Synopsys

How to cybersecurity: Software supply chain security is much bigger than you think

Managing the risks of your software supply chain requires more than a basic understanding of the software components that make up your applications. My wife and I have four children, which means we’ve done a ton of shopping at Costco over the years. First it was diapers, then cereal, then every other kind of food, all of which provided significant savings for our family of six.

What is a software bill of materials?

With a software bill of materials (SBOM), you can respond quickly to the security, license, and operational risks that come with open source use. An SBOM is a list of all the open source and third-party components present in a codebase. It also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks.

NIST provides recommended criteria for cybersecurity labeling for consumer software and IoT products

Will NIST’s cybersecurity labeling for consumer software and IoT products help us achieve better security? Our experts weigh in. If one of the goals of President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” is fulfilled, you’ll be able to look for a quality and security assurance label on any software product you consider buying.

Synopsys contributes to the Linux Foundation Census II of the most widely used open source application libraries

Census II examines the most popular components of free and open source software and highlights the issues affecting the security of these libraries. Last week, the nonprofit Linux Foundation and Harvard’s Lab for Innovation Science published Census II of Free and Open Source Software—Application Libraries. This report identifies more than 1,000 of the most widely deployed open source application libraries.

Navigating the road ahead for automotive cybersecurity

With challenging cybersecurity requirements on the horizon for automotive companies in 2022, security teams can look to BSIMM12 for guidance. For security teams in the automotive industry, 2021 was an extremely busy year. Cybersecurity became a requirement for market access and compliance, so the entire industry faced a challenging timetable. The security groups in automotive companies are experiencing “forced growth” brought about by rigorous cybersecurity compliance requirements.

What the cybersecurity executive order means for the private sector

For a variety of reasons, some more obvious than others, it’s unreasonable to expect federal and local governments to develop the software that supports their day-to-day operations. So they turn to solutions provided by private companies. This is really a win-win situation; the government gets access to best-of-breed solutions developed by experienced companies, and the vendor secures funds that help spur innovation that’s available to the public and private sector alike.

How to cybersecurity: Gravity is a harsh mistress

I love the boundless possibilities of modern software development. Anyone with a computer and an internet connection can code. More than any other time in human history, each of us has the power to build something in software, to realize whatever we can imagine. At the same time, a thriving ecosystem of open source software components allows us to stand upon the shoulders of giants, to quickly assemble huge building blocks of existing functionality that can rocket us toward our own goals.

Code Sight Standard Edition: Application security optimized for the needs of developers

As the pace and complexity of software development increases, organizations are looking for ways to improve the performance and effectiveness of their application security testing, including “shifting left” by integrating security testing directly into developer tools and workflows. This makes a lot of sense. Defects, including security defects, can often be addressed faster and more cost-effectively if they are caught early.