
and many UK-based software developers either operate in the U.S. or their products are
used in the U.S. This means that many UK software developers need to be compliant with
Executive Order 14028, and yet there is very little discussion (if any) among the UK
software development community on this topic. The first stage would be to connect
with the U.S. agencies that work in this area and to start developing a strategy for how this
could be communicated to the UK industry and academic software developers' communities.
The second stage is to ensure that vendors, customers, and users understand the value of
SBOMs. At present, the U.S. is in stage two, and the UK has not really engaged with stage one
yet. Looking at the U.S. as the most advanced country in SBOM adoption, despite the
readiness of software developers to prepare SBOMs, vendors, customers, and users are still
uncertain about the implementation process and the value of the received reports. This is
predominantly because SBOMs produce an overwhelming amount of information, and
cybersecurity professionals are unable to process the data and check for all the potential
vulnerabilities that can be found in SBOMs. This is likely to be a problem in the UK as well,
once the requirements for compliance with Executive Order 14028 become more obvious,
and once UK developers reach the same level of compliance as their counterparts in the
U.S. To address this pressing issue, we present a Preprint that explores the potential of
Artificial Intelligence and Machine Learning (AI/ML) in automating SBOM and Vulnerability
Exploitability eXchange (VEX) compliance. Our research delves into categorising data and
proposing solutions grounded in the FAIR principles (Findable, Accessible, Interoperable, and
Reusable).
1 Introduction
The UK and the U.S. are in a special relationship that requires compliance with cybersecurity
regulations and strong cyber diplomacy. Executive Order 14028, which imposes a
compulsory requirement for a Software Bill of Materials (SBOM), has exposed the need for
deeper collaboration between the UK and the U.S. cybersecurity agencies. This Preprint
discusses the requirements for a new, comprehensive cyber policy that prioritises
cybersecurity as a top national priority for the UK. Both countries - the UK and the U.S. -
have individually developed forward-looking cybersecurity strategies to protect their
critical infrastructure, businesses, and citizens from evolving cyber risks. The UK has
fallen behind in following the U.S. requirements for the Software Bill of Materials
(SBOM) and cyber vulnerabilities. This exposes a gap in UK and U.S. cyber diplomacy
and requires a new strategy that builds on existing collaborative efforts and shared expertise
in countering cyber threats.
To bring the UK back on track with compliance with standards, legislation, and regulations
in the U.S., and to strengthen the UK and the U.S. collective defence capabilities, the new
strategy must place priority on improving information sharing, intelligence collaboration,
and collaborative cybersecurity exercises. This is particularly relevant and important in light
of the difficulties SBOMs present in assuring software supply chain security.
This necessitates active participation in multilateral forums that advance cyber policy and
global norms for cyberspace, while also encouraging responsible state behaviour
and addressing vulnerabilities in a coordinated fashion. The UK and the U.S. need to set the
standard for promoting cyber resilience by creating a secure digital future not only for the
UK and the U.S.; through coordinated efforts, the new strategy must also provide
opportunities for engagement with the larger international community. The first step in
doing this is to address the complexities of managing SBOMs and cyber vulnerabilities
with the guiding principles of transparency, cooperation, and international stability in
cyberspace.
When the level of cooperation and collaboration has been re-established, the
problem of managing the vast volume of new vulnerabilities will be imposed on UK
cybersecurity professionals. This Preprint is designed to identify the solutions that would
reduce the burden on U.S. cybersecurity professionals today, and the workloads of UK
cybersecurity professionals in the future.
The solutions investigated in this Preprint are based on using Generative Pre-Trained
Transformers, Natural Language Processing, Artificial Intelligence, and other Machine
Learning algorithms in Software Vulnerability Management. The objective of the Preprint is
to identify how such tools can be used for automations in the Software Bill of Materials
(SBOM) and the Vulnerability-Exploitability eXchange (VEX).
2 Preprint on the Software Bill of Materials (SBOM) and the
Vulnerability-Exploitability eXchange (VEX)
This Preprint focuses on the crucial domain of cyber vulnerability management, where
compliance with SBOM and VEX plays a central role. While software developers have actively
embraced SBOMs, their adoption by end-users remains a challenge. The automation of this
process emerges as a critical need due to the staggering estimate of 270 million monthly
requests for vulnerability indices, with projections of doubling every year and a half. This
Preprint aims to explore how AI/ML can transform and modernise SBOM and VEX
compliance, opening the way for standardisation between the UK and the U.S. cybersecurity
agencies and for compliance with regulations that differ across national standards and
legislation, while preserving and enhancing robust cybersecurity practices.
3 Methodology
To achieve our objectives, we undertook a comprehensive research approach, conducting 20
Preprint interviews and 3 workshops. We also leveraged secondary data sources from U.S.
cybersecurity agencies, such as CSAF, NTIA, CISA, NIST. The data sources included video
recordings, working papers, and draft reports. By combining different data, approaches, and
methods, we carefully analysed the data and derived insights from multiple sources.
4 Challenges in Cyber Vulnerability Management
U.S. cybersecurity agencies have focused on cybersecurity vulnerability management,
security fixes, and patches. One of the leading tools in the U.S. cybersecurity arsenal is the
Common Vulnerability Scoring System Calculator (CVSS). However, CVSS was designed long
before many of the current vulnerabilities existed. The limitations of CVSS include scaling
problems and diverse data communication formats; current advances in AI and ML
have enabled computer scientists to overcome many similar problems in other areas of
research. Even if we wanted to keep things as they are in vulnerability management, the
complexity of manual patching and updates becomes evident with the volume of
vulnerabilities that need to be risk-assessed to control the threat level and the vulnerability
exploitability. Hence, this presents a very clear need for automation in SBOM vulnerability
management.
5 The importance of VEX
Bridging the gap between vulnerability discovery and vulnerability exploitability assessment, the
significance of automation in SBOM and VEX is even more obvious, because we need to
address software supply chain cyber risks. SBOMs provide essential information about
software components and dependencies, and this is the reason we can see many more
vulnerabilities: we now understand the components used in different software
products, but not all vulnerabilities are exploitable. In most cases, cybersecurity
professionals are risk-assessing vulnerabilities that are not exploitable on the systems they
use. This highlights the importance of VEX, which offers transparency and an updated view
of vulnerability statuses.
However, the fact that this legislation is seen by developers as only applicable to the U.S.
creates a disadvantage for cybersecurity professionals based in the U.S. Since the U.S. has
imposed the requirement on developers to produce SBOMs, all vendors are required to
check SBOMs for potential vulnerabilities. Their cybersecurity counterparts in other
countries have no such requirements, and software is often sold and used in the form of
black-box applications. If developers do not provide SBOMs, cybersecurity professionals
have nothing to check for vulnerabilities. This not only exposes the end-user to cyber risks,
but it also creates significant challenges in the standardisation of automation and the scaling of
SBOM risk assessment.
6 The Executive Order and SBOM Adoption
Executive Order 14028 mandates federal agencies to request SBOMs, accelerating the
influx of SBOMs into the market. While software developers in the U.S. have by now become
familiar with SBOMs, vendors, customers, and end-users struggle to harness their
potential. This emphasises the need for a cost-effective automated tool that would provide
visibility and automated risk assessment, including an estimation of vulnerability
exploitability. Such a cost-effective automated tool would facilitate transparency and enable
vendors, customers, and end-users to visualise and better understand the exploitability
of the vulnerabilities in the SBOMs. In effect, such a cost-effective automated tool would
enhance vulnerability management to a level where vendors, customers, and end-users
would start requesting SBOMs from software developers, because they would understand
the value of SBOM reports. At present, the value of these reports is not fully understood,
and SBOMs are seen as a burden, not as a mechanism for vulnerability management.
7 Strategy for UK Cyber Diplomacy and technical solutions for
compliance with the Executive Order 14028
7.1 First, let’s ensure we understand what Cyber Diplomacy is.
International relations in the context of cyberspace are the primary concern of cyber
diplomacy. Cyber diplomacy has become essential for influencing standards, regulations, and
cooperation in the cyber domain as the digital world becomes more interconnected and
more entwined with international politics. To handle cybersecurity concerns, promote trust,
and avert potential conflicts, this involves interactions between nation-states and other
stakeholders.
To promote responsible behaviour and guarantee stability in cyberspace, cyber-diplomats
engage in discussions, negotiations, and the creation of agreements. Cyber diplomacy aims
to achieve a careful balance between utilising the potential provided by digital technologies
and tackling the security risks they pose, by promoting cooperation and understanding. Its
ultimate objective is to establish a digital environment that is more secure and safe.
7.2 Second, let’s discuss the importance of Cyber Diplomacy between the UK and
the U.S.
The UK and the U.S. have a strong and cooperative collaboration in cyber diplomacy, which
reflects the shared values and objectives of these two powerful countries. They recognise
the value of working collaboratively to combat new cyber threats and advance a secure
cyberspace given the vital roles both nations play in the digital world and their strong
cybersecurity capabilities. To address challenges like cyber espionage, malicious cyber
activity, and the safeguarding of key infrastructure, regular high-level discussions, bilateral
agreements, and information-sharing systems are set up. Their cooperation has been further
strengthened by joint initiatives in cyber defence, intelligence sharing, and cybercrime
investigations.
Additionally, the UK and U.S. regularly participate in multilateral forums to help establish
global standards and guidelines for cyberspace, highlighting the importance of responsible
state behaviour and adherence to international law. This cyber-diplomatic alliance not only
strengthens both countries' cybersecurity capacities, but it also helps the larger international
endeavour to create a more secure and stable online environment.
7.3 What are the problems we identified in the UK approach to Cyber Diplomacy
with the U.S.?
In the area of SBOM and VEX, the UK and U.S. cyber-diplomatic relationship needs to be
strengthened. We reviewed the participation of UK industry and academic experts in the UK
efforts on Cyber Diplomacy and compliance with Executive Order 14028, and we found
no UK representatives at the events organised by U.S. cybersecurity agencies. We found
representatives from the German Bundestag, from France, and from many other EU member
states; we also found a strong presence from Chinese companies, e.g., Huawei and others,
but we could not find any engagement of UK security agencies, academics, or industry
representatives in the events organised by U.S. agencies in relation to the standardisation of
the U.S. efforts on SBOM and VEX.
This triggered our interest in further developing our collaborative relationships with the
organisations that participate in SBOM and VEX, including the Common Security Advisory
Framework (CSAF), the National Institute of Standards and Technology (NIST), and other
organisations that work in this area, e.g., NTIA and CISA. This engagement included attendance
at the events organised and attended by U.S. security agencies, including the RSA
Conference and the CERT Vendor Meeting, the DEF CON and Black Hat conferences, and we
are making plans for a presence at the Texas Summit.
8 AI/ML Solutions for SBOM and VEX Automation
Drawing from the FAIR principles, we propose AI/ML-based solutions to automate SBOM
and VEX compliance. The AI/ML-based solutions include the integration of unique product IDs
and automatic asset management that enables seamless processing of advisories. This
AI/ML-based approach presupposes the implementation of CSAF and VEX
documents in JSON format, and the use of digital signatures to enhance security and
reliability. The proposed solutions are designed in compliance with existing efforts from
industry, such as the Dependency-Track model, which emerges as a promising open-source
tool for ingesting, analysing, and generating real-time intelligence reports from SBOMs and
VEX documents.
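The mechanism that Sections 5 and 8 rely on (matching advisories to the unique product IDs in an SBOM, then using the VEX status to decide which findings still need work) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the preprint, from CSAF, or from Dependency-Track. The SBOM, the scanner findings, and the VEX document are constructed inline, the VEX layout is a simplified stand-in rather than the CSAF or OpenVEX schema, and the vulnerability identifiers are placeholders. Digital signature verification of the documents is assumed to have happened before this step and is not shown. The example goes slightly beyond the text in two ways a practitioner would expect: when several statements exist for the same vulnerability and product, the latest timestamp wins (the "updated view" of Section 5), and a `not_affected` statement without a justification is not allowed to suppress a finding.

```python
"""Triage scanner findings for an SBOM against VEX statements.

Added example, not from the preprint. All documents below are constructed;
the VEX shape is a simplified stand-in, not the CSAF/OpenVEX schema.
Signature verification of the SBOM and VEX is assumed to precede this step.
"""
import json
from datetime import datetime

# Constructed SBOM: product IDs are package URLs (PURLs), one per component.
SBOM_JSON = json.dumps({
    "components": [
        {"purl": "pkg:pypi/examplelib@1.4.0", "name": "examplelib", "version": "1.4.0"},
        {"purl": "pkg:npm/widget-ui@2.0.1", "name": "widget-ui", "version": "2.0.1"},
    ]
})

# Constructed scanner output: vulnerability id + product id.
# "CVE-0000-000x" are placeholders, not real CVE records.
SCAN_FINDINGS = [
    {"vuln": "CVE-0000-0001", "product": "pkg:pypi/examplelib@1.4.0"},
    {"vuln": "CVE-0000-0002", "product": "pkg:pypi/examplelib@1.4.0"},
    {"vuln": "CVE-0000-0003", "product": "pkg:npm/widget-ui@2.0.1"},
    {"vuln": "CVE-0000-0004", "product": "pkg:npm/widget-ui@2.0.1"},
    {"vuln": "CVE-0000-0005", "product": "pkg:npm/orphan@9.9.9"},  # not in the SBOM
]

# Constructed VEX: statements carry the four standard VEX statuses.
VEX_JSON = json.dumps({
    "statements": [
        # An earlier statement that is later superseded.
        {"vuln": "CVE-0000-0001", "product": "pkg:pypi/examplelib@1.4.0",
         "status": "under_investigation", "timestamp": "2023-09-01T00:00:00"},
        {"vuln": "CVE-0000-0001", "product": "pkg:pypi/examplelib@1.4.0",
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
         "timestamp": "2023-09-15T00:00:00"},
        {"vuln": "CVE-0000-0002", "product": "pkg:pypi/examplelib@1.4.0",
         "status": "affected", "timestamp": "2023-09-10T00:00:00"},
        # not_affected without a justification: must not suppress the finding.
        {"vuln": "CVE-0000-0003", "product": "pkg:npm/widget-ui@2.0.1",
         "status": "not_affected", "timestamp": "2023-09-10T00:00:00"},
    ]
})

SUPPRESSING = {"not_affected", "fixed"}
VALID_STATUSES = SUPPRESSING | {"affected", "under_investigation"}


def load_inventory(sbom_json):
    """Index SBOM components by their unique product ID (PURL)."""
    return {c["purl"]: c for c in json.loads(sbom_json)["components"]}


def latest_statements(vex_json):
    """Index VEX statements by (vuln, product); the latest timestamp wins."""
    latest = {}
    for s in json.loads(vex_json)["statements"]:
        if s["status"] not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {s['status']!r}")
        key = (s["vuln"], s["product"])
        ts = datetime.fromisoformat(s["timestamp"])
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, s)
    return {k: v[1] for k, v in latest.items()}


def triage(findings, sbom_json, vex_json):
    """Split findings into actionable, suppressed, and not-in-SBOM buckets."""
    inventory = load_inventory(sbom_json)
    statements = latest_statements(vex_json)
    result = {"actionable": [], "suppressed": [], "not_in_sbom": []}
    for f in findings:
        if f["product"] not in inventory:
            # A finding for a product the SBOM does not list is an inventory
            # problem, not something a VEX statement can settle.
            result["not_in_sbom"].append(f["vuln"])
            continue
        s = statements.get((f["vuln"], f["product"]))
        if s is None:
            result["actionable"].append((f["vuln"], "no_vex_statement"))
        elif s["status"] == "not_affected" and not s.get("justification"):
            result["actionable"].append((f["vuln"], "not_affected_without_justification"))
        elif s["status"] in SUPPRESSING:
            result["suppressed"].append((f["vuln"], s["status"]))
        else:
            result["actionable"].append((f["vuln"], s["status"]))
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SCAN_FINDINGS, SBOM_JSON, VEX_JSON), indent=2))
```

Run as a script, the example leaves one finding suppressed (the one with a justified `not_affected` statement that supersedes the earlier `under_investigation`), three actionable (an `affected` product, an unjustified `not_affected`, and a finding with no statement at all), and one flagged because its product ID is absent from the SBOM. The default of "no statement means actionable" is deliberate: VEX reduces the backlog only for what the supplier has explicitly asserted, which is the transparency point the preprint makes.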
9 Collaborations and Future Perspectives on Cyber Diplomacy
between the UK and the U.S.
The success of implementing AI/ML solutions for SBOM and VEX automation relies on
collaboration between UK and U.S. government agencies, security agencies, academia,
and industry stakeholders. The Preprint underscores the need for extensive, automated, and
cost-effective tools to manage vulnerability exploitation. Government-imposed penalties in
the UK (to reach stage 1) and incentives in the U.S. (to reach stage 2) may also influence end-
users' adoption of automated tools.
10 Conclusion
This Preprint on Cyber Diplomacy in cybersecurity offers practical insights into automating
SBOM and VEX compliance with Executive Order 14028 through the power of AI/ML. By
harnessing the FAIR principles and applying the new AI/ML tools based on Generative Pre-
Trained Transformers and Natural Language Processing, cybersecurity practitioners can
navigate the complexities of cyber vulnerability management, ensuring a safer digital
landscape for organisations and users alike. Collaborative efforts between academia,
government, and industry will undoubtedly open new opportunities for creating a
collaborative, more secure, and resilient future. Our engagement with CSAF, NIST, NTIA, and
CISA, and our presence at RSA, DEF CON, Black Hat, and the Texas Summit, will temporarily
narrow the gaps in UK and U.S. cyber diplomacy, but a more formalised approach remains
to be developed by the relevant UK cybersecurity and cyber-diplomacy agencies.
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGSIVASHANKAR N
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 

Recently uploaded (20)

(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 

Software Bill of Materials

Generative Pre-Trained Transformers, Natural Language Processing and Artificial Intelligence and Machine Learning (AI/ML) in Software Vulnerability Management: Automations in the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX)

Petar Radanliev1, David De Roure1, Omar Santos2

1Department of Engineering Science, University of Oxford, *corresponding author email: petar.radanliev@eng.ox.ac.uk, david.deroure@oerc.ox.ac.uk
2Cisco Systems, RTP, North Carolina, United States, email: osantos@cisco.com

Preprint summary: Since the issuance of Executive Order 14028 on Improving the Nation's Cybersecurity in May 2021, cybersecurity professionals in the UK and the U.S. have been struggling with the challenge of Software Bill of Materials (SBOM) compliance. In the U.S. there has been a significant effort to ensure compliance, but in the UK compliance with Executive Order 14028 is not seen as a priority, probably because many UK-based developers think that the compliance mechanism applies only in the U.S. In fact, Executive Order 14028 applies to companies that operate in or work with the U.S., and many UK-based software developers either operate in the U.S. or have products that are used there. This means that many UK software developers need to comply with Executive Order 14028, and yet there is very little discussion (if any) of the topic in the UK software development community. The first stage would be to connect with the U.S. agencies working in this area and to develop a strategy for communicating the requirements to UK industry and academic software developers. The second stage is to ensure that vendors, customers and users understand the value of SBOMs. At present the U.S. is in stage two and the UK has not really engaged with stage one. Even in the U.S., the most advanced country in SBOM adoption, and despite the readiness of software developers to prepare SBOMs, vendors, customers and users remain uncertain about the implementation process and the value of the reports they receive. This is predominantly because SBOMs produce an overwhelming amount of information, and cybersecurity professionals are unable to process the data and check for all the potential vulnerabilities that an SBOM can reveal. The same problem will likely arise in the UK once the requirements for compliance with Executive Order 14028 become clearer and UK developers reach the same level of compliance as their U.S. counterparts. To address this pressing issue, this Preprint explores the potential of Artificial Intelligence and Machine Learning (AI/ML) in automating SBOM and Vulnerability Exploitability eXchange (VEX) compliance. Our research categorises the data and proposes solutions grounded in the FAIR principles (Findable, Accessible, Interoperable and Reusable).

1 Introduction

The UK and the U.S. are in a special relationship that requires compliance with cybersecurity regulations and strong cyber diplomacy. Executive Order 14028, which imposes a compulsory requirement for a Software Bill of Materials (SBOM), has exposed the need for deeper collaboration between UK and U.S. cybersecurity agencies. This Preprint discusses the requirements for a new, comprehensive cyber policy that makes cybersecurity a top national priority for the UK. Both countries have individually developed forward-looking cybersecurity strategies to protect their critical infrastructure, businesses and citizens from evolving cyber risks. The UK has somewhat fallen behind in following the U.S. requirements for SBOMs and cyber vulnerabilities. This exposes a gap in UK and U.S. cyber diplomacy and requires a new strategy that builds on existing collaborative efforts and shared expertise in countering cyber threats. To bring the UK back on track with U.S. standards, legislation and regulations, and to strengthen the two countries' collective defence capabilities, the new strategy must prioritise information sharing, intelligence collaboration and joint cybersecurity exercises. This is particularly relevant in light of the difficulties SBOMs present in assuring software supply chain security. It necessitates active participation in multilateral forums that advance cyber policy and global norms for cyberspace, encourage responsible state behaviour, and address vulnerabilities in a coordinated fashion. The UK and the U.S. need to set the standard for cyber resilience by creating a secure digital future, not only for themselves but, through coordinated efforts, for the larger international community. The first step is to address the complexities of managing SBOMs and cyber vulnerabilities under the guiding principles of transparency, cooperation and international stability in cyberspace. Once that cooperation has been re-established, the problem of managing the vast volume of new vulnerabilities will fall on UK cybersecurity professionals.

This Preprint is designed to identify solutions that would reduce the burden on U.S. cybersecurity professionals today and the workload of UK cybersecurity professionals in the future. The solutions investigated are based on using Generative Pre-Trained Transformers, Natural Language Processing, Artificial Intelligence and other Machine Learning algorithms in software vulnerability management. The objective is to identify how such tools can be used to automate the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX).

2 Preprint on the Software Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange (VEX)

This Preprint focuses on the crucial domain of cyber vulnerability management, where compliance with SBOM and VEX plays a central role. While software developers have actively embraced SBOMs, adoption by end users remains a challenge. Automation of this process emerges as a critical need given the staggering estimate of 270 million monthly requests for vulnerability indices, projected to double every year and a half. This Preprint explores how AI/ML can transform and modernise SBOM and VEX compliance, opening the way for standardisation between UK and U.S. cybersecurity agencies and for compliance with regulations that differ across national standards and legislation, while preserving and enhancing robust cybersecurity practices.

3 Methodology

To achieve our objectives we undertook a comprehensive research approach, conducting 20 interviews and 3 workshops. We also used secondary data from U.S. cybersecurity agencies (NTIA, CISA and NIST) and from the OASIS CSAF technical committee. The data sources included video recordings, working papers and draft reports. By combining different data, approaches and methods, we analysed the data carefully and derived insights from multiple sources.

4 Challenges in Cyber Vulnerability Management

U.S. cybersecurity agencies have focused on vulnerability management, security fixes and patches. One of the leading tools in the U.S. cybersecurity arsenal is the Common Vulnerability Scoring System (CVSS). However, CVSS was designed long before many of the current vulnerabilities existed. Its limitations include scaling problems and diverse data communication formats, and current advances in AI and ML have enabled computer scientists to overcome similar problems in other areas of research. Even if we wanted to keep vulnerability management as it is, the complexity of manual patching and updating becomes evident from the volume of vulnerabilities that must be risk assessed to control the threat level and the exploitability of each vulnerability. This presents a very clear need for automation in SBOM vulnerability management.

5 The importance of VEX

Bridging the gap between vulnerability discovery and vulnerability exploitability assessment makes the significance of automation in SBOM and VEX even more obvious, because software supply chain cyber risks must be addressed. SBOMs provide essential information about software components and dependencies; this is why we now see many more vulnerabilities, because we understand the components used in different software products. But not all vulnerabilities are exploitable. In most cases, cybersecurity professionals are risk assessing vulnerabilities that are not exploitable on the systems they use. This highlights the importance of VEX, which offers transparency and an up-to-date view of the status of each vulnerability. However, the fact that this legislation is seen by developers as applicable only in the U.S. creates a disadvantage for cybersecurity professionals based in the U.S. Since the U.S. has required developers to produce SBOMs, all vendors are required to check SBOMs for potential vulnerabilities. Their counterparts in other countries have no such requirement, and software is often sold and used as a black box. If developers do not provide SBOMs, cybersecurity professionals have nothing to check for vulnerabilities. This not only exposes end users to cyber risk but also creates significant challenges for standardising, automating and scaling SBOM risk assessment.

6 The Executive Order and SBOM Adoption

Executive Order 14028 requires federal agencies to request SBOMs, accelerating the influx of SBOMs into the market. While software developers in the U.S. have by now become familiar with SBOMs, vendors, customers and end users struggle to harness their potential. This emphasises the need for a cost-effective automated tool that would provide visibility and automated risk assessment, including an estimate of vulnerability exploitability. Such a tool would facilitate transparency and enable vendors, customers and end users to visualise and better understand the exploitability of the vulnerabilities listed in an SBOM. In effect, it would raise vulnerability management to a level where vendors, customers and end users would start requesting SBOMs from software developers, because they would understand the value of the reports. At present that value is not fully understood, and SBOMs are seen as a burden rather than as a mechanism for vulnerability management.

7 Strategy for UK Cyber Diplomacy and technical solutions for compliance with the Executive Order 14028

7.1 First, let's ensure we understand what Cyber Diplomacy is.

International relations in the context of cyberspace are the primary concern of cyber diplomacy. As the digital world becomes more interconnected and more entangled with international politics, cyber diplomacy has become essential for influencing standards, regulations and cooperation in the cyber domain. It involves interactions between nation states and other stakeholders to handle cybersecurity concerns, promote trust and avert potential conflicts. To promote responsible behaviour and guarantee stability in cyberspace, cyber diplomats engage in discussions, negotiations and the creation of agreements. Cyber diplomacy aims to strike a careful balance between exploiting the potential of digital technologies and tackling the security risks they present, by promoting cooperation and understanding. Its ultimate objective is a digital environment that is more secure and safe.

7.2 Second, let's discuss the importance of Cyber Diplomacy between the UK and the U.S.

The UK and the U.S. have a strong and cooperative collaboration in cyber diplomacy, reflecting the shared values and objectives of the two countries. Given the vital roles both nations play in the digital world and their strong cybersecurity capabilities, they recognise the value of working together to combat new cyber threats and advance a secure cyberspace. To address challenges such as cyber espionage, malicious cyber activity and the safeguarding of key infrastructure, regular high-level discussions, bilateral agreements and information-sharing systems have been set up. Their cooperation has been further strengthened by joint initiatives in cyber defence, intelligence sharing and cybercrime investigations. Additionally, the UK and the U.S. regularly participate in multilateral forums to help establish global standards and guidelines for cyberspace, highlighting the importance of responsible state behaviour and adherence to international law. This cyber-diplomatic alliance not only strengthens both countries' cybersecurity capacities but also contributes to the larger international endeavour to create a more secure and stable online environment.

7.3 What are the problems we identified in the UK approach to Cyber Diplomacy with the U.S.?

In the area of SBOM and VEX, the UK and U.S. cyber-diplomatic relationship needs to be strengthened. We reviewed the participation of UK industry and academic experts in UK efforts on cyber diplomacy and compliance with Executive Order 14028, and we found no UK representatives at the events organised by U.S. cybersecurity agencies. We found representatives from the German Bundestag, from France and from many other EU member states, and a strong presence of Chinese companies such as Huawei, but we could not find any engagement of UK security agencies, academics or industry representatives in the events organised by U.S. agencies on the standardisation of U.S. efforts on SBOM and VEX. This triggered our interest in further developing our collaborative relationships with the organisations that participate in SBOM and VEX work, including the OASIS Common Security Advisory Framework (CSAF) technical committee, the National Institute of Standards and Technology (NIST), and other organisations active in this area such as NTIA and CISA. This engagement included attendance at events organised or attended by U.S. security agencies, including the RSA Conference, the CERT Vendor Meeting, DEF CON and Black Hat, and we are planning a presence at the Texas Summit.

8 AI/ML Solutions for SBOM and VEX Automation

Drawing on the FAIR principles, we propose AI/ML-based solutions to automate SBOM and VEX compliance. These include the integration of unique product identifiers and automated asset management, which together enable seamless processing of advisories. The approach presupposes that CSAF and VEX documents are implemented in JSON format and carry digital signatures, which enhance their security and reliability: an advisory can only be matched automatically against an inventory if both sides name a component by the same identifier, and it can only be acted on if its integrity and origin can be verified.
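The matching step described above, as an added example that is not the preprint's code and not Dependency-Track's: it joins a CycloneDX SBOM to a CSAF 2.0 VEX document by Package URL, reports the VEX status and any vendor justification for each shipped component, flags components the VEX never mentions, and refuses to process an advisory whose SHA-256 digest does not match the value a CSAF publisher distributes alongside it (OpenPGP signature verification, which CSAF distribution also calls for, is not shown). Both JSON documents are constructed samples trimmed to the fields the code reads: the package names, product identifiers and CVE numbers (year 2099) are placeholders, and only product_tree.full_product_names is handled, not the nested branch form of a CSAF product tree.

```python
"""Join a CycloneDX SBOM to a CSAF 2.0 VEX document by Package URL (purl).
Added example for this page, not the preprint's or Dependency-Track's code. Both
documents are constructed samples trimmed to the fields read here; package names,
product IDs and CVE numbers (year 2099) are placeholders."""
import hashlib
import json

# Constructed CycloneDX SBOM fragment: three components we ship.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "alpha-parser", "version": "1.4.0", "purl": "pkg:pypi/alpha-parser@1.4.0"},
    {"type": "library", "name": "beta-net", "version": "2.0.1", "purl": "pkg:pypi/beta-net@2.0.1"},
    {"type": "library", "name": "gamma-db", "version": "0.9.3", "purl": "pkg:pypi/gamma-db@0.9.3"},
]})

# Constructed CSAF 2.0 VEX document (document.category == "csaf_vex").
VEX_JSON = json.dumps({
    "document": {"category": "csaf_vex", "title": "Constructed VEX sample",
                 "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1"}},
    "product_tree": {"full_product_names": [
        {"name": "alpha-parser 1.4.0", "product_id": "CSAFPID-0001",
         "product_identification_helper": {"purl": "pkg:pypi/alpha-parser@1.4.0"}},
        {"name": "beta-net 2.0.1", "product_id": "CSAFPID-0002",
         "product_identification_helper": {"purl": "pkg:pypi/beta-net@2.0.1"}},
        {"name": "delta-ui 3.1.0", "product_id": "CSAFPID-0003",  # not in our SBOM
         "product_identification_helper": {"purl": "pkg:npm/delta-ui@3.1.0"}},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-2099-0001",
         "product_status": {"known_not_affected": ["CSAFPID-0001"], "known_affected": ["CSAFPID-0003"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001"]}]},
        {"cve": "CVE-2099-0002", "product_status": {"known_affected": ["CSAFPID-0002"]}},
        {"cve": "CVE-2099-0003", "product_status": {"under_investigation": ["CSAFPID-0001", "CSAFPID-0002"]}},
    ],
})

# The four product_status values a CSAF VEX document may use, and the pile each lands in.
VEX_STATUSES = ("known_affected", "known_not_affected", "fixed", "under_investigation")
PILE = {"known_affected": "actionable", "known_not_affected": "not_exploitable",
        "fixed": "not_exploitable", "under_investigation": "pending"}

def sha256_hex(document: str) -> str:
    return hashlib.sha256(document.encode("utf-8")).hexdigest()

def verify_sha256(document: str, expected_hex: str) -> bool:
    """CSAF publishers ship a digest (and an OpenPGP signature, not shown) beside
    each advisory; refuse to act on a document that fails the check."""
    return sha256_hex(document) == expected_hex

def product_purls(vex: dict) -> dict:
    """Map CSAF product_id -> purl. Only full_product_names is handled; the
    nested product_tree.branches form is assumed absent."""
    out = {}
    for fpn in vex.get("product_tree", {}).get("full_product_names", []):
        purl = fpn.get("product_identification_helper", {}).get("purl")
        if purl:
            out[fpn["product_id"]] = purl
    return out

def justification(vuln: dict, product_id: str):
    """The VEX flag label the vendor attached to this product, if any."""
    for flag in vuln.get("flags", []):
        if product_id in flag.get("product_ids", []):
            return flag["label"]
    return None

def exploitability(sbom_json: str, vex_json: str) -> dict:
    """Return {purl: [(cve, status, justification), ...]} per SBOM component.
    An empty list means the VEX never mentions the component: an assessment gap
    to chase, not a clean bill of health. VEX products we do not ship (delta-ui)
    are dropped."""
    sbom, vex = json.loads(sbom_json), json.loads(vex_json)
    if vex["document"]["category"] != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    by_purl = {c["purl"]: [] for c in sbom.get("components", []) if c.get("purl")}
    purls = product_purls(vex)
    for vuln in vex.get("vulnerabilities", []):
        for status in VEX_STATUSES:
            for pid in vuln.get("product_status", {}).get(status, []):
                purl = purls.get(pid)
                if purl in by_purl:
                    by_purl[purl].append((vuln.get("cve"), status, justification(vuln, pid)))
    return by_purl

def triage(results: dict) -> dict:
    """Collapse the per-component view into the piles an analyst acts on."""
    piles = {"actionable": [], "not_exploitable": [], "pending": [], "unassessed": []}
    for purl, findings in results.items():
        if not findings:
            piles["unassessed"].append(purl)
        for cve, status, _ in findings:
            piles[PILE[status]].append((purl, cve))
    return piles

if __name__ == "__main__":
    digest = sha256_hex(VEX_JSON)  # stands in for the publisher's .sha256 file
    if not verify_sha256(VEX_JSON, digest):
        raise SystemExit("VEX digest mismatch; refusing to process")
    for purl, findings in exploitability(SBOM_JSON, VEX_JSON).items():
        print(purl, findings or "no VEX statement")
    print(triage(exploitability(SBOM_JSON, VEX_JSON)))
```

On the constructed input the triage leaves one actionable finding (beta-net, CVE-2099-0002), suppresses the alpha-parser finding because the vendor asserted the vulnerable code is not in the execute path, holds two findings pending investigation, and reports gamma-db as unassessed. That last pile is the one an automated pipeline must not silently drop: a component with no VEX statement has not been cleared, it has simply not been looked at.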
The proposed solutions are designed to be compatible with existing industry efforts, such as OWASP Dependency-Track, which has emerged as a promising open-source tool for ingesting, analysing and generating real-time intelligence reports from SBOMs and VEX documents.

9 Collaborations and Future Perspectives on Cyber Diplomacy between the UK and the U.S.

The success of implementing AI/ML solutions for SBOM and VEX automation relies on collaboration with UK and U.S. government agencies, security agencies, academia and industry stakeholders. The Preprint underscores the need for extensive, automated and cost-effective tools to manage vulnerability exploitability. Government-imposed penalties in the UK (to reach stage 1) and incentives in the U.S. (to reach stage 2) may also influence end users' adoption of automated tools.

10 Conclusion

This Preprint on cyber diplomacy in cybersecurity offers practical insights into automating SBOM and VEX compliance with Executive Order 14028 through AI/ML. By harnessing the FAIR principles and applying new AI/ML tools based on Generative Pre-Trained Transformers and Natural Language Processing, cybersecurity practitioners can navigate the complexities of cyber vulnerability management, ensuring a safer digital landscape for organisations and users alike. Collaborative efforts between academia, government and industry will undoubtedly open new opportunities for a more secure and resilient future. Our engagement with CSAF, NIST, NTIA and CISA, and our presence at RSA, DEF CON, Black Hat and the Texas Summit, will temporarily narrow the gaps in UK and U.S. cyber diplomacy, but a more formalised approach remains to be developed by the relevant UK cybersecurity and cyber-diplomacy agencies.