Organizations like to maintain an inventory of the assets in the software they develop, but it can be a black box when it comes to the software they buy. Having an inventory of your software inventory used to mean asking suppliers to self-attest if they were following secure development practices such as having third parties evaluate and test the software.
When news of Log4j first surfaced, many enterprises spent weeks scouring their networks to determine whether they were exposed to the vulnerability—and if it was being actively exploited in their environment. With an inventory of their software artifacts provided by SBOMs, the assessment would have taken minutes not weeks. The mean time to detection and response window, a critical factor in threat mitigation, would have been dramatically reduced.
SBOMs are also an effective procurement tool, allowing organizations to assess the risk of new COTS applications they want to deploy by identifying hidden dependencies such as OpenSSL. Procurement practices are adopting more shift-left principles and bringing security into the process of software selection, much like software engineers are incorporating security into the software development process.
Applying the same discipline to legacy apps as COTS software by generating SBOMs for them can go a long way to address the security and risk management baked into them. A single standard provides visibility and control.Overall, SBOMs are crucial for improving software security, ensuring compliance and managing vulnerabilities throughout the software development life cycle.
Technology Technology Latest News, Technology Technology Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
Source: ForbesTech - 🏆 318. / 59 Read more »
Source: ForbesTech - 🏆 318. / 59 Read more »
Source: ForbesTech - 🏆 318. / 59 Read more »