
Why complex binary analysis is an essential tool for TPSRM
Pat Opet, CISO at JPMorganChase, recently posted an open letter regarding third-party software risk that was a call to action. In it, he describes the non-negotiable software supply chain risks that are inherent in the software procurement process and issues a clear plea to suppliers: “We need your action.” ...

What is the xBOM?
The software supply chain has never been more complex — or more critical to secure. For years, the Software Bill of Materials (SBOM) has been the go-to tool for documenting components within software, offering much-needed visibility into what’s under the hood. It is called out by Executive Order 14028, as ...

Verizon 2025 DBIR: Third-party software risk takes the spotlight
It’s that time of year again: Verizon Business has released the 2025 edition of the Data Breach Investigations Report (DBIR), its 18th annual report on cybercrime. The DBIR is famous for how well it captures the current state of things, analyzing tens of thousands of security incidents to understand the current ...

The race to secure the AI/ML supply chain is on — get out front
The explosive growth in the use of generative artificial intelligence (gen AI) has overwhelmed enterprise IT teams. To keep up with the demand for new AI-based features in software — and to deliver software faster in general — development teams have embraced machine learning-based AI coding tools ...

CVEs lose relevance: Get proactive — and think beyond vulnerabilities
Application security (AppSec) would not have existed for the past 25 years without Common Vulnerabilities and Exposures (CVEs), the numbering system used to identify discovered vulnerabilities in software. After the creation and adoption of the system in 1999, major companies such as Microsoft quickly began contributing CVE discoveries, using ...

Crypto malware attacks: 23 supply chain incidents set off alarms
Bank robbers, it has long been said, rob banks because that’s where the money is. Increasingly for cybercriminals and nation-state threat actors, the infrastructure and applications supporting cryptocurrency are where the money is. And indeed, the global cryptocurrency market cap as of March 24 stood at $2.99 trillion, according to ...

The year in ransomware: Security lessons to help you stay one step ahead
Operation Cronos, a Europol-led coalition of law enforcement agencies from 10 countries, announced in February that it had disrupted LockBit — one of the most prolific ransomware gangs in the world — at “every level” of its operations. Responsible for 25% to 33% of all ransomware attacks in 2023, ...

Why shift left alone can’t manage your software risk
Application security wouldn’t be what it is today without “shift left,” the concept that security practices should be handled much earlier in the software development lifecycle (SDLC). Shift left brought about new-era strategies such as DevSecOps that made security a priority for developers as well as AppSec teams, pushing ...

CISA SBOM-a-rama: 4 key takeaways for software security teams
Since 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been a proponent of software bills of materials (SBOMs) as a tool that can help secure the software supply chain. The policy grew out of the White House’s 2021 Executive Order 14028 and was developed further with the National ...

The SBOM has a long history — but what’s next is what matters
Software bills of materials (SBOMs) are having their day — they're even government-mandated at times. In September 2023, the U.S. Food and Drug Administration issued its final version of “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The guidance corresponds to the 2023 Consolidated Appropriations Act, ...