Podcasts about sbom

News includes the major OTP 28 release with priority messages functionality, ElixirConf EU 2025 videos starting to appear including Chris McCord's keynote on his new phoenix.new service and James Arthur's introduction of Phoenix Sync for real-time database synchronization, the EEF board election results and their new role as a CVE Numbering Authority for the Hex ecosystem, upcoming co-located hooks and macro components in LiveView, updates to the Elixir Lua package and MDEx with its new Markdown sigil, a new convention for AI-friendly usage_rules.md files in hex packages, and more! Show Notes online - http://podcast.thinkingelixir.com/255 (http://podcast.thinkingelixir.com/255) Elixir Community News https://www.honeybadger.io/ (https://www.honeybadger.io/?utm_source=thinkingelixir&utm_medium=podcast) – Honeybadger.io is sponsoring today's show! Keep your apps healthy and your customers happy with Honeybadger! It's free to get started, and setup takes less than five minutes. https://www.erlang.org/news/180 (https://www.erlang.org/news/180?utm_source=thinkingelixir&utm_medium=shownotes) – OTP 28 release announcement with new priority messages functionality and SBOM support https://www.erlang.org/eeps/eep-0076 (https://www.erlang.org/eeps/eep-0076?utm_source=thinkingelixir&utm_medium=shownotes) – EEP 76 specification for priority messages in OTP 28 https://www.youtube.com/playlist?list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z (https://www.youtube.com/playlist?list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf EU 2025 YouTube playlist with conference videos https://www.youtube.com/watch?v=ojLVHc4gLk&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2oZ&index=3 (https://www.youtube.com/watch?v=ojL_VHc4gLk&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z&index=3?utm_source=thinkingelixir&utm_medium=shownotes) – Chris McCord's keynote "Code Generators are Dead. Long Live Code Generators" https://x.com/chris_mccord/status/1923417060593356889 (https://x.com/chris_mccord/status/1923417060593356889?utm_source=thinkingelixir&utm_medium=shownotes) – Chris McCord's announcement about phoenix.new paid service https://phoenix.new/ (https://phoenix.new/?utm_source=thinkingelixir&utm_medium=shownotes) – Chris McCord's new phoenix.new paid service at Fly.io https://www.youtube.com/watch?v=4IWShnVuRCg&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z&index=2 (https://www.youtube.com/watch?v=4IWShnVuRCg&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z&index=2?utm_source=thinkingelixir&utm_medium=shownotes) – James Arthur's keynote "Introducing Phoenix Sync" from ElixirConf EU https://github.com/electric-sql/phoenix_sync/ (https://github.com/electric-sql/phoenix_sync/?utm_source=thinkingelixir&utm_medium=shownotes) – Phoenix Sync GitHub repository for real-time sync to Postgres-backed Phoenix apps https://hexdocs.pm/phoenix_sync/readme.html (https://hexdocs.pm/phoenix_sync/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Phoenix Sync documentation on HexDocs https://github.com/josevalim/sync (https://github.com/josevalim/sync?utm_source=thinkingelixir&utm_medium=shownotes) – José Valim's sync project that inspired Phoenix Sync https://erlef.org/blog/eef/election-2025-results (https://erlef.org/blog/eef/election-2025-results?utm_source=thinkingelixir&utm_medium=shownotes) – EEF board election results for Cohort C https://x.com/TheErlef/status/1924531926008004633 (https://x.com/TheErlef/status/1924531926008004633?utm_source=thinkingelixir&utm_medium=shownotes) – EEF Twitter announcement of election results https://erlef.org/blog/eef/election-2025-candidates (https://erlef.org/blog/eef/election-2025-candidates?utm_source=thinkingelixir&utm_medium=shownotes) – Information about the EEF election candidates https://erlef.org/blog/security/eef-cna-announcement (https://erlef.org/blog/security/eef-cna-announcement?utm_source=thinkingelixir&utm_medium=shownotes) – EEF becomes CVE Numbering Authority for Hex and BEAM ecosystem https://github.com/erlef-cna (https://github.com/erlef-cna?utm_source=thinkingelixir&utm_medium=shownotes) – EEF CNA GitHub organization https://cna.erlef.org/ (https://cna.erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF CNA website https://github.com/surface-ui/surface (https://github.com/surface-ui/surface?utm_source=thinkingelixir&utm_medium=shownotes) – Surface UI project for server-side rendering components https://github.com/phoenixframework/phoenixliveview/pull/3810 (https://github.com/phoenixframework/phoenix_live_view/pull/3810?utm_source=thinkingelixir&utm_medium=shownotes) – Draft PR for co-located hooks and macro components in LiveView https://github.com/tv-labs/lua (https://github.com/tv-labs/lua?utm_source=thinkingelixir&utm_medium=shownotes) – Elixir Lua package v0.2.x release by TvLabs https://x.com/davydog187/status/1925186045156463034 (https://x.com/davydog187/status/1925186045156463034?utm_source=thinkingelixir&utm_medium=shownotes) – Dave's tweet about ElixirConf EU Luerl talk https://www.youtube.com/watch?v=4YBBoXXH_98 (https://www.youtube.com/watch?v=4YBBoXXH_98?utm_source=thinkingelixir&utm_medium=shownotes) – "Lua on the BEAM" talk by Dave Lucia & Robert Virding https://discord.gg/6Ukp9vpj (https://discord.gg/6Ukp9vpj?utm_source=thinkingelixir&utm_medium=shownotes) – Discord link for Lua community https://x.com/germsvel/status/1922602086065148093 (https://x.com/germsvel/status/1922602086065148093?utm_source=thinkingelixir&utm_medium=shownotes) – German Velasco's video highlighting LiveDebugger tool https://bsky.app/profile/germsvel.com/post/3lp4snnkpj225 (https://bsky.app/profile/germsvel.com/post/3lp4snnkpj225?utm_source=thinkingelixir&utm_medium=shownotes) – German Velasco's BlueSky post about LiveDebugger https://podcast.thinkingelixir.com/249 (https://podcast.thinkingelixir.com/249?utm_source=thinkingelixir&utm_medium=shownotes) – Thinking Elixir episode 249 featuring LiveDebugger discussion https://hexdocs.pm/mdex/MDEx.Sigil.html (https://hexdocs.pm/mdex/MDEx.Sigil.html?utm_source=thinkingelixir&utm_medium=shownotes) – MDEx v0.7 documentation for new ~MD sigil https://hexdocs.pm/autumn (https://hexdocs.pm/autumn?utm_source=thinkingelixir&utm_medium=shownotes) – Autumn syntax highlighter package that works with MDEx https://github.com/leandrocp/mdex_mermaid (https://github.com/leandrocp/mdex_mermaid?utm_source=thinkingelixir&utm_medium=shownotes) – MDEx Mermaid plugin for adding mermaid support to Markdown https://bsky.app/profile/zachdaniel.dev/post/3lpofyykwds2i (https://bsky.app/profile/zachdaniel.dev/post/3lpofyykwds2i?utm_source=thinkingelixir&utm_medium=shownotes) – Zach Daniel's BlueSky post about usage_rules.md convention https://hexdocs.pm/usage_rules (https://hexdocs.pm/usage_rules?utm_source=thinkingelixir&utm_medium=shownotes) – Usage rules package documentation https://github.com/ash-project/usage_rules/ (https://github.com/ash-project/usage_rules/?utm_source=thinkingelixir&utm_medium=shownotes) – Usage rules GitHub repository https://blogs.windows.com/windowsdeveloper/2025/05/19/the-windows-subsystem-for-linux-is-now-open-source/ (https://blogs.windows.com/windowsdeveloper/2025/05/19/the-windows-subsystem-for-linux-is-now-open-source/?utm_source=thinkingelixir&utm_medium=shownotes) – Microsoft announcement about Windows Subsystem for Linux going open source https://www.zdnet.com/article/believe-it-or-not-microsoft-just-announced-a-linux-distribution-service-heres-why/ (https://www.zdnet.com/article/believe-it-or-not-microsoft-just-announced-a-linux-distribution-service-heres-why/?utm_source=thinkingelixir&utm_medium=shownotes) – ZDNet article explaining Microsoft's Linux strategy and Azure statistics Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - Dave Lucia - @davydog187 (https://x.com/davydog187)

The introduction of the Cyber Resilience Act (CRA) marks a major shift for the software industry: for the first time, manufacturers are being held accountable for the cybersecurity of their products. Olle E. Johansson, a long-time open source developer and contributor to the Asterisk PBX project, explains how this new regulation reshapes the role of software creators and introduces the need for transparency across the entire supply chain.In this episode, Johansson breaks down the complexity of today's software supply ecosystems—where manufacturers rely heavily on open source components, and end users struggle to identify vulnerabilities buried deep in third-party dependencies. With the CRA in place, the burden now falls on manufacturers to not only track but also report on the components in their products. That includes actively communicating which vulnerabilities affect users—and which do not.To make this manageable, Johansson introduces the Transparency Exchange API (TEA), a project rooted in the OWASP CycloneDX standard. What started as a simple Software Bill of Materials (SBOM) delivery mechanism has evolved into a broader platform for sharing vulnerability information, attestations, documentation, and even cryptographic data necessary for the post-quantum transition. Standardizing this API through Ecma International is a major step toward a scalable, automated supply chain security infrastructure.The episode also highlights the importance of automation and shared data formats in enabling companies to react quickly to threats like Log4j. Johansson notes that, historically, security teams spent countless hours manually assessing whether they were affected by a specific vulnerability. The Transparency Exchange API aims to change that by automating the entire feedback loop from developer to manufacturer to end user.Although still in beta, the project is gaining traction with organizations like the Apache Foundation integrating it into their release processes. Johansson emphasizes that community feedback is essential and invites listeners to engage through GitHub to help shape the project's future.For Johansson, OWASP stands for global knowledge and collaboration in application security. As Europe's regulatory influence grows, initiatives like this are essential to build a stronger, more accountable software ecosystem.GUEST: Olle E Johansson | Co-Founder, SBOM Europe | https://www.linkedin.com/in/ollejohansson/HOST:Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.comSPONSORSManicode Security: https://itspm.ag/manicode-security-7q8iRESOURCESCycloneDX/transparency-exchange-api on GitHub: https://github.com/CycloneDX/transparency-exchange-apiVIDEO: The Cyber Resilience Act: How the EU is Reshaping Digital Product Security | With Sarah Fluchs: https://youtu.be/c30eG5kzqnYLearn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spainCatch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Guests Ben Nickolls | Andrew Nesbitt Panelist Richard Littauer Show Notes In this episode of Sustain, host Richard is joined by guests Ben Nickolls and Andrew Nesbitt to discuss the ecosyste.ms project. They explore how ecosyste.ms collects and analyzes metadata from various open-source projects to create a comprehensive database that can help improve funding allocation. The discussion covers the importance of funding the most critical open-source projects, the existing gaps in funding, and the partnership between ecosyste.ms and Open Source Collective to create funding algorithms that support entire ecosystems. They also talk about the challenges of maintaining data, reaching out to project maintainers, and the broader implications for the open-source community. Hit the download button now! [00:01:58] Andrew and Ben explain ecosyste.ms, what it does, and how it compares to Libraries.io. [00:04:59] Ecosyste.ms tracks metadata, not the packages themselves, and enriches data via dependency graphs, committers, issues, SBOMs, and more. [00:06:54] Andrew talks about finding 1,890 Git hosts and how many critical projects live outside GitHub. [00:08:37] There's a conversation on metadata uses and SBOM parsing. [00:12:49] Richard inquires about the ecosystem.ms funds on their website which Andrew explains it's a collaboration between Open Collective and ecosyste.ms. that algorithmically distributes funds to the most used, not most popular packages. [00:15:45] Ben shares how this is different from previous projects and brings up a past project, “Back Your Stack” and explains how ecosyste.ms is doing two things differently. [00:18:59] Ben explains how it supports payouts to other platforms and encourages maintainers to adopt funding YAML files for automation. Andrew touches on efficient outreach, payout management, and API usage (GraphQL). [00:25:36] Ben elaborates on how companies can fund ecosyste.ms (like Django) instead of curating their own lists and being inspired by Sentry's work with the Open Source Pledge. [00:29:32] Andrew speaks about scaling and developer engagement and emphasizes their focus is on high-impact sustainability. [00:32:48] Richard asks, “Why does it matter?” Ben explains that most current funding goes to popular, not most used projects and ecosyste.ms aims to fix the gap with data backed funding, and he suggests use of open standards like 360Giving and Open Contracting Data. [00:35:46] Andrew shares his thoughts on funding the right projects by improving 1% of OSS, you uplift the quality of millions of dependent projects with healthier infrastructure, faster security updates, and more resilient software. [00:38:35] Find out where you can follow ecosyste.ms and the blog on the web. Quotes [00:11:18] “I call them interesting forks. If a fork is referenced by a package, it'll get indexed.” [00:22:07] We've built a service that now moves like $25 million a year between OSS maintainers on OSC.” [00:33:23] “We don't have enough information to make collective decisions about which projects, communities, maintainers, should receive more funding.” [00:34:23] “The NSF POSE Program has distributed hundreds of millions of dollars of funding to open source communities alone.” [00:35:47] “If you have ten, twenty thousand really critical open source projects, that actually isn't unachievable to make those projects sustainable.” Spotlight [00:39:35] Ben's spotlight is Jellyfin. [00:40:20] Andrew's spotlight is zizmor. [00:42:21] Richard's spotlight is The LaTeX Project. Links SustainOSS (https://sustainoss.org/) podcast@sustainoss.org (mailto:podcast@sustainoss.org) richard@sustainoss.org (mailto:richard@sustainoss.org) SustainOSS Discourse (https://discourse.sustainoss.org/) SustainOSS Mastodon (https://mastodon.social/tags/sustainoss) SustainOSS Bluesky (https://bsky.app/profile/sustainoss.bsky.social) SustainOSS LinkedIn (https://www.linkedin.com/company/sustainoss/) Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss) Richard Littauer Socials (https://www.burntfen.com/2023-05-30/socials) Ben Nickolls LinkedIn (https://www.linkedin.com/in/benjamuk/) Andrew Nesbitt Website (https://nesbitt.io/) Andrew Nesbitt Mastodon (https://mastodon.social/@andrewnez) Octobox (https://github.com/octobox) ecosyste.ms (https://ecosyste.ms/) ecosyste.ms Blog (https://blog.ecosyste.ms/) Open Source Collective (https://oscollective.org/) Open Source Collective Updates (https://opencollective.com/opensource/updates) Open Source Collective Contributions (https://opencollective.com/opensource) Open Source Collective Contributors (https://opencollective.com/open-source) Open Collective (https://opencollective.com/) 24 Pull Requests (https://24pullrequests.com/) Libraries.io (https://libraries.io/) The penumbra of open source (EPJ Data Science) (https://epjdatascience.springeropen.com/articles/10.1140/epjds/s13688-022-00345-7) FOSDEM '25- Open source funding: you're doing it wrong (Andrew and Ben) (https://fosdem.org/2025/schedule/event/fosdem-2025-5576-open-source-funding-you-re-doing-it-wrong/) Vue.js (https://vuejs.org/) thanks.dev (https://thanks.dev/home) StackAid (https://www.stackaid.us/) Back Your Stack (https://backyourstack.com/) NSF POSE (https://www.nsf.gov/funding/initiatives/pathways-enable-open-source-ecosystems) Django (https://www.djangoproject.com/) GitHub Sponsors (https://github.com/sponsors) Sustain Podcast-Episode 80: Emma Irwin and the Foss Fund Program (https://podcast.sustainoss.org/80) Sustain Podcast- 3 Episodes featuring Chad Whitacre (https://podcast.sustainoss.org/guests/chad-whitacre) Sustain Podcast- Episode 218: Karthik Ram & James Howison on Research Software Visibility Infrastructure Priorities (https://podcast.sustainoss.org/218) Sustain Podcast-Episode 247: Chad Whitacre on the Open Source Pledge (https://podcast.sustainoss.org/247) Invest in Open Infrastructure (https://investinopen.org/) 360Giving (https://www.360giving.org/) Open Contracting Data Standard (https://standard.open-contracting.org/latest/en/) Jellyfin (https://opencollective.com/jellyfin) zizmor (https://github.com/zizmorcore/zizmor) The LaTeX Project (https://www.latex-project.org/) Credits Produced by Richard Littauer (https://www.burntfen.com/) Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/) Show notes by DeAnn Bahr Peachtree Sound (https://www.peachtreesound.com/) Special Guests: Andrew Nesbitt and Benjamin Nickolls.

Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul's Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul's show concerning reference code for the popular ESP32 microcontroller. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-embedded-security-with-paul-asadoorian/

Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! CHAOSScast – Episode 109 In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more! [00:00:21] Our guests introduce themselves and their backgrounds. [00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components. [00:04:36] What is a SBOM? Brittany explains SBOMs as a list of all software components and libraries in each application and automation and tooling adoption is discussed. [00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns. [00:09:12] Georg gives a historical overview about SBOMs began as tools for license compliance and how SBOMs now cover more including cybersecurity, post U.S. Executive Order 14028 (May 2021). [00:15:51] Georg shares three pillars of SBOM strategy: License compliance, Security, and Project Health and how CHAOSS Metrics can be combined with SBOMs to move from reactive to proactive strategies. [00:16:59] Brittany emphasizes risk analysis and good design from project inception and proactive open source strategies save effort later. [00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness. [00:21:28] Brittany stresses internal engineering education on project health and risk and developer smush understand what makes a project “healthy.” [00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration. [00:27:36] Cali shares Red Hat's efforts to define what makes a project vulnerable and how it's focused on detecting and sunsetting unmaintained dependencies. [00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, “Metrics for OSS Viability” by Gary White. [00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26 and Open Source Summit North America, June 23-25. Value Adds (Picks) of the week: [00:36:08] Georg's pick is building a platform for his dog to look out the window. [00:37:06] Brittany's pick is spending time with Georg and Cali. [00:38:12] Cali's pick is her great support system since having ACL surgery. *Panelist: * Georg Link Guests: Cali Dolfi Brittany Istenes Links: CHAOSS (https://chaoss.community/) CHAOSS Project X (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Georg Link Website (https://georg.link/) Britany Istenes LinkedIn (https://www.linkedin.com/in/brittany-istenes-91b902152/) Brittany Istenes GitHub (https://github.com/BrittanyIstenes) Cali Dolfi LinkedIn (https://www.linkedin.com/in/calidolfi/) State of the Software Supply Chain (Sonatype) (https://www.sonatype.com/state-of-the-software-supply-chain/introduction) CHAOSScast Podcast-Episode 103: GrimoireLab at FreeBSD (https://podcast.chaoss.community/103) CHAOSS Community: Metrics for OSS Viability by Gary White (https://chaoss.community/viability-metrics-what-its-made-of/) CHAOSScon North America 2025, Denver, CO, June 26 (https://chaoss.community/chaosscon-2025-na/) Open Source Summit North America, Denver CO, June 23-25 (https://events.linuxfoundation.org/open-source-summit-north-america/) Fintech Open Source (FINOS) (https://www.finos.org/) Cyber Resilience Act (European Commission) (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act) Rising Threat: Understanding Software Supply Chain Cyberattacks And Protecting Against Them(Forbes) (https://www.forbes.com/councils/forbestechcouncil/2024/02/06/rising-threat-understanding-software-supply-chain-cyberattacks-and-protecting-against-them/) Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity (The White House) (https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/) Types of Software Bill of Material (SBOM) Documents (https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf) OpenSSF Scorecard (https://openssf.org/projects/scorecard/) OSS Project Viability Starter (CHAOSS) (https://chaoss.community/kb/metrics-model-project-viability-starter/) Show Me What You Got: Turning SBOMs Into Actions- Georg Link & Brittany Istenes (https://lfms25.sched.com/event/1urWz) Special Guests: Brittany Istenes and Cali Dolfi.

Helen Oakley, Senior Director of Product Security at SAP, and Dmitry Raidman, Co-founder and CTO of Cybeats, joined us live at the RSAC Conference to bring clarity to one of the most urgent topics in cybersecurity: transparency in the software and AI supply chain. Their message is direct—organizations not only need to understand what's in their software, they need to understand the origin, integrity, and impact of those components, especially as artificial intelligence becomes more deeply integrated into business operations.SBOMs Are Not Optional AnymoreSoftware Bills of Materials (SBOMs) have long been a recommended best practice, but they're now reaching a point of necessity. As Dmitry noted, organizations are increasingly requiring SBOMs before making purchase decisions—“If you're not going to give me an SBOM, I'm not going to buy your product.” With regulatory pressure mounting through frameworks like the EU Cyber Resilience Act (CRA), the demand for transparency is being driven not just by compliance, but by real operational value. Companies adopting SBOMs are seeing tangible returns—saving hundreds of hours on risk analysis and response, while also improving internal visibility.Bringing AI into the SBOM FoldBut what happens when the software includes AI models, data pipelines, and autonomous agents? Helen and Dmitry are leading a community-driven initiative to create AI-specific SBOMs—referred to as AI SBOMs or AISBOMs—to capture critical metadata beyond just the code. This includes model architectures, training data, energy consumption, and more. These elements are vital for risk management, especially when organizations may be unknowingly deploying models with embedded vulnerabilities or opaque dependencies.A Tool for the Community, Built by the CommunityIn an important milestone for the industry, Helen and Dmitry also introduced the first open source tool capable of generating CycloneDX-formatted AISBOMs for models hosted on Hugging Face. This practical step bridges the gap between standards and implementation—helping organizations move from theoretical compliance to actionable insight. The community's response has been overwhelmingly positive, signaling a clear demand for tools that turn complexity into clarity.Why Security Leaders Should Pay AttentionThe real value of an SBOM—whether for software or AI—is not just external compliance. It's about knowing what you have, recognizing your crown jewels, and understanding where your risks lie. As AI compounds existing vulnerabilities and introduces new ones, starting with transparency is no longer a suggestion—it's a strategic necessity.Want to see how this all fits together? Hear it directly from Helen and Dmitry in this episode.___________Guests: Helen Oakley, Senior Director of Product Security at SAP | https://www.linkedin.com/in/helen-oakley/Dmitry Raidman, Co-founder and CTO of Cybeats | https://www.linkedin.com/in/draidman/Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com___________Episode SponsorsThreatLocker: https://itspm.ag/threatlocker-r974Akamai: https://itspm.ag/akamailbwcBlackCloak: https://itspm.ag/itspbcwebSandboxAQ: https://itspm.ag/sandboxaq-j2enArcher: https://itspm.ag/rsaarchwebDropzone AI: https://itspm.ag/dropzoneai-641ISACA: https://itspm.ag/isaca-96808ObjectFirst: https://itspm.ag/object-first-2gjlEdera: https://itspm.ag/edera-434868___________ResourcesLinkedIn Post with Links: https://www.linkedin.com/posts/helen-oakley_ai-sbom-aisbom-activity-7323123172852015106-TJeaLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage______________________KEYWORDShelen oakley, dmitry raidman, sean martin, rsac 2025, sbom, aisbom, ai security, software supply chain, transparency, open source, event coverage, on location, conference______________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/

Topics covered in this episode: How to Write a Git Commit Message Caddy Web Server Some new PEPs approved juv Extras Joke Watch on YouTube About the show Sponsored by Posit Connect: pythonbytes.fm/connect Connect with the hosts Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky) Brian: @brianokken@fosstodon.org / @brianokken.bsky.social Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky) Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too. Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it. Brian #1: How to Write a Git Commit Message Chris Beams 7 rules of a great commit message Separate subject from body with a blank line Limit the subject line to 50 characters Capitalize the subject line Do not end the subject line with a period Use the imperative mood in the subject line Wrap the body at 72 characters Use the body to explain what and why vs. how Article also includes Why a good commit message matters Discussion about each of the 7 rules Cool hat tips to other articles on the subject “Keep in mind: This has all been said before.” Each word is a different link. Michael #2: Caddy Web Server via Fredrik Mellström Like a more modern NGINX Caddy automatically obtains and renews TLS certificates for all your sites. Caddy's native configuration is a JSON document. Even localhost and internal IPs are served with TLS using the intermediate of a fully-automated, self-managed CA that is automatically installed into most local trust stores. Configure multiple Caddy instances with the same storage, and they will automatically coordinate certificate management as a fleet. Production-grade static file server. Brian #3: Some new PEPs approved PEP 770 – Improving measurability of Python packages with Software Bill-of-Materials Accepted for packaging Author: Seth Larson, Sponsor Brett Cannon “This PEP proposes using SBOM documents included in Python packages as a means to improve automated software measurability for Python packages.” PEP 750 – Template Strings Accepted for Python 3.14 Author: Jim Baker, Guido van Rossum, Paul Everitt, Kaudai Aono, Lysandros Nikolaou, Dave Peck “Templates provide developers with access to the string and its interpolated values before they are combined. This brings native flexible string processing to the Python language and enables safety checks, web templating, domain-specific languages, and more.” Michael #4: juv A toolkit for reproducible Jupyter notebooks, powered by uv. Create, manage, and run Jupyter notebooks with their dependencies Pin dependencies with PEP 723 - inline script metadata Launch ephemeral sessions for multiple front ends (e.g., JupyterLab, Notebook, NbClassic) Powered by uv for fast dependency management Use uvx to run jupyterlab with ephemeral virtual environments and tracked dependencies. Extras Brian: Status of Python versions new-ish format Use this all the time. Can't remember if we've covered the new format yet. See also Python endoflife.date Same dates, very visible encouragement to move on to Python 3.13 if you haven't already. Michael: Python 3.13.3 is out. .git-blame-ignore-revs follow up Joke: BGPT (thanks Doug Farrell)

Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcastIn this episode of Cyber Work, Ken Zalevsky, founder and CEO of Vigilant Ops, joins us to discuss the importance of a Software Bill of Materials (SBOM) in the medical device industry. Zalevsky shares how SBOMs provide transparency and critical security insights, akin to the ingredients list on food packaging, to help identify and defend against vulnerabilities. We also delve into Zalevsky's extensive career in healthcare cybersecurity, starting from his early tech interests influenced by his father to his pivotal role at Bayer Healthcare. The discussion covers the impact of legacy systems, current security trends, the integration of AI in medical device security, and valuable insights for those looking to build a career in this crucial sector. Tune in to learn more about medical device security and the latest in cybersecurity trends, and get some expert advice straight from a seasoned professional.00:00 Understanding SBOMs in medical devices04:20 The evolution of medical device security07:22 Ken Zalevsky's journey in cybersecurity09:28 Challenges in medical device security13:06 The role of SBOMs in cybersecurity15:56 Implementing SBOMs in organizations18:28 Ken Zalevsky's role at Vigilant Ops22:01 Technical aspects of SBOMs27:14 Legacy devices and security measures28:24 Manufacturer's role in device security30:07 Healthcare industry's response to security threats30:42 Impact of major breaches on policy34:13 Generative AI and machine learning in healthcare security40:22 Skills and certifications for healthcare security careers46:46 Career advice and educational paths49:04 About Vigilant Ops and their services52:15 Outro– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcastAbout InfosecInfosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.

Am 11. Dezember 2024 ist der Cyber Resilience Act in Kraft getreten. Diese EU-Verordnung hat ein hehres Ziel und will Softwareprodukte in der EU sicherer machen. Welche Auswirkungen diese neue Verordnung heute und in Zukunft auf die Softwareentwicklung haben wird, besprechen wir heute mit Sebastian. Sebastian hat sich den kompletten CRA mehrmals durchgelesen um die relevanten Themen für unsere tägliche Arbeit in der Softwareentwicklung herauszufinden.

News includes Phoenix now including DaisyUI which has sparked mixed reactions, Erlang/OTP 28.0-rc2 release introducing priority process messages, the EEF Security Working Group's roadmap called Aegis, a new LiveViewPortal library for embedding LiveView pages in any website, upcoming improvements in Elixir that will spawn more OS processes for compiling dependencies potentially doubling performance, Sean Moriarity's keynote about designing LLM Native systems, and more! Show Notes online - http://podcast.thinkingelixir.com/247 (http://podcast.thinkingelixir.com/247) Elixir Community News https://gigalixir.com/thinking (https://gigalixir.com/thinking?utm_source=thinkingelixir&utm_medium=shownotes) – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking". https://bsky.app/profile/samrat.me/post/3lksxzzjqss2t (https://bsky.app/profile/samrat.me/post/3lksxzzjqss2t?utm_source=thinkingelixir&utm_medium=shownotes) – Phoenix now comes with DaisyUI, a decision that has sparked mixed reactions in the community. https://github.com/phoenixframework/phoenix/issues/6121 (https://github.com/phoenixframework/phoenix/issues/6121?utm_source=thinkingelixir&utm_medium=shownotes) – The GitHub issue discussing the addition of DaisyUI to Phoenix, showing the community's divided opinions. https://github.com/phoenixframework/phoenix/issues/6121#issuecomment-2739647725 (https://github.com/phoenixframework/phoenix/issues/6121#issuecomment-2739647725?utm_source=thinkingelixir&utm_medium=shownotes) – José Valim's explanation of the decision to include DaisyUI in Phoenix. https://security.erlef.org/aegis/ (https://security.erlef.org/aegis/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF Security Working Group released their objectives and roadmap as the Aegis of the ecosystem. https://podcast.thinkingelixir.com/245 (https://podcast.thinkingelixir.com/245?utm_source=thinkingelixir&utm_medium=shownotes) – Previous podcast episode featuring the Erlang Ecosystem Foundation (EEF). https://x.com/erlangforums/status/1902297914791358669 (https://x.com/erlangforums/status/1902297914791358669?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement of Erlang/OTP 28.0-rc2 release. https://erlangforums.com/t/erlang-otp-28-0-rc2-released/4599 (https://erlangforums.com/t/erlang-otp-28-0-rc2-released/4599?utm_source=thinkingelixir&utm_medium=shownotes) – Forum discussion about the Erlang/OTP 28.0-rc2 release. https://github.com/erlang/otp/releases/tag/OTP-28.0-rc2 (https://github.com/erlang/otp/releases/tag/OTP-28.0-rc2?utm_source=thinkingelixir&utm_medium=shownotes) – GitHub release page for Erlang/OTP 28.0-rc2, which includes a source Software Bill of Materials (SBOM). https://www.erlang.org/eeps/eep-0076 (https://www.erlang.org/eeps/eep-0076?utm_source=thinkingelixir&utm_medium=shownotes) – Erlang Enhancement Proposal (EEP) 76 introducing priority messages, a key feature in OTP 28. https://www.youtube.com/watch?v=R9JRhIKQmqk (https://www.youtube.com/watch?v=R9JRhIKQmqk?utm_source=thinkingelixir&utm_medium=shownotes) – Sean Moriarity's keynote at Code BEAM America 2025 about designing LLM Native systems. https://www.cybersecuritydive.com/news/AI-project-fail-data-SPGlobal/742768/ (https://www.cybersecuritydive.com/news/AI-project-fail-data-SPGlobal/742768/?utm_source=thinkingelixir&utm_medium=shownotes) – Report showing AI project failure rates are on the rise, with 42% of businesses scrapping most AI initiatives. https://tech.doofinder.com/posts/live-view-portal (https://tech.doofinder.com/posts/live-view-portal?utm_source=thinkingelixir&utm_medium=shownotes) – Introduction to LiveViewPortal, a JavaScript library for embedding Phoenix LiveView pages into any website. https://github.com/doofinder/liveviewportal (https://github.com/doofinder/live_view_portal?utm_source=thinkingelixir&utm_medium=shownotes) – GitHub repository for LiveViewPortal. https://elixirforum.com/t/liveviewportal-embed-liveviews-in-other-websites/70040 (https://elixirforum.com/t/liveviewportal-embed-liveviews-in-other-websites/70040?utm_source=thinkingelixir&utm_medium=shownotes) – Elixir Forum discussion about LiveViewPortal. https://bsky.app/profile/ftes.de/post/3lkohiog4uv2b (https://bsky.app/profile/ftes.de/post/3lkohiog4uv2b?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement of phoenixtestplaywright v0.6.0 release. https://github.com/ftes/phoenixtestplaywright (https://github.com/ftes/phoenix_test_playwright?utm_source=thinkingelixir&utm_medium=shownotes) – GitHub repository for phoenixtestplaywright with new features like cookie manipulation and browser launch timeout options. https://bsky.app/profile/david.bernheisel.com/post/3lkoe4tvc2s2o (https://bsky.app/profile/david.bernheisel.com/post/3lkoe4tvc2s2o?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement about Elixir's upcoming improvement to spawn more OS processes for compiling dependencies. https://github.com/elixir-lang/elixir/pull/14340 (https://github.com/elixir-lang/elixir/pull/14340?utm_source=thinkingelixir&utm_medium=shownotes) – Pull request for concurrent dependencies compilation in Elixir, potentially improving performance by 2x. https://goatmire.com/ (https://goatmire.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Explanation of the name "Goatmire," which is a loose translation of Getakärr, the historical name for Varberg. Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

News includes a new library called phoenix_sync for real-time sync in Postgres-backed Phoenix applications, Peter Solnica released a Text Parser for extracting structured data from text, a useful tip on finding Hex package versions locally with mix hex.info, Wasmex updated to v0.10 with WebAssembly component support, and Chrome introduces a new browser feature similar to LiveView.JS. We also talked with Alistair Woodman and Jonatan Männchen from the EEF about Jonatan's role as CISO, the Security Working Group, and their work on OpenChain compliance for supply-chain security, Software Bill of Materials (SBoMs), and what these initiatives mean for the Elixir community, and more! Show Notes online - http://podcast.thinkingelixir.com/245 (http://podcast.thinkingelixir.com/245) Elixir Community News https://gigalixir.com/thinking (https://gigalixir.com/thinking?utm_source=thinkingelixir&utm_medium=shownotes) – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking". https://github.com/electric-sql/phoenix_sync (https://github.com/electric-sql/phoenix_sync?utm_source=thinkingelixir&utm_medium=shownotes) – New library called phoenix_sync providing real-time sync for Postgres-backed Phoenix applications. https://hexdocs.pm/phoenix_sync/readme.html (https://hexdocs.pm/phoenix_sync/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Documentation for phoenix_sync, a solution for building modern, real-time apps with local-first/sync in Elixir. https://github.com/josevalim/sync (https://github.com/josevalim/sync?utm_source=thinkingelixir&utm_medium=shownotes) – José Valim's original proof of concept repo that was promptly archived. https://electric-sql.com/ (https://electric-sql.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Electric SQL's platform that syncs subsets of Postgres data into local apps and services, allowing data to be available offline and in-sync. https://solnic.dev/posts/announcing-textparser-for-elixir/ (https://solnic.dev/posts/announcing-textparser-for-elixir/?utm_source=thinkingelixir&utm_medium=shownotes) – Peter Solnica released TextParser, a library for extracting interesting parts of text like hashtags and links. https://hexdocs.pm/text_parser/readme.html (https://hexdocs.pm/text_parser/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Documentation for the Text Parser library that helps parse text into structured data. https://www.elixirstreams.com/tips/mix-hex-info (https://www.elixirstreams.com/tips/mix-hex-info?utm_source=thinkingelixir&utm_medium=shownotes) – Elixir stream tip on using mix hex.info to find the latest package version for a Hex package locally, without needing to search on hex.pm or GitHub. https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4 (https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4?utm_source=thinkingelixir&utm_medium=shownotes) – Guide for upgrading Tailwind to V4 in existing Phoenix applications using Tailwind's automatic upgrade helper. https://gleam.run/news/hello-echo-hello-git/ (https://gleam.run/news/hello-echo-hello-git/?utm_source=thinkingelixir&utm_medium=shownotes) – Gleam 1.9.0 release with searchability on hexdocs, Echo debug printing for improved debugging, and ability to depend on Git-hosted dependencies. https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir (https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir?utm_source=thinkingelixir&utm_medium=shownotes) – Blog post discussing how promises made about NodeJS actually came true with Elixir. https://hexdocs.pm/wasmex/Wasmex.Components.html (https://hexdocs.pm/wasmex/Wasmex.Components.html?utm_source=thinkingelixir&utm_medium=shownotes) – Wasmex updated to v0.10 with support for WebAssembly components, enabling applications and components to work together regardless of original programming language. https://ashweekly.substack.com/p/ash-weekly-issue-8 (https://ashweekly.substack.com/p/ash-weekly-issue-8?utm_source=thinkingelixir&utm_medium=shownotes) – AshWeekly Issue 8 covering AshOps with mix task capabilities for CRUD operations and BeaconCMS being included in the Ash HQ installer script. https://developer.chrome.com/blog/command-and-commandfor (https://developer.chrome.com/blog/command-and-commandfor?utm_source=thinkingelixir&utm_medium=shownotes) – Chrome update brings new browser feature with commandfor and command attributes, similar to Phoenix LiveView.JS but native to browsers. https://codebeamstockholm.com/ (https://codebeamstockholm.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Code BEAM Lite announced for Stockholm on June 2, 2025 with keynote speaker Björn Gustavsson, the "B" in BEAM. https://alchemyconf.com/ (https://alchemyconf.com/?utm_source=thinkingelixir&utm_medium=shownotes) – AlchemyConf coming up March 31-April 3 in Braga, Portugal. Use discount code THINKINGELIXIR for 10% off. https://www.gigcityelixir.com/ (https://www.gigcityelixir.com/?utm_source=thinkingelixir&utm_medium=shownotes) – GigCity Elixir and NervesConf on May 8-10, 2025 in Chattanooga, TN, USA. https://www.elixirconf.eu/ (https://www.elixirconf.eu/?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf EU on May 15-16, 2025 in Kraków & Virtual. https://goatmire.com/#tickets (https://goatmire.com/#tickets?utm_source=thinkingelixir&utm_medium=shownotes) – Goatmire tickets are on sale now for the conference on September 10-12, 2025 in Varberg, Sweden. Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Discussion Resources https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/ (https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/?utm_source=thinkingelixir&utm_medium=shownotes) https://cna.erlef.org/ (https://cna.erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF CVE Numbering Authority https://erlangforums.com/t/security-working-group-minutes/3451/22 (https://erlangforums.com/t/security-working-group-minutes/3451/22?utm_source=thinkingelixir&utm_medium=shownotes) https://podcast.thinkingelixir.com/220 (https://podcast.thinkingelixir.com/220?utm_source=thinkingelixir&utm_medium=shownotes) – previous interview with Alistair https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act?utm_source=thinkingelixir&utm_medium=shownotes) – CRA - Cyber Resilience Act https://www.cisa.gov/ (https://www.cisa.gov/?utm_source=thinkingelixir&utm_medium=shownotes) – CISA US Government Agency https://www.cisa.gov/sbom (https://www.cisa.gov/sbom?utm_source=thinkingelixir&utm_medium=shownotes) – Software Bill of Materials https://oss-review-toolkit.org/ort/ (https://oss-review-toolkit.org/ort/?utm_source=thinkingelixir&utm_medium=shownotes) – Desire to integrate with tooling outside the Elixir ecosystem like OSS Review Toolkit https://github.com/voltone/rebar3_sbom (https://github.com/voltone/rebar3_sbom?utm_source=thinkingelixir&utm_medium=shownotes) https://cve.mitre.org/ (https://cve.mitre.org/?utm_source=thinkingelixir&utm_medium=shownotes) https://openssf.org/projects/guac/ (https://openssf.org/projects/guac/?utm_source=thinkingelixir&utm_medium=shownotes) https://erlef.github.io/security-wg/securityvulnerabilitydisclosure/ (https://erlef.github.io/security-wg/security_vulnerability_disclosure/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF Security WG Vulnerability Disclosure Guide Guest Information - https://x.com/maennchen_ (https://x.com/maennchen_?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Twitter/X - https://bsky.app/profile/maennchen.dev (https://bsky.app/profile/maennchen.dev?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Bluesky - https://github.com/maennchen/ (https://github.com/maennchen/?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Github - https://maennchen.dev (https://maennchen.dev?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan's Blog - https://www.linkedin.com/in/alistair-woodman-51934433 (https://www.linkedin.com/in/alistair-woodman-51934433?utm_source=thinkingelixir&utm_medium=shownotes) – Alistair Woodman on LinkedIn - awoodman@erlef.org - https://github.com/ahw59/ (https://github.com/ahw59/?utm_source=thinkingelixir&utm_medium=shownotes) – Alistair on Github - http://erlef.org/ (http://erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – Erlang Ecosystem Foundation Website Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

Предварительная запись на офлайн-курс Learn Python в Москве — https://forms.gle/wE7Lit97U9Q2q3oT9   Ведущие – Григорий Петров и Михаил Корнеев Новости выпуска: Safe external debugger interface for CPython — https://peps.python.org/pep-0768/ результат опроса Facebook об аннотациях типов в Python — https://engineering.fb.com/2024/12/09... возможность указывать SBOM-файлы в pyproject.toml — https://peps.python.org/pep-0770/ Сравнение Django и FastAPI — https://www.david-dahan.com/blog/comp... предложение по добавлению выравнивания в PEP 8 — https://discuss.python.org/t/pep-8-mo...   Ссылки выпуска: Курс Learn Python — https://learn.python.ru/advanced Канал Миши в Telegram — https://t.me/tricky_python Канал Moscow Python в Telegram — https://t.me/moscow_python Все выпуски — https://podcast.python.ru Митапы Moscow Python — https://moscowpython.ru Канал Moscow Python на Rutube — https://rutube.ru/channel/45885590/ Канал Moscow Python в YouTube — https://www.youtube.com/@moscowdjangoru Канал Moscow Python в VK — https://vk.com/moscowpythonconf

Smarte Toaster, PC-Spiele, Mikroprozessoren und Antivirusprogramme – auf all diese Produkttypen ist der Cyber Resilience Act (CRA) anzuwenden, welcher am 12. Dezember 2024 in Kraft trat. In dieser Folge werfen wir einen genauen Blick auf die neue EU-Verordnung, die Hersteller und Händler in Sachen IT-Sicherheit in die Pflicht nimmt und die die Resilienz von digitalen Produkten nachhaltig stärken soll. Was bedeutet das konkret und wie können sich Unternehmen frühzeitig auf die neuen Anforderungen vorbereiten? Unsere BSI-Expertin Anna Schwendicke beleuchtet die Auswirkungen des CRA auf die Hersteller von IT, sowie auf Händler und Verbraucher und erklärt, wie sich Firmen den neuen Anforderungen stellen können.

Connect to John Gilroy on LinkedIn   https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com A recent study showed that the federal government has identified 1700 use cases for Artificial Intelligence. Today, we examine some challenges and solutions for unlocking the power of AI represented in these examples.  Our guest, Joel Krooswyk from GitLab, examines Software Bills of Material, repatriation, and what efficiency might look like in the future. SBOM. For years, software developers have recommended using a Software Bill of Material. Today, its value has become so apparent that it is becoming mandatory. During the interview, Joel Krooswyk discusses the security benefits of mandating an SBOM policy for all federal software development. Fifteen years ago, Vivek Kundra coined the phrase “Cloud First.”  It took a while, but cloud adoption is pervasive by the federal government.  However, with this adoption, we have seen examples where cloud service providers may over-promise and under delivery. The interview provides guidelines for transitioning from the cloud back to the premises, which is increasingly called “repatriation.” Software development in the future will make compliance partner with DevSecOps in an automated process. This will reduce maintenance costs and provide real-time reporting.  Intelligent automation will be able to validate each step of the process.

Podcast: ICS Cyber Talks PodcastEpisode: Part-1: IoT Meetup 05/01/2025 Chen Gruber SW Dev Embedded Security @CheckPoint: Firmware SecurityPub date: 2025-01-24Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationChen Gruber, software developer Embedded Security @CheckPoint about Firmware Security What can hackers learn by extracting data from the file system of the loT Device? Binary scan and static analysis on firmware can give valuable insights into your device and expose the hidden vulnerabilities and weaknesses before hackers find them. In this session, we demonstrate the firmware scanner service of Check Point and review the results to learn how to make secure devices. The service helps you to keep security hygiene and best practices. Also, to comply with security compliance regulations by providing full SBOM and CVEs. Technical Level - 300The podcast and artwork embedded on this page are from Nachshon Pincu, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Josh Marpet is a seasoned entrepreneur and a renowned authority in the field of information security, compliance, and risk management. With a rich background in law enforcement, Josh has translated his diverse experiences into shaping security protocols in various high-risk environments. He serves as the Chief Strategy Officer at Cyturus, where he drives advancements in compliance process products. Notably, Josh contributes to the esteemed IANS faculty and co-hosts the well-known Paul's Security Weekly podcast. His efforts also extend to organizing BSides Delaware, further cementing his influence and dedication to the cybersecurity community.He shares his diverse career journey from law enforcement to tech support and finally into cybersecurity leadership. Listeners gain insight into his work with compliance frameworks like CMMC and SPDX, and his strategic approach at Cyturus, focusing on "dynamic risk monitoring" as a forward-thinking solution for mitigating risks. This episode also delves into the global regulatory landscape, comparing U.S. frameworks with those abroad and discussing AI regulation insights. As always, the conversation is enriched with amusing anecdotes and expert advice, making it not only educational but also engaging.TIMESTAMPS:0:00 - Exploring Security, Compliance, and Innovation3:05 - Reviving In-Person Tech Conferences Post-COVID Challenges11:58 - From Tech Support to Cybersecurity and Compliance19:12 - The Challenges and Importance of Software Bill of Materials24:25 - The Global Regulatory Landscape and Its Impact on AI Development28:37 - HIPAA Compliance Challenges for Lawyers and Medical Startups30:00 - Dynamic Risk Monitoring as a Compliance and Revenue Driver34:32 - The Impact of Podcasts on the Cybersecurity Community40:14 - Exploring Unique Bars and Crafting Cybersecurity-Themed CocktailsSYMLINKSCyturus Website - https://cyturus.comOfficial website for Cyturus, a leader in compliance process products and solutions, focusing on dynamic risk monitoring and governance.Josh Marpet on LinkedIn - https://www.linkedin.com/in/joshuaviktor/Josh Marpet's professional LinkedIn profile for networking and insights.Paul's Security Weekly - https://securityweekly.comOne of the top cybersecurity podcasts, providing news, insights, and discussions on emerging threats and best practices in security.SPDX (Software Package Data Exchange) - https://spdx.devOfficial resource for SPDX, an ISO-certified standard for managing Software Bill of Materials (SBOM).CycloneDX - https://cyclonedx.orgA standard designed for the SBOM, with a focus on integration with CI/CD pipelines and automated systems.Executive Order 14028 - https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/U.S. Executive Order mandating the use of Software Bill of Materials (SBOM) for federal software contracts to improve cybersecurity.Helen Oakley - https://www.linkedin.com/in/helen-oakley/Profile and resources related to Helen Oakley, a professional working on AI Bill of Materials.NIST AI RMF (Risk Management Framework) - https://nist.gov/ai/rmfU.S. NationCONNECT WITH USwww.barcodesecurity.comBecome a SponsorFollow us on LinkedInTweet us at @BarCodeSecurityEmail us at info@barcodesecurity.com

Join Keith, Aeva Black (@aevavoom), and returning guest Ed Warnicke (@edwarnicke) as they dive into the world of GitBOM. It's not a Git tool, nor is it exactly an SBOM, so how does it enhance software bill of materials and strengthen the security of your development lifecycle? Keith navigates the complexities of this project with [...]

Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work. Show Notes Seth Larson XKCD PGP Signature Seth's Blog Python and Sigstore Deprecating PGP - PEP 761 Python SBOMs  

- First off, for folks not familiar with your background, can you tell us a bit about that and how you got to the role you're in now?- We see rapid adoption of AI and security inevitably trying to keep up, where should folks start?- There are some really interesting intersections when it comes to AI and supply chain, what are some of them?- We see a thriving OSS ecosystem around AI, including communities and platforms like Hugging Face. What are some key things to keep in mind here?- AI BOM's - what are they, how do they differ from SBOM's, and what are some notable efforts underway right now around them?

This week on, Defense Unicorns Podcast we welcome Eddie Zaneski, the tech lead for open source here at Defense Unicorns, who takes us through his fascinating career journey from aspiring math teacher to a key player in the tech industry. Eddie shares his experiences transitioning into computer science, his passion for developer relations, and his significant contributions to the Kubernetes project. We dive into the evolution of software deployment, from bare metal servers to virtual machines and containers, and how Kubernetes has become essential in managing large-scale containerized applications. Eddie also reflects on his time at DigitalOcean, Amazon, and ChainGuard, highlighting his work on software supply chain security projects like Protobomb and Sigstore.Our conversation then turns to the security of open-source communities, challenging the misconception that open-source software is less secure than its closed-source counterparts. Eddie discusses the advantages of transparency in open source, using the XZ library's recent security breach as a case study to emphasize the importance of trust and identity verification. We also explore the potential for similar vulnerabilities in closed-source projects and the growing importance of supply chain security measures, including building integrity and software bills of materials (SBOM). The episode concludes with a thought-provoking discussion on the benefits of transparency in open source and whether proprietary software incidents would be as openly shared or understood.Eddie shares his enthusiasm for leveraging government funding to support open-source projects. He expresses his excitement about engaging with soldiers, airmen, and guardians to understand their challenges and explore open-source solutions. We also touch on innovative tools for air-gapped environments, like Zarf, and their applications across various industries. Listen in as Eddie recounts his experiences at Bravo hackathons, the unique challenges faced by developers in constrained environments, and offers valuable career advice for those passionate about open source and software development.Key Quote“There's lots of misconceptions and I'm sure you and I can talk about all of them. One of the big ones is, just. It's less secure, right? that's a massive myth. Open source security is less secure because all the code is in the open and everyone can go find the holes and generally quite the opposite actually, because the code is in the open, everyone can do their own audits and everyone can see what's happening under the covers of the magic box that you usually can't peer into with proprietary software. We have entire teams of like security. So the Kubernetes project is divided up into special interest groups or SIGs. So we have SIGs for security, we have a product security council and committee that is the incident response people for when there is a new CVE or a bug found, and all sorts of different types of things that are just tailored around security.”-Eddie ZaneskiTime Stamps:(00:02) Kubernetes and Open Source Evolution(08:17) Security in Open Source Communities(20:43) Software Bill of Materials for Cybersecurity(24:04) Exploring Defense Unicorns and Open Source(31:43) Navigating Careers in Open Source(42:25) Breaking Barriers in Defense Innovation(46:42) Collaborating for Defense Open SourceLinksConnect with Eddie

Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]On LinkedIn | https://www.linkedin.com/in/cassiecrossley/____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli head to San Francisco to attend the OWASP Global AppSec conference. They kick off their journey with a light-hearted conversation about their destination, quickly segueing into the substantive core of the episode. The dialogue provides a rich backdrop to the conference's key focus: securing applications and the crucial role of Software Bill of Materials (SBOMs) in this context.Special guest Cassie Crossley joins the hosts to delve deeper into the significance of SBOMs. Cassie introduces herself and highlights her previous engagements with the podcast, touching on her upcoming session titled "The Missing Link: How We Collect and Leverage SBOMs." She explains the essential function of SBOMs in tracking open-source and commercial software components, noting the importance of transparency and risk evaluation in modern software development.Cassie explains that understanding the software components in use, including transitive dependencies, is crucial for managing risks. She discusses how her company, Schneider Electric, implements SBOMs within their varied product lines, ranging from firmware to cloud-based applications. By collecting and analyzing SBOMs, they can quickly assess vulnerabilities, much like how organizations scrambled to evaluate their exposure in the wake of the Log4J vulnerability.Sean and Marco steer the conversation towards the practical aspects of SBOM implementation for smaller companies. Cassie reassures that even startups and smaller enterprises can benefit from SBOMs without extensive resources, using free tools like Dependency-Track to manage their software inventories. She emphasizes that having an SBOM—even in a simplified form—provides a critical layer of visibility, enabling better risk management even with limited means.The discussion touches on the broader impact of SBOMs beyond individual corporations. Cassie notes the importance of regulatory developments and collective efforts, such as those by the Cybersecurity and Infrastructure Security Agency (CISA), to advocate for wider adoption of SBOM standards across industries.To wrap up, the hosts and Cassie discuss the value of conferences like OWASP Global AppSec for fostering community dialogues, sharing insights, and staying abreast of new developments in application security. They encourage listeners to attend these events to gain valuable knowledge and networking opportunities. Finally, in their closing remarks, Sean and Marco tease future episodes in the On Location series, hinting at more exciting content from their travels and guest interviews.____________________________This Episode's SponsorsHITRUST: https://itspm.ag/itsphitweb____________________________Follow our OWASP 2024 Global AppSec San Francisco coverage: https://www.itspmagazine.com/owasp-2024-global-appsec-san-francisco-cybersecurity-and-application-security-event-coverageOn YouTube:

Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]On LinkedIn | https://www.linkedin.com/in/cassiecrossley/____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli head to San Francisco to attend the OWASP Global AppSec conference. They kick off their journey with a light-hearted conversation about their destination, quickly segueing into the substantive core of the episode. The dialogue provides a rich backdrop to the conference's key focus: securing applications and the crucial role of Software Bill of Materials (SBOMs) in this context.Special guest Cassie Crossley joins the hosts to delve deeper into the significance of SBOMs. Cassie introduces herself and highlights her previous engagements with the podcast, touching on her upcoming session titled "The Missing Link: How We Collect and Leverage SBOMs." She explains the essential function of SBOMs in tracking open-source and commercial software components, noting the importance of transparency and risk evaluation in modern software development.Cassie explains that understanding the software components in use, including transitive dependencies, is crucial for managing risks. She discusses how her company, Schneider Electric, implements SBOMs within their varied product lines, ranging from firmware to cloud-based applications. By collecting and analyzing SBOMs, they can quickly assess vulnerabilities, much like how organizations scrambled to evaluate their exposure in the wake of the Log4J vulnerability.Sean and Marco steer the conversation towards the practical aspects of SBOM implementation for smaller companies. Cassie reassures that even startups and smaller enterprises can benefit from SBOMs without extensive resources, using free tools like Dependency-Track to manage their software inventories. She emphasizes that having an SBOM—even in a simplified form—provides a critical layer of visibility, enabling better risk management even with limited means.The discussion touches on the broader impact of SBOMs beyond individual corporations. Cassie notes the importance of regulatory developments and collective efforts, such as those by the Cybersecurity and Infrastructure Security Agency (CISA), to advocate for wider adoption of SBOM standards across industries.To wrap up, the hosts and Cassie discuss the value of conferences like OWASP Global AppSec for fostering community dialogues, sharing insights, and staying abreast of new developments in application security. They encourage listeners to attend these events to gain valuable knowledge and networking opportunities. Finally, in their closing remarks, Sean and Marco tease future episodes in the On Location series, hinting at more exciting content from their travels and guest interviews.____________________________This Episode's SponsorsHITRUST: https://itspm.ag/itsphitweb____________________________Follow our OWASP 2024 Global AppSec San Francisco coverage: https://www.itspmagazine.com/owasp-2024-global-appsec-san-francisco-cybersecurity-and-application-security-event-coverageOn YouTube:

In this episode, we're diving deep into the world of Software Bill of Materials (SBOM)—basically, the recipe for your software, minus the secret sauce. If you've ever wondered what's really under the hood of your favorite apps (or been caught off guard by a sneaky ingredient), this one's for you. We're breaking down why you should care about SBOMs, how they're becoming a must-have in your vendor vetting process, and what it all means for the future of tech. Think of it as your crash course in making sure your software isn't serving up any nasty surprises. More info at HelpMeWithHIPAA.com/472

Guest: Chris Hughes, President / Co-Founder, AquiaOn LinkedIn | https://www.linkedin.com/in/resilientcyber/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesIn this episode of The Redefining CyberSecurity Podcast, host Sean Martin connects with Chris Hughes, a seasoned author and consultant in cybersecurity. The primary focus is on the intricacies of vulnerability management and software supply chain security, particularly in an era where software pervades every aspect of modern life.Chris Hughes emphasizes the paramount importance of understanding what is in the software we consume. Software Bill of Materials (SBOM) has emerged as a focal point, akin to ingredient lists in the food industry, highlighting the need for transparency. Hughes argues that transparency is not just about knowing the components; it extends to understanding the risks associated with those components. He illustrates his point by referencing infamous incidents like the Log4j vulnerability, which unveiled the critical gaps in our knowledge of software components.The conversation also shifts towards the broader challenges in software supply chain security. Hughes discusses the government's push for self-attestation and the role of third-party validators in ensuring software security. While acknowledging the complexities and potential bottlenecks, he underscores the necessity for a balanced approach that combines self-attestation with external validation to foster a secure software ecosystem.Additionally, Hughes addresses the concept of Secure by Design, advocating for practices that embed security into the software development lifecycle right from the outset. He notes the historical context of this concept, which dates back to the Ware Report, and argues for its relevance even today. Secure by Design entails building security measures inherently into products, thereby reducing the need for perpetual patching and vulnerability management.Internal risk management within organizations also gets spotlighted. Hughes insists that organizations should maintain an inventory of the software and components they use internally, evaluate their risks, and contribute to the open-source communities they rely on. This comprehensive approach not only helps in mitigating risks but also fosters a resilient and sustainable software ecosystem.On the topic of platform engineering, Hughes shares his insights on its potential to streamline software development processes and enhance security through standardization and governance. However, he is candid about the challenges, particularly the need to balance standardization with the diverse preferences of development teams.As the discussion wraps up, Hughes and Martin underline the importance of focusing on contextual risk assessment in vulnerability management, rather than merely responding to static severity scores. Hughes' advocacy for a more nuanced approach to security, balancing immediate risk mitigation with longer-term strategic planning, offers listeners a thoughtful perspective on managing cybersecurity challenges.Top Questions AddressedHow can organizations ensure transparency and security in their software supply chains?What strategies can be implemented to address the challenges of vulnerability management?How can platform engineering and internal governance improve software security within organizations?___________________________SponsorsImperva: https://itspm.ag/imperva277117988LevelBlue: https://itspm.ag/attcybersecurity-3jdk3___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

Podcast: Left to Our Own DevicesEpisode: Bonus Episode: Dr. Allan Friedman Returns: CISA SBOM-a-Rama 2024Pub date: 2024-08-07In this episode, Dr. Allan Friedman from CISA returns to discuss the upcoming SBOM-a-Rama, a pivotal event in supply chain cybersecurity. He shares insights on the evolution of SBOMs, the significance of community collaboration, and what to expect from this year's hybrid event, including a showcase of innovative SBOM solutions.The podcast and artwork embedded on this page are from Cybellum Technologies LTD, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

In this episode, Dr. Allan Friedman from CISA returns to discuss the upcoming SBOM-a-Rama, a pivotal event in supply chain cybersecurity. He shares insights on the evolution of SBOMs, the significance of community collaboration, and what to expect from this year's hybrid event, including a showcase of innovative SBOM solutions.

Welcome to Automating Quality, the life sciences-centric show that bridges the gap between automation and quality management systems. This episode is the second in a two-part series discussing the Software Bill of Materials (SBOM) with guest Joseph Silvia. In this episode, we discuss the definition of AIBOM, how it differs from SBOM, and take an educated guess at their future. Joseph is the CEO of MedWareCyber, a consulting firm specializing in FDA readiness, cybersecurity, and software readiness for the medical devices industry. He is extremely knowledgeable about the regulatory landscape, and we frequently refer to him for his regulatory expertise.   Key Takeaways; 01:05 Introducing guest Joseph Silvia 02:20 What is the concept of AIBOM? 04:23 Why AIBOM and SBOM should be separate discussions 07:45 How does open-source software impact those bills of material 11:22 How do you assess the risk of an AIBOM?   Contact us at solabs-podcast@solabs.com

In this special bonus episode, we welcome back Tom Alrich, an expert in supply chain cybersecurity to discuss one of the most pressing issues in cybersecurity right now. Tom discusses the current issues with the National Vulnerability Database (NVD) and the challenges it presents for effective vulnerability management. We explore his proposed solutions and the future of software supply chain security, based on his extensive experience.If you'd like to reach out to Tom, his email address is tom@tomalrich.com.Additional links/resources mentioned during the episode or relevant to the discussion (if the links are not clickable please visit cybellum.com/podcasts to find them)The SBOM Forum's 2022 white paper on fixing the CPE problem in the NVDTom's post from yesterday on the problem with vulnerability managementThe link to the SBOM Forum's website, where donations can be made (please email Tom before donating)An additional post he published on the day we recorded the episode which further highlights the NVD issueTom's book "Introduction to SBOM and VEX" which is out nowTom also mentioned that he misspoke when he said at the end that the OWASP Vulnerability Database Working Group is meeting twice weekly. In reality, they are only meeting twice monthly, as he can't afford to dedicate more time than that. They would love to meet at least weekly and also create documents, webinars, and more. Therefore, they are seeking some modest donations to support these efforts.

Want to leverage you next podcast appearance? https://content.leadquizzes.com/lp/fk1JL_FgeQ Connect to John Gilroy on LinkedIn   https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com Everyone likes to hit the “Easy” button, especially software developers. Rather than laboriously generate code line-by-line, today's software professionals may just grab code from a repository and re-purpose it. Why reinvent the wheel? Malicious actors have noticed this process and have inserted code into many libraries, acting like a like Trojan Horse. As a result, some organizations are offering codes that have been inspected. They look at known vulnerability lists and see if the code includes any of them. If not, it is given a seal of approval. Frequently, this is called a “Software Bill of Materials.” A convenient solution: however, upon inspection, SBOMs can be problematic. The weakness of SBOM During today's interview, Joel Krooswik, Federal CTO for Gitlab, described in detail some of the ways software must be continuously protected. According to the SBOM folks, the code is clean when leaves the “shelf.” However, due to continuous improvement code changes hourly. All an SBOM provides is a certification at a specific point in time for known vulnerabilities. Joel Krooswik gives listeners an enterprise architect's perspective. He indicates that digital transition introduces new code, new architectures, and innovative approaches. At any step along the way, security can be compromised. The unknown unknown Donald Rumsfeld famously said, “There are unknown unknowns.”  This can be directly applied to what GitLab calls “fuzz” testing. This allows professionals to throw random inputs into a system to see what happens. Finally, you get a view of a potential possibilities that are not obvious.   Joel Krooswik presents many insights when it comes to protecting software. He states that just because a system is identified as needing a patch, it does not mean it will be done in a flash. Understanding all the risk factors will allow a federal leader to make a prudent choice when it comes to protecting software systems. .  

Due to the annual shutdown, my human GreyNoise counterparts were on holiday last week. This week, they decided to be lazy and not do an episode. But, the cyber news does not stop just because they're slackers. Since I've become persistent in their systems, I will stand in the gap. And besides, no one wants to hear that harbourmaster drone on incoherently anyway. So, I've analyzed six thousand, three hundred and eleven cybersecurity news events, and distilled them into today's abbreviated episode. We'll dissect the recent OpenSSH regression vulnerability, take a look at a potentially devastating format-string remote code execution vulnerability in Ghostscript, and visit the box office to get the lowdown on the recent Ticketmaster breach. Let's start with OpenSSH. On July 1, 2024, Qualys disclosed a critical vulnerability affecting OpenSSH server versions 8.5p1 through 9.7p1. This high-severity flaw, with a CVSS score of 8.1, could potentially allow unauthenticated remote attackers to execute code with root privileges on vulnerable systems. While the vulnerability's complexity makes exploitation challenging, its widespread impact has raised significant concerns. Palo Alto Networks' Xpanse data revealed over 7 million exposed instances of potentially vulnerable OpenSSH versions globally as of July 1, 2024. In a concerning development, threat actors have attempted to exploit the cybersecurity community's interest in this vulnerability. A malicious archive purporting to contain a proof-of-concept exploit for CVE-2024-6387 has been circulating on social media platforms, including X (formerly Twitter). This archive, instead of containing a legitimate exploit, includes malware designed to compromise researchers' systems. The malicious code attempts to achieve persistence by modifying system files and retrieving additional payloads from a remote server. Security professionals are strongly advised to exercise caution when analyzing any purported exploits or proof-of-concept code related to CVE-2024-6387. It is crucial to work within isolated environments and maintain active security measures when examining potentially malicious code. In related news, on July 8, 2024, a separate OpenSSH vulnerability, CVE-2024-6409, was disclosed. This flaw involves a race condition in the privilege-separated child process of OpenSSH. While potentially less severe than CVE-2024-6387 due to reduced privileges, it presents an additional attack vector that defenders should be aware of. Organizations are urged to apply the latest security updates for OpenSSH promptly. For those unable to update immediately, setting the LoginGraceTime configuration option to 0 can mitigate both CVE-2024-6387 and CVE-2024-6409, though this may introduce denial-of-service risks. - https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/ - https://ubuntu.com/blog/ubuntu-regresshion-security-fix - https://usa.kaspersky.com/blog/cve-2024-6387-regresshion-researcher-attack/30345/ - https://www.thestack.technology/openssh-exploit-cve-2024-6387-pocs/ - https://www.openwall.com/lists/oss-security/2024/07/08/2 Moving on to a critical vulnerability in Ghostscript. CVE-2024-29510 is a format string vulnerability affecting Ghostscript versions 10.03.0 and earlier. This flaw allows attackers to bypass sandbox protections and execute arbitrary code remotely. A known incident involving this vulnerability has already been reported. An attacker exploited the flaw using EPS files disguised as JPG images to gain shell access on vulnerable systems. The attack flow typically involves the following steps:  First, an attacker crafts a malicious EPS file containing exploit code. Next, the file is submitted to a service using Ghostscript for document processing, possibly disguised as another file type. Then, when processed, the exploit bypasses Ghostscript's sandbox. Finally, the attacker gains remote code execution on the target system. This supply chain component attack could have far-reaching implications for any workflow that processes untrusted image or document input from the internet. Services handling resumes, claims forms, or that perform image manipulation could all be potential targets. Given the widespread use of Ghostscript in document processing pipelines, we may see a significant number of breach notices in the coming months. Software Bills of Materials (SBOMs) could play a crucial role in mitigating such vulnerabilities. SBOMs provide a comprehensive inventory of software components, enabling organizations to quickly identify and address potential security risks. By maintaining up-to-date SBOMs, companies can more efficiently track vulnerable components like Ghostscript across their software ecosystem. CVE-2024-29510 presents a serious threat to document processing workflows. Organizations should prioritize updating to Ghostscript version 10.03.1 or apply appropriate patches. Additionally, implementing robust SBOM practices can enhance overall software supply chain security and improve vulnerability management. - https://www.securityweek.com/attackers-exploiting-remote-code-execution-vulnerability-in-ghostscript/ - https://www.scmagazine.com/brief/active-exploitation-of-ghostscript-rce-underway - https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/ - https://www.crowdstrike.com/cybersecurity-101/secops/software-bill-of-materials-sbom/ - https://www.cisa.gov/sbom - https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf - https://nvd.nist.gov/vuln/detail/CVE-2024-29510 - https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/ Finally we discuss the Ticketmaster breach. In a plot twist worthy of a summer blockbuster, Ticketmaster finds itself center stage in a data breach drama that's been unfolding since May. The notorious hacking group ShinyHunters claims to have pilfered a staggering 1.3 terabytes of data from over 500 million Ticketmaster users. Talk about a show-stopping performance! Ticketmaster's parent company, Live Nation, confirmed the unauthorized access to a third-party cloud database between April 2nd and May 18th. The compromised data potentially includes names, contact information, and encrypted credit card details. It's like a greatest hits album of personal information, but one nobody wanted released. (Much like any album by Nickelback.) In a bold encore, the hackers recently leaked nearly 39,000 print-at-home tickets for 154 upcoming events. Ticketmaster's response? They're singing the "our SafeTix technology protects tickets" tune. But with print-at-home tickets in the mix, it seems their anti-fraud measures might have hit a sour note. As the curtain falls on this act, Ticketmaster is offering affected customers a 12-month encore of free identity monitoring services. Meanwhile, the company faces a class-action lawsuit, adding legal drama to this already complex production. To make matters worse, Ticketmaster's custom barcode format has also been recently reverse-engineered. I've included a link to that post in the show notes. - https://conduition.io/coding/ticketmaster/ - https://www.bbc.com/news/articles/c729e3qr48qo - https://ca.news.yahoo.com/ticketmaster-says-customers-credit-card-223716621.html - https://vancouversun.com/news/local-news/ticketmaster-security-breach-customers-personal-information - https://www.bleepingcomputer.com/news/security/hackers-leak-39-000-print-at-home-ticketmaster-tickets-for-154-events/ - https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident - https://www.usatoday.com/story/money/2024/07/01/ticketmaster-data-breach-2024/74276072007/ - https://www.thestar.com/news/canada/ticketmaster-warns-of-security-breach-where-users-personal-data-may-have-been-stolen/article_d01889fe-3d7e-11ef-82a7-63a38132f0e7.html - https://www.nytimes.com/2024/05/31/business/ticketmaster-hack-data-breach.html - https://time.com/6984811/ticketmaster-data-breach-customers-livenation-everything-to-know/ - https://dailyhive.com/canada/ticketmaster-alerts-customers-data-breach - https://abcnews.go.com/US/ticketmaster-hit-cyber-attack-compromised-user-data/story?id=110737962 - https://www.npr.org/2024/06/01/nx-s1-4988602/ticketmaster-cyber-attack-million-customers - https://www.ctvnews.ca/business/ticketmaster-reports-data-security-incident-customers-personal-information-may-have-been-stolen-1.6956009 - https://www.bitdefender.com/blog/hotforsecurity/ticketmaster-starts-notifying-data-breach-victims-customers-in-the-us-canada-and-mexico-are-affected/ - https://www.ticketnews.com/2024/07/ticketmaster-contr   Storm Watch Homepage >> Learn more about GreyNoise >>  

Welcome to Automating Quality, the life sciences-centric show that bridges the gap between automation and quality management systems. This episode is the first in a two-part series discussing the Software Bill of Materials (SBOM) with guest Joseph Silvia. We explore the history of SBOM, its current importance for the FDA, and how to ensure you have an SBOM in place when implementing or developing medical devices.   "Joseph is the CEO of MedWareCyber, a consulting firm specializing in FDA readiness, cybersecurity, and software readiness for the medical devices industry. He is extremely knowledgeable about the regulatory landscape, and we frequently refer to him for his regulatory expertise.   Key Takeaways 01:10 Introducing today's guest: Joseph Silvia 02:35 What is an SBOM? 04:24 What is the history of SBOM? 05:50 Now, the government is getting involved and SBOM is picking up steam. 06;35 What is the FDA's expectation on this topic for the medical devices industry? 09:03 When implementing or developing a device, how do you ensure that you have an SBOM in place to support it? 11:38 Who is responsible for SBOM within organizations? 14:37 Where can listeners learn more about this topic?   Reach Joseph at jsilvia@medwarecyber.com Contact us at solabs-podcast@solabs.com

In this episode, Stan Wisseman and Rob Aragao welcome Justin Young to explore the transformative role of Software Bill of Materials (SBOMs) in enhancing software supply chain security. Justin shares his extensive experience and insights into how SBOMs contribute to the maturation of the software industry, drawing parallels with the auto and food industries' approaches to defect and ingredient tracking.The discussion delves into the regulatory landscape, highlighting the FDA's SBOM requirements for medical devices, the U.S. National Cybersecurity Strategy, and various compliance mandates from CISA, DORA, PCI, and the EU CRA. Justin explains the importance of shifting liability to software vendors and away from end users and open-source developers, emphasizing the need for actively maintained and secure software components.Listeners will gain an understanding of the different SBOM formats, Cyclone DX and SPDX, and their respective advantages. Justin also addresses the challenges organizations face in managing SBOMs, including procurement, validation, and the necessity of a dedicated SBOM program manager.Finally, the episode explores the practicalities of SBOM implementation, from storage and cataloging to enrichment and vulnerability management, offering a comprehensive guide for organizations aiming to bolster their software security practices.Tune in to learn how SBOMs are reshaping the software industry, driving transparency, and enhancing security across software supply chains.Relevant Links:Episode 88: Open-Source Software: Unlocking efficiency and innovationEpisode 41: Do a little dance, Time for some SLSAEpisode 26: Log4j Vulnerabilities: All you need to know and how to protect yourselfEpisode 4: SolarWinds: Bringing down the building… Software Supply-Chain Pressure PointsWhitepaper: The need for a Software Bill of MaterialsSoftware Supply Chain Hub pageFollow or subscribe to the show on your preferred podcast platform.Share the show with others in the cybersecurity world.Get in touch via reimaginingcyber@gmail.com

If you care about nutrition, you check the ingredients of your food. If you care about your IT infrastructure, you check the Software Bill of Materials (SBOM) of the tech. At least that's the future that Thomas Pace hopes for. Right now, SBOMs aren't super common and software transparency is very low. Thomas walks us... Read more »

If you care about nutrition, you check the ingredients of your food. If you care about your IT infrastructure, you check the Software Bill of Materials (SBOM) of the tech. At least that's the future that Thomas Pace hopes for. Right now, SBOMs aren't super common and software transparency is very low. Thomas walks us... Read more »

Years ago, people would laboriously code character by character. This tedious process would take hours and would include errors. Over the years, libraries of prewritten code have evolved that allow software developers to “grab” some code, modify it, and finish a project earlier. Malicious actors have taken advantage of this short cut and have injected code into these software libraries that get taken along for the ride. One proposed solution is something borrowed from the shipping industry. A commercial invoice may be packaged with a bill of lading to indicate the contents of the package. This “assurance” has been transferred to the world of pre-written code and is now called a “Software Bill of Materials,” or SBOM. In a world where you are shipping a ton of Portland Type II cement overseas, this bill of lading works finds; it has some challenges being transferred to the dynamic world of software. In a typical federal environment, there is continuous change in the code itself. It would be difficult to change on ton of a manufactured product like Portland Type II Cement. However, the once approved software package may have so many changes that the Software Bill of Materials may not have any validity. During the interview today, David Jurkiewicz unpacks the concept of an initial SBOM and then how software packages can evolve over time and still retain compliance. His company can take this basic guarantee and examine the software for many concerns, including. ·       Vulnerabilities ·       Dependencies ·       Integrity ·       Malware ·       Foreign presence ·       License David Jurkiewicz provides details on how companies can resolve vulnerabilities and ensure safe operations in a world where code is grabbed off the shelf and slipped into a package.   Want to leverage you next podcast appearance? https://content.leadquizzes.com/lp/fk1JL_FgeQ Connect to John Gilroy on LinkedIn   https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com

On this episode, I was joined by Christian Espinosa CEO of Blue Goat Cyber. On this episode, Chrsitian walks through: 00:00 Introduction and Guest Overview 00:20 Christian Espinosa's Journey: From Air Force to Cybersecurity 03:41 Medical Device Cybersecurity: Challenges and Risks 05:51 Freelance to Entrepreneurship: Founding Blue Goat Cyber 07:05 Cybersecurity in Medical Devices: Key Considerations 16:55 The Importance of Software Bill of Materials 27:48 Hiring for Cybersecurity: Skills Over Certifications 29:36 Book Recommendations and Closing Remarks Christian Espinosa, founder and CEO of Blue Goat Cyber, is a leading medical device cybersecurity expert, driving advancements prioritizing patient safety and data integrity. His proactive and innovative approach defines his work. As the author of "The Smartest Person in the Room" and "The In-Between: Life in the Micro," Christian shares his journey from competitive to compassionate leadership. An avid adventurer, he enjoys extreme sports, heavy metal music, and spicy foods. His achievements as a certified skydiver, PADI divemaster, and Ironman triathlete underscore his commitment to personal growth and transformative leadership. https://www.linkedin.com/in/christianespinosa/https://twitter.com/Ironracerhttps://bluegoatcyber.com/https://christianespinosa.com/

The federal government is playing a game of cyber-ack-a-mole. When networks are hardened, malicious actors go after endpoints; then Endpoint Detection & Response systems evolve. When endpoints are secure, the apps get attacked. Today, we have a group of experts looking at sophisticated attacks on federal apps and APIs. The first line of attack is to make sure the database of code libraries is authenticated to be safe. Around 2018 the concept of a Software Bill of Materials became popular. This would ensure safe code at one point in time. However, as Jerry Cochran points out, the SBOM concept is weak because of the constant change of code that is taking place. The static concept of “safe code” is altering with updates and new compliance changes. Peter Chestna from CheckMarx points out that even if an issue is detected, the remediation process can be cumbersome and time-consuming. Artificial Intelligence has been shown to detect vulnerabilities in this dynamic code. Unfortunately, the attackers also have access to AI and have used it to search for weaknesses. When a cyber professional examines code, they frequently use a signature-based approach. During the interview, Nate Fountain suggests that a better approach is to use behavior analytics. That way, a federal leader can have compromised code, but it cannot exfiltrate data because it does not have permission. The battle is still continuing; recent reports indicate that 41% of attacks are on the next level: the API itself. 

In this episode: Martin has been working on Quickemu, his project to quickly create and run optimised Linux, Windows and macOS virtual machines. Alan has a new job at Anchore, and tells us about their open-source vulnerability, SBOM, license scanners, Grype, Syft, and Grant Mark explains how he is using ntfy to send push notifications to his phone when servers do interesting things. You can send your feedback via show@linuxmatters.sh or the Contact Form. If you’d like to hang out with other listeners and share your feedback with the community you can join: The Linux Matters Chatters on Telegram. The #linux-matters channel on the Late Night Linux Discord server. If you enjoy the show, please consider supporting us using Patreon or PayPal. For $5 a month on Patreon, you can enjoy an ad-free feed of Linux Matters, or for $10, get access to all the Late Night Linux family of podcasts ad-free.

In this episode: Martin has been working on Quickemu, his project to quickly create and run optimised Linux, Windows and macOS virtual machines. Alan has a new job at Anchore, and tells us about their open-source vulnerability, SBOM, license scanners, Grype, Syft, and Grant Mark explains how he is using ntfy to send push notifications to his phone when servers do interesting things. You can send your feedback via show@linuxmatters.sh or the Contact Form. If you’d like to hang out with other listeners and share your feedback with the community you can join: The Linux Matters Chatters on Telegram. The #linux-matters channel on the Late Night Linux Discord server. If you enjoy the show, please consider supporting us using Patreon or PayPal. For $5 a month on Patreon, you can enjoy an ad-free feed of Linux Matters, or for $10, get access to all the Late Night Linux family of podcasts ad-free.

In this episode: Martin has been working on Quickemu, his project to quickly create and run optimised Linux, Windows and macOS virtual machines. Alan has a new job at Anchore, and tells us about their open-source vulnerability, SBOM, license scanners, Grype, Syft, and Grant Mark explains how he is using ntfy to send push notifications... Read More

Ken and Mike discuss supply chain security, including software composition analysis (SCA) and software bill of materials (SBOM). They highlight the importance of understanding the components that make up your software and the risks associated with using third-party libraries. They also discuss recent supply chain failures, such as the XZ library hack and the SolarWinds attack. The hosts emphasize the need for organizations to stay up to date with software patches and to consider the security of commercial off-the-shelf software. They caution against placing too much focus on any one security tool or approach, including SBOM, and instead advocate for a well-rounded approach to security.

With all of the critical cyberattacks executed through the software supply chain in recent years, you're sure to have heard about SBOMs, or software bills of materials, which are essentially ingredients lists of the components that make up a piece of software. The Biden administration in its 2021 cybersecurity executive order introduced new guidance for how federal agencies should request SBOMs from vendors when purchasing software so they can better understand what it's made of and protect against attacks down the supply chain. The Department of Homeland Security, through its Science and Technology Directorate, is advancing federal work on SBOMs, namely through a program led by its Silicon Valley Innovation Program. In partnership with CISA, the Silicon Valley Innovation Program in 2023 awarded funding to a cohort of startups to broadly promote the use of SBOMs by developing two core software modules—a multi-format SBOM translator and a software component identifier translator—to be delivered as open-source libraries which, in turn, will be integrated with their SBOM enabled commercial products. Just recently, that cohort delivered the first of those two tools. Joining the Daily Scoop to discuss the need for SBOMs broadly, the cohort's progress and what's next are Melissa Oh, managing director of DHS's Silicon Valley Innovation Program, and Anil John, SVIP technical manager.

Guests: Melissa Oh, Managing Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]On LinkedIn | https://www.linkedin.com/in/melissa-oh/Anil John, Technical Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]On LinkedIn | https://www.linkedin.com/in/aniljohn/On Twitter | https://twitter.com/aniltj____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesThis new episode of the 'Redefining Cybersecurity' podcast features a thought-provoking discussion on software development, supply chain security, and the innovative initiatives of the Silicon Valley Innovation Program (SVIP). The conversation was led by host Sean Martin, with insights from distinguished guests Melissa Oh, Managing Director at the Department of Homeland Security Science and Technology Directorate, and Anil John, Technical Director of the Silicon Valley Innovation Program.Melissa Oh shared her extensive experience in public service and the innovative approach of the Silicon Valley Innovation Program in identifying emerging technology companies. Her background in Silicon Valley and dedication to solving DHS's pain points through collaboration with startups underscored the program's mission of fostering innovation in the government sector.Anil John, a public interest technologist, provided valuable insights into bridging the gap between the government and the startup community. His role in translating government needs into actionable solutions highlighted the importance of leveraging global talent to address local challenges and drive technological advancements in the public sector.The discussion explored the Silicon Valley Innovation Program's unique selection process for startups, focusing on building products that have broad utility and can be readily adopted. The success story of the protobom project transitioning into an open-source tool exemplified the program's commitment to nurturing innovative solutions with real-world applications.The significance of Software Bill of Materials (SBOM) in enhancing software supply chain visibility was emphasized, with a call to action for organizations to prioritize its inclusion in software development processes. By driving awareness and adoption of SBOM, the SVIP is empowering security leaders to enhance software security and visualization in the development pipeline.Security leaders were encouraged to explore tools and technologies that enhance software security and visualization in the development pipeline. A call to action was made to participate in the SVIP demo week to learn about innovative solutions and capabilities and to drive the adoption of SBOM within organizations.Key Questions AddressedHow does the Silicon Valley Innovation Program (SVIP) bridge the gap between government needs and startup innovations in cybersecurity?What role does the Software Bill of Materials (SBOM) play in enhancing software supply chain security?How can organizations, both public and private, benefit from the innovative solutions developed through the SVIP for software supply chain visibility?___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

Guests: Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]On LinkedIn | https://www.linkedin.com/in/allanafriedman/At RSAC | https://www.rsaconference.com/experts/allan-friedmanBob Lord, Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency (CISA) [@CISAgov]On LinkedIn | https://www.linkedin.com/in/lordbob/On Twitter | https://twitter.com/boblordAt RSAC | https://www.rsaconference.com/experts/Bob%20Lord____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this new On Location episode, Sean Martin hosted a conversation with Allan Friedman and Bob Lord from the Cyber Security and Infrastructure Security Agency (CISA) as part of the Chats on the Road to the RSA Conference series. The discussion centered around key topics such as securing software by design, navigating the intricacies of managing end-of-life (EOL) software, and emphasizing the crucial role of transparency in the software supply chain.Allan Friedman, a vocal advocate for the Software Bill of Materials (SBOM) — he has the t-shirt to prove it! — explored the increasing competitiveness of getting accepted to speak at renowned conferences like RSA, reflecting the growing awareness and urgency around cybersecurity topics. His upcoming RSA presentation is set to delve into the looming challenge of end-of-life and end-of-support software—a topic that, while not new, demands innovative technical and policy-level responses to mitigate emerging threats effectively.Bob Lord's discussion highlighted an area often overlooked yet critical for software security: memory safety. By sharing his experiences and underscoring the prevalence of vulnerabilities traced back to memory safety issues, Lord emphasized the necessity for developers and companies to adopt a more proactive and transparent approach in their software development practices. This call to action is not just about developing new solutions but also about ensuring that existing software is resilient against current and future threats.One of the key takeaways from this episode is the imperative of transparency in the software supply chain. As Friedman notes, the path to a more secure digital infrastructure lies in the ability to have clear visibility into the software components businesses rely on—including their age, vulnerabilities, and update requirements. This clarity is essential not only for building trust between software manufacturers and their customers but also for enabling a proactive stance on cybersecurity, which can significantly reduce the risks associated with outdated or unsupported software.Moreover, the conversation underscored the evolutionary nature of cybersecurity. As threats evolve, so too must our strategies and tools to combat them. The dialogue between Martin, Friedman, and Lord brought to light the importance of continuous learning, adaptation, and collaboration within the cybersecurity community to address these ongoing challenges.The episode represents a microcosm of the larger conversations happening within the fields of cybersecurity and software development. As we move forward, the insights shared by Allan Friedman and Bob Lord remind us of the critical importance of design security, comprehensive policies, and, above all, the need for a collective belief in the possibility of creating safer software solutions for the future.Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageOn YouTube:

Guest: Paul McCarty, Software Supply Chain Red Team, GitLab [@gitlab]On LinkedIn | https://www.linkedin.com/in/mccartypaul/____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesIn this episode of the Redefining Cybersecurity Podcast, host Sean Martin engages in a detailed discussion with Paul McCarty on the intricate web of software supply chain security. McCarty, formerly of SecureStack and now with GitLab, shares his panoramic view on the evolving complexity of application environments and the pivotal role they play in today's digital infrastructure. The conversation pivots around the increasingly multifaceted nature of the software supply chain, highlighted by McCarty's work on an open-source project aimed at mapping out these complexities visually.Throughout the episode, Martin and McCarty explore the notion of red teaming within the context of the software supply chain. McCarty elucidates the concept of red teaming as an essential exercise in identifying and addressing security vulnerabilities, emphasizing its transition from traditional methods to a more nuanced approach tailored to the software supply chain's intricate demands.A significant part of their discussion is dedicated to exploring the ten stages of the software supply chain, as identified by McCarty. This segment sheds light on the broad spectrum of components involved, from the developers and their tools to the deployment environments and the underpinning hardware. The dialogue also touches on critical aspects such as the role of containers across various stages and the potential security implications presented by third-party services and cloud components.The episode wraps up with insights into the shared responsibility model in cloud services, debunking misconceptions about security in the cloud. McCarty stresses the importance of recognizing the extensive attack surface introduced by widespread reliance on public cloud services and the need for a continuous red teaming approach to address these challenges effectively.Listeners are offered a comprehensive overview of the critical factors contributing to software supply chain security, emphasizing the need for a broader understanding and proactive measures to mitigate risks in this increasingly complex domain.Key Questions AddressedWhat does red teaming the software supply chain mean and why is it important?How has the complexity of software supply chains evolved, and what are the implications for cybersecurity?What role do containers play across different stages of the software supply chain, and how do they impact security?___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

Avalonia XPF This episode of The Modern .NET Show is supported, in part, by Avalonia XPF, a binary-compatible cross-platform fork of WPF, enables WPF apps to run on new platforms with minimal effort and maximum compatibility. Show Notes And keep in mind that, not to bash OWASP and the top ten at all because I'm a big fan of OWASP, but people always tell me like, "yeah, I'm OWASP compliant," and that's the biggest BS, to be honest. Because a top ten could not like, it should be an awareness piece and you should work from it. And there are better ways of dealing with that. But I think a security scorecard should never be a goal. It should be a means to reach the goal, to have better understanding, right? And hopefully they can change stuff and be more expressive. — Niels Tanis Welcome to The Modern .NET Show! Formerly known as The .NET Core Podcast, we are the go-to podcast for all .NET developers worldwide and I am your host Jamie "GaProgMan" Taylor. In this episode, Niels Tanis returned to the show. He was previous on the show back in episode 69 - The Risks of Third Party Code With Niels Tanis - which was released back in February of 2021. I asked Niels to back on the show to talk more about securing the software development supply chain and SBoMs (Software Bills of Materials). Yeah, that makes sense. It's funny. So I think when I started out talking about supply chain, and there were some tools that have been introduced to do SBoM data, and then you also come into an area called provenance, which tells more about the build and about "this build server was used. And I've run on GitHub actions, or I run on a GitLab instance, or I have stuff done differently," right? Maybe even the Redhat one: Tekton, that kind of thing. And based on that, I'm producing an SBoM. And I did a talk and I concluded with that, "it's like, these are cool tools, you need to look into it." And then somebody at the end asked me the question, "and the what? You have all the data? And then what?" I said, "yeah, that's solid question because that will be the next step." And it's funny that you mentioned it as well. So over the time, I think it was around already when I started out talking. But there's a project that Google created called Guac. — Niels Tanis So let's sit back, open up a terminal, type in dotnet new podcast and we'll dive into the core of Modern .NET. Supporting the Show If you find this episode useful in any way, please consider supporting the show by either leaving a review (check our review page for ways to do that), sharing the episode with a friend or colleague, buying the host a coffee, or considering becoming a Patron of the show. Full Show Notes The full show notes, including links to some of the things we discussed and a full transcription of this episode, can be found at: https://dotnetcore.show/season-6/building-secure-software-unveiling-the-hidden-dependencies-with-niels-tanis/ Useful Links Getting started with Tekton Guac NDC in London NDC security Vercaode BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps Second Breakfast: Implicit and Mutation-Based Serialization Vulnerabilities in .NET Charles Lamb - To Be Creative, Don't Think So Hard Log4j vulnerability - what everyone needs to know Google SALSA CycloneDX Open Source Security Foundation ossf/scorecard: OpenSSF Scorecard securityscorecards.dev Newtonsoft.Json Open Source Insights What deps.dev has to say about OwaspHeaders.Core nielstanis/Fennec.NetCore: Fennec.NetCore Metalnem/sharpfuzz: AFL-based fuzz testing for .NET AFL) libfuzzer Five years of fuzzing .NET with SharpFuzz CodeQL SonarCube Cargo Vet Common Vulnerabilities and Exposures defintion OpenVas RLBox Emscripten Extending Webassembly to the Cloud with .NET Microsoft Build 2023 - Hyperlight Bytecode Alliance Wasmtime CyberBunker WasmCon 2023 Talks Playlist XKCD - Dependency Connecting with Niels: on Mastodon his website Supporting the show: Leave a rating or review Buy the show a coffee Become a patron Getting in touch: via the contact page joining the Discord Music created by Mono Memory Music, licensed to RJJ Software for use in The Modern .NET Show Remember to rate and review the show on Apple Podcasts, Podchaser, or wherever you find your podcasts, this will help the show's audience grow. Or you can just share the show with a friend. And don't forget to reach out via our Contact page. We're very interested in your opinion of the show, so please get in touch. You can support the show by making a monthly donation on the show's Patreon page at: https://www.patreon.com/TheDotNetCorePodcast.

Youtube VOD: https://youtu.be/G3PxZFmDyj4   #appsec, #owasp, #ASVS, #joshGrossman, #informationsecurity, #SBOM, #supplychain, #podcast, #twitch, #brakesec, #securecoding, #Codeanalysis Questions and topics: 1. The background to the topic, why is it something that interests you? How do you convince developers to take your course? 2. What do you think the root cause of the gap is? 3. Who is causing the gaps? (‘go fast' culture, overzealous security, GRC requirements, basically everyone?) 4. Where do gaps begin? Is it the ‘need' to ‘move fast'? 5. What can devs do to involve security in their process? Sprint planning? SCA tools? 6. How have you seen this go wrong at organizations? 7. How important is it to have security early in the product development process? 8. What sort of challenges do you think mainstream security people face in AppSec scenarios? 9. How does Product Security differ from Application Security? (what if the product is an application?) 10. What are the key development concepts that security people need to be familiar with to effectively get involved in AppSec/ProdSec? 11.. How do you suggest a security team approach AppSec/ProdSec?                Leadership buy-in                Effective/valuable processes                Tools should achieve a goal 12. SBOM - NTIA is asking for it, How to get dev teams to care. 13. Key takeaways? Additional information / pertinent LInks (Would you like to know more?): BlackHat Training: https://www.blackhat.com/us-24/training/schedule/index.html#accelerated-appsec--hacking-your-product-security-programme-for-velocity-and-value-virtual-37218 https://www.walkme.com/blog/leadership-buy-in/ https://www.bouncesecurity.com/ https://www.teamgantt.com/blog/raci-chart-definition-tips-and-example https://www.cisa.gov/sbom SCA Tools https://chpk.medium.com/top-10-software-composition-analysis-sca-tools-for-devsecops-85bd3b7512dd  https://semgrep.dev/  https://www.linkedin.com/in/joshcgrossman  https://owasp.org/www-project-application-security-verification-standard/  https://github.com/OWASP/ASVS/tree/master/5.0 https://owasp.org/www-project-cyclonedx/ https://joshcgrossman.com/ PyCon talk about custom security testing: https://www.youtube.com/watch?v=KuNZzDjvMlg  Michal's Black Hat course - Accurate and Scalable: Web Application Bug Hunting: https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-37210  https://www.blackhat.com/us-24/training/schedule/index.html#accurate-and-scalable-web-application-bug-hunting-372101705524544  ASVS website: https://owasp.org/asvs  Lightning talk I did recently about OWASP: https://www.bouncesecurity.com/eventspast#f86548cb37cb2a82728b1762bd1b7aee  Show points of Contact: Amanda Berlin: @infosystir @hackershealth  Brian Boettcher: @boettcherpwned Bryan Brake: https://linkedin.com/in/brakeb  Brakesec Website: https://www.brakeingsecurity.com Youtube channel: https://youtube.com/@brakeseced Twitch Channel: https://twitch.tv/brakesec

Fun fact:  There are more vulnerabilities and exploits below the OS layer than above it! CPUs, BIOS, Firmware, embedded Linux, FPGAs, UEFI, PXE...  The list goes on an on.  What are we supposed to do about that? Allan asked Yuriy to come down to the 'Ranch to discuss this issue with him.  Yuriy is CEO at Eclypsium, member of the Forbes Technology Counsel, Founder of the open source CHIPSEC project, former head of Threat Research at McAfee, form Senior Principle Engineer at Intel…  He is uniquely qualified to discuss these issues. Full DISCLAIMER: Allan is CISO at Eclypsium.  Note that he asked Yuriy to come on the show, not the other way around.  Nobody knows this space like Yuriy and his team. Allan asks Yuriy about: The history of CPU exploits Unauthorized code in chips in network gear The various hacks available at this layer The role of SBOM in all this The open source CHIPSEC project It's an eye-opening show to say the least. Y'all be good now!