We have recently seen a huge increase in software supply chain attacks, leading to additional compliance requirements for software providers. We also hear a lot of new terms (SBOM, VEX, CSAF, etc.) and standards popping up from different vendors and organizations. How do you keep up with this acronym soup?
In order to strengthen security, there is general agreement that vendors should provide a "Software Bill of Materials" (SBOM), and that everything should be digitally signed and verifiable. In a perfect world, we should also be able to identify every single component of every single artifact and reason about the vulnerabilities that impact the final product. But is this currently possible? Given the complexity of the software supply chain, competing SBOM standards such as CycloneDX and SPDX, new proposals for vulnerability and exploitability exchange standards such as VEX, CSAF, … and vulnerability scoring that differs from vendor to vendor, it seems we are still far from there.
In this webinar we will: