PragiX


IT Services and Consulting

Pragmatic Intelligent Transformation

About us

PragiX accelerates organizational transformation through pragmatic and intelligent methods, technology, process, and solutions. Our focus is on delivering measurable change and positive ROI. PragiX drives growth, empowers the business, and meets organizational objectives through transformative solutions. PRAGMATIC INTELLIGENT TRANSFORMATION

Website
https://www.pragix.com
Industry
IT Services and Consulting
Company size
2-10 employees
Type
Privately held
Founded
2024

PragiX employees

Updates

12 followers

?????? ???? ?? ?????? ?????? $%!* ???????? – ?? ?????????? ????????

In our previous discussion, we explored what an SBOM (Software Bill of Materials) is, its contents, and its intended users. Now, let’s examine how to effectively utilize an SBOM once you have one.

To use an SBOM, you first need to acquire or create one. Numerous open-source and commercial solutions are available, with CycloneDX and SPDX being the most prominent formats. CycloneDX, managed by OWASP, is often favored for vulnerability management, while SPDX, overseen by the Linux Foundation, is typically used for license compliance. Both formats are effective, and conversion tools exist.

When it comes to using an SBOM, consider these three essential actions:

1. ??????????????????????: Actively seek SBOMs from vendors. Engage through calls, social media, or involve your procurement team. While it can be challenging for smaller organizations, more vendors are providing SBOMs for their products.
2. ????????????????: Development teams can quickly generate SBOMs for their software using various tools tailored to their programming languages or architecture.
3. ??????????????????: After generating an SBOM, it should be uploaded to a central management system. Establish a workflow for SBOM approval from legal, licensing, and cybersecurity teams before entering QA and production.
4. ????????????????: Once uploaded to a tool like Dependency Track, you’ll gain immediate insights into vulnerabilities, licenses, and the status of software components.
5. ???????????????????? ????????????????: Integrated SBOMs can be automatically updated to reflect emerging issues. This proactive approach helps organizations identify hidden vulnerabilities before vendors report them.

With your SBOMs in place, you can proactively notify cybersecurity, risk management, and application teams of any critical vulnerabilities. This aligns with requirements from regulatory bodies, including the US Executive Branch, FDA, DoD, and EU’s Digital Operational Resilience Act (DORA). The SBOM is a vital asset in your cybersecurity, risk, legal, application portfolio, and procurement strategies—embrace it and leverage its potential.

???????? ??????????: ?????? ???? ???? ?? $%!* ?????? ???? ????????

#cio #ciso #procurement #sbom #appdev #secdevops #devops #cyberinsurance #risk #productmanagement #dora #fda #cisa #nis2 #csf #softwaresupplychain


?????? ?????? ?????? $%!* ???????? - ?? ???????????????? ???????????? ????????

Previously, PragIX provided a high-level overview of SBOM files. Now, let's explore why SBOMs are essential. They matter to more than just techies; roles across legal, product management, and security are involved. Here are key reasons to consider:

1) ??????????: If your company develops software, SBOMs are crucial for protecting your intellectual property. Open-source libraries, often used, may expose your IP under certain licenses.
2) ??????????: If you've procured software that misuses open-source libraries, your organization could face legal risks. An SBOM helps identify these issues early.
3) ??????????: To meet security requirements for clients, identifying vulnerabilities in your software is critical. SBOMs make this easier.
4) ??????????????????????: Ensuring safe products is part of your role. Avoid software with outdated libraries, licensing problems, or vulnerabilities.
5) ??????????????????: Integrate SBOMs into your build process to assess licensing and vulnerability risks quickly. Stay updated on safer versions.
6) ???????? / ?????????? ??????????: Collaborate with procurement and development teams to promote SBOM adoption.
7) ?????????????????????? ?????????????????? ????????????????: Review your software for identifiable vulnerabilities, even if they aren't reported in NIST NVD.
8) ???????????????? ??????????: Ineffective software management can lead to penalties that disrupt operations and damage your company’s reputation.
9) ?????????????? ??????????: Understand the risks associated with your products to discuss necessary updates with clients, preventing potential account losses.

If you're working with the U.S. federal government, providing SBOMs for software and firmware is mandatory. This is specified by CISA, the DoD, FDA, and Executive Branch. Additionally, in Europe, compliance with DORA requires financial organizations to utilize SBOMs to manage risk effectively, with significant penalties for failure to comply.

???????? ????: ???????? ?????? $%!* ???? ?? ???? ???????? ???? ???????? ???????? ?? ?????? ?????

#cio #ciso #procurement #sbom #appdev #secdevops #devops #cyberinsurance #risk #productmanagement


What the $%!* is in an SBOM?

Previously we touched on the SBOM. Now let's do a brief dive into its contents from the perspective of the CycloneDX SBOM format.

1) The SBOM contains critical information, information that is mandatory, information that may be optional, and sometimes information that is best left out of the SBOM.
2) The SBOM ?????????????? ?????????????? provides details on the type of SBOM, the version of that type, and a unique ID of the SBOM.
3) The sub section, Metadata, provides info on what was used to create the SBOM and what type of component the SBOM is about (container, library, framework, etc.). Metadata also provides a hash and the type of hash of the software / component that the SBOM is providing details on.
4) The subsection, Components, lists all of the elements used to create the software the SBOM is about. Often this is open-source libraries but could include containers, applications, frameworks, and others. Included are type, name, version, hashes, PURL (more on a future posting), license info, and other details.
5) The subsection Dependencies provides a listing of what components have direct dependencies on other components. Each component listed in this section must first be in the Components section.

So what is missing?

1) Indirect or Transitive Dependencies. These are the dependencies that are secondary or a dependency of a dependency. These components are not listed in the SBOM and are a hidden risk, but methods are available to augment this data.
2) ???????????? ???????????????????? ???? ???????????? ???????? of the actual software and components the SBOM is about.
3) Any ???????????? ???????? ?????????????????????? used in the components...or of the software the SBOM is describing (separate tools are used to detangle that risk).
4) Vulnerabilities - while this can be in an SBOM...that is like providing a weather report that is out of date. Vulnerabilities need to be reevaluated every day as new vulns are discovered.
5) ?????????? ?????????????????? ????????????????
6) Possible ????????????????????
7) ?????????? ??????????????????????
8) ???????????????????? Information for all components
9) ???????????? for all components

Note: Great tools to open and view SBOMs include Visual Studio, SYFT, SPDX Viewer, CycloneDX Viewer, Looker, and Tern.

???????? ????: ?????? ?????? ?????? ???????? - ?? ???????????????? ???????????? ????????

#cio #ciso #procurement #sbom #appdev #secdevops #devops #cyberinsurance #risk #productmanagement
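As an added example (not code from the post or from PragIX), the following Python script reads a constructed CycloneDX 1.5 JSON document, checks the rule stated above that every ref in the Dependencies section must already be declared in Components, and walks the dependency graph to recover the indirect (transitive) dependencies of the root component in Metadata; every name and value in the sample is invented for illustration.

```python
import json
from collections import deque
# Constructed sample CycloneDX 1.5 document (not taken from any real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",   # type of SBOM and its version
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",  # unique ID
    "metadata": {
        "tools": [{"name": "example-generator", "version": "0.1"}],
        "component": {"type": "application", "bom-ref": "app", "name": "demo-app",
                      "version": "1.0.0",
                      "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@2.2.1", "name": "urllib3",
         "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/leftover@0.1", "name": "leftover",
         "version": "0.1", "purl": "pkg:pypi/leftover@0.1"}],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.2.1"]},
        {"ref": "pkg:pypi/ghost@9.9", "dependsOn": []}],  # never declared as a component
})

def load_sbom(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom

def declared_refs(bom):
    """bom-refs of every component, plus the root component described in metadata."""
    refs = {c["bom-ref"] for c in bom.get("components", [])}
    return refs | {bom["metadata"]["component"]["bom-ref"]}

def dangling_dependency_refs(bom):
    """Refs in the dependencies section that are not declared in components."""
    deps = bom.get("dependencies", [])
    used = {d["ref"] for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
    return sorted(used - declared_refs(bom))

def transitive_dependencies(bom, ref):
    """Direct and indirect dependencies reachable from ref (breadth-first walk)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    reached, queue = set(), deque(graph.get(ref, []))
    while queue:
        cur = queue.popleft()
        if cur not in reached:
            reached.add(cur)
            queue.extend(graph.get(cur, []))
    return reached

def unreachable_components(bom):
    """Declared components that no dependency path from the root component reaches."""
    root = bom["metadata"]["component"]["bom-ref"]
    declared = {c["bom-ref"] for c in bom.get("components", [])}
    return sorted(declared - transitive_dependencies(bom, root))
```

A dangling ref or an unreachable component is a sign that the SBOM was generated incompletely and its dependency data needs the augmentation the post mentions before it is trusted for risk decisions.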


What the $%!* is an SBOM?

To answer that question, PragIX is releasing a series of short and sweet postings that dive into critical information or concepts of the SBOM. These will deliver key information related to the ????????, ??????, ??????, ??????, ??????????, ?????? ???????? of SBOMs. The information will be provided in smaller digestible information bites with a composite article after we complete this series. Whether you are a procurement specialist, product manager, cyber practitioner, risk manager, play an internal legal role, information technologist, application developer, or many other roles, the SBOM is important to you.

So What the $%!* is an SBOM?

1) An SBOM helps you identify, quantify, and evaluate RISK.
2) The information within the SBOM typically details information that allows the user of the SBOM to make decisions related to LOV (Licensing, Obsolescence, and Vulnerabilities).
3) Key artifacts in an SBOM include component information that covers names, versions, download repositories, versions, hashes (a type of fingerprint to uniquely identify the component), repositories components were downloaded from, component licenses, etc.
4) An SBOM is a type of specially formatted text file that describes the construction of software.
5) The specially formatted text file can be in many formats, but typically they would be JSON, XML, or CSV formats.

???????? ????: ?????? ?????? ???????? ???? ???????? ?????? $%!* ???? ???????? ?????????? ?????????


Bruce Hafner (Open to Engage - Let's Discuss! Bridging the Business 2 Technology Divide: Entrepreneur, Public Speaker, ROI Driven Results)

???????????????????? ??????????????????????: ?????????????????? & ???????????????????? ???????? ???????????????????? ???? ???????? ???????????????? ?? ????????-?????????? ??????????????, ???? ???????? ???? ???????? ???????? ???????????? ??????????? ????'?? ???????? ???? ?????????? ???????? ???????????????????? ???????? ???????? ????????????????-???????????? ??????????????.

?????? ???????? ???? ???????? ???????????????????? (?????? ??????????????)
Evaluate through the Risk Lens. Risk Management should be the cornerstone of your Cyber, Compliance, Audit, Risk, and IT programs. Every project, whether CAPEX, OPEX, operational spend, or hiring, must be evaluated through this lens. Why? It directs focus to areas with the greatest need and impact, ensuring your resources are allocated effectively.

???????????????? ?????? ???????????????????? - ?????? ????????????????-???????? ???????????????????? (???????????????? ?????????????? ?????????????? ?????? ???????????????????????? ???? ???????????????? & ????????)
Risk Management must align seamlessly with your business goals. All expenditures and efforts should enhance resilience, stability, and growth. Why? Business is a craft requiring methodical and continuous focus. When aligned, every action is purposeful, leading to expected outcomes.

????????-???????????? ?????????????????? - ???????????????? ?????? ?????????? (???????? ?????????????????? ???????? ?????????????????????? ??????????????????????????????)
Risk Management eliminates emotions, politics, and biases from decision-making. It replaces instinct with quantifiable assessments, focusing on ROI and other critical metrics. Why? Relying on intuition is fine in emergencies, but a structured approach leads to better outcomes and ensures continuity.

?????????????????? ???????? ???????????????? with Risk Management. Incorporating Risk Management into your business strategy is not just smart—it's essential for navigating today's uncertainties. Let's embrace a more resilient, methodical approach together!

???????? ?????? ???????????????????????? Let's Talk Risk! I invite you to share your experiences or strategies regarding risk management. What challenges have you faced, and how did you overcome them? Let’s create a dialogue around this essential topic.

???????? ?? ?????????????????? : Offer
PragIX is offering a one-day session tailored to your organization, focusing on integrating Pragmatic Risk Management into your Business Technology, IT, and Cyber strategies—while ensuring that all decisions remain business-focused. This interactive workshop will set the foundation for your risk management process and empower your team to make informed, strategic decisions. Interested? Let’s connect...Ping me here on LinkedIn.

#ceo #cio #ciso #risk #business


Bruce Hafner

PragIX kicked off its first Advisory weekly meet-up today. If you missed it, your loss (try to attend the next one, you won't be sorry). If you attended, to coin a phrase from the Carpenters, 'We've only just begun'. PragIX will revolutionize and democratize the ethical dilemma facing Research and Advisory firms today. PragIX will also revolutionize and democratize, level the playing field, for mid-sized, small-sized, and solo advisors, consultants, MSPs, and vendors. The keys are credibility, ethics, collaboration, flexibility, elasticity, and removing 'Pay to Play'. Additionally, being able to focus on your areas of expertise without being limited by those is critical. If you cannot work in an ecosystem that supports collaborative, supportive, ethical, and high-performing team members, PragIX is not for you. If you are great at what you do, but struggle to face off against larger players...let's talk.


Bruce Hafner

Contact me if this post is for you. It is for you if...

1) You are an independent consultant, advisor, small to mid-sized MSP or product vendor.
2) You focus on IT, Cyber, Risk, Audit, Compliance, AI, Digital Transformation, Cloud Migration, Infrastructure Management, ERP related, HRIS related, Data Management and Business Intelligence, App Dev, etc. You may even work in a catalyst area such as Legal, Accounting, Sales, Marketing, New Business Development, Health and Wellness.
3) You believe in exceptionalism. You strive for excellence.
4) You are sure that you only get what you give. Nothing is going to fall in your lap, you have to participate.
5) Being a solo practitioner or small to medium-sized business impedes your ability to compete.
6) Someone else's success does not diminish your success.
7) You are ready to engage and would like to discuss if there is a synergy between yourself / your organization and where PragIX is going.

Do you believe items 1-7 above define you or your org? Let's connect and see if there is a synergy. Seriously, ping me on LinkedIn and let's dig in to see if there is a way to work together. We are not your father's Research and Advisory firm. We are not pay to play (hey...you guys know who you are). We are building a collaborative and dynamic community of experts. We believe that to grow, you need skills, synergies, focus, culture, and compassion without losing an eye to the ever important bottom line. We are PragIX - Pragmatic | Intelligent | Transformative.


?????????????? ????. ????????????????: ?????????????? ?????????????? ?????????? ?????? ???????????????????? ??????????????????????????

LinkedIn is a vast collaborative community that enables people to connect, share, and discuss ideas (any ideas). The problem is that LinkedIn is a vast collaborative community that enables people to connect, share, and discuss ideas (any ideas). Its sheer size can be overwhelming and often dilutes the quality of interactions by squelching and obstructing value with noise overload. While inclusivity and opinion may be important in life, should it command the driver’s seat over innovation and business progress? Is it time to consider more curated communities that focus on specific interests, particularly in a globally distributed context?

A shift is on the horizon where quality will take precedence over quantity. Communities that focus on business, innovation, collaboration, and expertise hold a greater power to do good. All of the memes, virtue signaling, political discourse in the world cannot bring change. Communities that intentionally exclude discussions on politics, religion, gender, and social issues…instead focusing on direct impact and execution of business-related collaboration and innovation hold a key for success.

Imagine a space where individuals, small businesses and medium-sized enterprises, and critical but lower decibel voices are empowered to better compete. Imagine a more level playing field, fostering effective and adaptable business practices. Imagine the ability to elastically grow, shrink, engage, disengage as may be right for you or your organization. Does this make sense? What are your thoughts?


PragIX is happy to announce the release of our first video related to Pragmatic Cyber Security, Risk Management, Audit, Compliance, AI, Digital Transformation, ERP and other critical domains.

This video:
Organization: PragIX Advisory Services
Series: Cyber Security
Sub Series: Vulnerability Scanning
Title: The Greenbone Vulnerability Scanner
Sub Title: An Introduction

#cyber #vulnerability #greenbone #ciso #risk #pragix https://lnkd.in/evdKJPfa


    The PragIX brain is coming, are you ready? https://lnkd.in/e8iRyHqk

Bruce Hafner

???????????? ?????? ?????????? ?????? ?????????????? ?????????? ?????? ????????????????. ???????????????? ???????? ?????? ???? ?????? ?????????? ???????????????? ?????? ???????? ????????????????????????

For developing a secure, offline AI chatbot solution, flexibility is critical. For one that does not preclude the ability to integrate with well-known cloud-based generative AI solutions (ChatGPT, Gemini, Co-Pilot), perhaps it's time to give Botpress a second look.

After months of research, PragIX found that many solutions offered great abilities. That said, many popular alternatives were found to be expensive, required cloud-first implementations, had multiple security issues, and the ethical issues were staggering. Being able to have 100% control over the model created allows for significant advantages for organizations. If you are a provider, you can create models that are your intellectual property. You can extend the models with client-specific integrations and data.

Give the self-hosted version of Botpress a second look. Yes, the documentation is atrocious. Yes, you will flounder a bit at first. But you will hit a point, and very quickly, whereby amazing capabilities can be realized.

PragIX is currently testing several models that leverage client-specific data acquired from ITAM and Application Portfolio Management solutions and integrating that data with open-source ETL, dashboarding, and client systems (Greenbone, Tenable Nessus, Qualys, OWASP Dependency-Track, OWASP ZAP, Azure AD / Entra, Security Scorecard, Device42, Wazuh, and others). Extending the models with a presentation layer that includes standard chatbot interfaces, voice integration, animations integration, and more is key.

It's a great day in technology. We will be presenting the PragIX Brain for Christmas...get prepared...hang your stockings.

????????????????????: 2015 ??????????????: 2016 ????????????????: 2017 ??????????????: 2022 ??????????????: 2023 ????????????: 2023 ???????????? ??????????: ????????

PragIX - Pragmatic / Intelligent / Transformative

#ai #chatbot #cyber #operations #risk #ceo #ciso #cio

