All news with #sbom tag

CISA Launches Interactive Tool to Secure Software Buying

🛡️ CISA has released the Software Acquisition Guide: Supplier Response Web Tool to help IT leaders, procurement officers and software vendors strengthen cybersecurity across the acquisition lifecycle. The free, interactive platform digitizes CISA’s existing guidance into an adaptive format that highlights context-specific questions and generates exportable summaries for CISOs, CIOs and other decision-makers. Designed with secure-by-design and secure-by-default principles, the tool supports due diligence without requiring procurement professionals to be cybersecurity experts and aims to simplify risk-aware procurement decisions.

Skopeo for Google Cloud: Simplifying Container Workflows

📦 This post describes how Skopeo, a daemonless CLI for container images, can streamline image management with Artifact Registry and Google Cloud CI/CD. It outlines setup steps and five practical workflows—inspect manifests, registry-to-registry copying, listing tags, promoting images, and automated verification. The article also covers security integrations with tools like Cosign and Binary Authorization, and recommends Skopeo for faster, daemonless automation in Cloud Build and related environments.

CISA Launches Web Tool for Secure Software Procurement

🛡️ CISA released the Software Acquisition Guide: Supplier Response Web Tool, a free, interactive resource to help IT and procurement professionals assess software assurance and supplier risk across the acquisition lifecycle. The Web Tool converts existing guidance into an adaptive, question-driven interface with exportable summaries for CISOs and CIOs. It emphasizes secure-by-design and secure-by-default practices to strengthen due diligence and procurement outcomes.

Code Insight Expands to Cover Software Supply Chain Risks

🛡️ VirusTotal’s Code Insight now analyzes a broader set of software supply chain formats — including CRX, XPI, VSIX, Python WHL, NPM packages, and MCP protocol integrations. The tool inspects code logic to detect obfuscation, dynamic code fetching, credential theft, and remote command execution in extensions and packages. Recent findings include malicious Chrome and Firefox extensions, a deceptive VS Code extension, and compromised Python and NPM packages. This capability complements traditional signature- and ML-based classification by surfacing behavior-based risks.

CISA Seeks Update to SBOM Minimum Requirements Guidance

📝 CISA has issued a request for public comment on an updated guideline defining minimum elements for a software bill of materials (SBOM), intending to reflect advances in tooling and wider adoption since the 2021 NTIA document. The effort traces to President Biden’s EO 14028 and subsequent OMB guidance (M-22-18) requiring improved software supply chain security. Recent shifts in leadership and the OpenSSF’s announcement about the SBOM working group have reshaped the community landscape. Stakeholders may submit comments through October 3, 2025.

Microsoft’s open-source journey: from Linux to AI scale

🔎 Microsoft recounts its transition from an early Linux contributor in 2009 to one of the largest open-source supporters in cloud and AI today. The post highlights Azure as a top contributor to the CNCF, the 2015 launch of VS Code, the 2018 GitHub acquisition, and the role of AKS and managed PostgreSQL in enterprise deployments. It also describes COSMIC, explains how OpenAI’s ChatGPT runs at global scale on Azure infrastructure, and lists projects Azure teams are building in the open.

CISA Issues Draft SBOM Minimum Elements Guide for Comment

📣 CISA released a draft Minimum Elements for a Software Bill of Materials (SBOM) for public comment, updating the baseline to reflect advances in tooling and increased SBOM adoption since 2021. The guidance adds elements such as component hash, license, tool name, and generation context, and clarifies existing fields like SBOM author and software producer. Comments are open through October 3, 2025.

CISA Seeks Comment on Updated SBOM Minimum Elements

📝 CISA opened a public comment period on updated guidance for the Minimum Elements for a Software Bill of Materials (SBOM), with submissions accepted through October 3, 2025. The draft refines required data fields, strengthens automation and machine-readable support, and clarifies operational practices to help organizations produce scalable, interoperable, and comprehensive SBOMs. Stakeholders are encouraged to provide feedback via the Federal Register to inform a future final release.

Tackling the National Gap in Software Understanding

🔍 CISA, with partners including DARPA, OUSD R&E, and the NSA, is leading an interagency effort to close a national gap in software understanding that endangers critical infrastructure. A new Sandia National Laboratories report, The National Need for Software Understanding, describes the gap’s causes, risks, and options for remediation. CISA urges manufacturers to design software for independent analysis and invites experts and mission owners to engage on research priorities.

Microsoft launches Secure Future Initiative patterns

🔐 Microsoft announced the launch of the Secure Future Initiative (SFI) patterns and practices, a new library of actionable implementation guidance distilled from the company’s internal security improvements. The initial release includes eight patterns addressing urgent risks such as phishing-resistant MFA, preventing identity lateral movement, removing legacy systems, standardizing secure CI/CD, creating production inventories, rapid anomaly detection and response, log retention standards, and accelerating vulnerability mitigation. Each pattern follows a consistent taxonomy—problem, solution, practical steps, and operational trade-offs—so organizations can adopt modular controls aligned to secure by design, by default, and in operations principles.

OSS Rebuild: Reproducible Builds to Harden Open Source

🔐 Google’s Open Source Security Team today announced OSS Rebuild, a new project to reproduce upstream artifacts and supply SLSA-grade provenance for popular package ecosystems. The service automates declarative build definitions and reproducible builds for PyPI, npm, and Crates.io, generating attestations that meet SLSA Build Level 3 requirements without requiring publisher changes. Security teams can use the project to verify published artifacts, detect unexpected embedded source or build-time compromises, and integrate the resulting provenance into vulnerability response workflows. The project is available as a hosted data set and as open-source tooling and infrastructure for organizations to run their own rebuild pipelines.

Building Resilient ICT Supply Chains: Supply Chain Month

🔒 This April, CISA highlights the 8th annual Supply Chain Integrity Month focused on strengthening the resilience of global information and communications technology (ICT) supply chains. The agency promotes four weekly themes—Preparedness, Mitigation, Trust, and Transparency—and showcases practical resources such as the Supply Chain Risk Management Essentials and Threat Scenarios Report. CISA also emphasizes vendor evaluation with the Vendor SCRM Template, hardware transparency via the HBOM Framework, and consolidated software guidance to help organizations assess, mitigate, and communicate ICT supply chain risks.