Application Security , Endpoint Security , Internet of Things Security

Keeping the Software Supply Chain Secure

Steve Springett Says a Software Bill of Materials Increases Transparency
Steve Springett, creator of Dependency-Track

IoT devices and software applications often use a range of components, including third-party libraries and open source code. All of those pose risks if vulnerabilities are discovered.

See Also: Building Better Security Operations Centers With AI/ML

Ensuring devices and services are secure requires keeping track of the status of those software ingredients, promptly applying patches when available. But that can be challenging, says Steve Springett, creator of the open source project called Dependency-Track, a supply chain component analysis platform.

“Whenever you use third-party and open source software, you’re ultimately using code that you didn’t write yourself,” Springett says. “In many cases, code can be slipped in, and you’re not even aware that you were using it in the first place. Even when you include your first-level dependencies, those dependencies also have dependencies in many cases.”

Dependency-Track, which is part of the Online Web Application Security Project, is a free application that helps identify out-of-date and risky software components by using a software bill of materials, which describes the exact software components that an application contains.

Springett also created CycloneDX, a vendor agnostic specification for creating a software bill of materials.

In this video interview with Information Security Media Group, Springett discusses:

  • The risks around using out-of-date software components;
  • How software bill of materials and software transparency efforts are growing;
  • How Dependency-Track approaches software composition.

Springett, creator of Dependency-Track, is a senior security architect with ServiceNow in Chicago.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.