< ciso brief />

All news with #sbom tag

26 articles

EU Cyber Resilience Act: Product Safety and Deadlines

🛡️ The EU Cyber Resilience Act (CRA) shifts the focus from development practices to product safety, extending CE-marking obligations to software, firmware, remote backend services and connected devices. It mandates SBOMs, minimum support lifecycles and rapid reporting: manufacturers must have vulnerability-handling and incident processes in place by 11 September 2026, when the reporting obligations start to apply, and must send an early warning about an actively exploited vulnerability within 24 hours of becoming aware of it, followed by a fuller notification within 72 hours. Many vendors and CIOs remain unprepared, particularly around automated SBOM generation, open-source obligations and the conformity assessments the law introduces.

Kaspersky Container Security: Practical Team Insights

🔒 Kaspersky Container Security (KCS) is presented as a platform that reaches beyond registry image scanning to secure container workflows across development and production. The Product Security Team uses KCS in CI/CD pipelines, registry correlation and cluster runtime monitoring to tie findings to specific artifacts, pipelines and scan times. KCS computes risk ratings, supports SBOM processing, and produces reports in SARIF, CycloneDX, SPDX and other standard formats that integrate with AppSec and internal tooling.

G7 Issues Minimum SBOM Elements for AI Supply Chains

🔍 A G7 Cybersecurity Working Group paper published on 12 May defines minimum elements for software bills of materials (SBOMs) tailored to AI systems, aiming to boost transparency across AI supply chains. It outlines seven clusters — Metadata, System Level Properties, Models, Dataset Properties, Key Performance Indicators, Infrastructure and Security Properties — to guide producers and users. The guidance stresses clusters are non-mandatory, that SBOMs alone are insufficient, and recommends linking SBOMs to vulnerability, advisory and tooling ecosystems.

CISA's AI SBOM Guidance Expands Supply‑Chain Oversight

🔍 The US Cybersecurity and Infrastructure Security Agency (CISA), working with G7 cyber partners, released supplemental minimum elements for an AI software bill of materials to document models, datasets, software components, providers, licenses, and other dependencies. The guidance extends traditional SBOM concepts into AI and is positioned to support procurement and vendor-risk assessments while remaining non‑exhaustive and non‑mandatory. Security teams should press vendors for model provenance, training and update practices, and runtime controls, but must recognize AI SBOMs provide visibility rather than assurance.

Malicious litellm Wheel Found in Python Package Index

⚠️ Truesec reports a supply-chain compromise of the Python Package Index package litellm: version 1.82.8 ships a malicious .pth file named litellm_init.pth (34,628 bytes). Because site.py executes any line in a site-packages .pth file that begins with `import`, the payload runs on every interpreter startup without the package ever being imported, giving silent, persistent code execution on affected systems and exposing downstream projects and production environments. The incident underscores the need for SBOMs, SLSA and Sigstore adoption to harden supply-chain defenses.
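
How the .pth mechanism works, and a triage scan for it, as an added example (my own code, not Truesec's analysis or the litellm payload): site.py executes every non-comment line of a site-packages .pth file that starts with `import` followed by a space or tab, and treats every other line as a sys.path entry. The check below lists those executable lines in each installed .pth and flags the ones that decode or exec code. The three sample file contents are constructed; the keyword list behind the "suspicious" flag is my own heuristic, not a published indicator list.

```python
import re
import site
from pathlib import Path

# site.py executes any .pth line that begins with "import " or "import\t";
# every other non-comment line is appended to sys.path as a directory.
EXEC_LINE = re.compile(r"^import[ \t]")
# Constructs that are rarely legitimate in a one-line startup hook (heuristic, my assumption).
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|compile\(|__import__|base64|marshal|zlib|urllib|socket|subprocess",
    re.IGNORECASE,
)

def executable_lines(pth_text):
    """Return (line_number, line) for every line the interpreter would run at startup."""
    found = []
    for number, raw in enumerate(pth_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if EXEC_LINE.match(line):
            found.append((number, line))
    return found

def classify(pth_text):
    """Summarise one .pth file: does it execute code, and does that code look hostile?"""
    lines = executable_lines(pth_text)
    flagged = [line for _, line in lines if SUSPICIOUS.search(line)]
    return {"executes": bool(lines), "suspicious": bool(flagged), "lines": lines}

def scan_site_packages(directories=None):
    """Classify every .pth in the given directories (default: this interpreter's site dirs)."""
    if directories is None:
        directories = list(site.getsitepackages()) + [site.getusersitepackages()]
    report = {}
    for directory in directories:
        for pth in Path(directory).glob("*.pth"):
            try:
                report[str(pth)] = classify(pth.read_text(errors="replace"))
            except OSError:
                continue
    return report

# Constructed sample .pth contents (not the real litellm_init.pth).
EDITABLE_INSTALL = "/home/dev/projects/myapp/src\n"   # plain sys.path entry: never executed
VIRTUALENV_HOOK = "import _virtualenv\n"              # legitimate startup hook shipped by virtualenv
DROPPER = 'import base64,sys;exec(base64.b64decode("cHJpbnQoJ2hpJyk="))\n'  # decodes and runs code at startup

if __name__ == "__main__":
    for path, result in scan_site_packages().items():
        if result["executes"]:
            print(("!! " if result["suspicious"] else "   ") + path, result["lines"])
```

Run it inside each virtual environment after installs, since site-packages differ per environment. Expect legitimate hits: editable installs add path lines (never executed), and virtualenv's own `_virtualenv.pth` is an `import` hook, so the output is a triage list rather than a verdict. Note that `python -S` skips site processing entirely, so the hook only fires in normal interpreter starts; a safer habit is to `pip download` a wheel and list its contents for unexpected `.pth` files before installing it at all.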

Five Steps to Strengthen Supply Chain Security & Resilience

🔒 Supply chain attacks now bypass traditional defenses by exploiting trusted vendors, open-source components, cloud services, and MSP tools, creating cascading impact across distributed environments. Map and inventory all dependencies, classify them by criticality, and continuously evaluate supplier posture using SBOMs, patch cadence, and incident response readiness. Apply Zero Trust controls: MFA, least privilege, segmentation, and just-in-time access, and centralize unified telemetry across endpoints, identity, network, email, and backups to detect anomalies faster. Finally, design recovery playbooks, immutable backups, and automated restore testing to shorten downtime when compromise occurs.

Supply Chain Security Moves to Boardroom Priority Now

🔒 Supply chain security has shifted from a technical concern to a board-level business priority, driven by high-profile incidents and emerging regulation such as the European Cyber Resilience Act. CSOs must confront pervasive open-source risk—highlighted by Log4Shell—and adopt SBOMs, tooling and processes that reduce false positives. Automation, integration with developer workflows and rapid supplier communication are essential to limit fines and protect customer trust.

AWS Transform Custom: Comprehensive Codebase Analysis GA

🔍 AWS announces general availability of AWS Transform custom's comprehensive codebase analysis transformation, delivering up-front deep static analysis that documents architecture, technical debt, code metrics, and migration plans to preserve institutional knowledge and reduce documentation overhead. The transformation supports any language — including Python, Java (Maven and Gradle), Node.js, and .NET — and scales to codebases exceeding one million lines. Behavior analysis is available in early access. To run it locally, install the AWS Transform CLI and execute: atx custom def exec -n AWS/comprehensive-codebase-analysis -p. The service is available in US East (N. Virginia) and Europe (Frankfurt).

OpenEoX and BOD 26-02: Standardizing EOS Management

🔒 CISA warns that unsupported edge hardware and software pose systemic risks and highlights Binding Operational Directive BOD 26-02 as a federal step to identify, replace and patch end-of-support (EOS) devices. The article introduces OpenEoX, an OASIS Open machine-readable JSON standard that standardizes product lifecycle information and integrates with SBOMs and CSAF. By enabling producers to publish EOS milestones and consumers to automate lifecycle tracking, OpenEoX aims to reduce exposure and streamline vulnerability management. The piece urges rapid, community-wide adoption to close the door on threat actors exploiting outdated products.

Top CISO Priorities for 2026: AI, Identity, Resilience

🔐 Taylor Lehmann outlines five CISO priorities for 2026, urging leaders to align compliance work with broader operational resilience rather than treating regulation as the only objective. He emphasizes securing the AI supply chain with end-to-end provenance and tools such as SLSA and SBOM, and strengthening identity management for humans and agents. Lehmann also calls for defenses that operate at machine speed and for improved AI governance through context, advanced testing, and red teaming.

Application Security: Posture, Provenance and Proof

🔒 Application security is shifting from reliance on SAST, DAST, SCA and MAST alone to a model built on posture, provenance and proof. The article recommends Application Security Posture Management (ASPM) as the control plane to correlate scanner outputs, enforce policy and prioritize actionable risks based on reachability and exposure. It urges stronger supply-chain controls—SLSA attestations, signed SBOMs and VEX—plus runtime protections such as IAST and RASP, and AI and language policies driven by recent NIST and NSA/CISA guidance.

SBOM Explained: Software Bill of Materials and Compliance

📄 A Software Bill of Materials (SBOM) is a structured, machine-readable inventory that records every component and dependency inside a software product. An SBOM improves visibility across complex supply chains and helps vendors and buyers quickly identify affected systems after incidents such as SolarWinds or Log4j. U.S. policy and forthcoming European rules are driving wider adoption, and the NTIA defines minimum elements and acceptable formats (SPDX, CycloneDX, SWID). Generating SBOMs via Software Composition Analysis or build tooling and integrating them into DevSecOps processes is now considered best practice.

Trusted Open Source Report: Longtail Risk & Remediation

🔒 Chainguard’s quarterly pulse, The State of Trusted Open Source, analyzes anonymized usage and CVE data across a large customer base and catalog of container images to reveal where real production risk concentrates. The report finds Python leading the modern AI stack, while roughly half of production runs on a diverse longtail of images beyond the top 20. Importantly, 98% of remediated CVE instances occurred in that longtail, and compliance drivers like FIPS adoption materially influence image choices. Chainguard also highlights fast remediation performance, averaging under 20 hours for Critical CVEs.

Secure SDLC Practices Are Critical for Manufacturers

🔒 Manufacturers must prioritize a secure software development life cycle (SSDLC) to protect production and supply chains from costly cyberattacks. High-profile incidents, including the Jaguar Land Rover shutdown, show how credential compromise and malicious components can cascade through suppliers and halt operations. The piece outlines SSDLC building blocks — security by design, secure coding, dependency management with SBOMs, hardened release pipelines, and vulnerability management — and recommends requiring verifiable evidence such as IEC 62443-4-1 certification and continuous maturity assessments from vendors.

Tens of Millions Download Vulnerable Log4j (Log4Shell)

🛡️ Sonatype reports that 13% of Log4j downloads in 2025 — roughly 40 million of the 300 million Maven Central downloads analyzed — remain vulnerable to Log4Shell (CVE-2021-44228, CVSS 10.0), first disclosed four years ago. The vendor describes this as corrosive risk, where fixes exist but unsafe versions continue to spread because consumers don't upgrade or transitive dependencies reintroduce bad releases. Sonatype highlights noisy SCA alerts, set-and-forget dependencies and poor selection criteria as root causes. It urges using SCA and artifact repositories to map exposure, automating upgrade PRs, enforcing repository guardrails and adopting new metrics to reduce unnecessary risk.
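
To make the Log4Shell point concrete, and to show the NTIA minimum elements from the SBOM explainer above in practice, here is an added example (my own code, not Sonatype's, NTIA's or any tool vendor's): it parses a CycloneDX JSON SBOM, reports which NTIA minimum elements each component lacks, and flags log4j-core versions affected by CVE-2021-44228 together with the dependency path that pulls each one in, which is exactly how a transitive dependency reintroducing a bad release shows up. The sample SBOM and the component names in it are constructed; the version-range logic encodes the published affected range for CVE-2021-44228 and the pre-release handling is my own simplification.

```python
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM (not any real project's SBOM): the application
# pulls log4j-core 2.14.1 in transitively, and one component lacks NTIA minimum fields.
LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
COMMONS_WEB = "pkg:maven/com.example/commons-web@1.4.0"
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {
        "timestamp": "2025-12-01T10:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"bom-ref": "app", "type": "application", "name": "shop", "version": "3.2.0"},
    },
    "components": [
        {"bom-ref": COMMONS_WEB, "type": "library", "name": "commons-web", "version": "1.4.0",
         "supplier": {"name": "Example Corp"}, "purl": COMMONS_WEB},
        {"bom-ref": LOG4J_CORE, "type": "library", "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "Apache Software Foundation"}, "purl": LOG4J_CORE},
        {"bom-ref": "internal-utils", "type": "library", "name": "internal-utils"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": [COMMONS_WEB, "internal-utils"]},
        {"ref": COMMONS_WEB, "dependsOn": [LOG4J_CORE]},
    ],
})

def component_gaps(comp):
    """NTIA minimum elements a component lacks: supplier, name, version, unique identifier."""
    checks = (("supplier", comp.get("supplier", {}).get("name") or comp.get("publisher")),
              ("name", comp.get("name")), ("version", comp.get("version")),
              ("identifier", comp.get("purl") or comp.get("cpe")))
    return [name for name, present in checks if not present]

def sbom_gaps(bom):
    """Map bom-ref -> missing elements; '<document>' covers author, timestamp and dependency graph."""
    meta = bom.get("metadata", {})
    doc = [name for name, ok in (("timestamp", meta.get("timestamp")),
                                 ("author", meta.get("authors") or meta.get("tools")),
                                 ("dependency-relationship", bom.get("dependencies"))) if not ok]
    gaps = {"<document>": doc} if doc else {}
    for comp in bom.get("components", []):
        missing = component_gaps(comp)
        if missing:
            gaps[comp.get("bom-ref") or comp.get("name")] = missing
    return gaps

def _vtuple(version):
    """'2.14.1' -> (2, 14, 1); a pre-release tag such as '2.0-beta9' keeps its number in the third slot."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple((nums + [0, 0, 0])[:3])

def log4shell_affected(version):
    """CVE-2021-44228 affects log4j-core 2.x below 2.15.0, except the 2.12.2+ (Java 7) and
    2.3.1+ (Java 6) backport fixes. Pre-2.0-beta9 pre-releases are treated conservatively as affected."""
    v = _vtuple(version)
    if v[0] != 2 or v >= (2, 15, 0):
        return False
    if v[:2] == (2, 12) and v[2] >= 2:
        return False
    if v[:2] == (2, 3) and v[2] >= 1:
        return False
    return True

def dependency_paths(bom, target_ref):
    """All paths from the SBOM's top-level component down to target_ref."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    paths = []
    def walk(node, path):
        if node == target_ref:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in path:  # guard against dependency cycles
                walk(child, path + [child])
    if root:
        walk(root, [root])
    return paths

def log4shell_findings(bom):
    """Every log4j-core component in an affected version, with the paths that pull it in."""
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if purl.startswith("pkg:maven/org.apache.logging.log4j/log4j-core@") \
                and log4shell_affected(comp.get("version", "")):
            ref = comp.get("bom-ref") or purl
            findings.append({"ref": ref, "version": comp["version"], "paths": dependency_paths(bom, ref)})
    return findings

def analyze(sbom_json):
    bom = json.loads(sbom_json)
    return {"gaps": sbom_gaps(bom), "log4shell": log4shell_findings(bom)}

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_SBOM), indent=2))
```

On the sample the gap report names only `internal-utils` (no supplier, version or purl/cpe), and the Log4Shell finding is reported with the path app → commons-web → log4j-core, which tells the owning team that the fix is an upgrade of commons-web or an explicit version override rather than a direct edit. The check targets CVE-2021-44228 only, as the article does; the follow-on advisories (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) raise the safe floor to 2.17.1 on the main line, so a real policy should compare against that release instead.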

Modern Software Supply-Chain Attacks and Impact Today

🔒 Modern supply-chain incidents like the Chalk and Debug hijacks show that impact goes far beyond direct financial theft. Response teams worldwide paused work, scanned environments, and executed remediation efforts even though researchers at Socket Security traced the attackers' on-chain haul to roughly $600. The larger cost is operational disruption, repeated investigations, and erosion of trust across OSS ecosystems. Organizations must protect people, registries, and CI/CD pipelines to contain downstream contamination.

SBOM Implementation: Eight Best Tools for Supply Chains

🔍 To secure modern software you must know what's inside it, and a Software Bill of Materials (SBOM) provides that transparency. An SBOM should be machine-readable, include component, version, license and patch data, and be generated automatically in CI/CD using standards like SPDX, CycloneDX or SWID. The article reviews eight tools — including Anchore, FOSSA, GitLab and Mend — that generate, analyze and manage SBOMs across the build, registry and runtime lifecycles.

How evolving regulations are redefining CISO responsibility

⚖️ CISOs are increasingly exposed to personal and even criminal liability as regulators such as the SEC, DOJ and international authorities press executives to disclose accurate cyber risk and incident information. Rising IoT/OT device vulnerabilities — with vulnerability-based breaches up 34% year over year and accounting for roughly 20% of breaches — are driving mandates like Executive Order 14028, NIS2 and the Cyber Resilience Act. Organizations are updating governance, improving asset inventories and adopting device intelligence tools like SomosID to correlate inventories, SBOM data and vulnerabilities, helping to support compliance and reduce executive exposure.

Fifteen Nations Agree Joint Guidance on SBOM Adoption

🔐 A coalition of 21 agencies from 15 countries, led by CISA and the NSA, published joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity on September 3. The document defines SBOM concepts, clarifies roles for producers, choosers and operators, and urges cross-border adoption. It promotes harmonized technical implementations and integration of SBOMs into security workflows to reduce complexity and improve supply chain risk management.

CISA, NSA and Partners Release SBOM Shared Vision Guidance

🔐 CISA, in partnership with the NSA and 19 international agencies, released joint guidance titled A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. The guidance defines an SBOM as a formal record of software components and supply chain relationships and explains how SBOMs provide essential visibility into dependencies. It outlines benefits for producers, purchasers, operators, and national security organizations and urges adoption of aligned technical approaches, standardized metadata, and automation to improve vulnerability management and strengthen global software supply chain resilience.