OWASP looks to future-proof SBOMs with CycloneDX 1.6

The OWASP Foundation has released a new version of its CycloneDX standard for software bills of materials (SBOMs) that includes a cryptographic bill of materials (CBOM), a machine-readable approach to managing SBOMs with CycloneDX Attestations (CDXAs), and data to assess the environmental impact of AI development ...
OWASP's LLM AI Security & Governance Checklist: 13 action items for your team

Artificial intelligence is developing at a dizzying pace. And if it's dizzying for people in the field, it's even more so for those outside it, especially security professionals trying to weigh the risks the technology poses to their organizations ...
The state of secrets security: 7 action items for better managing risk

The exposure risk of development secrets is becoming a problem of epidemic proportions, driven by the growing complexity of the software supply chain. Over the past four years, the incidence of exposed secrets has quadrupled, GitGuardian's 2024 State of Secrets Sprawl report has found ...
Memory-safe languages and security by design: Key insights, lessons learned

For more than 50 years, software engineers have struggled with memory vulnerabilities, but it has only been in recent times that serious efforts have been undertaken to get a handle on the problem. One of the leaders in memory safety, Google, has released a new technical report containing some valuable ...
Gartner outlines top cybersecurity trends — and (spoiler alert) AI is No. 1

Artificial intelligence will be the leading cybersecurity trend in 2024, analyst firm Gartner has predicted in a new release ahead of its upcoming Gartner Security & Risk Management Summit in Sydney, Australia. And, it said that security leaders need to prepare for the swift evolution of generative AI (GenAI), adding ...
NIST updates supply chain guidance: 3 ways to pump up your CI/CD security

The final version of guidelines to help organizations secure their software supply chain has been released by the National Institute of Standards and Technology (NIST). The document, "Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines (NIST SP 800-204D)," delivers actionable measures software development organizations can use ...
All SBOMs are not created equal: How to make them actionable

With some help from the federal government, software bills of materials (SBOMs) have become an important tool for security teams looking to secure their software supply chains. However, while SBOMs can provide transparency into the components that all combine in a complex process to make up a software package, one ...
Lessons in threat modeling: How attack trees can deliver AppSec by design

As important as threat modeling is to securing applications by design, it is a process that can be time-consuming and arduous for an organization. It’s a grand exercise that requires a thorough examination of the components of a system. That means a threat modeler needs to analyze data flow, system ...
Complexity and software supply chain security: 5 key survey takeaways

Organizations are struggling with software supply chain security. That fact was further exposed this month with the Enterprise Strategy Group's new study, “The Growing Complexity of Securing the Software Supply Chain.” ...
5 software supply chain attacks you can learn from

While the notable software supply chain incidents of 2023 did not reverberate like the watershed attack on SolarWinds in 2020, they had plenty to teach security teams across software development, application security (AppSec), and risk management ...