There are already so many words and concepts in information security: why do we need another one? And indeed ‘attestation’ is already used in several industry contexts with many subtly different meanings: what do we gain by overloading it?

Attacks targeting the software supply chain are on the rise. Indeed, data from the Mend Open Source Risk Report shows a steady quarterly increase in the number of malicious packages published in 2022, with a significant jump in Q3, which jumped 79 percent from Q2. The European Cybersecurity Agency (ENISA) predicts that supply chain attacks will increase fourfold by 2022.

On December 8th, Clinton Herget and Simon Maple, Field CTOs at Snyk, had the opportunity to chat with Corey Quinn, Chief Cloud Economist at The Duckbill Group, podcast host, curator of “Last Week in AWS”, and snarky Twitter personality. Their conversation took a lot of fun turns, from ranting about the hour-long line to get coffee at AWS re:Invent, to Corey proclaiming that “SBOMs are a fantasy” (there’s more context to that… keep reading).

Red Hat OpenShift is an enterprise Kubernetes container platform. It lets you build Docker images and use them to deploy your applications on a cloud-like environment (even if it’s not really on the cloud, rather a simulated cloud environment). Images built in OpenShift can be easily pushed into JFrog Artifactory – JFrog’s leading universal repository manager.

That’s an excerpt from the fact sheet accompanying the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO). It refers to one of seven ambitious measures in the EO: shoring up security of that notorious playground for hackers, the software supply chain. Knowing that organizations lack visibility into the components that comprise their connected assets, bad actors can have a field day exploiting vulnerabilities to penetrate networks and take control.

With an average of 500 components in an application, it’s difficult to know what’s in your software. The right security tools and expertise are here to help. A software Bill of Materials (SBOM) is an inventory of what makes up a software application: the “ingredients list” of everything in it. There’s pressure today for companies to make SBOM information available, and it has implications for who is liable when there are issues in the software.

PA Consulting recently joined forces with RKVST to host a Hackathon, looking to identify new and innovative propositions for digital supply chains. Could the teams of PA consultants and analysts identify opportunities to help their clients using RKVST technology? Short answer: YES! Many of today’s business challenges can be addressed with a reliable evidence ledger. If you want the long answer, read on.

During our recent webinar hosted by Device Authority’s Tyler Gannon and Imagination Technologies Marc Canel (Does new IoT security legislation make Zero Trust the only strategy?). We ran a poll asking attendees about their understanding of SBOM; one of the options was “SBOMs are a roadmap to the attacker”.

Supply chain risk continues to make headlines, from Solarwinds and Kaseya to last week’s announcement of a patch for the OpenSSL vulnerability, and the latest cybersecurity review from the U.K.’s National Cyber Security Centre highlights the serious threats posed by supply chain attacks.