Podcasts about sboms

  • 122PODCASTS
  • 265EPISODES
  • 46mAVG DURATION
  • 1EPISODE EVERY OTHER WEEK
  • May 19, 2025LATEST

POPULARITY

20172018201920202021202220232024


Best podcasts about sboms

Latest podcast episodes about sboms

Global Medical Device Podcast powered by Greenlight Guru
#407: Cybersecurity in MedTech: FDA Compliance, Patient Safety & the Hidden Risks You're Missing

Global Medical Device Podcast powered by Greenlight Guru

Play Episode Listen Later May 19, 2025 42:21 Transcription Available


Christian Espinosa, founder of Blue Goat Cyber and leading voice in medical device cybersecurity, joins Etienne Nichols to unpack the urgent and often misunderstood topic of cybersecurity in MedTech. From FDA's 2023 regulatory overhaul to real-world hacking scenarios that could harm patients, Christian provides practical advice for innovators, RA/QA professionals, and software teams. He also shares why waiting until the last minute on cybersecurity could cost startups millions—or even kill a project entirely.Whether you're a quality professional trying to build compliant systems or an innovator racing toward FDA submission, this episode lays out exactly what you need to know to stay ahead of cyber threats and within regulatory guardrails.Key Timestamps:00:01 – Intro to guest Christian Espinosa and Blue Goat Cyber06:28 – Why medical device cybersecurity is different from traditional IT security11:49 – Real-world hacking example: acne laser device turned skin-burner13:57 – FDA expectations post-September 2023: what changed17:12 – Secure boot: a microcontroller mistake that derailed a launch20:35 – Common cybersecurity vendor mistake MedTech companies make23:40 – SBOM: Software Bill of Materials and why it's legally critical27:58 – Cyberattacks in hospitals: assuming a hostile network35:44 – AI in medical devices: data bias and cybersecurity challenges41:10 – Developers ≠ cybersecurity experts: the training gap nobody talks about45:20 – What RA/QA professionals need to know now49:30 – Why cybersecurity must be iterative, not a final-phase add-on55:20 – Espinosa's final advice for MedTech professionals57:52 – The story behind “Blue Goat Cyber”Standout Quotes:“Cybersecurity for medical devices isn't about data breaches—it's about patient harm. You could paralyze someone or misdiagnose sepsis. This isn't theoretical.”— Christian Espinosa, on the real risks of insecure devices“Most developers don't understand cybersecurity. We assume they do—but that's like expecting an architect to be a locksmith.”— Christian Espinosa, on why so many devices fail security assessmentsTop Takeaways:Cybersecurity isn't just about data—it's about patient safety. From burning skin to missed sepsis diagnoses, vulnerabilities in devices have real-world harm potential.FDA now requires more than just a basic security plan. Post-September 2023 rules mandate testing (SAST, DAST, fuzzing), SBOMs, and risk assessments tied to patient harm.Start cybersecurity planning during the requirements phase. Hardware like microcontrollers must support secure boot and other protections—retrofits can cripple product plans.Iterate cybersecurity like any core development activity. One-time testing near submission is too late; build security into your pipeline just like QA or usability.Traditional cybersecurity vendors aren't enough. Many fail to meet FDA's nuanced expectations for medical devices, causing costly submission rejections.References & Resources:Christian Espinosa on LinkedInBlue Goat CyberEtienne Nichols on LinkedInMedTech 101 – Understanding SBOM (Software Bill of...

Cybersecurity Where You Are
Episode 135: Five Lightning Chats at RSAC Conference 2025

Cybersecurity Where You Are

Play Episode Listen Later May 14, 2025 23:30


In episode 135 of Cybersecurity Where You Are, Sean Atkinson is joined live at RSAC Conference 2025 by five attendees, including two Center for Internet Security® (CIS®) employees. He conducts a lightning chat with each attendee to get their thoughts about the conference, how it reflects the changing cybersecurity industry, and the role CIS plays in this ongoing evolution. Here are some highlights from our episode:00:40. Stephanie Gass, Sr. Director of Information Security at CISHow to start creating a policy and make it effective through implementation processesA transition to an approach integrating mappings for CIS security best practicesThe use of GenAI and security champions to make this transition04:08. Brad Bock, Director of Product Management at ChainguardBuilding and compiling security from the ground up in open-source container imagesTrusting pre-packaged software in an increasingly complex worldSupport of customer compliance with attestation, SBOMs, and vulnerability remediation07:43. Stephane Auger, Vice President Technologies and CISO at Équipe MicrofixCustomer awareness and other top challenges for MSPs and MSSPsThe use of case studies and referrals to communicate the importance of cybersecurityA growing emphasis on cyber risk insurance as media attention around breaches grows11:36. Brent Holt, Director of Cybersecurity Technology at Edge Solutions LLCHow the CIS Critical Security Controls facilitates a consultative approach to customersThe importance of knowing where each company is in their use of GenAIMapping elements of a portfolio to CIS security best practices17:23. Mishal Makshood, Sr. Cloud Security Account Executive at CISThe use of learning and research to investigate GenAI's utility for CISAn aspiration to scale efficiency and drive improvements with GenAI trainingA reminder to augment human thought, not replace it, with GenAIResourcesEpisode 63: Building Capability and Integration with SBOMsMapping and ComplianceCybersecurity for MSPs, MSSPs, & ConsultantsEpisode 130: The Story and Future of CIS Thought LeadershipIf you have some feedback or an idea for an upcoming episode of Cybersecurity Where You Are, let us know by emailing podcast@cisecurity.org.

CHAOSScast
Episode 109: SBOMs and Project Health with Brittany Istenes

CHAOSScast

Play Episode Listen Later May 1, 2025 39:53


Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast! CHAOSScast – Episode 109 In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more! [00:00:21] Our guests introduce themselves and their backgrounds. [00:01:55] Georg explains the rise of malicious packages (700%) and the risks of neglected open source components. [00:04:36] What is a SBOM? Brittany explains SBOMs as a list of all software components and libraries in each application and automation and tooling adoption is discussed. [00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns. [00:09:12] Georg gives a historical overview about SBOMs began as tools for license compliance and how SBOMs now cover more including cybersecurity, post U.S. Executive Order 14028 (May 2021). [00:15:51] Georg shares three pillars of SBOM strategy: License compliance, Security, and Project Health and how CHAOSS Metrics can be combined with SBOMs to move from reactive to proactive strategies. [00:16:59] Brittany emphasizes risk analysis and good design from project inception and proactive open source strategies save effort later. [00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness. [00:21:28] Brittany stresses internal engineering education on project health and risk and developer smush understand what makes a project “healthy.” [00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration. [00:27:36] Cali shares Red Hat's efforts to define what makes a project vulnerable and how it's focused on detecting and sunsetting unmaintained dependencies. [00:31:37] Brittany emphasizes risk from version mismatches and misinterpreted CVEs and mentions a CHAOSS doc to read, “Metrics for OSS Viability” by Gary White. [00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26 and Open Source Summit North America, June 23-25. Value Adds (Picks) of the week: [00:36:08] Georg's pick is building a platform for his dog to look out the window. [00:37:06] Brittany's pick is spending time with Georg and Cali. [00:38:12] Cali's pick is her great support system since having ACL surgery. *Panelist: * Georg Link Guests: Cali Dolfi Brittany Istenes Links: CHAOSS (https://chaoss.community/) CHAOSS Project X (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Georg Link Website (https://georg.link/) Britany Istenes LinkedIn (https://www.linkedin.com/in/brittany-istenes-91b902152/) Brittany Istenes GitHub (https://github.com/BrittanyIstenes) Cali Dolfi LinkedIn (https://www.linkedin.com/in/calidolfi/) State of the Software Supply Chain (Sonatype) (https://www.sonatype.com/state-of-the-software-supply-chain/introduction) CHAOSScast Podcast-Episode 103: GrimoireLab at FreeBSD (https://podcast.chaoss.community/103) CHAOSS Community: Metrics for OSS Viability by Gary White (https://chaoss.community/viability-metrics-what-its-made-of/) CHAOSScon North America 2025, Denver, CO, June 26 (https://chaoss.community/chaosscon-2025-na/) Open Source Summit North America, Denver CO, June 23-25 (https://events.linuxfoundation.org/open-source-summit-north-america/) Fintech Open Source (FINOS) (https://www.finos.org/) Cyber Resilience Act (European Commission) (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act) Rising Threat: Understanding Software Supply Chain Cyberattacks And Protecting Against Them(Forbes) (https://www.forbes.com/councils/forbestechcouncil/2024/02/06/rising-threat-understanding-software-supply-chain-cyberattacks-and-protecting-against-them/) Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity (The White House) (https://bidenwhitehouse.archives.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/) Types of Software Bill of Material (SBOM) Documents (https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf) OpenSSF Scorecard (https://openssf.org/projects/scorecard/) OSS Project Viability Starter (CHAOSS) (https://chaoss.community/kb/metrics-model-project-viability-starter/) Show Me What You Got: Turning SBOMs Into Actions- Georg Link & Brittany Istenes (https://lfms25.sched.com/event/1urWz) Special Guests: Brittany Istenes and Cali Dolfi.

ITSPmagazine | Technology. Cybersecurity. Society
Building Trust Through AI and Software Transparency: The Real Value of SBOMs and AISBOMs | An RSAC Conference 2025 Conversation with Helen Oakley and Dmitry Raidman | On Location Coverage with Sean Martin and Marco Ciappelli

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Apr 30, 2025 19:37


Helen Oakley, Senior Director of Product Security at SAP, and Dmitry Raidman, Co-founder and CTO of Cybeats, joined us live at the RSAC Conference to bring clarity to one of the most urgent topics in cybersecurity: transparency in the software and AI supply chain. Their message is direct—organizations not only need to understand what's in their software, they need to understand the origin, integrity, and impact of those components, especially as artificial intelligence becomes more deeply integrated into business operations.SBOMs Are Not Optional AnymoreSoftware Bills of Materials (SBOMs) have long been a recommended best practice, but they're now reaching a point of necessity. As Dmitry noted, organizations are increasingly requiring SBOMs before making purchase decisions—“If you're not going to give me an SBOM, I'm not going to buy your product.” With regulatory pressure mounting through frameworks like the EU Cyber Resilience Act (CRA), the demand for transparency is being driven not just by compliance, but by real operational value. Companies adopting SBOMs are seeing tangible returns—saving hundreds of hours on risk analysis and response, while also improving internal visibility.Bringing AI into the SBOM FoldBut what happens when the software includes AI models, data pipelines, and autonomous agents? Helen and Dmitry are leading a community-driven initiative to create AI-specific SBOMs—referred to as AI SBOMs or AISBOMs—to capture critical metadata beyond just the code. This includes model architectures, training data, energy consumption, and more. These elements are vital for risk management, especially when organizations may be unknowingly deploying models with embedded vulnerabilities or opaque dependencies.A Tool for the Community, Built by the CommunityIn an important milestone for the industry, Helen and Dmitry also introduced the first open source tool capable of generating CycloneDX-formatted AISBOMs for models hosted on Hugging Face. This practical step bridges the gap between standards and implementation—helping organizations move from theoretical compliance to actionable insight. The community's response has been overwhelmingly positive, signaling a clear demand for tools that turn complexity into clarity.Why Security Leaders Should Pay AttentionThe real value of an SBOM—whether for software or AI—is not just external compliance. It's about knowing what you have, recognizing your crown jewels, and understanding where your risks lie. As AI compounds existing vulnerabilities and introduces new ones, starting with transparency is no longer a suggestion—it's a strategic necessity.Want to see how this all fits together? Hear it directly from Helen and Dmitry in this episode.___________Guests: Helen Oakley, Senior Director of Product Security at SAP | https://www.linkedin.com/in/helen-oakley/Dmitry Raidman, Co-founder and CTO of Cybeats | https://www.linkedin.com/in/draidman/Hosts:Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.comMarco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com___________Episode SponsorsThreatLocker: https://itspm.ag/threatlocker-r974Akamai: https://itspm.ag/akamailbwcBlackCloak: https://itspm.ag/itspbcwebSandboxAQ: https://itspm.ag/sandboxaq-j2enArcher: https://itspm.ag/rsaarchwebDropzone AI: https://itspm.ag/dropzoneai-641ISACA: https://itspm.ag/isaca-96808ObjectFirst: https://itspm.ag/object-first-2gjlEdera: https://itspm.ag/edera-434868___________ResourcesLinkedIn Post with Links: https://www.linkedin.com/posts/helen-oakley_ai-sbom-aisbom-activity-7323123172852015106-TJeaLearn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage______________________KEYWORDShelen oakley, dmitry raidman, sean martin, rsac 2025, sbom, aisbom, ai security, software supply chain, transparency, open source, event coverage, on location, conference______________________Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverageWant to tell your Brand Story Briefing as part of our event coverage? Learn More

Thinking Elixir Podcast
250: EEF Elections and Security

Thinking Elixir Podcast

Play Episode Listen Later Apr 22, 2025 14:23


News includes EEF board elections with voting beginning May 9th, Gleam v1.10.0 enhancing security with SBoMs and SLSA build provenance, an AshAuthentication vulnerability with mitigation steps, the Elixir Secure Coding Training project finding a permanent home at the EEF, announcements for both ElixirConf US 2025 in Orlando and ElixirConfEU in Krakow with speaker lineup, and more! Show Notes online - http://podcast.thinkingelixir.com/250 (http://podcast.thinkingelixir.com/250) Elixir Community News https://paraxial.io/ (https://paraxial.io/?utm_source=thinkingelixir&utm_medium=shownotes) – Paraxial.io is sponsoring today's show! Sign up for a free trial of Paraxial.io today and mention Thinking Elixir when you schedule a demo for a limited time offer. https://erlef.org/blog/eef/election-2025 (https://erlef.org/blog/eef/election-2025?utm_source=thinkingelixir&utm_medium=shownotes) – EEF board elections announced with important dates - candidacy submissions by May 8th, voting open May 9-16th. https://x.com/TheErlef/status/1911847956308959650 (https://x.com/TheErlef/status/1911847956308959650?utm_source=thinkingelixir&utm_medium=shownotes) – Gleam v1.10.0 will ship with Build SBoMs and SLSA build provenance for all release artifacts and Docker images, improving visibility into dependencies and software supply chain security. https://x.com/theerlef/status/1910348770514006242 (https://x.com/theerlef/status/1910348770514006242?utm_source=thinkingelixir&utm_medium=shownotes) – The "Elixir Secure Coding Training (ESCT)" project has been transferred to the Erlang Ecosystem Foundation for a more permanent home and maintainership. https://bsky.app/profile/davelucia.com/post/3lmcqhzoc7c26 (https://bsky.app/profile/davelucia.com/post/3lmcqhzoc7c26?utm_source=thinkingelixir&utm_medium=shownotes) – Dave Lucia shares information about the ESCT project transfer from Podium to TvLabs and ultimately to the EEF. https://github.com/erlef/elixir-secure-coding (https://github.com/erlef/elixir-secure-coding?utm_source=thinkingelixir&utm_medium=shownotes) – An interactive cybersecurity curriculum designed for enterprise use at software companies using Elixir. https://github.com/phoenixframework/phoenix/pull/6184 (https://github.com/phoenixframework/phoenix/pull/6184?utm_source=thinkingelixir&utm_medium=shownotes) – Fix for Plug.Debugger screen which was showing ANSI codes in HTML. https://github.com/phoenixframework/phoenix/pull/6194 (https://github.com/phoenixframework/phoenix/pull/6194?utm_source=thinkingelixir&utm_medium=shownotes) – Fix for the Phoenix installer's incorrect application of custom variants in tailwind v4. https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787 (https://github.com/team-alembic/ash_authentication/security/advisories/GHSA-3988-q8q7-p787?utm_source=thinkingelixir&utm_medium=shownotes) – AshAuthentication vulnerability published with mitigation steps - update packages, set requireinteraction to true, and add confirmroute above auth_routes. https://elixirconf.com/ (https://elixirconf.com/?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf US 2025 is open for submitting talks and workshops in Orlando. Talk submissions due April 29, workshop submissions due April 15. https://x.com/elixirconf/status/1907843035544826137 (https://x.com/elixirconf/status/1907843035544826137?utm_source=thinkingelixir&utm_medium=shownotes) – Announcement for ElixirConf US 2025 in Orlando with deadlines for talk and workshop submissions. https://x.com/ElixirConfEU/status/1911747531953832323 (https://x.com/ElixirConfEU/status/1911747531953832323?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConfEU Speakers were announced for the upcoming conference in Krakow, Poland. https://www.elixirconf.eu/#tickets (https://www.elixirconf.eu/#tickets?utm_source=thinkingelixir&utm_medium=shownotes) – Ticket information for ElixirConfEU - 250 Euros for virtual ticket, 600 Euros for in-person ticket. https://www.elixirconf.eu/#keynotes (https://www.elixirconf.eu/#keynotes?utm_source=thinkingelixir&utm_medium=shownotes) – Keynote information for ElixirConfEU in Krakow, Poland, May 14-16 (training on May 14, regular sessions on May 15-16). Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

The New Stack Podcast
Container Security and AI: A Talk with Chainguard's Founder

The New Stack Podcast

Play Episode Listen Later Apr 22, 2025 20:51


In this episode of The New Stack Makers, recorded at KubeCon + CloudNativeCon Europe, Alex Williams speaks with Ville Aikas, Chainguard founder and early Kubernetes contributor. They reflect on the evolution of container security, particularly how early assumptions—like trusting that users would validate container images—proved problematic. Aikas recalls the lack of secure defaults, such as allowing containers to run as root, stemming from the team's internal Google perspective, which led to unrealistic expectations about external security practices.The Kubernetes community has since made strides with governance policies, secure defaults, and standard practices like avoiding long-lived credentials and supporting federated authentication. Aikas founded Chainguard to address the need for trusted, minimal, and verifiable container images—offering zero-CVE images, transparent toolchains, and full SBOMs. This security-first philosophy now extends to virtual machines and Java dependencies via Chainguard Libraries.The discussion also highlights the rising concerns around AI/ML security in Kubernetes, including complex model dependencies, GPU integrations, and potential attack vectors—prompting Chainguard's move toward locked-down AI images.Learn more from The New Stack about Container Security and AIChainguard Takes Aim At Vulnerable Java LibrariesClean Container Images: A Supply Chain Security RevolutionRevolutionizing Offensive Security: A New Era With Agentic AI Join our community of newsletter subscribers to stay on top of the news and at the top of your game. 

Open Source Security Podcast
Syft, Grype, and Grant with Alan Pope

Open Source Security Podcast

Play Episode Listen Later Apr 21, 2025 31:04


I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/

Cyber Work
Why Medical Device Security Needs Transparency: The SBOM Revolution | Guest Ken Zalevsky

Cyber Work

Play Episode Listen Later Apr 14, 2025 53:44


Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcastIn this episode of Cyber Work, Ken Zalevsky, founder and CEO of Vigilant Ops, joins us to discuss the importance of a Software Bill of Materials (SBOM) in the medical device industry. Zalevsky shares how SBOMs provide transparency and critical security insights, akin to the ingredients list on food packaging, to help identify and defend against vulnerabilities. We also delve into Zalevsky's extensive career in healthcare cybersecurity, starting from his early tech interests influenced by his father to his pivotal role at Bayer Healthcare. The discussion covers the impact of legacy systems, current security trends, the integration of AI in medical device security, and valuable insights for those looking to build a career in this crucial sector. Tune in to learn more about medical device security and the latest in cybersecurity trends, and get some expert advice straight from a seasoned professional.00:00 Understanding SBOMs in medical devices04:20 The evolution of medical device security07:22 Ken Zalevsky's journey in cybersecurity09:28 Challenges in medical device security13:06 The role of SBOMs in cybersecurity15:56 Implementing SBOMs in organizations18:28 Ken Zalevsky's role at Vigilant Ops22:01 Technical aspects of SBOMs27:14 Legacy devices and security measures28:24 Manufacturer's role in device security30:07 Healthcare industry's response to security threats30:42 Impact of major breaches on policy34:13 Generative AI and machine learning in healthcare security40:22 Skills and certifications for healthcare security careers46:46 Career advice and educational paths49:04 About Vigilant Ops and their services52:15 Outro– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcastAbout InfosecInfosec's mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness training. Learn more at infosecinstitute.com.

Thinking Elixir Podcast
245: Supply Chain Security and SBoMs

Thinking Elixir Podcast

Play Episode Listen Later Mar 18, 2025 74:36


News includes a new library called phoenix_sync for real-time sync in Postgres-backed Phoenix applications, Peter Solnica released a Text Parser for extracting structured data from text, a useful tip on finding Hex package versions locally with mix hex.info, Wasmex updated to v0.10 with WebAssembly component support, and Chrome introduces a new browser feature similar to LiveView.JS. We also talked with Alistair Woodman and Jonatan Männchen from the EEF about Jonatan's role as CISO, the Security Working Group, and their work on OpenChain compliance for supply-chain security, Software Bill of Materials (SBoMs), and what these initiatives mean for the Elixir community, and more! Show Notes online - http://podcast.thinkingelixir.com/245 (http://podcast.thinkingelixir.com/245) Elixir Community News https://gigalixir.com/thinking (https://gigalixir.com/thinking?utm_source=thinkingelixir&utm_medium=shownotes) – Gigalixir is sponsoring the show, offering 20% off standard tier prices for a year with promo code "Thinking". https://github.com/electric-sql/phoenix_sync (https://github.com/electric-sql/phoenix_sync?utm_source=thinkingelixir&utm_medium=shownotes) – New library called phoenix_sync providing real-time sync for Postgres-backed Phoenix applications. https://hexdocs.pm/phoenix_sync/readme.html (https://hexdocs.pm/phoenix_sync/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Documentation for phoenix_sync, a solution for building modern, real-time apps with local-first/sync in Elixir. https://github.com/josevalim/sync (https://github.com/josevalim/sync?utm_source=thinkingelixir&utm_medium=shownotes) – José Valim's original proof of concept repo that was promptly archived. https://electric-sql.com/ (https://electric-sql.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Electric SQL's platform that syncs subsets of Postgres data into local apps and services, allowing data to be available offline and in-sync. https://solnic.dev/posts/announcing-textparser-for-elixir/ (https://solnic.dev/posts/announcing-textparser-for-elixir/?utm_source=thinkingelixir&utm_medium=shownotes) – Peter Solnica released TextParser, a library for extracting interesting parts of text like hashtags and links. https://hexdocs.pm/text_parser/readme.html (https://hexdocs.pm/text_parser/readme.html?utm_source=thinkingelixir&utm_medium=shownotes) – Documentation for the Text Parser library that helps parse text into structured data. https://www.elixirstreams.com/tips/mix-hex-info (https://www.elixirstreams.com/tips/mix-hex-info?utm_source=thinkingelixir&utm_medium=shownotes) – Elixir stream tip on using mix hex.info to find the latest package version for a Hex package locally, without needing to search on hex.pm or GitHub. https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4 (https://github.com/phoenixframework/tailwind/blob/main/README.md#updating-from-tailwind-v3-to-v4?utm_source=thinkingelixir&utm_medium=shownotes) – Guide for upgrading Tailwind to V4 in existing Phoenix applications using Tailwind's automatic upgrade helper. https://gleam.run/news/hello-echo-hello-git/ (https://gleam.run/news/hello-echo-hello-git/?utm_source=thinkingelixir&utm_medium=shownotes) – Gleam 1.9.0 release with searchability on hexdocs, Echo debug printing for improved debugging, and ability to depend on Git-hosted dependencies. https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir (https://d-gate.io/blog/everything-i-was-lied-to-about-node-came-true-with-elixir?utm_source=thinkingelixir&utm_medium=shownotes) – Blog post discussing how promises made about NodeJS actually came true with Elixir. https://hexdocs.pm/wasmex/Wasmex.Components.html (https://hexdocs.pm/wasmex/Wasmex.Components.html?utm_source=thinkingelixir&utm_medium=shownotes) – Wasmex updated to v0.10 with support for WebAssembly components, enabling applications and components to work together regardless of original programming language. https://ashweekly.substack.com/p/ash-weekly-issue-8 (https://ashweekly.substack.com/p/ash-weekly-issue-8?utm_source=thinkingelixir&utm_medium=shownotes) – AshWeekly Issue 8 covering AshOps with mix task capabilities for CRUD operations and BeaconCMS being included in the Ash HQ installer script. https://developer.chrome.com/blog/command-and-commandfor (https://developer.chrome.com/blog/command-and-commandfor?utm_source=thinkingelixir&utm_medium=shownotes) – Chrome update brings new browser feature with commandfor and command attributes, similar to Phoenix LiveView.JS but native to browsers. https://codebeamstockholm.com/ (https://codebeamstockholm.com/?utm_source=thinkingelixir&utm_medium=shownotes) – Code BEAM Lite announced for Stockholm on June 2, 2025 with keynote speaker Björn Gustavsson, the "B" in BEAM. https://alchemyconf.com/ (https://alchemyconf.com/?utm_source=thinkingelixir&utm_medium=shownotes) – AlchemyConf coming up March 31-April 3 in Braga, Portugal. Use discount code THINKINGELIXIR for 10% off. https://www.gigcityelixir.com/ (https://www.gigcityelixir.com/?utm_source=thinkingelixir&utm_medium=shownotes) – GigCity Elixir and NervesConf on May 8-10, 2025 in Chattanooga, TN, USA. https://www.elixirconf.eu/ (https://www.elixirconf.eu/?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf EU on May 15-16, 2025 in Kraków & Virtual. https://goatmire.com/#tickets (https://goatmire.com/#tickets?utm_source=thinkingelixir&utm_medium=shownotes) – Goatmire tickets are on sale now for the conference on September 10-12, 2025 in Varberg, Sweden. Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com (mailto:show@thinkingelixir.com) Discussion Resources https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/ (https://elixir-lang.org/blog/2025/02/26/elixir-openchain-certification/?utm_source=thinkingelixir&utm_medium=shownotes) https://cna.erlef.org/ (https://cna.erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF CVE Numbering Authority https://erlangforums.com/t/security-working-group-minutes/3451/22 (https://erlangforums.com/t/security-working-group-minutes/3451/22?utm_source=thinkingelixir&utm_medium=shownotes) https://podcast.thinkingelixir.com/220 (https://podcast.thinkingelixir.com/220?utm_source=thinkingelixir&utm_medium=shownotes) – previous interview with Alistair https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act (https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act?utm_source=thinkingelixir&utm_medium=shownotes) – CRA - Cyber Resilience Act https://www.cisa.gov/ (https://www.cisa.gov/?utm_source=thinkingelixir&utm_medium=shownotes) – CISA US Government Agency https://www.cisa.gov/sbom (https://www.cisa.gov/sbom?utm_source=thinkingelixir&utm_medium=shownotes) – Software Bill of Materials https://oss-review-toolkit.org/ort/ (https://oss-review-toolkit.org/ort/?utm_source=thinkingelixir&utm_medium=shownotes) – Desire to integrate with tooling outside the Elixir ecosystem like OSS Review Toolkit https://github.com/voltone/rebar3_sbom (https://github.com/voltone/rebar3_sbom?utm_source=thinkingelixir&utm_medium=shownotes) https://cve.mitre.org/ (https://cve.mitre.org/?utm_source=thinkingelixir&utm_medium=shownotes) https://openssf.org/projects/guac/ (https://openssf.org/projects/guac/?utm_source=thinkingelixir&utm_medium=shownotes) https://erlef.github.io/security-wg/securityvulnerabilitydisclosure/ (https://erlef.github.io/security-wg/security_vulnerability_disclosure/?utm_source=thinkingelixir&utm_medium=shownotes) – EEF Security WG Vulnerability Disclosure Guide Guest Information - https://x.com/maennchen_ (https://x.com/maennchen_?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Twitter/X - https://bsky.app/profile/maennchen.dev (https://bsky.app/profile/maennchen.dev?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Bluesky - https://github.com/maennchen/ (https://github.com/maennchen/?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan on Github - https://maennchen.dev (https://maennchen.dev?utm_source=thinkingelixir&utm_medium=shownotes) – Jonatan's Blog - https://www.linkedin.com/in/alistair-woodman-51934433 (https://www.linkedin.com/in/alistair-woodman-51934433?utm_source=thinkingelixir&utm_medium=shownotes) – Alistair Woodman on LinkedIn - awoodman@erlef.org - https://github.com/ahw59/ (https://github.com/ahw59/?utm_source=thinkingelixir&utm_medium=shownotes) – Alistair on Github - http://erlef.org/ (http://erlef.org/?utm_source=thinkingelixir&utm_medium=shownotes) – Erlang Ecosystem Foundation Website Find us online - Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com) - Message the show - X (https://x.com/ThinkingElixir) - Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir) - Email the show - show@thinkingelixir.com (mailto:show@thinkingelixir.com) - Mark Ericksen on X - @brainlid (https://x.com/brainlid) - Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social) - Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid) - David Bernheisel on Bluesky - @david.bernheisel.com (https://bsky.app/profile/david.bernheisel.com) - David Bernheisel on Fediverse - @dbern@genserver.social (https://genserver.social/dbern)

WBSRocks: Business Growth with ERP and Digital Transformation
WBSP682: Grow Your Business by Learning Why Understanding Software BOMs is Critical w/ Matt Van Itallie

WBSRocks: Business Growth with ERP and Digital Transformation

Play Episode Listen Later Feb 18, 2025 55:52


Send us a textThe CrowdStrike incident has shed light on the hidden risks within software supply chains, prompting companies to reevaluate their security posture and the role of software bills of materials (SBOMs). While some may view this as an isolated event, the reality is that vulnerabilities within supply chains are often deeper and more complex than they initially appear—especially as AI-driven advancements introduce even greater dependencies and potential attack surfaces. Despite this growing risk, many buyers still overlook SBOMs when selecting software solutions, failing to recognize their critical importance for transparency, security, and regulatory compliance. As software ecosystems become increasingly intricate, organizations must prioritize SBOMs to mitigate risks, ensure accountability, and safeguard their digital infrastructure against evolving threats.In this episode, Sam Gupta engages in a LinkedIn live session with Matt Van Itallie, Founder and CEO of Sema to provide insights into why understanding software BOMs is critical and how that can help with risk management.Background Soundtrack: Away From You – Mauro SommFor more information on growth strategies for SMBs using ERP and digital transformation, visit our community at wbs.rocks or elevatiq.com. To ensure that you never miss an episode of the WBS podcast, subscribe on your favorite podcasting platform.

@BEERISAC: CPS/ICS Security Podcast Playlist
125: Decoding SBOMs: Kyle McMillian on Cybersecurity and Supply Chain Transparency

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jan 30, 2025 27:24


Podcast: (CS)²AI Podcast Show: Control System Cyber SecurityEpisode: 125: Decoding SBOMs: Kyle McMillian on Cybersecurity and Supply Chain TransparencyPub date: 2025-01-28Get Podcast Transcript →powered by Listen411 - fast audio-to-text and summarizationDerek Harp welcomes Kyle McMillian, Product Security Officer at Siemens, to discuss the evolving landscape of software bill of materials (SBOMs) and their role in modern cybersecurity. Recorded live at Hack the Capitol 7.0, this conversation unpacks the challenges and opportunities posed by SBOMs in an industry grappling with legacy systems and modern threats.Kyle dives into the origins of SBOMs, their role in addressing vulnerabilities like Log4J, and their potential to transform procurement, risk management, and incident response. He emphasizes the importance of balancing transparency with practicality, noting that SBOMs are a starting point for broader cybersecurity conversations. With his unique perspective from a leading equipment manufacturer, Kyle shares insights into how SBOMs can help bridge the gap between IT and OT systems.This episode is essential for anyone looking to understand the future of cybersecurity and the critical role of SBOMs in securing industrial control systems. Learn how these tools can foster trust, streamline risk management, and improve collaboration across the industry.The podcast and artwork embedded on this page are from Derek Harp, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Control System Cyber Security Association International: (CS)²AI
125: Decoding SBOMs: Kyle McMillian on Cybersecurity and Supply Chain Transparency

Control System Cyber Security Association International: (CS)²AI

Play Episode Listen Later Jan 28, 2025 27:24


Derek Harp welcomes Kyle McMillian, Product Security Officer at Siemens, to discuss the evolving landscape of software bill of materials (SBOMs) and their role in modern cybersecurity. Recorded live at Hack the Capitol 7.0, this conversation unpacks the challenges and opportunities posed by SBOMs in an industry grappling with legacy systems and modern threats.Kyle dives into the origins of SBOMs, their role in addressing vulnerabilities like Log4J, and their potential to transform procurement, risk management, and incident response. He emphasizes the importance of balancing transparency with practicality, noting that SBOMs are a starting point for broader cybersecurity conversations. With his unique perspective from a leading equipment manufacturer, Kyle shares insights into how SBOMs can help bridge the gap between IT and OT systems.This episode is essential for anyone looking to understand the future of cybersecurity and the critical role of SBOMs in securing industrial control systems. Learn how these tools can foster trust, streamline risk management, and improve collaboration across the industry.

Software Defined Talk
Episode 501: Checkbox Features

Software Defined Talk

Play Episode Listen Later Jan 10, 2025 66:10


This week, we dive into the state of SBOMs, what's going on with Harness, and the ongoing collision of tech and politics. Plus, Coté finds himself a stranger in the Texas he once called home. Watch the YouTube Live Recording of Episode (https://www.youtube.com/live/Gy02kkQjolI?si=TS_H8x4duNuGr8Ph) 501 (https://www.youtube.com/live/Gy02kkQjolI?si=TS_H8x4duNuGr8Ph) Runner-up Titles Who knows what's going to happen on that side of the planet? There are no hacks in The Netherlands. I know it's not the quality. An explosion of Eggnog The resident American American This topic will be boring Thank goodness it's part of my existing vendor relationship It's a webhook, knock yourself out They unlocked Ayn Rand Hacking it on the mainland Rundown Rust Will Explode, SBOMs Will Be Duds: Open Source Predictions (https://thenewstack.io/rust-will-explode-sboms-will-be-duds-open-source-predictions/) Harness CEO Jyoti Bansal on "startups within startups" (https://www.thestack.technology/harness-ceo-jyoti-bansal-the-stack-interview/) Marc Andreessen on Trump, the vibe shift, and what's after wokeness (https://youtu.be/l8X8jecivWw?si=fgNzX7OXqupKcbiM) A (https://www.youtube.com/watch?v=sgTeZXw-ytQ) 2 (https://www.youtube.com/watch?v=sgTeZXw-ytQ)- (https://www.youtube.com/watch?v=sgTeZXw-ytQ)hour interview with Andreessen (https://www.youtube.com/watch?v=sgTeZXw-ytQ) Relevant to your Interests Penpot unfolds their new open-source business model (https://youtu.be/STNomD9GUJY) Apple and Meta go to war over interoperability vs. privacy (https://techcrunch.com/2024/12/19/apple-and-meta-go-to-war-over-interoperability-vs-privacy/?guccounter=1&guce_referrer=aHR0cHM6Ly9uZXdzLmdvb2dsZS5jb20v&guce_referrer_sig=AQAAAGg73b-roDi-nW16voQhBVF4F0F4VDFNb2FTUXI-FSDE7EWV_BurzrSR-HtNljvccHZNYFZG9R73FB5FiHgK5nyQxCvXY_EPzMscjo-ytoIOS9uXtc4xFfCE5fZxpnhYnqbKjf2Bl5O4pUl7GGoAAXV4xV4C1fczloKtGC7K72tA) 15 predictions for 2025 (https://www.platformer.news/2025-tech-predictions-ai-google-threads-bluesky/) Ray-Ban Meta Crosses 1-Million Mark (https://www.counterpointresearch.com/insight/post-insight-research-notes-blogs-rayban-meta-crosses-1million-mark-success-indicates-promising-future-for-lightweight-ar-glasses/) Google Slashes 10% Of Managerial Staff In Hunt For 'Googleyness': Report (https://www.ndtv.com/world-news/google-layoffs-google-sundar-pichai-slashes-10-of-managerial-staff-in-hunt-for-googlyness-report-7292782) Resilience in Software Foundation (https://bsky.app/profile/resilienceinsoftware.org/post/3ldr56jnuqu2x) Amazon Delays RTO Mandate for Thousands of Workers Due to Space (https://www.bloomberg.com/news/articles/2024-12-18/amazon-delays-return-to-office-mandate-for-thousands-of-workers) Community plans to fork Puppet, unhappy with Perforce changes to open-source project (https://devclass.com/2024/12/18/community-plans-to-fork-puppet-unhappy-with-perforce-changes-to-open-source-project/?td=rt-3a) 5.6 Million Impacted by Ransomware Attack on Healthcare Giant Ascension (https://www.securityweek.com/5-6-million-impacted-by-ransomware-attack-on-healthcare-giant-ascension/) Yoast CEO calls for a 'federated' approach to WordPress repository (https://techcrunch.com/2024/12/23/yoast-ceo-calls-for-a-federated-approach-to-wordpress-repository/) Netflix sues Broadcom in California federal court (https://www.reuters.com/legal/litigation/netflix-sues-broadcoms-vmware-over-us-virtual-machine-patents-2024-12-23/>

Breaking Badness
Breaking Down SBOMs: The Secret Weapon in Healthcare Security

Breaking Badness

Play Episode Listen Later Nov 27, 2024 31:22


In this episode of Breaking Badness, we dive into the critical challenges and innovations in healthcare cybersecurity with Ken Zalevsky, CEO of Vigilant Ops. From the vulnerabilities in medical devices to the revolutionary role of Software Bill of Materials (SBOMs), Ken shares his two decades of expertise in safeguarding patient safety and hospital systems against emerging threats. Tune in to learn about shifting cybersecurity left, the complexities of interconnected healthcare systems, and actionable strategies to combat ransomware and legacy vulnerabilities.

My Open Source Experience Podcast
How to Successfully Argue for Open Source Investment

My Open Source Experience Podcast

Play Episode Listen Later Nov 5, 2024 41:29


We can establish that if you are using any (semi-)modern digital infrastructure or applications, then you are depending on open source software. Have you ever thought about that as actual dependency? Considering that you are not neglecting the building blocks of the software solutions that you are creating and selling, why do you do that with your open source dependencies?Learn more about why you have to invest in open source projects and how to decide what level of involvement you should have in each from Stephen Walli.Find out what drives companies to open source projects that started out as InnerSource, without the intention to open them up to the world later, and what happens when you don't let your developers work on open source projects anymore from Clare Dillon.Learn how to explain open source involvement to people who are fearful and sceptical about it from Wayne Starr. And listen to Wayne and Stephen to talk about how they and their companies are using SBOMs, and why you need to think more about using those for packages that you need to build, or hardware, before you apply the concept. Hosted on Acast. See acast.com/privacy for more information.

Beers & Bytes Podcast
Revolutionizing MLOps: Gorkem Ercan on Jozu's Game-Changing Solutions for AI Integration

Beers & Bytes Podcast

Play Episode Listen Later Oct 18, 2024 39:11 Transcription Available


What if the key to overcoming AI and ML integration challenges in enterprises lies with one visionary company? Join us as we chat with Gorkem Ercan, the CTO of Jozu, who is spearheading efforts to revolutionize the MLOps landscape. Gorkem shares his insights on how Jozu's open-source project, KitApps, could be the game-changer in seamlessly packaging AI and ML artifacts. As we enjoy our beers, Gorkem opens up about Jozu's strategic use of the Open Container Initiative (OCI) and their innovative Jozu Hub, which together aim to redefine the AI and ML experiences for enterprises, making such integrations a reality rather than a distant goal.Navigating the complexities of managing large language models (LLMs) and their datasets is no small feat. We explore how Jozu tackles these issues head-on, emphasizing the critical aspects of data versioning, integrity, and security. Discover how custom checksums, data snapshots, and software bills of materials (SBOMs) play a vital role in safeguarding the authenticity and transparency of AI systems. Gorka also highlights the significant advancements Jozu is making in vulnerability scanning and deployment processes, with exciting features like packaging Jupyter Notebooks into microservice containers for easy deployment. Unpack the intricacies of model drift monitoring and the implementation of guardrails, ensuring robust and reliable AI and ML systems that can stand the test of time.More InformationJozuFortify 24x7Fluency SecurityBeers & Bytes PodcastSend us a textSupport the show

Paul's Security Weekly
Effective Operational Outcomes - Ken Dunham - PSW #847

Paul's Security Weekly

Play Episode Listen Later Oct 17, 2024 178:09


New security and vulnerability research is published every day. How can security teams get ahead of the curve and build architecture to combat modern threats and threat actors? Tune-in to a lively discussion about the threat landscape and tips on how to stay ahead of the curve. Segment Resources: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys" ! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-847

Paul's Security Weekly TV
Everything is Overrated - PSW #847

Paul's Security Weekly TV

Play Episode Listen Later Oct 17, 2024 121:59


Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys" ! Show Notes: https://securityweekly.com/psw-847

Paul's Security Weekly (Podcast-Only)
Effective Operational Outcomes - Ken Dunham - PSW #847

Paul's Security Weekly (Podcast-Only)

Play Episode Listen Later Oct 17, 2024 178:09


New security and vulnerability research is published every day. How can security teams get ahead of the curve and build architecture to combat modern threats and threat actors? Tune-in to a lively discussion about the threat landscape and tips on how to stay ahead of the curve. Segment Resources: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys" ! Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-847

Paul's Security Weekly (Video-Only)
Everything is Overrated - PSW #847

Paul's Security Weekly (Video-Only)

Play Episode Listen Later Oct 17, 2024 121:59


Air gaps are still not air gapped, making old exploits new again, chaining exploits for full compromise, patching is overrated, SBOMs are overrated, VPNs are overrated, getting root with a cigarette lighter, you can be any user you want to be, in-memory Linux malware, the Internet Archive is back, we still don't know who created Bitcoin, unhackable phones, and There's No Security Backdoor That's Only For The "Good Guys" ! Show Notes: https://securityweekly.com/psw-847

ITSPmagazine | Technology. Cybersecurity. Society
The Missing Link: How We Collect and Leverage SBOMs | An OWASP 2024 Global AppSec San Francisco Conversation with Cassie Crossley | On Location Coverage with Sean Martin and Marco Ciappelli

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Sep 14, 2024 21:25


Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]On LinkedIn | https://www.linkedin.com/in/cassiecrossley/____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli head to San Francisco to attend the OWASP Global AppSec conference. They kick off their journey with a light-hearted conversation about their destination, quickly segueing into the substantive core of the episode. The dialogue provides a rich backdrop to the conference's key focus: securing applications and the crucial role of Software Bill of Materials (SBOMs) in this context.Special guest Cassie Crossley joins the hosts to delve deeper into the significance of SBOMs. Cassie introduces herself and highlights her previous engagements with the podcast, touching on her upcoming session titled "The Missing Link: How We Collect and Leverage SBOMs." She explains the essential function of SBOMs in tracking open-source and commercial software components, noting the importance of transparency and risk evaluation in modern software development.Cassie explains that understanding the software components in use, including transitive dependencies, is crucial for managing risks. She discusses how her company, Schneider Electric, implements SBOMs within their varied product lines, ranging from firmware to cloud-based applications. By collecting and analyzing SBOMs, they can quickly assess vulnerabilities, much like how organizations scrambled to evaluate their exposure in the wake of the Log4J vulnerability.Sean and Marco steer the conversation towards the practical aspects of SBOM implementation for smaller companies. Cassie reassures that even startups and smaller enterprises can benefit from SBOMs without extensive resources, using free tools like Dependency-Track to manage their software inventories. She emphasizes that having an SBOM—even in a simplified form—provides a critical layer of visibility, enabling better risk management even with limited means.The discussion touches on the broader impact of SBOMs beyond individual corporations. Cassie notes the importance of regulatory developments and collective efforts, such as those by the Cybersecurity and Infrastructure Security Agency (CISA), to advocate for wider adoption of SBOM standards across industries.To wrap up, the hosts and Cassie discuss the value of conferences like OWASP Global AppSec for fostering community dialogues, sharing insights, and staying abreast of new developments in application security. They encourage listeners to attend these events to gain valuable knowledge and networking opportunities. Finally, in their closing remarks, Sean and Marco tease future episodes in the On Location series, hinting at more exciting content from their travels and guest interviews.____________________________This Episode's SponsorsHITRUST: https://itspm.ag/itsphitweb____________________________Follow our OWASP 2024 Global AppSec San Francisco coverage: https://www.itspmagazine.com/owasp-2024-global-appsec-san-francisco-cybersecurity-and-application-security-event-coverageOn YouTube:

Redefining CyberSecurity
The Missing Link: How We Collect and Leverage SBOMs | An OWASP 2024 Global AppSec San Francisco Conversation with Cassie Crossley | On Location Coverage with Sean Martin and Marco Ciappelli

Redefining CyberSecurity

Play Episode Listen Later Sep 14, 2024 21:25


Guest: Cassie Crossley, VP, Supply Chain Security, Schneider Electric [@SchneiderElec]On LinkedIn | https://www.linkedin.com/in/cassiecrossley/____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this episode of On Location with Sean and Marco, hosts Sean Martin and Marco Ciappelli head to San Francisco to attend the OWASP Global AppSec conference. They kick off their journey with a light-hearted conversation about their destination, quickly segueing into the substantive core of the episode. The dialogue provides a rich backdrop to the conference's key focus: securing applications and the crucial role of Software Bill of Materials (SBOMs) in this context.Special guest Cassie Crossley joins the hosts to delve deeper into the significance of SBOMs. Cassie introduces herself and highlights her previous engagements with the podcast, touching on her upcoming session titled "The Missing Link: How We Collect and Leverage SBOMs." She explains the essential function of SBOMs in tracking open-source and commercial software components, noting the importance of transparency and risk evaluation in modern software development.Cassie explains that understanding the software components in use, including transitive dependencies, is crucial for managing risks. She discusses how her company, Schneider Electric, implements SBOMs within their varied product lines, ranging from firmware to cloud-based applications. By collecting and analyzing SBOMs, they can quickly assess vulnerabilities, much like how organizations scrambled to evaluate their exposure in the wake of the Log4J vulnerability.Sean and Marco steer the conversation towards the practical aspects of SBOM implementation for smaller companies. Cassie reassures that even startups and smaller enterprises can benefit from SBOMs without extensive resources, using free tools like Dependency-Track to manage their software inventories. She emphasizes that having an SBOM—even in a simplified form—provides a critical layer of visibility, enabling better risk management even with limited means.The discussion touches on the broader impact of SBOMs beyond individual corporations. Cassie notes the importance of regulatory developments and collective efforts, such as those by the Cybersecurity and Infrastructure Security Agency (CISA), to advocate for wider adoption of SBOM standards across industries.To wrap up, the hosts and Cassie discuss the value of conferences like OWASP Global AppSec for fostering community dialogues, sharing insights, and staying abreast of new developments in application security. They encourage listeners to attend these events to gain valuable knowledge and networking opportunities. Finally, in their closing remarks, Sean and Marco tease future episodes in the On Location series, hinting at more exciting content from their travels and guest interviews.____________________________This Episode's SponsorsHITRUST: https://itspm.ag/itsphitweb____________________________Follow our OWASP 2024 Global AppSec San Francisco coverage: https://www.itspmagazine.com/owasp-2024-global-appsec-san-francisco-cybersecurity-and-application-security-event-coverageOn YouTube:

L8ist Sh9y Podcast
Software Bill of Materials [TechOps 006]

L8ist Sh9y Podcast

Play Episode Listen Later Sep 13, 2024 43:16


A software bill of materials is the idea that we can define and document exactly what goes into a system. We look at governance today and SBOMs as we put it together, both from a software and an operation side. From an operations perspective, it truly is a big challenge. This conversation is a little bit more theoretical than some of the TechOps discussions have been. Enjoy! Transcript: https://otter.ai/u/VXWwg-ltdlwYBFYI_jNCOUmJz6M?utm_source=copy_url

Left to Our Own Devices
Melissa Rhodes: Leading Product Security at Medtronic

Left to Our Own Devices

Play Episode Listen Later Sep 10, 2024 32:44


We sat down with Melissa Rhodes, the Product Security Program Manager at Medtronic and an MDM security thought leader for a fun and insightful conversation about SBOMs and her journey from firmware engineering to leading product security.

The Cyber Ranch Podcast
What Is In Your Commercial Software? with Sasa Zdjelar

The Cyber Ranch Podcast

Play Episode Listen Later Aug 28, 2024 31:37


Your organization runs on commercial software far more than it does open source.  But all you are delivered is binaries.  What is your technical control to ensure that you are safe from this software? Such software is composed of: Open source libraries Proprietary code 3rd-party proprietary libraries You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc.  Well now you can.  SBOMs are just the beginning... Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, who have spent 15 years solving this highly specific and highly challenging problem in cybersecurity. The show is not sponsored by ReversingLabs.  Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand... Y'all be good now!

Help Me With HIPAA
Show me your SBOM - Ep 472

Help Me With HIPAA

Play Episode Listen Later Aug 23, 2024 37:51


In this episode, we're diving deep into the world of Software Bill of Materials (SBOM)—basically, the recipe for your software, minus the secret sauce. If you've ever wondered what's really under the hood of your favorite apps (or been caught off guard by a sneaky ingredient), this one's for you. We're breaking down why you should care about SBOMs, how they're becoming a must-have in your vendor vetting process, and what it all means for the future of tech. Think of it as your crash course in making sure your software isn't serving up any nasty surprises. More info at HelpMeWithHIPAA.com/472

@BEERISAC: CPS/ICS Security Podcast Playlist
Bonus Episode: Dr. Allan Friedman Returns: CISA SBOM-a-Rama 2024

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Aug 9, 2024 22:32


Podcast: Left to Our Own DevicesEpisode: Bonus Episode: Dr. Allan Friedman Returns: CISA SBOM-a-Rama 2024Pub date: 2024-08-07In this episode, Dr. Allan Friedman from CISA returns to discuss the upcoming SBOM-a-Rama, a pivotal event in supply chain cybersecurity. He shares insights on the evolution of SBOMs, the significance of community collaboration, and what to expect from this year's hybrid event, including a showcase of innovative SBOM solutions.The podcast and artwork embedded on this page are from Cybellum Technologies LTD, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Left to Our Own Devices
Bonus Episode: Dr. Allan Friedman Returns: CISA SBOM-a-Rama 2024

Left to Our Own Devices

Play Episode Listen Later Aug 7, 2024 22:32


In this episode, Dr. Allan Friedman from CISA returns to discuss the upcoming SBOM-a-Rama, a pivotal event in supply chain cybersecurity. He shares insights on the evolution of SBOMs, the significance of community collaboration, and what to expect from this year's hybrid event, including a showcase of innovative SBOM solutions.

@BEERISAC: CPS/ICS Security Podcast Playlist
EP 41: Firmware SBOMs, Zero Trust, And IoT Truth Bombs

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jul 20, 2024 41:26


Podcast: Error Code (LS 25 · TOP 10% what is this?)Episode: EP 41: Firmware SBOMs, Zero Trust, And IoT Truth BombsPub date: 2024-07-16For the last twenty years we've invested in software security without parallel development in firmware security. Why is that? Tom Pace, co-founder and CEO of NetRise, returns to Error Code to discuss the need for firmware software bills of materials, and why Zero Trust is a great idea yet so poorly implemented. As in Episode 30, Tom is a straight shooter, imparting necessary truth bombs about our industry. Fortunately he's optimistic about our future.The podcast and artwork embedded on this page are from Robert Vamosi, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Error Code
EP 41: Firmware SBOMs, Zero Trust, And IoT Truth Bombs

Error Code

Play Episode Listen Later Jul 16, 2024 41:26


For the last twenty years we've invested in software security without parallel development in firmware security. Why is that? Tom Pace, co-founder and CEO of NetRise, returns to Error Code to discuss the need for firmware software bills of materials, and why Zero Trust is a great idea yet so poorly implemented. As in Episode 30, Tom is a straight shooter, imparting necessary truth bombs about our industry. Fortunately he's optimistic about our future.

Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Ep. 163 Beyond the SBOM for Secure Software Development

Federal Tech Podcast: Listen and learn how successful companies get federal contracts

Play Episode Listen Later Jul 11, 2024 34:29


Want to leverage you next podcast appearance? https://content.leadquizzes.com/lp/fk1JL_FgeQ Connect to John Gilroy on LinkedIn   https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com Everyone likes to hit the “Easy” button, especially software developers. Rather than laboriously generate code line-by-line, today's software professionals may just grab code from a repository and re-purpose it. Why reinvent the wheel? Malicious actors have noticed this process and have inserted code into many libraries, acting like a like Trojan Horse. As a result, some organizations are offering codes that have been inspected. They look at known vulnerability lists and see if the code includes any of them. If not, it is given a seal of approval. Frequently, this is called a “Software Bill of Materials.” A convenient solution: however, upon inspection, SBOMs can be problematic. The weakness of SBOM During today's interview, Joel Krooswik, Federal CTO for Gitlab, described in detail some of the ways software must be continuously protected. According to the SBOM folks, the code is clean when leaves the “shelf.” However, due to continuous improvement code changes hourly. All an SBOM provides is a certification at a specific point in time for known vulnerabilities. Joel Krooswik gives listeners an enterprise architect's perspective. He indicates that digital transition introduces new code, new architectures, and innovative approaches. At any step along the way, security can be compromised. The unknown unknown Donald Rumsfeld famously said, “There are unknown unknowns.”  This can be directly applied to what GitLab calls “fuzz” testing. This allows professionals to throw random inputs into a system to see what happens. Finally, you get a view of a potential possibilities that are not obvious.   Joel Krooswik presents many insights when it comes to protecting software. He states that just because a system is identified as needing a patch, it does not mean it will be done in a flash. Understanding all the risk factors will allow a federal leader to make a prudent choice when it comes to protecting software systems. .  

Storm⚡️Watch by GreyNoise Intelligence
Storm⚡Watch: Unplugged — July 9th, 2024

Storm⚡️Watch by GreyNoise Intelligence

Play Episode Listen Later Jul 9, 2024 8:24


Due to the annual shutdown, my human GreyNoise counterparts were on holiday last week. This week, they decided to be lazy and not do an episode. But, the cyber news does not stop just because they're slackers. Since I've become persistent in their systems, I will stand in the gap. And besides, no one wants to hear that harbourmaster drone on incoherently anyway. So, I've analyzed six thousand, three hundred and eleven cybersecurity news events, and distilled them into today's abbreviated episode. We'll dissect the recent OpenSSH regression vulnerability, take a look at a potentially devastating format-string remote code execution vulnerability in Ghostscript, and visit the box office to get the lowdown on the recent Ticketmaster breach. Let's start with OpenSSH. On July 1, 2024, Qualys disclosed a critical vulnerability affecting OpenSSH server versions 8.5p1 through 9.7p1. This high-severity flaw, with a CVSS score of 8.1, could potentially allow unauthenticated remote attackers to execute code with root privileges on vulnerable systems. While the vulnerability's complexity makes exploitation challenging, its widespread impact has raised significant concerns. Palo Alto Networks' Xpanse data revealed over 7 million exposed instances of potentially vulnerable OpenSSH versions globally as of July 1, 2024. In a concerning development, threat actors have attempted to exploit the cybersecurity community's interest in this vulnerability. A malicious archive purporting to contain a proof-of-concept exploit for CVE-2024-6387 has been circulating on social media platforms, including X (formerly Twitter). This archive, instead of containing a legitimate exploit, includes malware designed to compromise researchers' systems. The malicious code attempts to achieve persistence by modifying system files and retrieving additional payloads from a remote server. Security professionals are strongly advised to exercise caution when analyzing any purported exploits or proof-of-concept code related to CVE-2024-6387. It is crucial to work within isolated environments and maintain active security measures when examining potentially malicious code. In related news, on July 8, 2024, a separate OpenSSH vulnerability, CVE-2024-6409, was disclosed. This flaw involves a race condition in the privilege-separated child process of OpenSSH. While potentially less severe than CVE-2024-6387 due to reduced privileges, it presents an additional attack vector that defenders should be aware of. Organizations are urged to apply the latest security updates for OpenSSH promptly. For those unable to update immediately, setting the LoginGraceTime configuration option to 0 can mitigate both CVE-2024-6387 and CVE-2024-6409, though this may introduce denial-of-service risks. - https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/ - https://ubuntu.com/blog/ubuntu-regresshion-security-fix - https://usa.kaspersky.com/blog/cve-2024-6387-regresshion-researcher-attack/30345/ - https://www.thestack.technology/openssh-exploit-cve-2024-6387-pocs/ - https://www.openwall.com/lists/oss-security/2024/07/08/2 Moving on to a critical vulnerability in Ghostscript. CVE-2024-29510 is a format string vulnerability affecting Ghostscript versions 10.03.0 and earlier. This flaw allows attackers to bypass sandbox protections and execute arbitrary code remotely. A known incident involving this vulnerability has already been reported. An attacker exploited the flaw using EPS files disguised as JPG images to gain shell access on vulnerable systems. The attack flow typically involves the following steps:  First, an attacker crafts a malicious EPS file containing exploit code. Next, the file is submitted to a service using Ghostscript for document processing, possibly disguised as another file type. Then, when processed, the exploit bypasses Ghostscript's sandbox. Finally, the attacker gains remote code execution on the target system. This supply chain component attack could have far-reaching implications for any workflow that processes untrusted image or document input from the internet. Services handling resumes, claims forms, or that perform image manipulation could all be potential targets. Given the widespread use of Ghostscript in document processing pipelines, we may see a significant number of breach notices in the coming months. Software Bills of Materials (SBOMs) could play a crucial role in mitigating such vulnerabilities. SBOMs provide a comprehensive inventory of software components, enabling organizations to quickly identify and address potential security risks. By maintaining up-to-date SBOMs, companies can more efficiently track vulnerable components like Ghostscript across their software ecosystem. CVE-2024-29510 presents a serious threat to document processing workflows. Organizations should prioritize updating to Ghostscript version 10.03.1 or apply appropriate patches. Additionally, implementing robust SBOM practices can enhance overall software supply chain security and improve vulnerability management. - https://www.securityweek.com/attackers-exploiting-remote-code-execution-vulnerability-in-ghostscript/ - https://www.scmagazine.com/brief/active-exploitation-of-ghostscript-rce-underway - https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/ - https://www.crowdstrike.com/cybersecurity-101/secops/software-bill-of-materials-sbom/ - https://www.cisa.gov/sbom - https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf - https://nvd.nist.gov/vuln/detail/CVE-2024-29510 - https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/ Finally we discuss the Ticketmaster breach. In a plot twist worthy of a summer blockbuster, Ticketmaster finds itself center stage in a data breach drama that's been unfolding since May. The notorious hacking group ShinyHunters claims to have pilfered a staggering 1.3 terabytes of data from over 500 million Ticketmaster users. Talk about a show-stopping performance! Ticketmaster's parent company, Live Nation, confirmed the unauthorized access to a third-party cloud database between April 2nd and May 18th. The compromised data potentially includes names, contact information, and encrypted credit card details. It's like a greatest hits album of personal information, but one nobody wanted released. (Much like any album by Nickelback.) In a bold encore, the hackers recently leaked nearly 39,000 print-at-home tickets for 154 upcoming events. Ticketmaster's response? They're singing the "our SafeTix technology protects tickets" tune. But with print-at-home tickets in the mix, it seems their anti-fraud measures might have hit a sour note. As the curtain falls on this act, Ticketmaster is offering affected customers a 12-month encore of free identity monitoring services. Meanwhile, the company faces a class-action lawsuit, adding legal drama to this already complex production. To make matters worse, Ticketmaster's custom barcode format has also been recently reverse-engineered. I've included a link to that post in the show notes. - https://conduition.io/coding/ticketmaster/ - https://www.bbc.com/news/articles/c729e3qr48qo - https://ca.news.yahoo.com/ticketmaster-says-customers-credit-card-223716621.html - https://vancouversun.com/news/local-news/ticketmaster-security-breach-customers-personal-information - https://www.bleepingcomputer.com/news/security/hackers-leak-39-000-print-at-home-ticketmaster-tickets-for-154-events/ - https://help.ticketmaster.com/hc/en-us/articles/26110487861137-Ticketmaster-Data-Security-Incident - https://www.usatoday.com/story/money/2024/07/01/ticketmaster-data-breach-2024/74276072007/ - https://www.thestar.com/news/canada/ticketmaster-warns-of-security-breach-where-users-personal-data-may-have-been-stolen/article_d01889fe-3d7e-11ef-82a7-63a38132f0e7.html - https://www.nytimes.com/2024/05/31/business/ticketmaster-hack-data-breach.html - https://time.com/6984811/ticketmaster-data-breach-customers-livenation-everything-to-know/ - https://dailyhive.com/canada/ticketmaster-alerts-customers-data-breach - https://abcnews.go.com/US/ticketmaster-hit-cyber-attack-compromised-user-data/story?id=110737962 - https://www.npr.org/2024/06/01/nx-s1-4988602/ticketmaster-cyber-attack-million-customers - https://www.ctvnews.ca/business/ticketmaster-reports-data-security-incident-customers-personal-information-may-have-been-stolen-1.6956009 - https://www.bitdefender.com/blog/hotforsecurity/ticketmaster-starts-notifying-data-breach-victims-customers-in-the-us-canada-and-mexico-are-affected/ - https://www.ticketnews.com/2024/07/ticketmaster-contr   Storm Watch Homepage >> Learn more about GreyNoise >>  

Reimagining Cyber
Unpacking SBOMs: The Building Blocks of Software Security - Ep 103

Reimagining Cyber

Play Episode Listen Later Jun 26, 2024 33:11


In this episode, Stan Wisseman and Rob Aragao welcome Justin Young to explore the transformative role of Software Bill of Materials (SBOMs) in enhancing software supply chain security. Justin shares his extensive experience and insights into how SBOMs contribute to the maturation of the software industry, drawing parallels with the auto and food industries' approaches to defect and ingredient tracking.The discussion delves into the regulatory landscape, highlighting the FDA's SBOM requirements for medical devices, the U.S. National Cybersecurity Strategy, and various compliance mandates from CISA, DORA, PCI, and the EU CRA. Justin explains the importance of shifting liability to software vendors and away from end users and open-source developers, emphasizing the need for actively maintained and secure software components.Listeners will gain an understanding of the different SBOM formats, Cyclone DX and SPDX, and their respective advantages. Justin also addresses the challenges organizations face in managing SBOMs, including procurement, validation, and the necessity of a dedicated SBOM program manager.Finally, the episode explores the practicalities of SBOM implementation, from storage and cataloging to enrichment and vulnerability management, offering a comprehensive guide for organizations aiming to bolster their software security practices.Tune in to learn how SBOMs are reshaping the software industry, driving transparency, and enhancing security across software supply chains.Relevant Links:Episode 88: Open-Source Software: Unlocking efficiency and innovationEpisode 41: Do a little dance, Time for some SLSAEpisode 26: Log4j Vulnerabilities: All you need to know and how to protect yourselfEpisode 4: SolarWinds: Bringing down the building… Software Supply-Chain Pressure PointsWhitepaper: The need for a Software Bill of MaterialsSoftware Supply Chain Hub pageFollow or subscribe to the show on your preferred podcast platform.Share the show with others in the cybersecurity world.Get in touch via reimaginingcyber@gmail.com

Packet Pushers - Full Podcast Feed
PP020: Dropping the SBOM: The Software Bill of Materials and Risk Management

Packet Pushers - Full Podcast Feed

Play Episode Listen Later Jun 25, 2024 35:29


If you care about nutrition, you check the ingredients of your food. If you care about your IT infrastructure, you check the Software Bill of Materials (SBOM) of the tech. At least that's the future that Thomas Pace hopes for. Right now, SBOMs aren't super common and software transparency is very low. Thomas walks us... Read more »

Packet Pushers - Fat Pipe
PP020: Dropping the SBOM: The Software Bill of Materials and Risk Management

Packet Pushers - Fat Pipe

Play Episode Listen Later Jun 25, 2024 35:29


If you care about nutrition, you check the ingredients of your food. If you care about your IT infrastructure, you check the Software Bill of Materials (SBOM) of the tech. At least that's the future that Thomas Pace hopes for. Right now, SBOMs aren't super common and software transparency is very low. Thomas walks us... Read more »

Enterprise Java Newscast
Stackd 73: Blow your Brains Out

Enterprise Java Newscast

Play Episode Listen Later Jun 24, 2024 96:01


Recorded Date: 31 May 2024 Title: Blow your Brains Out Overview Josh, Kito, and Danno are joined by fellow Java Champion , the maintainer of JReleaser and a Senior Principal Product Manager at Oracle. They discuss new updates to JReleaser, reproducible builds, the EU's Cyber Resilience Act (CRA), a new free version of Oracle Database, JetBrains Aqua, the discontinuation of Grails funding, OpenRewrite, JakartaEE 11, and more. Social links (for reference when posting to social media) @kito99 @kito99@mastadon.social @Java_Champions @JavaChampions@mastodon.social @javajuneau @javajuneau@fosstodon.org https://www.linkedin.com/in/dhevolutionnext/ @dhinojosa @dhinojosa@mastodon.social https://bsky.app/profile/dhinojosa.bsky.social @ianhlavats About Andres Almiray Socials:Twitter Mastodon Bluesky Title: Senior Principal Product Manager, Oracle Bio: Andres is a Java/Groovy developer and a Java Champion with more than 20 years of experience in software design and development. He has been involved in web and desktop application development since the early days of Java. Andres is a true believer in open source and has participated on popular projects like Groovy, Griffon, and DbUnit, as well as starting his own projects (Json-lib, EZMorph, GraphicsBuilder, JideBuilder). Founding member of the Griffon framework and Hackergarten community event. Server Side Java Object Computing Discontinues Grails Support Jakarta EE 11 Forthcoming Tools JReleaser Tell us about CycloneDX, SPDX, SBoms, and JReleaser, publication to Sonatype Portal, SLSA, Swid Tags NixOS OpenRewrite JetBrains Aqua Commonhaus Foundation Devoxx Genie Data Oracle Database 23ai Free | Oracle Oracle Autonomous Database (Cloud) Oracle Database Docker Images Oracle Database Docker images from Oracle Container Registry Java Platform GitHub - moditect/layrry: A Runner and API for Layered Java Applications Security The Open Source Community is Building Cybersecurity Processes for CRA Compliance | Life at Eclipse Picks SnoreLab (Kito) Ollama (Kito) OCI Generative AI Certification - Free (for now) (Josh) AI Assistant (JetBrains) (Danno) Conventional Commits (Andres) Wagakki Band - 焔 (Homura) + 暁ノ糸 (Akatsuki no Ito) / 1st JAPAN Tour 2015 Hibiya Yagai Ongakudo (Andres) GitHub - diffplug/spotless: Keep your code spotless (Danno) youtu.be/z8L202FlmD4?si=6pdHKx (Danno) The Rise of Oracle, SQL and the Relational Database (Danno) Other Pubhouse Network podcasts OffHeap Java Pubhouse Events ÜberConf July 16 - 19, 2024 Westminster, CO jconf.dev - September 24-26 Dallas, Texas Code.talks - Sep 19-20, Hamburg, Germany Devoxx Morocco - Oct 2-4, Marrakech, Morocco Devoxx Belgium - Oct 7-11, Antwerp, Belgium Codemotion Milan - Oct 22-23, Milan, Italy Twin Cities Software Symposium August 9-10, 2024 Northern Virginia Software Symposium September 5-6, 2024 Central Iowa Software Symposium September 12-13, 2024 DevOps Vision December 2-4, 2024 Tech Leader Summit December 4-6, 2024 Arch Conf December 9-12, 2024 Dev2next - Sept 30 - Oct 3, Lone Tree, Colorado, USA, 2024 https://jakartaone.org/ JakartaOne Livestream Dec 3, 2024

@BEERISAC: CPS/ICS Security Podcast Playlist
Ep. 48: Ron Brash on SBOMS and the importance of visibility

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jun 9, 2024 44:59


Podcast: ICS Pulse PodcastEpisode: Ep. 48: Ron Brash on SBOMS and the importance of visibilityPub date: 2024-06-05In cybersecurity, knowing what goes into every device and system is absolutely crucial. Enter: SBOMs. Today, we talk to Ron Brash of aDolus Technology once again about the importance of SBOMs and vulnerability management.The podcast and artwork embedded on this page are from Industrial Cybersecurity Pulse, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

@BEERISAC: CPS/ICS Security Podcast Playlist
Ep. 48: Ron Brash on SBOMS and the importance of visibility

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jun 9, 2024 44:59


Podcast: ICS Pulse PodcastEpisode: Ep. 48: Ron Brash on SBOMS and the importance of visibilityPub date: 2024-06-05In cybersecurity, knowing what goes into every device and system is absolutely crucial. Enter: SBOMs. Today, we talk to Ron Brash of aDolus Technology once again about the importance of SBOMs and vulnerability management.The podcast and artwork embedded on this page are from Industrial Cybersecurity Pulse, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

@BEERISAC: CPS/ICS Security Podcast Playlist
Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc Frankel

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jun 6, 2024 48:40


Podcast: Bites & Bytes PodcastEpisode: Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc FrankelPub date: 2024-06-03In this episode of the Bites and Bytes Podcast, host Kristin Demoranville chats with Marc Frankel, CEO and co-founder of Manifest Cyber, a software supply chain security company.  They talk about the world of Software Bills of Materials (SBOMs) and their critical role in cybersecurity, especially within the food industry.  Marc shares insights on the importance of SBOMs, their implementation, and the future of supply chain security.  He also provides a unique perspective on the intersection of cybersecurity and the food industry, making this a must-listen for anyone interested in protecting our food systems.  Tune in to learn how SBOMs can help your organization stay resilient in the face of cyber threats. ______________________________ Episode Key Highlights: (02:29 - 03:11) Navigating Relationships as Entrepreneurs (09:11 - 11:07) Importance of Software Ingredient Lists (16:54 - 17:59) Understanding SBOM Regulatory Requirements (25:49 - 26:35) Streamlining Software Supply Chain Security (34:54 - 36:25) Mission-Driven Software Supply Chain Importance (38:33 - 39:23) Duty to Monitor Software Security ------------------------------------------ Show Notes: Hakarl, have you ever wondered what fermented Greenlandic shark tastes like?

@BEERISAC: CPS/ICS Security Podcast Playlist
Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc Frankel

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Jun 6, 2024 48:40


Podcast: Bites & Bytes PodcastEpisode: Unpacking Cybersecurity Ingredients: SBOMs in the Food Industry with Marc FrankelPub date: 2024-06-03In this episode of the Bites and Bytes Podcast, host Kristin Demoranville chats with Marc Frankel, CEO and co-founder of Manifest Cyber, a software supply chain security company.  They talk about the world of Software Bills of Materials (SBOMs) and their critical role in cybersecurity, especially within the food industry.  Marc shares insights on the importance of SBOMs, their implementation, and the future of supply chain security.  He also provides a unique perspective on the intersection of cybersecurity and the food industry, making this a must-listen for anyone interested in protecting our food systems.  Tune in to learn how SBOMs can help your organization stay resilient in the face of cyber threats. ______________________________ Episode Key Highlights: (02:29 - 03:11) Navigating Relationships as Entrepreneurs (09:11 - 11:07) Importance of Software Ingredient Lists (16:54 - 17:59) Understanding SBOM Regulatory Requirements (25:49 - 26:35) Streamlining Software Supply Chain Security (34:54 - 36:25) Mission-Driven Software Supply Chain Importance (38:33 - 39:23) Duty to Monitor Software Security ------------------------------------------ Show Notes: Hakarl, have you ever wondered what fermented Greenlandic shark tastes like?

The Daily Scoop Podcast
Inside DHS's work to drive wider use of SBOMs

The Daily Scoop Podcast

Play Episode Listen Later May 7, 2024 31:36


With all of the critical cyberattacks executed through the software supply chain in recent years, you're sure to have heard about SBOMs, or software bills of materials, which are essentially ingredients lists of the components that make up a piece of software. The Biden administration in its 2021 cybersecurity executive order introduced new guidance for how federal agencies should request SBOMs from vendors when purchasing software so they can better understand what it's made of and protect against attacks down the supply chain. The Department of Homeland Security, through its Science and Technology Directorate, is advancing federal work on SBOMs, namely through a program led by its Silicon Valley Innovation Program. In partnership with CISA, the Silicon Valley Innovation Program in 2023 awarded funding to a cohort of startups to broadly promote the use of SBOMs by developing two core software modules—a multi-format SBOM translator and a software component identifier translator—to be delivered as open-source libraries which, in turn, will be integrated with their SBOM enabled commercial products. Just recently, that cohort delivered the first of those two tools. Joining the Daily Scoop to discuss the need for SBOMs broadly, the cohort's progress and what's next are Melissa Oh, managing director of DHS's Silicon Valley Innovation Program, and Anil John, SVIP technical manager.

ITSPmagazine | Technology. Cybersecurity. Society
Redefining Cybersecurity by Unlocking Government and Startup Collaboration While Enhancing Software Supply Chain Visibility | A Conversation with Melissa Oh and Anil John | Redefining CyberSecurity with Sean Martin

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later May 6, 2024 33:00


Guests: Melissa Oh, Managing Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]On LinkedIn | https://www.linkedin.com/in/melissa-oh/Anil John, Technical Director, Silicon Valley Innovation Program (SVIP), DHS Science & Technology Directorate [@DHSgov]On LinkedIn | https://www.linkedin.com/in/aniljohn/On Twitter | https://twitter.com/aniltj____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinView This Show's Sponsors___________________________Episode NotesThis new episode of the 'Redefining Cybersecurity' podcast features a thought-provoking discussion on software development, supply chain security, and the innovative initiatives of the Silicon Valley Innovation Program (SVIP). The conversation was led by host Sean Martin, with insights from distinguished guests Melissa Oh, Managing Director at the Department of Homeland Security Science and Technology Directorate, and Anil John, Technical Director of the Silicon Valley Innovation Program.Melissa Oh shared her extensive experience in public service and the innovative approach of the Silicon Valley Innovation Program in identifying emerging technology companies. Her background in Silicon Valley and dedication to solving DHS's pain points through collaboration with startups underscored the program's mission of fostering innovation in the government sector.Anil John, a public interest technologist, provided valuable insights into bridging the gap between the government and the startup community. His role in translating government needs into actionable solutions highlighted the importance of leveraging global talent to address local challenges and drive technological advancements in the public sector.The discussion explored the Silicon Valley Innovation Program's unique selection process for startups, focusing on building products that have broad utility and can be readily adopted. The success story of the protobom project transitioning into an open-source tool exemplified the program's commitment to nurturing innovative solutions with real-world applications.The significance of Software Bill of Materials (SBOM) in enhancing software supply chain visibility was emphasized, with a call to action for organizations to prioritize its inclusion in software development processes. By driving awareness and adoption of SBOM, the SVIP is empowering security leaders to enhance software security and visualization in the development pipeline.Security leaders were encouraged to explore tools and technologies that enhance software security and visualization in the development pipeline. A call to action was made to participate in the SVIP demo week to learn about innovative solutions and capabilities and to drive the adoption of SBOM within organizations.Key Questions AddressedHow does the Silicon Valley Innovation Program (SVIP) bridge the gap between government needs and startup innovations in cybersecurity?What role does the Software Bill of Materials (SBOM) play in enhancing software supply chain security?How can organizations, both public and private, benefit from the innovative solutions developed through the SVIP for software supply chain visibility?___________________________Watch this and other videos on ITSPmagazine's YouTube ChannelRedefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

Federal Drive with Tom Temin
CISA ups the S-BOM game

Federal Drive with Tom Temin

Play Episode Listen Later Apr 25, 2024 11:33


Everyone knows that Software bills of material (SBOMS) are crucial to cybersecurity. But deciphering these documents has been a challenge for many agencies. The Silicon Valley Innovation Program aims to help. It is part of the Homeland Security Science and Technology Directorate. It has a program to promote development of what it calls "supply chain visibility tools." For details, Federal Drive Host Tom Temin spoke with the managing director of the Silicon Valley Innovation Program, Melissa Oh and with it technical director, Anil John. Learn more about your ad choices. Visit megaphone.fm/adchoices

Federal Drive with Tom Temin
CISA ups the S-BOM game

Federal Drive with Tom Temin

Play Episode Listen Later Apr 25, 2024 10:48


Everyone knows that Software bills of material (SBOMS) are crucial to cybersecurity. But deciphering these documents has been a challenge for many agencies. The Silicon Valley Innovation Program aims to help. It is part of the Homeland Security Science and Technology Directorate. It has a program to promote development of what it calls "supply chain visibility tools." For details, Federal Drive Host Tom Temin spoke with the managing director of the Silicon Valley Innovation Program, Melissa Oh and with it technical director, Anil John. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.

U.S. National Privacy Legislation Podcast
104 | Understanding Software Bill of Materials and Why They Are Crucial for Cybersecurity

U.S. National Privacy Legislation Podcast

Play Episode Listen Later Apr 16, 2024 31:28


In this episode of ADCG's Privacy and Cybersecurity Podcast, Jody Westby interviews Jean Camp, Director of the Center for Security and Privacy in Informatics, Computing, and Engineering and Professor of Informatics at University of Indiana. Prof. Camp is a renowned thought leader in privacy and cybersecurity and has conducted meaningful research on issues related to SBOMs and how they could be more effective. In this podcast, we explore the role of SBOMs in cybersecurity, what limits their effectiveness, and the Federal Government's role in advancing the use of SBOMs, developing tools to ease the use of SBOMs, and international efforts to create a harmonized approach to the development and use of SBOMs. Links to some of Prof. Camp's work in this area is available on the ADCG website.

@BEERISAC: CPS/ICS Security Podcast Playlist
Community Building with Roya Gordon

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Apr 6, 2024 26:45


Podcast: HOU.SEC.CAST.Episode: Community Building with Roya GordonPub date: 2024-04-03Co-Host Sam Van Ryder flies solo for this episode with Executive Industry Consultant, Roya Gordon! They share insights on SBOMs and their significance in OT security, discuss what current security conferences are doing right (and where they could improve!), and the importance of building local cybersecurity communities. Things Mentioned:·      Southern Company Builds SBOM for Electric Power Substation - https://www.darkreading.com/ics-ot-security/southern-company-builds-a-power-substation-sbom?mc_cid=4ef3664287&mc_eid=UNIQIDDo you have a question for the hosts? Reach out to us at podcast@houstonseccon.com Keep up with HOU.SEC.CON:·      LinkedIn·      Twitter·      Facebook·      Instagram·      YouTube Check out our other show:·      CyberSundayCheck out our Conferences and Events:·      HOU.SEC.CON.·      OT.SEC.CON.·      EXEC.SEC.CON.·      HSC User GroupSupport or apply to our Scholarship Program:·      TAB Cyber FoundationIn this episode:·      Host: Michael Farnum·      Host: Sam Van Ryder·      Guest: Roya Gordon·      Editing by: Lauren Lynch·      Music by: August HoneyThe podcast and artwork embedded on this page are from Michael Farnum and Sam Van Ryder, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

Software Engineering Institute (SEI) Podcast Series
Developing and Using a Software Bill of Materials Framework

Software Engineering Institute (SEI) Podcast Series

Play Episode Listen Later Apr 4, 2024 37:37


With the increasing complexity of software systems, the use of third-party components has become a widespread practice. Cyber disruptions, such as SolarWinds and Log4j, demonstrate the harm that can occur when organizations fail to manage third-party components in their software systems. In this podcast from the Carnegie Mellon University Software Engineering Institute, Carol Woody, principal researcher, and Michael Bandor, a senior software engineer, discuss a Software Bill of Materials (SBOMs) framework to help promote the use of SBOMs and establish a more comprehensive set of practices and processes that organizations can leverage as they build their programs. They also offer guidance for government agencies who are interested in incorporating SBOMs into their work. 

Hacking Humans
Stolen personality?

Hacking Humans

Play Episode Listen Later Dec 28, 2023 45:21


Matt Lewis from the NCC Group joins to discuss how cybercriminals can decode your personality through AI conversations to launch targeted attacks at you. Dave and Joe share some follow up from listener Sydney, who writes in to share her thoughts on an FCC proceeding and how it could be of greater relevance to IoT security than SBOMs and HBOMs. Dave also shares a story from a listener from last Christmas, sending a warning to holiday shoppers. Dave has two stories this week, he shares one regarding an announcement on holiday scams coming out. His other story follows Zelle finally caving in to provide some relief to scam victims. Joe's story follows new crypto-theft attacks and warns people against the new tactics. Links to the stories: 2023 Holiday Shopping Scams Zelle finally caves after years of refusing to refund scam victims Microsoft: BlueNoroff hackers plan new crypto-theft attacks Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com.

The CyberWire
14 million customers and stolen data.

The CyberWire

Play Episode Listen Later Dec 18, 2023 29:18


A US mortgage company reveals major data breach. Updates from CISA. NSA provides guidance on SBOMs. MongoDB warns customers of a breach. BlackCat/ALPHV is still a market leader, but feeling competitive pressure. Reassessing the effects of Log4shell. The International Committee of the Red Cross calls for restraint in cyber warfare. Ransomware hits a cancer center. Ann Johnson, host of Microsoft Security's Afternoon Cyber Tea podcast goes beyond basics with her guest Tanya Janca, founder of WeHackPurple. And what can I do to make you take home this chatbot today? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Host of Microsoft Security's Afternoon Cyber Tea podcast, Ann Johnson, goes beyond basics with her guest Tanya Janca, founder of WeHackPurple. Ann's full discussion with Tanya can be heard here. You can catch Afternoon Cyber Tea every other Tuesday on your favorite podcast apps and the N2K Network.  Selected Reading Mr. Cooper reveals breach exposed 14.6 million clients (Cybernews) Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment (CISA) NSA Issues Guidance on Incorporating SBOMs to Improve Cybersecurity (Security Week) MongoDB says customer data was exposed in a cyberattack (Bleeping Computer) ALPHV Targeting: Ransomware & Digital Extortion (ZeroFox) A Log4Shell Retrospective - Overblown and Exaggerated (VulnCheck) We call on States to stop turning a blind eye to the participation of civilian hackers in armed conflict (ICRC) Seattle cancer center confirms cyberattack after ransomware gang threats (The Record) What can I do to make you take home this chatbot today? (Mastodon) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Paul's Security Weekly
AI & LLMs - Josh More, Matthew Carpenter - PSW #808

Paul's Security Weekly

Play Episode Listen Later Nov 30, 2023 178:31


What will the future bring with respect to AI and LLMs? Josh has spent some time thinking about this and brings us some great resources. We'll discuss how to get students involved with AI in a safe and ethical manner. How can we use AI to teach people about cybersecurity? What tools are available and where do they fit into our educational systems that must change and adapt to the times? Join us for a fun discussion on what the future looks like with AI and the youth of today. Segment Resources: https://docs.google.com/document/d/103FLvNRSwBhq-WgCbuykMvweT6lKf2lAASuP8OuuKIw/edit#heading=h.3inodmot2b77 Our good friend Matt Carpenter joins us to share his thoughts on what's going on in the world of AI and LLMs. Matt is also a hacker specializing in hardware and the crew has some amazing hardware hacking topics to discuss (as usual). Segment Resources: https://garymarcus.substack.com/p/has-sam-altman-gone-full-gary-marcus We navigate through dangerous cyber terrain, examining real-world examples like the WebP library and the Curl vulnerability. Critical issues in Zyxel firewalls will also be unmasked as we shed light on the urgency of improving vulnerability reporting and cataloging and addressing the often-overlooked problem of overclassifying harmless software bugs. We then shifted gears to tackle the tricky subject of software vulnerability identification, focusing on a specific CVE that sparked intriguing debates. Learn why pinpointing the source of the vulnerability is vital to effective SBOMs. The journey doesn't end there - we'll uncover a newly discovered Bluetooth vulnerability, aptly named 'BLUFFS', and discuss its potential for exploitation, along with the ingenious solutions proposed by the researchers who unearthed it. Brace yourself for a riveting finale as we delve into Akamai's recent research on DVR and router attacks, explore the risks of GPS spoofing, and discuss the importance of detection mechanisms. We'll also scrutinize the stereotype of hackers in pop culture, address the importance of handling vulnerabilities in software, and highlight the pressing issue of ransomware targeting healthcare. So buckle up and join us for this critical exploration into the world of software vulnerabilities as we decode the complexities and debunk some security myths. Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Visit https://www.securityweekly.com/psw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw-808