CHAOSScast – Episode 109

Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSScast!

In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of the Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. They also touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more!

[00:00:21] Our guests introduce themselves and their backgrounds.
[00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components.
[00:04:36] What is an SBOM? Brittany explains SBOMs as a list of all software components and libraries in each application; automation and tooling adoption are discussed.
[00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns.
[00:09:12] Georg gives a historical overview of how SBOMs began as tools for license compliance and how they now cover more, including cybersecurity, following U.S. Executive Order 14028 (May 2021).
[00:15:51] Georg shares three pillars of SBOM strategy: license compliance, security, and project health, and how CHAOSS metrics can be combined with SBOMs to move from reactive to proactive strategies.
[00:16:59] Brittany emphasizes risk analysis and good design from project inception; proactive open source strategies save effort later.
[00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness.
[00:21:28] Brittany stresses internal engineering education on project health and risk; developers must understand what makes a project "healthy."
[00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration.
[00:27:36] Cali shares Red Hat's efforts to define what makes a project vulnerable, focused on detecting and sunsetting unmaintained dependencies.
[00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, "Metrics for OSS Viability" by Gary White.
[00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26, and Open Source Summit North America, June 23-25.

Value Adds (Picks) of the week:
[00:36:08] Georg's pick is building a platform for his dog to look out the window.
[00:37:06] Brittany's pick is spending time with Georg and Cali.
[00:38:12] Cali's pick is her great support system since having ACL surgery.

Panelist: Georg Link
Guests: Cali Dolfi, Brittany Istenes

Links:
CHAOSS (https://chaoss.community/)
CHAOSS Project X (https://twitter.com/chaossproj?lang=en)
CHAOSScast Podcast (https://podcast.chaoss.community/)
podcast@chaoss.community (mailto:podcast@chaoss.community)
Georg Link Website (https://georg.link/)
Brittany Istenes LinkedIn (https://www.linkedin.com/in/brittany-istenes-91b902152/)
Brittany Istenes GitHub (https://github.com/BrittanyIstenes)
Cali Dolfi LinkedIn (https://www.linkedin.com/in/calidolfi/)
State of the Software Supply Chain (Sonatype) (https://www.sonatype.com/state-of-the-software-supply-chain/introduction)
CHAOSScast Podcast, Episode 103: GrimoireLab at FreeBSD (https://podcast.chaoss.community/103)
CHAOSS Community: Metrics for OSS Viability by Gary White (https://chaoss.community/viability-metrics-what-its-made-of/)
CHAOSScon North America 2025, Denver, CO, June 26 (https://chaoss.community/chaosscon-2025-na/)
Open Source Summit North America, Denver, CO, June 23-25 (https://events.linuxfoundation.org/open-source-summit-north-america/)
Fintech Open Source (FINOS) (https://www.finos.org/)
Cyber Resilience Act (European Commission) (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)
Rising Threat: Understanding Software Supply Chain Cyberattacks And Protecting Against Them (Forbes) (https://www.forbes.com/councils/forbestechcouncil/2024/02/06/rising-threat-understanding-software-supply-chain-cyberattacks-and-protecting-against-them/)
Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity (The White House) (https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/)
Types of Software Bill of Material (SBOM) Documents (CISA) (https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf)
OpenSSF Scorecard (https://openssf.org/projects/scorecard/)
OSS Project Viability Starter (CHAOSS) (https://chaoss.community/kb/metrics-model-project-viability-starter/)
Show Me What You Got: Turning SBOMs Into Actions - Georg Link & Brittany Istenes (https://lfms25.sched.com/event/1urWz)

Special Guests: Brittany Istenes and Cali Dolfi.
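Two of the SBOM gaps raised in the episode above, components with no upstream repository link (so there is nothing to point project-health metrics at) and versions in the SBOM that disagree with what the build actually shipped, can be checked mechanically against a CycloneDX document. The script below is an added example written for this page, not code from CHAOSS, Red Hat, FINOS or any guest; the SBOM document, the resolved-version map and every component name and URL in it are constructed for illustration and do not describe a real project.

```python
"""Audit a CycloneDX JSON SBOM for two gaps discussed in the episode:
components with no upstream repository reference (nothing to inspect for
maintainer activity or responsiveness), and components whose recorded
version disagrees with what the build actually resolved.
Standard library only. The SBOM and the resolved-version map below are
constructed for illustration and do not describe any real project."""
import json

# Constructed CycloneDX 1.5 document (hypothetical components).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {   # has a 'vcs' reference: health metrics can be gathered upstream
            "type": "library", "name": "requests", "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
            "externalReferences": [
                {"type": "vcs", "url": "https://github.com/psf/requests"}],
        },
        {   # only a website reference, no repository to inspect
            "type": "library", "name": "urllib3", "version": "2.0.7",
            "purl": "pkg:pypi/urllib3@2.0.7",
            "externalReferences": [
                {"type": "website", "url": "https://urllib3.readthedocs.io/"}],
        },
        {   # no external references at all
            "type": "library", "name": "certifi", "version": "2023.7.22",
            "purl": "pkg:pypi/certifi@2023.7.22",
        },
    ],
})

# Constructed map of what the build really installed (e.g. from a lock file).
# urllib3 was bumped after the SBOM was generated: a version mismatch.
RESOLVED_VERSIONS = {"requests": "2.31.0", "urllib3": "2.2.1", "certifi": "2023.7.22"}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into parts.
    Qualifiers and subpath are discarded; a namespace is expected to be
    percent-encoded as the purl spec requires, so the last '@' is the version."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    version = None
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    namespace, _, name = rest.rpartition("/")
    return {"type": ptype, "namespace": namespace or None,
            "name": name, "version": version}


def load_components(sbom_text):
    """Parse the document and return its component list; reject non-CycloneDX input."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return doc.get("components", [])


def missing_upstream(sbom_text):
    """Names of components carrying no 'vcs' external reference."""
    return [c["name"] for c in load_components(sbom_text)
            if not any(r.get("type") == "vcs"
                       for r in c.get("externalReferences", []))]


def version_mismatches(sbom_text, resolved):
    """(name, sbom_version, resolved_version) for every component whose SBOM
    version differs from the resolved one; a component absent from `resolved`
    is reported with resolved_version None rather than silently passed."""
    out = []
    for c in load_components(sbom_text):
        sbom_ver = c.get("version")
        if sbom_ver is None and c.get("purl"):
            sbom_ver = parse_purl(c["purl"])["version"]
        actual = resolved.get(c["name"])
        if actual != sbom_ver:
            out.append((c["name"], sbom_ver, actual))
    return out


if __name__ == "__main__":
    print("no upstream repo reference:", missing_upstream(SAMPLE_SBOM))
    print("version mismatches:", version_mismatches(SAMPLE_SBOM, RESOLVED_VERSIONS))
```

Run as-is it reports urllib3 and certifi as having no repository to assess, and urllib3 as shipping a different version than the SBOM claims. In a CI gate the resolved-version map would come from the build's own lock file and the `vcs` URLs would feed whatever health tooling is in use; the point is that both checks need the SBOM to carry the fields, which is exactly the standardization gap the episode discusses.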
In the 41st episode of Brew we dig into the hottest topics from the world of technology! We are approaching 1000 subscribers - drop your ideas in the comments on how we should celebrate it! One of us is broadcasting from alpine field conditions, but we are not slowing down!
Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcast

In this episode of Cyber Work, Ken Zalevsky, founder and CEO of Vigilant Ops, joins us to discuss the importance of a Software Bill of Materials (SBOM) in the medical device industry. Zalevsky shares how SBOMs provide transparency and critical security insights, akin to the ingredients list on food packaging, to help identify and defend against vulnerabilities. We also delve into Zalevsky's extensive career in healthcare cybersecurity, starting from his early tech interests influenced by his father to his pivotal role at Bayer Healthcare. The discussion covers the impact of legacy systems, current security trends, the integration of AI in medical device security, and valuable insights for those looking to build a career in this crucial sector. Tune in to learn more about medical device security and the latest in cybersecurity trends, and get some expert advice straight from a seasoned professional.

00:00 Understanding SBOMs in medical devices
04:20 The evolution of medical device security
07:22 Ken Zalevsky's journey in cybersecurity
09:28 Challenges in medical device security
13:06 The role of SBOMs in cybersecurity
15:56 Implementing SBOMs in organizations
18:28 Ken Zalevsky's role at Vigilant Ops
22:01 Technical aspects of SBOMs
27:14 Legacy devices and security measures
28:24 Manufacturer's role in device security
30:07 Healthcare industry's response to security threats
30:42 Impact of major breaches on policy
34:13 Generative AI and machine learning in healthcare security
40:22 Skills and certifications for healthcare security careers
46:46 Career advice and educational paths
49:04 About Vigilant Ops and their services
52:15 Outro

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcast

About Infosec
Infosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.
News includes Phoenix now including DaisyUI, which has sparked mixed reactions; the Erlang/OTP 28.0-rc2 release introducing priority process messages; the EEF Security Working Group's roadmap, called Aegis; a new LiveViewPortal library for embedding LiveView pages in any website; upcoming improvements in Elixir that will spawn more OS processes for compiling dependencies, potentially doubling performance; Sean Moriarity's keynote about designing LLM Native systems; and more!

Show Notes online - http://podcast.thinkingelixir.com/247

Elixir Community News
https://gigalixir.com/thinking – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking".
https://bsky.app/profile/samrat.me/post/3lksxzzjqss2t – Phoenix now comes with DaisyUI, a decision that has sparked mixed reactions in the community.
https://github.com/phoenixframework/phoenix/issues/6121 – The GitHub issue discussing the addition of DaisyUI to Phoenix, showing the community's divided opinions.
https://github.com/phoenixframework/phoenix/issues/6121#issuecomment-2739647725 – José Valim's explanation of the decision to include DaisyUI in Phoenix.
https://security.erlef.org/aegis/ – The EEF Security Working Group released their objectives and roadmap as the Aegis of the ecosystem.
https://podcast.thinkingelixir.com/245 – Previous podcast episode featuring the Erlang Ecosystem Foundation (EEF).
https://x.com/erlangforums/status/1902297914791358669 – Announcement of the Erlang/OTP 28.0-rc2 release.
https://erlangforums.com/t/erlang-otp-28-0-rc2-released/4599 – Forum discussion about the Erlang/OTP 28.0-rc2 release.
https://github.com/erlang/otp/releases/tag/OTP-28.0-rc2 – GitHub release page for Erlang/OTP 28.0-rc2, which includes a source Software Bill of Materials (SBOM).
https://www.erlang.org/eeps/eep-0076 – Erlang Enhancement Proposal (EEP) 76 introducing priority messages, a key feature in OTP 28.
https://www.youtube.com/watch?v=R9JRhIKQmqk – Sean Moriarity's keynote at Code BEAM America 2025 about designing LLM Native systems.
https://www.cybersecuritydive.com/news/AI-project-fail-data-SPGlobal/742768/ – Report showing AI project failure rates are on the rise, with 42% of businesses scrapping most AI initiatives.
https://tech.doofinder.com/posts/live-view-portal – Introduction to LiveViewPortal, a JavaScript library for embedding Phoenix LiveView pages into any website.
https://github.com/doofinder/live_view_portal – GitHub repository for LiveViewPortal.
https://elixirforum.com/t/liveviewportal-embed-liveviews-in-other-websites/70040 – Elixir Forum discussion about LiveViewPortal.
https://bsky.app/profile/ftes.de/post/3lkohiog4uv2b – Announcement of the phoenix_test_playwright v0.6.0 release.
https://github.com/ftes/phoenix_test_playwright – GitHub repository for phoenix_test_playwright, with new features like cookie manipulation and browser launch timeout options.
https://bsky.app/profile/david.bernheisel.com/post/3lkoe4tvc2s2o – Announcement about Elixir's upcoming improvement to spawn more OS processes for compiling dependencies.
https://github.com/elixir-lang/elixir/pull/14340 – Pull request for concurrent dependencies compilation in Elixir, potentially improving performance by 2x.
https://goatmire.com/ – Explanation of the name "Goatmire," which is a loose translation of Getakärr, the historical name for Varberg.

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com)

Find us online
Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com)
Message the show - X (https://x.com/ThinkingElixir)
Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com)
Mark Ericksen on X - @brainlid (https://x.com/brainlid)
Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social)
Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid)
David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com)
David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)
Please enjoy this encore of Word Notes. A formal record containing the details and supply chain relationships of various components used in building software. Learn more about your ad choices. Visit megaphone.fm/adchoices
News includes the release of Elixir 1.18.2 with various enhancements and bug fixes, a new experimental SQL sigil for Ecto that brings automatic parameterized queries, and a recent GOTO 2025 talk featuring Saša Jurić on code reviews. We talked with Jonatan Kłosko about his work on Pythonx, a new library for executing Python code inside Elixir, the Fine library for working with C++ NIFs, and much more!

Show Notes online - http://podcast.thinkingelixir.com/244

Elixir Community News
https://gigalixir.com/thinking – Visit Gigalixir.com to sign up and get 20% off your first year. Or use the promo code "Thinking" during signup.
https://github.com/elixir-lang/elixir/releases/tag/v1.18.2 – Elixir 1.18.2 was released with enhancements to Code.Fragment and Regex, plus bug fixes for CLI, ExUnit, IEx.Autocomplete, and mix deps.update.
https://github.com/elixir-lang/elixir/releases/tag/v1.18.1 – Elixir 1.18.1 included bug fixes for Kernel, ExUnit.Case, mix compile.elixir, mix escript.build, and Mix.Shell, especially related to error handling and Windows compatibility.
https://www.erlang.org/news/174 – Erlang/OTP 28 RC-1 is out with a new source Software Bill of Materials (SBOM) on the GitHub Releases page.
https://github.com/elixir-dbvisor/sql – A new experimental SQL sigil for Ecto brings an extensible SQL parser to Elixir with automatic parameterized queries.
https://groups.google.com/g/elixir-ecto/c/8MOkRFAdLZc – The experimental SQL sigil for Ecto is being discussed on the Elixir-Ecto mailing list.
https://www.youtube.com/watch?v=AYUNI2Pm6_w – New talk from GOTO 2025 with Saša Jurić and Adrienne Braganza Tacke on "Small PRs, Big Impact - The Art of Code Reviews."
https://alchemyconf.com/ – AlchemyConf is coming up March 31 - April 3 in Braga, Portugal.
https://www.gigcityelixir.com/ – GigCity Elixir and NervesConf are happening in Chattanooga, TN, USA, with NervesConf on May 8 and the main event on May 9-10.
https://www.elixirconf.eu/ – ElixirConf EU will be held May 15-16, 2025 in Kraków & Virtual.
https://goatmire.com/#tickets – Goatmire tickets are on sale now for the event happening September 10-12, 2025 in Varberg, Sweden.

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com)

Discussion Resources
https://dashbit.co/blog/dashbit-plans-2025
https://github.com/thewca/wca-live – Speed cubing software
https://dashbit.co/blog/running-python-in-elixir-its-fine
https://hexdocs.pm/pythonx/Pythonx.html
https://github.com/livebook-dev/pythonx
https://bsky.app/profile/josevalim.bsky.social/post/3liyrfvlth22c – José said "We said we will focus on interoperability for 2025 and we are ready to share the first results."
https://github.com/elixir-nx/fine – "Fine" is a new package related to the elixir-nx organization. It's a C++ library enabling more ergonomic NIFs, tailored to Elixir.
https://peps.python.org/pep-0703/ – Discussion about removing the Python GIL

Find us online
Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com)
Message the show - X (https://x.com/ThinkingElixir)
Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com)
Mark Ericksen on X - @brainlid (https://x.com/brainlid)
Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social)
Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid)
David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com)
David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)
Josh Marpet is a seasoned entrepreneur and a renowned authority in the field of information security, compliance, and risk management. With a rich background in law enforcement, Josh has translated his diverse experiences into shaping security protocols in various high-risk environments. He serves as the Chief Strategy Officer at Cyturus, where he drives advancements in compliance process products. Notably, Josh contributes to the esteemed IANS faculty and co-hosts the well-known Paul's Security Weekly podcast. His efforts also extend to organizing BSides Delaware, further cementing his influence and dedication to the cybersecurity community.

He shares his diverse career journey from law enforcement to tech support and finally into cybersecurity leadership. Listeners gain insight into his work with compliance frameworks like CMMC and SPDX, and his strategic approach at Cyturus, focusing on "dynamic risk monitoring" as a forward-thinking solution for mitigating risks. This episode also delves into the global regulatory landscape, comparing U.S. frameworks with those abroad and discussing AI regulation insights. As always, the conversation is enriched with amusing anecdotes and expert advice, making it not only educational but also engaging.

TIMESTAMPS:
0:00 - Exploring Security, Compliance, and Innovation
3:05 - Reviving In-Person Tech Conferences Post-COVID Challenges
11:58 - From Tech Support to Cybersecurity and Compliance
19:12 - The Challenges and Importance of Software Bill of Materials
24:25 - The Global Regulatory Landscape and Its Impact on AI Development
28:37 - HIPAA Compliance Challenges for Lawyers and Medical Startups
30:00 - Dynamic Risk Monitoring as a Compliance and Revenue Driver
34:32 - The Impact of Podcasts on the Cybersecurity Community
40:14 - Exploring Unique Bars and Crafting Cybersecurity-Themed Cocktails

SYMLINKS
Cyturus Website - https://cyturus.com
Official website for Cyturus, a leader in compliance process products and solutions, focusing on dynamic risk monitoring and governance.
Josh Marpet on LinkedIn - https://www.linkedin.com/in/joshuaviktor/
Josh Marpet's professional LinkedIn profile for networking and insights.
Paul's Security Weekly - https://securityweekly.com
One of the top cybersecurity podcasts, providing news, insights, and discussions on emerging threats and best practices in security.
SPDX (Software Package Data Exchange) - https://spdx.dev
Official resource for SPDX, an ISO/IEC standard (ISO/IEC 5962:2021) for exchanging Software Bill of Materials (SBOM) data.
CycloneDX - https://cyclonedx.org
A standard designed for the SBOM, with a focus on integration with CI/CD pipelines and automated systems.
Executive Order 14028 - https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
U.S. Executive Order mandating the use of Software Bill of Materials (SBOM) for federal software contracts to improve cybersecurity.
Helen Oakley - https://www.linkedin.com/in/helen-oakley/
Profile and resources related to Helen Oakley, a professional working on AI Bill of Materials.
NIST AI RMF (Risk Management Framework) - https://nist.gov/ai/rmf
U.S. Nation

CONNECT WITH US
www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
In this episode, we're diving deep into the world of Software Bill of Materials (SBOM)—basically, the recipe for your software, minus the secret sauce. If you've ever wondered what's really under the hood of your favorite apps (or been caught off guard by a sneaky ingredient), this one's for you. We're breaking down why you should care about SBOMs, how they're becoming a must-have in your vendor vetting process, and what it all means for the future of tech. Think of it as your crash course in making sure your software isn't serving up any nasty surprises. More info at HelpMeWithHIPAA.com/472
Guest: Chris Hughes, President / Co-Founder, Aquia
On LinkedIn | https://www.linkedin.com/in/resilientcyber/

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin

View This Show's Sponsors

Episode Notes
In this episode of The Redefining CyberSecurity Podcast, host Sean Martin connects with Chris Hughes, a seasoned author and consultant in cybersecurity. The primary focus is on the intricacies of vulnerability management and software supply chain security, particularly in an era where software pervades every aspect of modern life.

Chris Hughes emphasizes the paramount importance of understanding what is in the software we consume. The Software Bill of Materials (SBOM) has emerged as a focal point, akin to ingredient lists in the food industry, highlighting the need for transparency. Hughes argues that transparency is not just about knowing the components; it extends to understanding the risks associated with those components. He illustrates his point by referencing infamous incidents like the Log4j vulnerability, which unveiled the critical gaps in our knowledge of software components.

The conversation also shifts towards the broader challenges in software supply chain security. Hughes discusses the government's push for self-attestation and the role of third-party validators in ensuring software security. While acknowledging the complexities and potential bottlenecks, he underscores the necessity for a balanced approach that combines self-attestation with external validation to foster a secure software ecosystem.

Additionally, Hughes addresses the concept of Secure by Design, advocating for practices that embed security into the software development lifecycle right from the outset. He notes the historical context of this concept, which dates back to the Ware Report, and argues for its relevance even today. Secure by Design entails building security measures inherently into products, thereby reducing the need for perpetual patching and vulnerability management.

Internal risk management within organizations also gets spotlighted. Hughes insists that organizations should maintain an inventory of the software and components they use internally, evaluate their risks, and contribute to the open-source communities they rely on. This comprehensive approach not only helps in mitigating risks but also fosters a resilient and sustainable software ecosystem.

On the topic of platform engineering, Hughes shares his insights on its potential to streamline software development processes and enhance security through standardization and governance. However, he is candid about the challenges, particularly the need to balance standardization with the diverse preferences of development teams.

As the discussion wraps up, Hughes and Martin underline the importance of focusing on contextual risk assessment in vulnerability management, rather than merely responding to static severity scores. Hughes' advocacy for a more nuanced approach to security, balancing immediate risk mitigation with longer-term strategic planning, offers listeners a thoughtful perspective on managing cybersecurity challenges.

Top Questions Addressed
How can organizations ensure transparency and security in their software supply chains?
What strategies can be implemented to address the challenges of vulnerability management?
How can platform engineering and internal governance improve software security within organizations?

Sponsors
Imperva: https://itspm.ag/imperva277117988
LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
When the Cyber Resilience Act takes effect in 2027, the Software Bill of Materials (SBOM) becomes mandatory for companies. The SBOM is a detailed inventory of all the parts of a software application and gives a complete overview of the components in use. The VDMA recommends that companies prepare early so that they can continue to sell digital products successfully. In the latest episode of the VDMA Industrie Podcast, Tobias Pfeiffer, Product Security Officer at Festo, talks about the opportunities and challenges of introducing an SBOM. Maximilian Moser, Referent for Industrial Security, Product Security and OT Security at the VDMA, stresses the need to support small and medium-sized enterprises. The VDMA offers its member companies numerous resources, in particular through the Arbeitskreis Industrial Security (its industrial security working group). Prepare in good time for the Cyber Resilience Act in 2027 and use the advantages of the SBOM for your company! Production: New Media Art Pictures
Welcome to Automating Quality, the life sciences-centric show that bridges the gap between automation and quality management systems. This episode is the second in a two-part series discussing the Software Bill of Materials (SBOM) with guest Joseph Silvia. In this episode, we discuss the definition of AIBOM, how it differs from SBOM, and take an educated guess at their future. Joseph is the CEO of MedWareCyber, a consulting firm specializing in FDA readiness, cybersecurity, and software readiness for the medical devices industry. He is extremely knowledgeable about the regulatory landscape, and we frequently refer to him for his regulatory expertise. Key Takeaways: 01:05 Introducing guest Joseph Silvia 02:20 What is the concept of AIBOM? 04:23 Why AIBOM and SBOM should be separate discussions 07:45 How does open-source software impact those bills of materials? 11:22 How do you assess the risk of an AIBOM? Contact us at solabs-podcast@solabs.com
Welcome to another episode of the Business Ninjas Podcast, where we uncover the strategies and stories behind successful business leaders. In this episode, we're thrilled to have Ken Zalevsky, CEO of Vigilant Ops, join us for an in-depth conversation.

Ken Zalevsky has been at the forefront of cybersecurity innovation, leading Vigilant Ops with a vision to protect businesses from evolving threats in the digital world. With his extensive experience and insights, Ken shares how Vigilant Ops approaches the cybersecurity landscape and provides solutions to safeguard sensitive data.

**In this episode, we cover:**
- The Importance of Software Bill of Materials (SBOM) in Cybersecurity
- AI-Powered Email Scams
- Maximizing Security in Software Development
- How to Protect Against Phishing Attacks
- Decoding Software Vulnerabilities
- How Vigilant Ops Stays Ahead of Cyber Threats, and more

Join us for an engaging and informative discussion that offers valuable takeaways for entrepreneurs, business leaders, and anyone interested in cybersecurity.
Welcome to Automating Quality, the life sciences-centric show that bridges the gap between automation and quality management systems. This episode is the first in a two-part series discussing the Software Bill of Materials (SBOM) with guest Joseph Silvia. We explore the history of SBOM, its current importance for the FDA, and how to ensure you have an SBOM in place when implementing or developing medical devices. Joseph is the CEO of MedWareCyber, a consulting firm specializing in FDA readiness, cybersecurity, and software readiness for the medical devices industry. He is extremely knowledgeable about the regulatory landscape, and we frequently refer to him for his regulatory expertise. Key Takeaways: 01:10 Introducing today's guest: Joseph Silvia 02:35 What is an SBOM? 04:24 What is the history of SBOM? 05:50 Now the government is getting involved and SBOM is picking up steam. 06:35 What is the FDA's expectation on this topic for the medical devices industry? 09:03 When implementing or developing a device, how do you ensure that you have an SBOM in place to support it? 11:38 Who is responsible for SBOM within organizations? 14:37 Where can listeners learn more about this topic? Reach Joseph at jsilvia@medwarecyber.com Contact us at solabs-podcast@solabs.com
In this episode of The Security Podcast of Silicon Valley, host Jon McLachlan sits down with Dr. Georgianna Shea, the Chief Engineer at MITRE and Chief Technologist at the Foundation for Defense of Democracies. Dr. Shea shares her extensive experience in cybersecurity, from her work with the Department of Defense to her current role in influencing national security policy. Discover her insights on the importance of resilience in cybersecurity, the significance of Software Bill of Materials (SBOM), and how AI and quantum computing are shaping the future of cyber defense. Tune in for an inspiring conversation with one of the industry's leading experts.
If you care about nutrition, you check the ingredients of your food. If you care about your IT infrastructure, you check the Software Bill of Materials (SBOM) of the tech. At least that's the future that Thomas Pace hopes for. Right now, SBOMs aren't super common and software transparency is very low. Thomas walks us...
Guests: Melissa Oh, Managing Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]
On LinkedIn | https://www.linkedin.com/in/melissa-oh/
Anil John, Technical Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]
On LinkedIn | https://www.linkedin.com/in/aniljohn/
On Twitter | https://twitter.com/aniltj
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
View This Show's Sponsors
___________________________
Episode Notes
This episode of the Redefining CyberSecurity podcast features a discussion on software development, supply chain security, and the initiatives of the Silicon Valley Innovation Program (SVIP). The conversation was led by host Sean Martin, with insights from guests Melissa Oh, Managing Director at the Department of Homeland Security Science and Technology Directorate, and Anil John, Technical Director of the Silicon Valley Innovation Program.

Melissa Oh shared her experience in public service and the SVIP's approach to identifying emerging technology companies. Her background in Silicon Valley and her focus on solving DHS's pain points through collaboration with startups underscored the program's mission of fostering innovation in the government sector.

Anil John, a public interest technologist, spoke about bridging the gap between the government and the startup community. His role in translating government needs into actionable solutions highlighted the importance of drawing on global talent to address local challenges and drive technological advances in the public sector.

The discussion explored the SVIP's selection process for startups, which focuses on building products that have broad utility and can be readily adopted. The protobom project's transition into an open-source tool was given as an example of the program's commitment to nurturing solutions with real-world applications.

The significance of the Software Bill of Materials (SBOM) in improving software supply chain visibility was emphasized, with a call for organizations to make SBOM generation part of their software development processes. By driving awareness and adoption of SBOM, the SVIP aims to give security leaders better visibility into the software in their development pipelines.

Security leaders were encouraged to explore tools and technologies that improve software security and visibility in the development pipeline, to participate in the SVIP demo week to learn about new solutions and capabilities, and to drive the adoption of SBOM within their organizations.

Key Questions Addressed
- How does the Silicon Valley Innovation Program (SVIP) bridge the gap between government needs and startup innovations in cybersecurity?
- What role does the Software Bill of Materials (SBOM) play in enhancing software supply chain security?
- How can organizations, both public and private, benefit from the solutions developed through the SVIP for software supply chain visibility?
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
Guests: Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]
On LinkedIn | https://www.linkedin.com/in/allanafriedman/
At RSAC | https://www.rsaconference.com/experts/allan-friedman
Bob Lord, Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]
On LinkedIn | https://www.linkedin.com/in/lordbob/
On Twitter | https://twitter.com/boblord
At RSAC | https://www.rsaconference.com/experts/Bob%20Lord
____________________________
Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
Episode Notes
In this On Location episode, Sean Martin hosted a conversation with Allan Friedman and Bob Lord from the Cybersecurity and Infrastructure Security Agency (CISA) as part of the Chats on the Road to the RSA Conference series. The discussion centered on securing software by design, managing end-of-life (EOL) software, and the crucial role of transparency in the software supply chain.

Allan Friedman, a vocal advocate for the Software Bill of Materials (SBOM) (he has the t-shirt to prove it), remarked on how competitive it has become to be accepted to speak at conferences like RSA, reflecting the growing awareness and urgency around cybersecurity topics. His upcoming RSA presentation covers the looming challenge of end-of-life and end-of-support software, a topic that, while not new, demands both technical and policy-level responses to mitigate the threats it creates.

Bob Lord highlighted an area often overlooked yet critical for software security: memory safety. Drawing on his experience and the large share of vulnerabilities traced back to memory safety issues, Lord argued that developers and companies need a more proactive and transparent approach in their software development practices. This is not just about developing new solutions but also about ensuring that existing software is resilient against current and future threats.

One of the key takeaways from this episode is the imperative of transparency in the software supply chain. As Friedman notes, the path to a more secure digital infrastructure lies in clear visibility into the software components businesses rely on, including their age, vulnerabilities, and update requirements. This clarity is essential both for building trust between software manufacturers and their customers and for enabling a proactive stance on cybersecurity, which can significantly reduce the risks associated with outdated or unsupported software.

The conversation also underscored that cybersecurity keeps evolving: as threats change, so must the strategies and tools used against them. The dialogue between Martin, Friedman, and Lord brought out the importance of continuous learning, adaptation, and collaboration within the cybersecurity community.

The episode is a microcosm of the larger conversations happening in cybersecurity and software development. The insights shared by Allan Friedman and Bob Lord remind us of the critical importance of secure design, comprehensive policies, and, above all, a collective belief that safer software is achievable.

Be sure to follow our Coverage Journey and subscribe to our podcasts!
____________________________
Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
On YouTube:
017 Adrian Sroka - secure code can be done
Artur Markiewicz podcast
https://powiedzcospoinformatycznemu.pl/artur-markiewicz-podcast/
A podcast about people, the industry, and projects. A podcast about building cybersecurity and the people who do it.
In this episode of CISO Tradecraft, host G Mark Hardy talks with Cassie Crossley, author of a book on software supply chain security. Hardy explores the structure of software supply chains and the risks they pose. Crossley shares her insights on the different kinds of source code an organization consumes and the details of a secure development life cycle. She highlights the significance of the Software Bill of Materials (SBOM) and the challenges of maintaining the integrity of software products. The discussion also covers counterfeits in the software world, stressing the need for continuous monitoring and a holistic approach to cybersecurity. Link to the Book: https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2 Transcripts: https://docs.google.com/document/d/1SJS2VzyMS-xLF0vlGIgrnn5cOP8feCV9 Chapters 00:00 Introduction 01:44 Discussion on Software Supply Chain Security 02:33 Insights into Secure Development Life Cycle 03:20 Understanding the Importance of Supplier Landscape 05:09 The Role of Security in Software Supply Chain 07:29 The Impact of Vulnerabilities in Software Supply Chain 09:06 The Importance of Secure Software Development Life Cycle 14:13 The Role of Frameworks and Standards in Software Supply Chain Security 17:39 Understanding the Importance of Business Continuity Plan 20:53 The Importance of Security in Agile Development 24:01 Understanding OWASP and Secure Coding 24:20 The Importance of API Security 24:50 The Concept of Shift Left in Software Development 25:20 The Role of Culture in Software Development 25:52 Exploring Different Source Code Types 26:19 The Rise of Low Code, No Code Platforms 28:53 The Potential Risks of Generative AI Source Code 34:24 Understanding Software Bill of Materials (SBOM) 41:07 The Challenge of Spotting Counterfeit Software 41:36 The Importance of Integrity Checks in Software Development 45:45 Closing Thoughts and the Importance of Cybersecurity Awareness
What is meant by Container Supply Chain? And what can go wrong if the chain is not managed correctly? Which frameworks and tools are available? In this episode I host Simone Salsi, Solutions Architect at AWS Italia, to talk about how to build development and deployment pipelines that mitigate risk and maximize container security. Useful links: SLSA: https://slsa.dev Software Bill of Materials (SBoM): https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/software-bill-of-materials-sbom.html CNCF whitepaper: https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf [blog] Shift left to secure your container supply chain: https://aws.amazon.com/blogs/containers/shift-left-to-secure-your-container-supply-chain/ DevSecOps workshop: https://container-devsecops.awssecworkshops.com
Podcast: Energy Talks
Episode: #71: Cybersecurity in the Power Grid – A 360° View | Part 5
Pub date: 2024-01-11
Security engineering – building trust in digital products used in the power grid
Welcome to the 5th episode of our Energy Talks miniseries, Cybersecurity in the Power Grid, in which we provide a 360-degree view of how power grids can best safeguard their infrastructures from cyberattacks. In this episode, Andreas Klien, OMICRON cybersecurity expert and Business Area Manager of Power Utility Communication, discusses the security engineering of digital products used in the power grid with his guest, Sarah Fluchs, Chief Technology Officer at admeritia GmbH. Together, they debate the question, "Can power grid operators trust their manufacturers to ensure reliable cybersecurity?" Andreas and Sarah conduct their discussion from the perspective of an OT security officer. They address the pending EU Cyber Resilience Act and how it can help better secure the power grid and other critical infrastructures by requiring manufacturers to build cybersecurity measures into their products, and the significance of security certificates for digital products, especially OT devices. They also discuss the growing use of the Software Bill of Materials (SBOM) and how it can help manufacturers be more transparent and enable power grid operators to identify possible security issues in products. Lastly, Andreas and Sarah discuss the importance of open, two-way communication between power grid operators and manufacturers to achieve security goals. Stay tuned for upcoming episodes in our Cybersecurity in the Power Grid miniseries.
Learn more about our approach to cybersecurity in power grids: https://www.omicroncybersecurity.com/
The podcast and artwork embedded on this page are from OMICRON electronics GmbH, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.
Explore the concepts of the Software Bill of Materials (SBOM) and the newly coined Workflow Bill of Materials (WBOM) in our latest newsletter article, where we look at how these strategies can improve operational transparency and business security.
________
This fictional story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.
Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn.
Sincerely, Sean Martin and TAPE3
________
Sean Martin is the host of the Redefining CyberSecurity Podcast, part of the ITSPmagazine Podcast Network, which he co-founded with his good friend Marco Ciappelli, where you may just find some of these topics being discussed. Visit Sean on his personal website.
TAPE3 is the Artificial Intelligence for ITSPmagazine, created to function as a guide, writing assistant, researcher, and brainstorming partner to those who adventure at and beyond the Intersection Of Technology, Cybersecurity, And Society. Visit TAPE3 on ITSPmagazine.
On this episode, David London and Adam Isles from the Chertoff Group stop by to discuss emerging risk topics such as AI, Supply Chain Attacks, and the new SEC regulations. Stick around and learn the tradecraft to better protect your company. Special Thanks to our Sponsors: The Chertoff Group: https://www.chertoffgroup.com.Note you can read more about their thoughts on AI here: https://www.chertoffgroup.com/managing-ai-risks/ Prelude: https://www.preludesecurity.com/ CPrime: Visit https://www.cprime.com/train to schedule an IT governance workshop to align expectations, capture priorities, and improve effective governance across your entire technology portfolio. Use the code CPRIMEPOD to get 15% off your training course purchase. Transcripts: https://docs.google.com/document/d/1tW0kOYCURXgRF-z7UqeQGga0zAkwGuZ9/ Chapters 00:00 Introduction 02:33 The SEC's Final Rule on Cybersecurity Disclosure 05:29 What is a Material Incident? 07:13 The Commission's Final Rule on Board Engagement in Cybersecurity Risk 10:03 The Four Day Rule for Incident Reporting 12:46 The Implications of the New Role of the CISO 15:46 The Ticking Clock on Disclosure 18:31 SolarWinds and the Software Chain Security Exposure 19:53 The Role of the Software Bill of Materials (SBOM) in the Software Supply Chain Security Challenges 21:29 The Rise of the SBOM 23:16 The Rise of Expectations in the U.S. Government 25:02 The Future of Software Security 27:22 The Progress of the CMMC Program 29:59 The SEC Disclosure Requirements: What to Expect From Your Board 31:57 How to Reduce Complexity in Your Software Development Lifecycle 34:05 How AI is Impacting Our Business and Cyber 37:32 How to Measure and Manage Cyber Risks Effectively 39:57 The SEC's Final Rule on Disclosure
"Visualizing the Software Supply Chain" is a project which aims to kick off a discussion about the scope and breadth of the software supply chain. Paul McCarty emphasizes the importance of understanding what's in the software supply chain to secure it effectively. He uses the burrito analogy, stating that you can't decide if you want to eat it if you don't know what's in it. We discuss the nuances around the Software Bill of Materials (SBOM) and the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently. The conversation also covers third-party components, such as APIs, SaaS solutions, payment gateways, and identity providers, which are part of the software supply chain. Paul gives the example of Stripe, a payment platform that includes software components and SaaS. Paul's project helps people understand the different threats associated with each category in the software supply chain. The episode concludes with a call to action for organizations to prioritize understanding their software supply chain and leveraging automation as much as possible. Gain valuable insights into securing the software supply chain and consider guidance on actionable steps organizations can take to enhance their security. Four key takeaways from the episode: Understanding the Software Supply Chain: Paul McCarty emphasizes the importance of understanding the scope and breadth of the software supply chain. He suggests you can't secure or have a valuable conversation about the software supply chain if you don't know what's in it. The Role of Third-Party Components: Third-party components in the software supply chain are crucial. These can include APIs, SaaS solutions, payment gateways, and identity providers. Paul uses Stripe as an example to illustrate this point. The Nuances of the Software Bill of Materials (SBOM): SBOM has nuance. We highlight the importance of understanding the differences between various SBOMs, especially for companies that deploy frequently. Threat Thinking in the Software Supply Chain: We appreciate the depth of threat thinking in Paul's project. This approach helps people understand the different threats associated with each category in the software supply chain. Links: https://github.com/SecureStackCo/visualizing-software-supply-chain https://github.com/6mile/DevSecOps-Playbook FOLLOW OUR SOCIAL MEDIA: ➜ Twitter: @AppSecPodcast ➜ LinkedIn: The Application Security Podcast ➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast Thanks for Listening!
In this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and Dino Boukouris, Founder and Managing Director of Momentum Cyber, delve into the increasing demand for detailed, actionable data in providing cybersecurity services. Eric and Dino scrutinize the role of regulations, assessing whether they inspire innovation or inadvertently stifle growth. They also examine the crucial part that data analytics and the Software Bill of Materials (SBOM) play in today's risk management practices. Will the increased prevalence of AI and emerging regulations bring about significant improvements in managing cyber risks? Join the conversation to find out. Interview with Dino Boukouris: Dino Boukouris is a Founder of Momentum Cyber as well as its Managing Director. Momentum serves as a strategic advisor to founders, CEOs, and boards in the cybersecurity space. Dino specializes in cybersecurity, M&A, venture capital and private equity. He also has a background in engineering and finance. Prior to founding Momentum Cyber, Dino served in a variety of capacities at strategic advisory services and VC firms, including Illuminate Ventures and Advatech Advisors. Earlier in his career, he held the position of Engineering Manager at Cameron Health, a start-up later acquired by Boston Scientific. Dino earned an MBA with honors from UC Berkeley's Haas School of Business and a Master of Science degree in Mechanical Engineering from the University of Michigan's College of Engineering.
In this episode, Eric and Dino discuss: The increasing sophistication of cybersecurity threats and marketplace demand for better data risk management The role of regulation in driving and governing the proliferation of AI and whether it also stifles growth The double-edged sword that these advances bring to cybersecurity tools and threats Whether AI's promises of efficiency will be a game-changer to today's cybersecurity practices Find Dino on LinkedIn: Dino Boukouris: https://www.linkedin.com/in/konstantinosboukouris/ Learn more about Momentum Cyber: https://www.linkedin.com/company/momentumcyber/ Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems. If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. To learn more about building a robust software supply chain security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/
Danno, Josh and Kito recap the always-amazing Devnexus and discuss a wide range of topics, including TypeScript 5, RIFE2, Hilla, OpenJFX, Adobe buying Figma, Quarkus, Jakarta EE 11, AWS Application Composer, Rust, Java 20, SBOMs, Kotlin, and more. We thank DataDog for sponsoring this podcast! https://www.pubhouse.net/datadog Front End - Anyone heard of Eclipse Scout - A one-stop framework to develop professional business applications? (https://www.eclipse.org/scout/) - Announcing TypeScript 5.0 - PrimeOne 2.0 for Figma (https://www.primefaces.org/introducing-primeone-2-0-for-figma/) - Adobe to buy Figma (https://news.adobe.com/news/news-details/2022/Adobe-to-Acquire-Figma/default.aspx) - RIFE2 (https://rife2.com/) - Hilla 2.0: New features and an improved technology baseline using Spring Boot 3 and Java 17 (https://hilla.dev/blog/hilla-2-0-release/) - OpenJFX 20 Released (https://gluonhq.com/products/javafx/openjfx-20-release-notes/) - Hands-On Selenium WebDriver with Java: A Deep Dive into the Development of End-to-End Tests (https://www.amazon.com/Hands-Selenium-WebDriver-Java-End/dp/1098110005) Server Side Java - Quarkus dropping MicroProfile Metrics (https://vived.io/much-ado-about-observability-jep-making-profiling-easier-and-quarkus-dropping-microprofile-standard/) - Visualize and create your serverless workloads with AWS Application Composer (https://aws.amazon.com/blogs/compute/visualize-and-create-your-serverless-workloads-with-aws-application-composer/?sc_icampaign=launch_aws-application-composer-preview_reinvent22&sc_ichannel=ha&sc_icontent=awssm-12026_launch_reinvent22&sc_i) - Jakarta EE 11 Discussion (https://docs.google.com/document/d/1m-dkvbL0iFFzitO4vt1SVq6GGSJyFdCDM2NU_FzGS10/edit?hss_channel=tw-939323243076259842#heading=h.1oyn459kodrn) News - Don't call it Rust: Community complains about draft trademark policy restricting use of 'word marks' (https://devclass.com/2023/04/11/dont-call-it-rust-community-complains-about-draft-trademark-policy-restricting-use-of-word-marks/) Java Platform - Qbicc - Experimental static compiler for Java programs (https://github.com/qbicc/qbicc) - Java 20 is Out (https://inside.java/2023/03/21/the-arrival-of-java-20/) - Java: Developing smaller Docker images with jdeps and jlink | by Joe Honour | Level Up Coding (https://levelup.gitconnected.com/java-developing-smaller-docker-images-with-jdeps-and-jlink-d4278718c550) Other - Software Bill of Materials (SBOM) (https://apiiro.com/blog/practical-guide-to-sbom/) - Snyk (https://snyk.io/) - Nexus Lifecycle - Control Open Source Risk | Sonatype (https://www.sonatype.com/products/open-source-security-dependency-management) - DependencyTrack (https://dependencytrack.org/) - Brian Fox - OpenSSF Governing Board Member (https://www.linkedin.com/in/brianefox) - Kotlin 1.8.20 (https://kotlinlang.org/docs/whatsnew1820.html) Picks - Rectangle Mac (Kito) (https://rectangleapp.com/) - The Big Door Prize (Josh) (https://tv.apple.com/us/show/the-big-door-prize/umc.cmc.2rjxcljdjz4h47vjdxnytcn23?ctx_brand=tvs.sbd.4000) - ChatGPT for Code (Danno) (https://openai.com/blog/chatgpt) - Atlanta's Breakfast Club (Danno) (https://www.atlbreakfastclub.com/) Other Pubhouse Network podcasts - Breaking into Open Source (https://www.pubhouse.net/breaking-into-open-source) - OffHeap (https://www.javaoffheap.com/) - Java Pubhouse (https://www.javapubhouse.com/) Events - JCON EUROPE 2023 - June 20-23, Cologne (Köln), Germany (https://jcon.one/) - JPrime - May 30-31st, Sofia, Bulgaria (https://jprime.io/) - Central Iowa Software Symposium - June 9 - 10, Des Moines, IA, USA (https://nofluffjuststuff.com/desmoines) - Lone Star Software Symposium - July 14 - 15, Austin, TX, USA (https://nofluffjuststuff.com/austin) - ÜberConf - July 18 - 21, Denver, CO, USA (https://uberconf.com/) - JChampions Conference Sessions Recorded online… (https://jchampionsconf.com/)
Joining the podcast this week is Brian Hajost, the founder and COO of SteelCloud. Brian shares insights on his concept of a Compliance Bill of Materials (CBOM). For those who have heard of the Software Bill of Materials (SBOM), it's a similar concept. In addition to CBOMs, Brian also breaks down the challenges and opportunities in automating compliance, as well as frameworks organizations can leverage to help them achieve compliance. Compliance is a super hot topic for every organization! This is a podcast you don't want to miss! Brian Hajost, Chief Operating Officer at SteelCloud, LLC. Brian Hajost is the founder and COO of SteelCloud, a company that develops technology for automated compliance for DISA STIGs and the CIS Security Benchmarks. Mr. Hajost has transformed SteelCloud into a recognized leader in delivering new technologies that allow government customers and commercial enterprises to effectively meet the compliance mandates of RMF, NIST 800-53, NIST 800-171, CMMC, and IRS Pub 1075. Brian's technical career has spanned over thirty years, primarily with leading-edge technologies in regulated industries. He holds 10 patents in IT security and two patents in mobile security. Mr. Hajost is an active contributor to AFCEA International through his membership on the Technology Committee and Secure Supply Chain subcommittee. He is also the Vice Chair of the Advanced Technology Academic Research Center (ATARC) Continuous ATO Working Group. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e220
Tanium has recently released a new capability called Tanium Software Bill of Materials (SBOM) to help customers identify third-party libraries associated with software packages. • What is Tanium SBOM • Why is it different and why do you need it • How to configure SBOM • How to query for the details about every software application in your environment • Where your vulnerable packages exist • Ways that Tanium can remediate vulnerabilities from OpenSSL to Struts to Log4j today as well as new supply-chain vulnerabilities in the future No one knows what the next supply chain vulnerability is going to be, but with Tanium, you will have access to data about how your applications are affected before it happens so that when it does, you're ready to take action to remediate the issue from within the Tanium XEM platform. Segment Resources: https://www.tanium.com/products/tanium-sbom/ https://www.tanium.com/press-releases/tanium-launches-software-bill-of-materials-for-unprecedented-visibility-to-combat-supply-chain-threats/ https://www.tanium.com/blog/software-bill-of-materials-openssl/ This segment is sponsored by Tanium. Visit https://securityweekly.com/tanium to learn more about them! Syxsense and Enterprise Management Associates (EMA) recently teamed up to publish a survey around the current state of Zero Trust within enterprises as well as where it's going. This interview will discuss the key findings and insights into the challenges many organizations face around Zero Trust, as well as endpoint security and network access. Segment Resources: https://www.syxsense.com/advancing-zero-trust-priorities In the Enterprise News: Whether you want insurtechs or not, they're here and you're getting them! Don't worry - we'll explain what insurtechs are. Two potential deals to take security companies private: Sumo Logic and Rapid 7! Looks like 32 year old security company Cyren is shutting down, hoping for an asset sale. They've already laid off all their employees. 
Big drama: a firm shorts Darktrace and releases a scathing report. We've got yet more layoffs this week, but don't fret - the NSA is hiring! For our squirrel stories, we'll be deciding between three stories: codebreakers solve 500-year-old ciphers, the real cost of meetings visualized, and sushi terrorists! All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/esw305
In this episode, Michael and Mark talk to Adrian Diglio about the Software Bill of Materials and its role in helping secure the software supply chain. We also have news items about SQL Server, Azure SQL DB, Azure Database for PostgreSQL, Azure Database for MySQL, and Application Security Groups and Private Endpoints. Mark goes over MCRA, the Immutable Laws of Cybersecurity, and Security Architecture Design.
Michelle Dennedy is Co-Founder & CEO of PrivacyCode, Inc., Partner at Privatus Consulting, and the Co-Author of The Privacy Engineer's Manifesto. In our lively conversation, we discuss the digital cost of information, the privacy problems that her company solves for, and how the Privatus Wicked Privacy™ framework differs from other approaches. --------- Thank you to our sponsor, Privado, the developer-friendly privacy platform --------- As Michelle puts it, we're living in an 'innovation palooza' right now. But, there's still progress to be made. Michelle highlights how we can change the investment proposition to get more VCs and investors to see privacy as a strategic business enabler. At PrivacyCode, they're focused on creating a simple way to communicate the language of 'people data' across specialities. Part of the solution includes having a software bill of materials (SBOM), which is essentially a list of ingredients that make up software components. Michelle shares a tangible example of how an SBOM creates flow, compliance, and transparency in new areas of tech. She also touches on her consulting work, including her simple strategy for determining privacy benefit metrics. Topics Covered: Privacy as a strategic enabler; Why Michelle thinks "today's VCs are more of a mood than an algorithm"; How PrivacyCode allows users to orchestrate requirements across various departments and lets specialists operate in their "zone of genius"; What a Software Bill of Materials (SBOM) is & why we need one to ensure privacy; Michelle's advice to privacy engineers on how to leverage an SBOM for quality code; Michelle's work at Privatus Consulting and their Wicked Privacy Framework; Examples of creative, straightforward privacy metrics. Resources Mentioned: Learn more about PrivacyCode & schedule a demo; Learn more about Privatus Consulting; Trillions: Thriving in the Emerging Information Ecology. Guest Info: Follow Michelle on LinkedIn; Follow Michelle on Twitter; Read The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value. Privado.ai: Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans. Shifting Privacy Left Media: Where privacy engineers gather, share, & learn. Buzzsprout - Launch your podcast. Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you. Copyright © 2022 - 2024 Principled LLC. All rights reserved.
Recorded on Saturday 29 October 2022, at the tailgate before the University of Michigan vs Michigan State University (American) football game, Brian, Erik and Dan chat about the news of the day, with more than a few correlations back to football. And we had a special guest join us, too: Zah Gonzalvo Rodriguez (https://www.linkedin.com/in/zahira-zah-rodriguez-gonzalvo-1a97692/) There was an upcoming OpenSSL vulnerability hitting the world this week. How would a Software Bill of Materials (SBOM) make the response easier? A reminder of our dependence on the stability and security of some very core tools (like OpenSSL) to run our businesses. Not to mention the fact that such tools are often within the libraries we use and we don't even realise they're there. Similarities between football and security in the need to adjust based on what the other team shows signs of throwing at you, and further based on what they actually bring to the line. How repeatable process and inventory help make the response to these vulnerability disclosures less like a fire drill and more like standard ops. Did you know that credit ratings are being affected by information security posture and breach response? Same thing with M&A and investment valuation… if you're not as mature in security and privacy you may see a discount taken on your value! How transparent should we be with peer companies and the public about our security posture (like incident response plans, and security controls in place)? And if you're curious, you can find out which team Dan (the lifelong Badger) was supporting in the game. Congratulations to the University of Michigan on later winning this game, and to both teams for keeping the rivalry alive and spicy. We also have a video channel on YouTube that airs the "with pictures" edition of the podcast. Please head to https://youtube.com/@greatsecuritydebate and watch, subscribe and "like" the episodes.
Some of the links in the show notes contain affiliate links that may earn a commission should you choose to make a purchase using these links. Using these links supports The Great Security Debate, so we appreciate it when you use them. We do not make our recommendations based on the availability or benefits of these affiliate links. Thanks for listening!
In May 2021, following the SolarWinds and Colonial Pipeline attacks, the Biden administration published a presidential Executive Order mandating the use of SBOMs - Software Bill of Materials - in all government agencies. What are SBOMs and how useful are they in cybersecurity? Nate Nelson talks to two experts: Allan Friedman (CISA) and Chris Blask (Cybeats).
Podcast: Malicious Life Episode: Software Bill of Materials (SBOM) [ML B-side] Pub date: 2022-08-31
Timing: 00:00:00 Start 00:02:07 Thoughtworks radar 00:02:58 Max is still not ready to do the editing 00:04:07 What is the radar? 00:06:16 Radar quadrants 00:09:54 And again Martin Fowler 00:11:42 Four key metrics 00:14:38 Single team remote wall 00:19:11 Definition of production readiness 00:24:10 Documentation quadrants 00:30:07 Rethinking remote standups 00:36:13 Server-driven UI 00:37:52 Software bill of Materials (SBOM) 00:40:54 Tactical Forking 00:44:29 Transitional architecture 00:48:19 CUPID 00:50:25 Operator pattern for non clustered resources 00:51:27 Service mesh without sidecar 00:55:56 SLSA 00:57:22 Platforms 00:58:05 Azure DevOps, Azure DevOps pipeline templates 00:59:02 Circle CI 01:00:07 Why so many CI/CD tools? 01:02:27 Reusable workflows in Github Actions 01:05:52 Sealed Secrets 01:08:25 actions-runner-controller 01:10:15 Colima 01:14:17 eBPF 01:15:00 Tools 01:15:17 tfsec 01:16:40 cert-manager 01:18:06 Cloud Carbon Footprint 01:20:01 Conftest 01:20:46 kube-score 01:21:51 Lighthouse 01:24:22 NUKE 01:27:00 Podman 01:28:33 Syft 01:28:54 CDKTF 01:31:15 Excalidraw 01:34:15 Github Codespaces 01:36:25 GoReleaser 01:36:44 Grype 01:37:30 Infracost 01:41:51 jc 01:42:55 skopeo 01:44:46 Languages & Frameworks 01:45:43 Bicep 01:46:25 WebAssembly Links: Web Vitals - https://www.youtube.com/watch?v=T6Eu4wkTdAY Say thanks: https://www.patreon.com/devopskitchentalks Music: https://www.bensound.com/
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including: A look at the DHS Cyber Safety Review Board's Log4j report; Joshua Schulte no longer the "alleged" Vault7 leaker; Chinese APT crews targeted US political journalists before Jan 6; Ransomware gangs make leak sites searchable; Why recovering plaintext passwords from Okta is expected behaviour; US Government seizes North Korean ransomware payment; Much, much more. This week's show is brought to you by Trail of Bits. Dan Guido is this week's sponsor guest and he'll tell us about work Trail of Bits did for DARPA on investigating blockchain security fundamentals. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing. Show notes: Patrick Gray on Twitter: "During our discussion yesterday on the show we didn't know pre-existing MDM was preserved when iOS lockdown mode is enabled, which is great!" / Twitter; DHS Cyber Safety Review Board found no evidence China knew of Log4j before disclosure; Ex-CIA Hacker Convicted for 'One of the Most Damaging Acts of Espionage in American History'; Chinese hackers targeted U.S. political reporters just ahead of Jan. 6 attack, researchers say; Experts concerned about ransomware groups creating searchable databases of victim data - The Record by Recorded Future; Who-is-Trickbot.pdf; A Deep Dive Into the Residential Proxy Service '911' – Krebs on Security; Risky Biz News: Google removes app permissions from the Play Store; Ongoing phishing campaign can hack you even when you're protected with MFA | Ars Technica; 'Password extraction risk' in identity provider Okta disputed | The Daily Swig; Authomize Discovers Password Stealing and Impersonation Risks in Okta | Authomize.com; Okta Response to Security Report | Okta; DOJ seized ransoms paid by health centers in Kansas, Colorado after 2021 attacks - The Record by Recorded Future; North Korean hackers target small businesses with H0lyGh0st ransomware, Microsoft warns - The Record by Recorded Future; Colorado police investigating ransomware attack on small town - The Record by Recorded Future; Albania shuts down government websites, services due to wide ranging cyberattack - The Record by Recorded Future; Bandai Namco confirms cyberattack after ransomware group threatens leak - The Record by Recorded Future; MiCODUS MV720 GPS tracker | CISA; Honda redesigning latest vehicles to address key fob vulnerabilities - The Record by Recorded Future; Russia Released a Ukrainian App for Hacking Russia That Was Actually Malware; Are blockchains decentralized? | Trail of Bits Blog; Announcing the new Trail of Bits podcast | Trail of Bits Blog; GitHub - trailofbits/it-depends: A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
In this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and the Vidovich brothers Nick and Sam hack the headlines – they discuss the latest news in security and offer their perspectives. Eric also interviews guest Darren Pulsipher, Chief Solutions Architect at Intel Corporation, about supply chain security at Intel. Hacking the Headlines: Researchers warn of the huge risks involved in the rapid deployment of AI in agriculture, noting that cyberattacks on high-tech farm equipment could threaten the global food supply chain. Netgear recently issued a security advisory outlining vulnerabilities in two popular router models. According to Netgear, they are unfixable. Is this a responsible disclosure, or does it just raise more questions/concerns than it addresses? A malicious Python package that performs supply chain attacks was spotted in the PyPI registry. It was downloaded 325 times before being removed. Is this more serious than funny, or more funny than serious? Interview with Darren Pulsipher: Darren has been working on security solutions with Intel for 12 years. He's seen from the inside how to build robust security into the software development and supply chain processes. In addition to his day job, he hosts his own tech podcast and is part of a standards body working to articulate how organizations should use the Software Bill of Materials (SBOM) to secure software and meet regulatory requirements. 
Eric and Darren discuss: Intel's process for analyzing third-party software and scanning for vulnerabilities Securing the DevOps pipeline Balancing value and risk in using open-source software Potential impacts of Executive Order 14028 on improving the nation's cybersecurity Find Darren on LinkedIn: https://www.linkedin.com/in/darrenpulsipher/ Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems. If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. To learn more about building a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.
This week's episode of the IoT: The Internet of Threats podcast features host Eric Greenwald reviewing security news with Nick and Sam, the Vidovich brothers, and discussing the future of the Software Bill of Materials (SBOM) with Allan Friedman, Senior Advisor and Strategist at CISA. News Roundup: This week's Weekly News Roundup covers: Lessons that IT professionals can take away from the new Windows patch; The importance of boardrooms bracing for supply chain cyberattacks; The importance of the SBOM in addressing cybersecurity supply chain risk. Interview with Allan Friedman: Allan is the former Director of Cybersecurity Initiatives at NTIA and has been one of the central figures in advancing the Software Bill of Materials (SBOM) as a key element of product and supply-chain cybersecurity. Allan and Eric discuss: The history of the SBOM; Increasing adoption of the SBOM as a security practice; How SBOMs may be mandated under federal rules; Misconceptions and myths around the SBOM. Connect with Allan Friedman: https://www.linkedin.com/in/allanafriedman Learn more about CISA at: https://www.cisa.gov/ Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading product security solution provider for connected devices and embedded systems. If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. To learn more about building out a robust product security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/.
Patrick is a Senior Product Security Engineer in the Application Security team at ServiceNow. He is also Co-Leader of the OWASP CycloneDX project, a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
On this week's episode of IoT: The Internet of Threats podcast, host Eric Greenwald discusses recent news in product and supply-chain cybersecurity with Nick and Sam, the Vidovich brothers. He interviews Joshua Corman, former Chief Strategist at CISA COVID Task Force and Founder of I am The Cavalry. News Roundup: This week's Weekly News Roundup covers: Assessing the difference between Spring4Shell and Log4j vulnerabilities New draft, bipartisan legislation that would require SBOMs for medical devices Interview with Josh Corman: Josh has worked in security for many years. His background includes a lot of in-depth work in cyber and physical security for medical devices. Josh is also widely known as the godfather of the Software Bill of Materials (SBOM). All of this experience led to his recent work with the government as the Chief Strategist for the CISA COVID Task Force. On the episode, Josh and Eric discuss the key functions of a product security team and the critical leadership role of the Chief Product Security Officer. Josh and Eric also discuss: How a world increasingly dependent on digital infrastructure can be protected Trends and forces that have made product security roles increasingly important General principles for prioritizing and accurately interpreting the severity of threat reports Guidance for teams that lack sufficient resources How to buy down more risk with fewer resources Connect with Josh Corman: https://www.linkedin.com/in/joshcorman/ Learn more about I am The Cavalry at https://iamthecavalry.org/ Read up on the Health Care Industry Cybersecurity Task Force here: https://www.phe.gov/Preparedness/planning/CyberTF/Pages/default.aspx Thank you for listening to this episode of IoT: The Internet of Threats podcast, powered by Finite State — the leading product security solution provider for connected devices and embedded systems. If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast. 
To learn more about building out a robust product security program, protecting your connected devices, and complying with emerging supply-chain cybersecurity regulations and technical standards, visit https://finitestate.io/.
What is code integrity and how does it affect the software supply chain? Have you heard about Log4j? In this episode, I talk with Barak Brudo, Developer Relations Advocate at Scribe Security, about the Software Bill of Materials (SBOM), which helps ensure all your code and packages are secure, down to the file level. By utilizing automated SBOMs, both companies and users can better understand what packages, dependencies, file versions, and more are in your software. All this makes dealing with supply chain problems much easier by ensuring the integrity of all the packages and files being utilized.
I'm pleased to present the 141st episode of the podcast, which is once again about application security. My guests are Alexander Gerasimov, Chief Information Security Officer at Awillix, and Sergey Ovchinnikov, cloud security architect. In this episode we talk about what Application Security (AppSec) is, how security is ensured at every stage of the software development life cycle, and which methods and approaches are used in which cases. We discuss the interaction between business, development, information security specialists and DevOps engineers. We discuss various approaches, techniques and tools for building secure applications themselves, such as application templates, code analysis tools, and approaches to building containers and base images. We talked separately about application fuzzing: what it is, how it works and how to apply it. We did not skip the topic of staffing and knowledge: we discussed where to find specialists and how to grow your own, where to get knowledge from and what knowledge an information security specialist needs in general. To close the episode we briefly debated the future of the information security field. Links to resources on the episode's topics: * Just Security (https://t.me/justsecurity). Alexander's Telegram channel about research, trends and personal experience in cybersecurity. * ISO/IEC 27034-6 Information technology, Security techniques, Application security (https://www.iso.org/standard/60804.html) * CIS Benchmarks (https://www.cisecurity.org/cis-benchmarks/) * CodeQL (https://codeql.github.com/) - code analysis engine developed by GitHub to automate security checks * Article “Hunting for XSS with CodeQL” (https://medium.com/codex/hunting-for-xss-with-codeql-57f70763b938) * SonarQube (https://www.sonarqube.org/). In case anyone doesn't know it yet :) * “Software Bill of Materials” (SBOM) (https://www.ntia.gov/SBOM) * Yandex talk from ZeroNights "Company wide SAST" (https://www.youtube.com/watch?v=JK8uUKjo_ag) * Bandit (https://github.com/PyCQA/bandit). Helps to find common security issues in Python code * Owasp ZAP (https://medium.com/cloudadventure/security-in-a-ci-cd-pipeline-876ed8541fa4). Dynamic Application Security Testing tool (DAST) * IAST Seeker (https://www.synopsys.com/software-integrity/security-testing/interactive-application-security-testing.html) * The Docker Bench for Security (https://github.com/docker/docker-bench-security) is a script that checks for dozens of common best-practices around deploying Docker * Kube-bench (https://github.com/aquasecurity/kube-bench) - Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark * Book “Kubernetes Security” (https://kubernetes-security.info/) * RESTler for REST API fuzzing (https://github.com/microsoft/restler-fuzzer) * libFuzzer (https://llvm.org/docs/LibFuzzer.html) a library for coverage-guided fuzz testing * ClusterFuzz (https://google.github.io/clusterfuzz/) is a scalable fuzzing infrastructure that finds security and stability issues in software * OSS-Fuzz (https://github.com/google/oss-fuzz) - continuous fuzzing for open source software * Microsoft Sentinel (https://azure.microsoft.com/en-us/services/microsoft-sentinel/). Next-generation security operations with cloud and AI * Book “Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats” (https://www.amazon.es/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164) Liked the episode? Support the podcast on patreon.com/KSDaemon (https://www.patreon.com/KSDaemon), with stars in iTunes (https://podcasts.apple.com/ru/podcast/software-development-podcast/id890468606?l=en) or in your podcast player, and also with a retweet or a post!
Join the SDCast Telegram chat (https://t.me/SDCast), where you can discuss episodes, suggest guests and share your comments and wishes!
Protecting data and the supply chain is deeply intertwined with everything from software to identity. Join Program Committee members Edna Conway and Diana Kelley as they discuss the challenges that folks are struggling with right now and some potential mitigation strategies. We'll explore what's happening with Log4j and other vulnerabilities as well as the need for a Software Bill of Materials (SBOM). Speakers: Edna Conway, Vice President, Chief Security & Risk Officer, Azure, Microsoft; Diana Kelley, CTO and Co-Founder, SecurityCurve; Kacy Zurkus, Content Strategist, RSAC
Podcast: Hacking Humans. Episode: software bill of materials (SBOM) (noun) [Word Notes]. Pub date: 2021-11-23. A formal record containing the details and supply chain relationships of various components used in building software. The podcast is produced by CyberWire Inc.
Welcome back to the Community Podcasts, a mini-series on the Kaspersky Transatlantic Cable podcast. As always, my co-host for this series is Anastasiya Kazakova, a Senior Public Affairs Manager who coordinates global cyber diplomacy projects at Kaspersky. As a reminder, the Community Podcasts is a short series of podcasts featuring frank cyber diplomacy conversations with cyber-heroes who unite people despite everything – growing fragmentation, confrontation, and cyber threats – there are people who build communities and unite people to work together for the common good. Why are they doing this? And are their efforts working? Our third episode includes a chat with Kate Stewart, co-chair of one of the working groups within the National Telecommunications and Information Administration's cyber-security multi-stakeholder process for Software Component Transparency. NTIA has years of experience in conducting open, multi-stakeholder processes to help make progress on issues such as finding common ground on cyber-security vulnerability disclosure, developing clear policy guidance on the secure update of IoT devices, and providing more transparency about data collected by mobile apps. But today we will focus on this multi-stakeholder process for Software Bill of Materials (SBOM) or software component transparency. During our extended conversation, we discuss a wide array of topics from the need for collaboration between the public/private sector, what working with governments has been like, what the future holds for FIRST and incident response in general, how to make sure that they remain neutral in cyber ‘firefighting', and more.
This week Greg Touhill, Director of the CERT Division, joins the podcast to share insights on CERT's history as the birthplace of cyber and its culture of innovation at the center of the cyber universe. He also dives into the importance of the development of a Software Bill of Materials (SBOM), what happens when national leaders shine a light on cyber, why talent with breadth and depth is critical to helping move the federal government cyber needle, and the building blocks for standing up the federal government's first CISO office. To learn more about CERT visit CERT.org. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e141
Elizabeth Wharton: @lawyerliz on Twitter
Executive Order: (https://www.americanbar.org/groups/public_education/publications/teaching-legal-docs/what-is-an-executive-order-/) “An executive order is a signed, written, and published directive from the President of the United States that manages operations of the federal government. They are numbered consecutively, so executive orders may be referenced by their assigned number, or their topic. Other presidential documents are sometimes similar to executive orders in their format, formality, and issue, but have different purposes. Proclamations, which are also signed and numbered consecutively, communicate information on holidays, commemorations, federal observances, and trade. Administrative orders—e.g. memos, notices, letters, messages—are not numbered, but are still signed, and are used to manage administrative matters of the federal government. All three types of presidential documents—executive orders, proclamations, and certain administrative orders—are published in the Federal Register, the daily journal of the federal government that is published to inform the public about federal regulations and actions. They are also catalogued by the National Archives as official documents produced by the federal government. Both executive orders and proclamations have the force of law, much like regulations issued by federal agencies, so they are codified under Title 3 of the Code of Federal Regulations, which is the formal collection of all of the rules and regulations issued by the executive branch and other federal agencies. Executive orders are not legislation; they require no approval from Congress, and Congress cannot simply overturn them. Congress may pass legislation that might make it difficult, or even impossible, to carry out the order, such as removing funding. Only a sitting U.S. President may overturn an existing executive order by issuing another executive order to that effect.”
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
Another Review: https://www.atlanticcouncil.org/blogs/new-atlanticist/markup-our-experts-annotate-bidens-new-executive-order-on-cybersecurity/ https://www.insurancejournal.com/news/national/2021/05/21/615373.htm
Within 60 days of the date of this order, the head of each agency shall: (i) update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance; (ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws. Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.
SBOM! Dr. Allan Friedman on BrakeSec https://brakeingsecurity.com/2020-031-allan-friedman-sbom-software-transparency-and-knowing-how-the-sausage-is-made http://brakeingsecurity.com/2020-032-dr-allan-friedman-sbom-software-transparency-and-how-the-sausage-is-made-part-2
providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website; (viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process; (ix) attesting to conformity with secure software development practices. Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products. The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation.
https://thehill.com/opinion/technology/553891-our-cybersecurity-industry-best-practices-keep-allowing-breaches?rl=1 Rebuttal to “The Hill article”: https://soatok.blog/2021/05/19/a-balanced-response-to-allen-gwinn/ thank you Brian Harden (@_noid) Author's ‘apology': https://twitter.com/2wiredSecurity/status/1395531110436704258
Check out our Store on Teepub! https://brakesec.com/store Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com #AmazonMusic: https://brakesec.com/amazonmusic #Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora #RSS: https://brakesec.com/BrakesecRSS #Youtube Channel: http://www.youtube.com/c/BDSPodcast #iTunes Store Link: https://brakesec.com/BDSiTunes #Google Play Store: https://brakesec.com/BDS-GooglePlay Our main site: https://brakesec.com/bdswebsite #iHeartRadio App: https://brakesec.com/iHeartBrakesec #SoundCloud: https://brakesec.com/SoundcloudBrakesec Comments, Questions, Feedback: bds.podcast@gmail.com Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon https://brakesec.com/BDSPatreon #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir #Player.FM : https://brakesec.com/BDS-PlayerFM #Stitcher Network: https://brakesec.com/BrakeSecStitcher #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
Panelists Georg Link | Kate Stewart Guest Justin Rackliffe (https://podcast.chaoss.community/guests/justin-rackliffe) Sponsor SustainOSS (https://sustainoss.org/) Show Notes [00:02:17] Justin tells us what he does, his background, and his journey to where he is today. [00:04:47] Georg wonders if Justin is the only one helping with all the different concerns around open source, and Justin also tells us what the structure he works within is like. [00:07:17] Kate wonders, given the amount of automation happening behind the scenes to effectively make policy decisions, whether it is all still funneling in more manually than Justin would like. Also, Justin explains how they want to leverage other people's work and contribute back when they can. [00:09:58] Justin talks about SBOMs being a challenge in the industry. [00:10:56] Kate explains what Software Bill of Materials (SBOM) and Software Package Data Exchange (SPDX) are. [00:15:18] Justin tells us other data points and metrics he employs besides SBOM. [00:19:08] Kate mentions that one of the challenges is identity for software in the industry and matching it up to other sources of information and metrics, and she wonders if Justin finds that type of matching easy or hard, and whether he looks at the National Vulnerability Database (NVD) as a set of risk metrics associated with a project, including whether it is up to date, as part of his signals. [00:22:31] Justin explains the difference in viewpoints between CHAOSS metrics and downstream metrics. [00:25:14] Kate wonders how much weight the signals a project sends about new releases and implicit end of life carry when a new release comes out, and how much people park on one release and never move forward. [00:27:37] Justin talks about how tooling needs to be visible, and we learn what kind of signals are useful to him.
[00:31:17] We learn from Justin what he would like to see if Georg gave him a magic wand and he could wish for anything from the CHAOSS Project to support him. [00:34:41] Find out where you can follow Justin online. Value Adds (Picks) of the week [00:35:59] Georg's pick is the Apple Watch. [00:37:03] Kate's pick is having a quarterly meeting with the NTIA SBOM working group. [00:37:53] Justin's pick is his bike and getting out on the greenways. Links CHAOSS (https://chaoss.community/) CHAOSS Project Twitter (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Justin Rackliffe LinkedIn (https://www.linkedin.com/in/jrackliffe/) Justin Rackliffe Twitter (https://twitter.com/byjrack?lang=en) opensource@fidelity.com (mailto:opensource@fidelity.com) Fidelity Investments-GitHub (https://github.com/fmr-llc) SPDX-GitHub (https://github.com/spdx) Apple Watch (https://www.apple.com/watch/) National Telecommunications and Information Administration SBOM (https://www.ntia.gov/sbom) Special Guest: Justin Rackliffe.
Software Bills of Materials (SBOMs) are used to describe the list of ingredients for the software that organizations create or acquire. There's a rapidly expanding community of adopters, implementers, and producers that are creating, consuming, and analyzing them en masse. What are the benefits of SBOMs, and what types of risk can be identified through their use? Segment Resources: https://cyclonedx.org/ https://www.ntia.gov/sbom https://owasp.org/scvs https://dependencytrack.org/ Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw226
The complexity of managing physical and virtual assets in increasingly digital healthcare environments creates a daunting task for security professionals. Fortunately, some promising technologies and standards are beginning to emerge to help evolve capabilities for identifying, tracking, and securing healthcare assets across the enterprise. In this episode with Susan Ramonat, CEO of Spiritus, we discuss trends in asset management standards development, distributed ledger technology, medical device tracking, regulatory activity, and more. Highlights of the discussion include: The future of healthcare asset management, including service models, unique device identifiers (UDI), RFID, geolocation services, and predictive analytics; Lessons learned from Scotland's deployment of distributed ledger technology in the healthcare provider setting; Software Bill of Materials (SBoM) standards from the FDA and other groups like the National Telecommunications and Information Administration (NTIA); Using distributed ledger technology to help with infection control based on asset movement during outbreaks like the coronavirus; Software and data asset management approaches; The role of IoT and IoMT technology solutions; People, process, and governance considerations for healthcare asset management programs; Responding to industry-wide medical device vulnerabilities like Urgent 11; Proposed federal investments for the FDA for medical device security