You searched for sbom - My TechDecisions (https://mytechdecisions.com/)

These Trends Will Shape Cybersecurity in 2023
https://mytechdecisions.com/network-security/these-trends-will-shape-cybersecurity-in-2023/
Published Fri, 20 Jan 2023 18:40:33 +0000 on My TechDecisions
Over the last few years, trends in cybersecurity have forced the responsibility of keeping networks and systems secure to shift from a handful of IT and security professionals to the entire organization. Now, cybersecurity is becoming a significant part of any business in the digital era.

Organizations are hard-pressed to do anything new or innovate without considering the cybersecurity implications, and business executives are making sure–or at least should be making sure–that innovation happens with the consent of the cybersecurity team.

“Now what we’re being told as a line of business, is that we have to be in lock step with cybersecurity,” says Theresa Lanowitz, head of evangelism and portfolio marketing for AT&T Cybersecurity.

Things have shifted dramatically over the last handful of years, with the previous model of investing in cybersecurity as needs or incidents arise becoming a risky practice that could spell disaster for any organization.

Now, the “sweet spot” for security investment for any new initiative is between 11% and 21% upfront, says Lanowitz, citing companies’ testimonials to the telecommunications giant.

Because of the heightened importance given to cybersecurity, there is a growing level of cross-functional support in both the culture and budget of organizations.

“We’re seeing cybersecurity step out of the shadows, become a full business partner and become something that the line of business is investing in and expecting,” Lanowitz says.

In short, cybersecurity should have the proverbial full seat at the table at any organization.

However, that strategy is now a baseline, and organizations must be in line with current trends in IT and cybersecurity so they don’t fall behind. According to Lanowitz, there are eight key trends shaping the cybersecurity landscape in 2023.

5G and the edge

According to Lanowitz, the new era of computing is underpinned by 5G and edge technologies. While vendors and businesses have different definitions of edge, Lanowitz says the technology can largely be defined as a software-defined distributed model of management, intelligence and networks with applications, workloads and hosting close to users and assets that are generating or consuming the data.

Edge use cases are generally driven by the Internet of Things (IoT), collecting and transmitting data that drives logical decisions and outcomes, and the new year should bring an accelerated, full-scale rollout of those use cases. They include real-time fraud detection for financial services, automated warehousing with real-time inventory management and near-real-time visual inspection for manufacturing lines, border crossings and available parking spaces, to name a few.

However, these edge use cases require connected systems from the network layer through to application monitoring and management, and each component needs to be secure.

“With more democratized computing, security is no longer isolated,” Lanowitz says. “It is central to delivering strong business outcomes.”

For successful implementations with security at the core, decades-old silos such as networking, IT, app development and security will need to fade away to enable more cross-functional work, Lanowitz says.

Disaggregation of the Network

According to Lanowitz, disaggregation of the network, or separating it into component parts, means that security tools can actually become part of the network. New types of networks will have more inherent security built in than previous generations.

With the move to the edge, which is software-defined, disaggregated networks can bring in the security components needed at a specific time, Lanowitz says.

“So if somebody accidentally clicks on a malicious link, rather than having that malware spread through the whole network, with a disaggregated network, what you can do is you can say, ‘All right, I know there’s a problem here.’ And it’s going to basically self-heal. It’ll disaggregate into itself and spin up a new version.”

While new and still conceptual, Lanowitz predicts this cybersecurity trend to emerge in 2023.

Securing the Data Lifecycle

According to Lanowitz, edge computing is all about the collection, use and enrichment of data. In edge use cases such as manufacturing assembly lines, the data is hosted and consumed right there using a series of cameras and sensors.

“You’re not backhauling data to the data center for some sort of analytical program to go through it,” Lanowitz says. “It’s near-real time.”

Because that near-real-time data is the most important part of edge computing, it must be protected, intact and usable. Organizations should expect to see more solutions designed around the data lifecycle and built to ensure that data governance policies are automated and enforced.

That is especially true as more edge applications are deployed and the amount of data being generated multiplies at a rapid pace.

Applications: Built-in Security

Applications are central in the new software-defined business world, but applications are the last frontier of an ecosystem built with security in mind, Lanowitz says.

In 2001, the Open Web Application Security Project (OWASP) was formed to identify the most common web application security vulnerabilities. In the 21 years since, OWASP’s Top 10 list of web application security risks has not seen meaningful shifts.

The application is the last mile connecting the user, and as organizations move to the edge, we’ll start to see more applications that are non-GUI based and aren’t traditional transactional types of applications.

“Devices running on the edge will be running headless applets, which will have to transfer data back and forth,” Lanowitz says. “So, the idea of building security from the beginning becomes incredibly important.”

That will force different departments in organizations to work more closely, as software development teams will work in tandem with security, operations, networking and business teams.

That will also put more emphasis on securing the software supply chain and software bills of materials (SBOM).

“The SBOM, the focus on software-defined and the edge coming together will hopefully create that perfect storm … and really spur on the idea of application security and make it more mainstream,” Lanowitz says.

Biometric Security

The cybersecurity community is trending toward multiple, different types of authentication methods, including biometrics such as face scanning and fingerprints.

According to Lanowitz, most people have pictures of themselves online, even if they are not active on social media. This makes it relatively easy for bad actors to create digital twins of a person based on a quick internet search. The technology to do so will only improve over time.

“This is one of the next frontiers,” Lanowitz says. “One of the next opportunities for security is the idea of being able to secure biometrics and digital twins.”

The more we use biometrics for authentication methods, the more we’ll give bad actors an opportunity to create deep fakes.

“Biometric security is going to be something we’ll see a lot more of, and I think we need to get used to it,” Lanowitz says.

Threat Intelligence

Gathering information on attacks from a variety of sources and publishing those findings for the entire IT and security community to consume will continue to be an essential part of cybersecurity.

However, threat intelligence this year will become more relevant and curated. For example, the manufacturing industry should be less concerned about attacks on the financial services sector and more concerned with the security risks faced in its own market.

“We’re going to get to this point of relevance and then curation,” Lanowitz says. “You have all this data coming at you and all this information coming at you, but the more curated and relevant it is for you, the more it will help you make those decisions.”

IoT Cybersecurity

Along with protecting digital assets from hackers and keeping data safe, defenders now have to think about how to keep devices capable of causing physical harm out of the hands of bad actors. For example, internet-connected machines such as construction tools or medical devices must be secured.

As new AI-driven, internet-connected technology finds its way into cars and other vehicles, these physical devices are now considered endpoints and need to be protected like any other endpoint. However, organizations also need to ensure that these new categories of online devices are kept safe from physical harm.

“Safety critical devices are the ones that should really give you more pause,” Lanowitz says.

Moving to the Edge

As companies continue to move to the edge, data and application security will be increasingly embedded from the beginning, and Lanowitz predicts 2023 as a big year for that movement.

Companies “born on the edge” will continue the tech disruption that we’ve seen with companies “born on the web.”

“Companies born on the edge aren’t going to have to deal with legacy software,” Lanowitz says. “They’ll have application security built into everything they’re doing. They’ll have data governance and data security built into everything. They’ll have biometric security built into everything.”

Software Inefficiencies are Costing U.S. Economy Trillions, Study Says
https://mytechdecisions.com/compliance/software-inefficiencies-are-costing-u-s-economy-trillions-study-says/
Published Tue, 06 Dec 2022 19:06:29 +0000 on My TechDecisions
Software quality issues such as vulnerabilities, software supply chain problems and technical debt could be costing the U.S. economy trillions, according to a new report from electronic design automation solutions and services firm Synopsys.

The Mountain View, Calif.-based company’s report, “The Cost of Poor Software Quality in the US,” finds that software quality issues may have cost the U.S. economy more than $2.4 trillion in 2022, as the software industry builds up what the company calls a historic number of deficiencies.

The report, sponsored by Synopsys and produced by the Consortium for Information & Software Quality (CISQ), finds that cybercrime is a leading contributor to these costs, with losses due to cybercrime rising 64% between 2020 and 2021 and 2022 on track for another 42% increase.

According to the report, cybercrime is predicted to cost the world $7 trillion in 2022, and the average cost of a data breach in the U.S. is now $9.44 million, up from $9.05 million the year prior.

In fact, the quantity and cost of cybercrime incidents have been on the rise for over a decade, and now account for a sum equivalent to the world’s third largest economy after the U.S. and China, the report found.

Software supply chain issues continue to be a major IT problem and are getting worse, with the report finding that the number of failures due to weaknesses in open-source software components rose 650% from 2020 to 2021.

With problems in underlying third-party components rising significantly, Synopsys and CISQ stress the importance of responsible and comprehensive open-source security and risk management. The report highlights high-profile incidents, including the Log4Shell vulnerability, which surfaced in late 2021 and is still causing problems for organizations.

However, the CISQ and Synopsys report identified technical debt as the largest obstacle for organizations to overcome. Technical debt, the cost of rework in software development and accumulated deficiencies that are time-consuming and expensive to fix, is leaving systems and organizations vulnerable, the report says.

Due to these issues, the technical debt in the U.S. has risen to more than $1.5 trillion this year, the report found.

Herb Krasner, the report’s author and a retired professor of software engineering at the University of Texas at Austin, says the report offers proactive advice for engineers, project teams and organizational leaders to improve the quality of the software they use and build.

“Now is the time to turn our attention to recent developments and emerging solutions to help improve the poor software quality situation as it now exists and stabilize and reduce the growth rate of CPSQ in the near future,” Krasner says.

Meanwhile, Dr. Anita D’Amico, the Synopsys Software Integrity Group vice president of cross-portfolio solutions and strategy and CISQ Board Member, urges the IT industry to adopt software bills of materials (SBOM) to help give organizations a comprehensive inventory of components used to make a piece of software.

“That means when a new vulnerability is identified in an existing component, organizations can quickly identify where it is in their software and take action to remedy it,” D’Amico says.
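The lookup D’Amico describes, matching a newly published advisory against an SBOM, can be scripted directly. The following is an added example and is not code from Synopsys, CISQ or the report. The CycloneDX-style SBOM and the advisory record are constructed inline; the advisory is a simplified rendering of CVE-2021-44228, the Log4Shell bug mentioned above (log4j-core from 2.0 up to, but excluding, the 2.15.0 fix). The version comparison is a minimal numeric one; a production tool would apply the package ecosystem’s own ordering rules.

```python
"""Match a CycloneDX-style SBOM against a list of advisories.

Added example, not code from Synopsys, CISQ or the report. The SBOM and the
advisory list are constructed inline; the advisory is a simplified rendering
of CVE-2021-44228 (log4j-core from 2.0 up to, but excluding, 2.15.0).
"""
import json
import re

# Constructed SBOM using a subset of the CycloneDX 1.4 JSON fields.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2"},
        # A second, already patched copy of the same library (another module).
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

# Constructed advisory feed: package coordinates plus a half-open version range
# [introduced, fixed). Real feeds (OSV, GHSA) carry the same information.
ADVISORIES = [
    {"id": "CVE-2021-44228", "severity": "critical",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a tuple of ints for comparison.

    Numeric dot/dash separated parts are kept; the first non-numeric part
    (a pre-release tag) ends the tuple, so '2.0-beta9' compares as 2.0.
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed under parse_version ordering."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def purl_base(purl: str) -> str:
    """Strip the version and qualifiers from a package URL."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return the SBOM components that fall inside an advisory's range,
    highest severity first so remediation can be prioritized."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        for adv in advisories:
            if purl_base(purl) != adv["package"]:
                continue
            if in_range(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append({"advisory": adv["id"], "severity": adv["severity"],
                             "component": purl, "fix": ">=" + adv["fixed"]})
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits.sort(key=lambda h: rank.get(h["severity"], 9))
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(hit)
```

Because the SBOM lists a component once per version, the same inventory can carry both a vulnerable and a patched copy of log4j-core; only the 2.14.1 copy is reported, and sorting by severity gives a remediation team the order it wants.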

Palo Alto Networks Releases Software Composition Analysis in Prisma Cloud
https://mytechdecisions.com/it-infrastructure/palo-alto-networks-releases-software-composition-analysis-in-prisma-cloud/
Published Tue, 20 Sep 2022 15:31:16 +0000 on My TechDecisions
Cybersecurity giant Palo Alto Networks is releasing a context-aware software composition analysis solution intended to help developers use open source components safely and secure their software supply chains.

The company’s software composition analysis (SCA) solution will be integrated into its cloud-native application protection platform, Prisma Cloud, which Palo Alto Networks says will help developers and security teams proactively surface and prioritize known vulnerabilities throughout the application lifecycle.

Palo Alto Networks calls Prisma Cloud a complete cloud-native application protection platform (CNAPP) that is context aware at every stage of the application lifecycle. The company says it provides a unified view of risk across an organization’s cloud environments and delivers deep dependency detection and remediation of vulnerabilities in open source software before applications reach production.

With the integration of SCA, developers can use the tool to prioritize remediation based on software components that are actually in use.

According to the company, there has been a 188% increase in cloud incident response cases over the past three years, which demands a new approach to cloud security that doesn’t rely on siloed products that provide intermittent visibility. Prisma Cloud, the company says, provides a comprehensive prevention-first framework.

In addition to SCA, Prisma Cloud now also includes a software bill of materials (SBOM) and other capabilities to help developers maintain and reference a complete codebase inventory of every application component used across cloud environments.

Palo Alto Networks says a complete code-to-cloud CNAPP needs to incorporate these key principles, which the company says Prisma Cloud was designed to align with:

  • Security from code to cloud — protects applications at every stage of the development lifecycle: code, build, deploy and run.
  • Continuous, real-time visibility — uses real-time and contextual security analysis of cloud environments to help prevent misconfigurations, vulnerabilities and threats.
  • Prevention-first protection — stops attacks and defends against zero-day vulnerabilities to drive down mean time to remediation.
  • Choice for every cloud journey — aligns security needs with current and future cloud priorities by supporting a breadth of cloud service providers, workload architectures, continuous integration and continuous delivery (CI/CD) pipelines, integrated development environments (IDEs) and repositories with a unified platform.
  • Cloud-scale security — consistently secures applications as cloud environments scale.

Ankur Shah, the senior vice president of Palo Alto Networks’ Prisma Cloud, says developers who leverage open-source software should be able to build applications without having to worry about introducing vulnerabilities into organizations’ environments.

“With the average application consisting of 75% open-source components, SCA on Prisma Cloud is key to protecting the organization from code to cloud and empowering developers to build with speed,” says Shah in a statement.

Modern Cyber Threats, Supply Chain Attacks Are Burning Out IT Pros, Experts Say
https://mytechdecisions.com/network-security/modern-cyber-threats-supply-chain-attacks-are-burning-out-it-pros-experts-say/
Published Tue, 09 Aug 2022 17:52:50 +0000 on My TechDecisions
The software supply chain and organizations’ increasing reliance on cloud infrastructure are making IT environments harder to protect and leading to cybersecurity burnout among IT professionals, according to a panel of cybersecurity experts convened last week in advance of Black Hat USA this week.

Attackers are increasingly leveraging the software supply chain and open-source software to gain access to victim networks, and as more organizations migrate to the cloud, attackers are seizing on misconfigured cloud infrastructure and vulnerabilities, according to panelists from leading cybersecurity and IT companies, including VMware, Immersive Labs and more.

Cloud and supply chain threats wreaking havoc

According to Kevin Breen, director of cyber threat research at Immersive Labs, cybercriminals of all types are leveraging vulnerabilities in the software supply chain to carry out attacks.

“This isn’t limited to advanced persistent threat (APT) attacks,” Breen says. “We’re seeing ransomware operators make use of this.”

Breen says Immersive Labs researchers have also seen open-source developers sabotage their own code with political statements.

Úlfar Erlingsson, chief architect at Lacework, says the constant shifting to the cloud and within the cloud provides an open door for attackers to leverage that constant change and “sneak in at almost any level,” with the supply chain remaining a prime target.

“That’s very concerning, and the supply chain is definitely a big part of that,” Erlingsson says.

That constant change is also making it easier for attackers to exploit zero-day vulnerabilities more quickly than ever; the notorious Log4Shell bug was exploited in attacks just hours after it was publicly disclosed in late 2021.

“We were alerting our customers at 5 a.m., the day it was announced,” Erlingsson says. “That was only an hour or two after it was (disclosed).”

The speed with which attackers are jumping on new vulnerabilities, combined with the constantly changing cloud and software industry, is making it incredibly difficult for organizations to respond in a timely manner. Now, organizations need to prioritize risk, says Jeffrey Martin, vice president of product at Mend, which makes developer tools for securing code.

While a software bill of materials (SBOM) can provide a useful snapshot of the components that make up a piece of software, it doesn’t do much more than that, Martin says.

“That creates the biggest problem, which is everything is chaos—I don’t know what I have and what I have keeps changing,” Martin says. “I need to be able to prioritize the risks in there, because I can’t eliminate them and I can’t prevent them, so I need to be able to prioritize them.”

Log4Shell was a good example of a critical vulnerability that everyone knew about immediately but finding and remediating the bug was no small task. In fact, 30% of Log4j instances remained vulnerable to exploitation two months after it was disclosed, according to cybersecurity firm Qualys.

Identifying what software is running vulnerable versions of Log4j can be very challenging for some organizations, especially when it is in third-party software or dynamically loaded after a piece of software starts running, Erlingsson says.

“Any static scan of the passenger manifest before things took flight would have missed this,” Erlingsson states.
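One reason Log4j was so hard to find is the third-party case Erlingsson mentions: log4j-core shipped inside other vendors’ application archives rather than as a top-level dependency, so it never appeared on the consuming organization’s own manifest. The script below is an added example, not code from Lacework, Immersive Labs, Mend or any other panelist’s company. It walks a directory for JARs, recurses into archives nested inside them (a Spring Boot BOOT-INF/lib layout is used for the constructed fixture) and flags any archive containing JndiLookup.class, reading the version from the bundled pom.properties when present. The fixture directory and its JARs are built by make_fixture() so the script runs offline. This is still a static scan of artifacts on disk and, as Erlingsson says, it cannot see classes loaded over the network once the process is running.

```python
"""Find bundled log4j-core JARs, including ones nested inside other JARs.

Added example, not code from any panelist's company. The JARs scanned are
built by make_fixture() so the script runs offline. Detection is by the
presence of the JndiLookup class path; the version is read from the JAR's
Maven pom.properties when it is present.
"""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _inspect(zf: zipfile.ZipFile, location: str, findings: list) -> None:
    """Record a finding if this archive carries JndiLookup, then recurse into
    any archive stored inside it (fat JARs, WARs, Spring Boot BOOT-INF/lib)."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({"location": location, "version": version})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not really an archive; skip it
            _inspect(inner, f"{location}!/{name}", findings)


def scan_path(root: str) -> list:
    """Scan every archive under root and return a list of findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _jar_bytes(entries: dict) -> bytes:
    """Build an in-memory ZIP (a JAR is a ZIP) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_fixture() -> str:
    """Constructed test directory: one application JAR that bundles a
    log4j-core 2.14.1 JAR inside BOOT-INF/lib, and one clean JAR."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    log4j = _jar_bytes({
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",  # class file magic, body omitted
        POM_PROPS: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n",
    })
    app = _jar_bytes({
        "com/example/App.class": b"\xca\xfe\xba\xbe",
        "BOOT-INF/lib/log4j-core-2.14.1.jar": log4j,
    })
    clean = _jar_bytes({"com/example/Other.class": b"\xca\xfe\xba\xbe"})
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(app)
    with open(os.path.join(root, "clean.jar"), "wb") as fh:
        fh.write(clean)
    return root


if __name__ == "__main__":
    for hit in scan_path(make_fixture()):
        print(hit)
```

Point scan_path() at an application server’s deployment directory to get the same report for real artifacts; the location string uses the `outer.jar!/inner.jar` convention so the nested path can be handed straight to whoever owns the third-party package.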

Applying psychology to cybersecurity

For IT and cybersecurity professionals tasked with protecting their organization and fixing things on the fly, the job can be incredibly stressful.

When critical vulnerabilities are released and defenders are under pressure to mitigate and patch, adrenaline kicks in and “rational thinking goes the opposite direction,” says Bec McKeown, director of human science at Immersive Labs.

Essentially, a highly trained expert could succumb to fear and anxiety during a ransomware attack and freeze up when the organization needs them the most, McKeown says.

“It’s nothing to do with experience and capabilities—it’s to do with the fact of the situation that you’re in,” McKeown says.

To help IT and security professionals better operate under pressure, McKeown suggests adapting concepts used in the military that are designed to help people remain self-aware and adapt to challenging situations.

McKeown also suggests IT and security professionals maintain good relationships with their technology vendors so those difficult conversations during a crisis will be easier. As well as rehearsing incident response, tech professionals should also rehearse those vendor conversations.

“When those bad things happen, you don’t get any friction going on because that’s not when you want to be testing relationships,” she says.

Rick McElroy, principal cybersecurity strategist at VMware, says these issues are leading to rampant cybersecurity burnout. With the growing reliance on the cloud, the problem is being multiplied, and skilled cybersecurity professionals are increasingly hard to find.

McElroy cited VMware’s latest Global Incident Response Threat Report, which covers the burnout issue and the increasing use of deepfakes in cyberattacks.

“This idea that attackers understand who we are as humans and can manipulate us at scale using bots and deepfakes—those are things I think we have to account for in our training and awareness programs, and I’m not seeing us make enough innovation in that particular space,” McElroy says.

How to Vet a Vendor’s Transparency and Trustworthiness
https://mytechdecisions.com/compliance/how-to-vet-a-vendors-transparency-and-trustworthiness/
Published Thu, 04 Aug 2022 16:21:42 +0000 on My TechDecisions
Has your organization ever found out about a technology vendor’s security incident from news reports rather than a transparent disclosure to customers from the vendor itself? If so, and that vendor has not profusely apologized for not disclosing that incident, then it may be time to cut bait with that particular provider.

That is especially true if the provider is part of the unstoppable trend of cloud, software-as-a-service and cybersecurity providers taking on responsibility for handling and safeguarding their customers’ data. Without internal controls over a cloud-based technology that runs in a vendor’s environment, trust is now more important than ever.

Offloading that responsibility to a technology vendor and putting it in the position to make critical business decisions for your organization should require a high level of trust. IT buyers should ensure not only that the right security practices are in place at the prospective vendor, but also that it has the resources and the right philosophy when it comes to customer data, says Robb Reck, a security professional currently working to uphold standards of trust and transparency as the chief trust officer at managed detection and response provider Red Canary.

“All of those questions should work to determine if the technology vendor is a trustworthy partner or not,” Reck says.

Positions such as Reck’s are typically security or risk management initiatives from leadership that go beyond the scope of a typical security program and look critically at the company’s transparency with customers.

A chief trust officer defines how the software vendor talks to customers about security issues, including proactively bringing issues to customers, oftentimes before they even know about it.

Can you trust your technology vendor?

According to Reck, technology providers are trustworthy when they follow two simple rules: fulfilling their promises and being proactively transparent.

“You probably learn this at age 2—the idea of doing what you said you were going to do and saying what you’re going to do. Telling a customer what is coming and delivering that thing over and over again is a way to earn an awful lot of trust,” Reck says. “When you become predictable, you become trustworthy.”

Equally as important when selecting a technology vendor is their track record when it comes to transparency, and not just being honest when asked about security incidents. For example, a vendor should tell its customers about a security incident that went unnoticed, even if it could have gotten away without any negative press.

Reck used the analogy of borrowing a friend’s car, getting in a minor fender-bender, and not telling the owner.

“Am I willing to be the person who proactively tells the truth and apologizes and explains how they’re going to make it better? In the future, you know I’m not going to lie to you.”

Another key pillar of trust is around aligned incentives of the software vendor and customer that prioritize positive outcomes rather than just business transactions.

“If they’re making money on me all the way until I go bankrupt, I don’t feel like that’s a very good partnership,” Reck says. “Finding ways that you can align incentives between the provider and customer is a big part of it.”

Cloud, SaaS providers and trust

While cybersecurity providers may top the list of tech companies that should be trustworthy, organizations consuming any software-as-a-service (SaaS) and other cloud-based deployments of their enterprise technologies should demand a higher level of transparency and trust.

With data storage and management shifting from on-premises systems and an organization’s own data center to the cloud, organizations are essentially handing control of their data, infrastructure and services to an outsider. Before, enterprises were their own backstop: they could make changes and evaluate how the software was running.

Customers of security providers like Red Canary—which monitor telemetry and essentially decide what behavior to ignore and what behavior warrants an alert and investigation—have to trust that the software is both made well by the vendor and running well, and that any human interaction is not costing them downtime.

With that in mind, a wide range of cloud-based technologies should be looked at from this angle, including customer relationship management tools and enterprise resource planning (ERP) software.

Warning signs

According to Reck, here are several warning signs that a software vendor is not transparent or trustworthy.

Downplaying the incident in first communications

Those first few messages about a security incident need to clearly outline what is known and what is not known. Too often software vendors will say only a certain portion of customers are affected, only to later revise that to a larger number and undermine the trust their customers place in them.

No transparency about any security incidents

Every company has security incidents, so a lack of disclosures should be alarming—regardless of how insignificant the incident is. Reck provided one example from his experience at Red Canary in which a customer stopped sending the firm its telemetry to be monitored for threats for about 12 hours. Once the company noticed the issue and fixed it, it combed through the data to make sure nothing malicious was missed. After that, the company had a brief internal conversation about informing the customer, and it quickly decided that the customer should know, even though nothing bad happened during those 12 hours.

“I see each of those opportunities as a way to not only build trust with our customers … but also to build that internal understanding of what it means to be a trustworthy company,” Reck says.

No status page

Public-facing status pages that report the health of a vendor's services are the lowest-hanging fruit of technology-vendor transparency; a vendor without one has not cleared the easiest bar.

Government-mandated transparency

This level of transparency is now being mandated by parts of the U.S. government. The SEC has proposed rules that would require publicly traded companies, which include many leading software providers, to disclose material cybersecurity incidents (within four business days of determining that an incident is material, under the proposal) and to provide updates on previously reported incidents.

The same proposals would require companies to describe the policies and procedures they use to identify and manage cybersecurity risk.

Separately, President Joe Biden's Executive Order 14028 on Improving the Nation's Cybersecurity directs federal agencies to require more transparency from the software providers they buy from, about both their products and their own environments, including a software bill of materials (SBOM) that lists the components a product is built from.

In a recent blog post, the Brookings Institution notes that the recent RSA Conference was full of offerings to secure the software supply chain and increase vendor transparency, many of them referencing the Executive Order. The Institution calls Biden's order a "set of goals" designed to create a transparent marketplace for technology and security tools.

“The creation of a transparent market for software and provision of information for operators and purchasers leverages the greatest competitive advantage of the United States: the rule of law required to support a trustworthy marketplace,” the research group wrote.

The post How to Vet a Vendor’s Transparency and Trustworthiness appeared first on My TechDecisions.

Microsoft Open Sources Salus SBOM Tool
https://mytechdecisions.com/compliance/microsoft-open-sources-salus-sbom-tool/
Wed, 13 Jul 2022 18:23:06 +0000

Microsoft is open sourcing its software bill of materials (SBOM) generation tool, Salus, to help the technology industry and IT decision-makers better understand the security of their tools and their dependencies on the software supply chain. (Microsoft later renamed the tool SBOM Tool, published at github.com/microsoft/sbom-tool, because the name Salus clashed with an existing open-source security project.)

SBOMs have gained prominence after several high-profile vulnerabilities in widely used components led to widespread exploitation. The clearest case is Log4Shell (CVE-2021-44228), the critical vulnerability in the Log4j logging library that let an attacker send a specially crafted request (a JNDI lookup string in any input that gets logged) to a vulnerable system and execute arbitrary code on it. For most organizations the painful part was not patching but finding every product that embedded the library, which is exactly the question an SBOM is meant to answer.

An SBOM, essentially a list of ingredients (the software packages and components included in an end product), is a key requirement of President Joe Biden's Executive Order 14028 on improving the nation's cybersecurity.

Microsoft calls Salus a "general purpose, enterprise-proven, build-time SBOM generator" that runs on Windows, Linux and macOS and emits the standard Software Package Data Exchange (SPDX) format, specifically SPDX 2.2 as JSON.

The company says Salus can be integrated into build workflows and, through its Component Detection library, auto-detects NPM, NuGet, PyPI, CocoaPods, Maven, Golang, Rust crates, RubyGems, Linux packages within containers, Gradle, Ivy, GitHub public repositories and more. Microsoft will be adding more detectors to Component Detection.

Documents created by Salus contain four main sections: document creation information (software name, SPDX license, SPDX version, who created the document and when); the list of files that make up the software; the list of packages used when building it; and the list of relationships between those elements (for example, which package DEPENDS_ON which).

Salus can also reference other SBOM documents for a larger view of dependencies, according to a Microsoft blog post written by two product and program managers.

“Microsoft wants to work with the open-source community to help everyone be compliant with the Executive Order,” the pair wrote. “Open sourcing Salus is an important step towards fostering collaboration and innovation within our community, and we believe this will enable more organizations to generate SBOMs as well as contribute to its development.”

Codenotary Introduces First Continuous Background Vulnerability Scanning
https://mytechdecisions.com/latest-news/codenotary-introduces-first-continuous-background-vulnerability-scanning/
Tue, 12 Jul 2022 16:01:32 +0000

Trustcenter offers an always up-to-date background scanning for any artifact, build, or software stack – customers never miss vulnerabilities

HOUSTON–(BUSINESS WIRE)–#SBOM–Codenotary, leaders in software supply chain security, today announced that the company's flagship product, Trustcenter, now offers the first integrated solution to support always up-to-date background scanning for any artifact, build, or software stack.

A point-in-time scan only reflects the vulnerability intelligence available when it ran; a component judged clean today can be flagged tomorrow when a new advisory is published, and organizations that scan only occasionally stay exposed in between. Trustcenter instead scans continuously in the background against up-to-the-minute threat intelligence from multiple sources. Once a vulnerability is detected, Codenotary immediately flags the offending component and raises an alert with the remediation options available.

“We understand the complexities many companies face when running vulnerability scans and we know that because of this in many cases organizations forgo regular scanning, leaving them vulnerable,” said Dennis Zimmer, co-founder and chief technology officer, Codenotary. “But we all know better and the potential risks and costs are high without continuous scanning. Codenotary now makes scanning simple to run by automating the process and then makes that information actionable.”

Trustcenter provides an end-to-end trusted software supply chain with integrity and authenticity. It can be scaled to millions of integrity verifications per second and gives developers a way to attach a tamper-proof Software Bill of Materials (SBOM) to development artifacts, including source code, builds, repositories and more, plus Docker container images for their software and Kubernetes deployments. The SBOM can be made instantly visible to customers, auditors and compliance professionals. It is built without uploading any data to the service: software artifacts are notarized by recording a cryptographic hash that uniquely identifies each one, and that identity is stored in immudb, the open-source immutable database developed by Codenotary. Note what notarization does and does not prove: a verified artifact is byte-for-byte what was recorded, by whoever recorded it; whether it is free of vulnerabilities is a separate question, which is why the continuous scanning described above is a distinct feature.

With Trustcenter it’s possible to maintain trust status at the level of each individual artifact at scale. Codenotary provides tools for notarization and verification of the software development lifecycle attesting to the provenance and safety of the code.
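The three Codenotary releases on this page all describe the same mechanism: record a cryptographic identity for an artifact in an append-only store and check against it later. As an added example, not Codenotary's code and not an immudb client, the Python below implements the minimal version of that idea: a SHA-256 content address per artifact and a hash-chained ledger in which every entry commits to the previous one, so editing, reordering or deleting a record is detectable, and revoking trust is just another append. The artifact bytes and names are constructed. Real systems add signatures over entries and Merkle inclusion proofs so a client can verify without trusting the server; the chain here is the structure those proofs are built on.

```python
"""Tamper-evident notarization ledger for build artifacts.

Added example, not Codenotary's code: a minimal hash-chained, append-only log
showing what 'notarize' and 'verify' mean at the mechanism level.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def artifact_digest(data: bytes) -> str:
    """Content address of an artifact: SHA-256 of its bytes."""
    return hashlib.sha256(data).hexdigest()


class NotaryLedger:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        """Hash of every field except the hash itself, with a canonical key order."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def notarize(self, name, data, status="trusted", metadata=None):
        """Append a record for `data`. Revocation is another append with status='untrusted'."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "index": len(self.entries),
            "name": name,
            "digest": artifact_digest(data),
            "status": status,
            "metadata": metadata or {},
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def status_of(self, data):
        """Latest status recorded for exactly these bytes, or None if never notarized."""
        digest = artifact_digest(data)
        status = None
        for entry in self.entries:
            if entry["digest"] == digest:
                status = entry["status"]   # later entries override earlier ones
        return status

    def verify_chain(self):
        """True unless any entry was edited, reordered or removed after being appended."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["index"] != i or entry["prev_hash"] != prev:
                return False
            if self._entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    ledger = NotaryLedger()
    build = b"...constructed stand-in for the bytes of app.jar from build 42..."
    ledger.notarize("app.jar", build, metadata={"build": 42})
    print("pristine build:", ledger.status_of(build))             # trusted
    print("modified build:", ledger.status_of(build + b"\x00"))   # None: never notarized
    ledger.notarize("app.jar", build, status="untrusted", metadata={"reason": "vulnerable dependency found"})
    print("after revocation:", ledger.status_of(build))          # untrusted
    print("chain intact:", ledger.verify_chain())                 # True
    ledger.entries[1]["status"] = "trusted"                      # someone rewrites history in place
    print("chain intact after edit:", ledger.verify_chain())      # False
```

Two properties matter in practice. First, a single flipped byte in the artifact gives a different digest, so `status_of` returns None rather than a stale "trusted": the ledger never answers for bytes it has not seen. Second, the ledger is only tamper-evident to whoever holds a copy of the latest entry hash; an operator who controls the whole store can rewrite it consistently, which is exactly the gap that client-side verification and signed entries are meant to close.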

For more information, go to Codenotary Trustcenter.

About Codenotary

With hundreds of customers that include the top three banks in the U.S. and Europe, Codenotary brings easy-to-use trust and integrity into the software lifecycle by providing end-to-end cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. Codenotary can be set up in minutes and can be fully integrated with modern CI/CD platforms. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second. With the Codenotary tamper-proof bill of materials, users can instantly identify untrusted components in their software builds. For more information, go to https://www.codenotary.com.

Contacts

Joe Eckert for Codenotary

Eckert Communications

jeckert@eckertcomms.com

Codenotary First to Provide Continuously Updated and Fully Searchable Tamper-Proof Information about Software Components in Container Images
https://mytechdecisions.com/latest-news/codenotary-first-to-provide-continuously-updated-and-fully-searchable-tamper-proof-information-about-software-components-in-container-images/
Tue, 28 Jun 2022 16:01:16 +0000

SBOM Operator for Kubernetes allows users to continuously be aware of all software and software dependencies running in Kubernetes

HOUSTON–(BUSINESS WIRE)–#SBOM–Codenotary, leaders in software supply chain security, today launched SBOM Operator for Kubernetes in both its open source Community Attestation Service and Codenotary's Trustcenter, the company's flagship product. The operator mitigates the risk of software supply chain attacks by tracking all software and software dependencies running in Kubernetes. Codenotary provides the easiest way to generate SBOMs (Software Bill of Materials) of running container images and to maintain up-to-date records of all builds and dependencies. This allows for immediate risk mitigation in the event that unwanted, dangerous or vulnerable artifacts are detected.

All SBOM information is continuously updated and versioned to include any changes in deployments, then stored in a tamper-proof, auditable database. That information is instantly available for search so that the location of software artifacts can be pinpointed in seconds, and the history of image content changes verified, which is essential to maintaining a secure software supply chain.

The new SBOM Operator for Kubernetes helps enterprises comply with the U.S. Executive Order on Improving the Nation's Cybersecurity (EO 14028), which calls for maintaining a Software Bill of Materials (SBOM), and with the SLSA (Supply-chain Levels for Software Artifacts) framework for establishing trust in the software supply chain.

“By itself, the SBOM is not very useful without continuously being updated and maintained as the information is deprecated with every new deployment or update,” said Dennis Zimmer, co-founder and chief technology officer, Codenotary. “Now, users know exactly what is running in containers, with the most recent information so they have the ability to immediately remediate something if necessary.”

SBOM Operator is an open source community project, supported by Codenotary, that stores SBOM information about container images as files in a Git repository; it has been extended to support both the Community Attestation Service and Trustcenter as back ends, which are tamper-proof, versioned and fully searchable.

“I am pleased to contribute to the wider adoption and use of SBOMs with the Codenotary integration in my Kubernetes operator, especially the additional security, timestamp and search capabilities across the infrastructure were key to developing the extension,” said Christian Kotzbauer.

Codenotary provides tools for cataloging and trusting components of the software development lifecycle which help attest to the origin and safety of the code. The company further enhances this core functionality by providing an additional tamper-proof layer which processes and stores millions of transactions per second, on-premises or as a cloud service, and with cryptographic verification. It gives developers and DevOps engineers a way to attach a Software Bill of Materials (SBOM) for development artifacts that include source code, builds, repositories, and more, plus Docker and Kubernetes container images for their software.

For more information, go to Codenotary Trustcenter.

About Codenotary

With over 100 customers that include the top three banks in the U.S. and Europe, Codenotary brings easy-to-use trust and integrity into the software lifecycle by providing end-to-end cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. Codenotary can be set up in minutes and can be fully integrated with modern CI/CD platforms. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second. With the Codenotary tamper-proof bill of materials, users can instantly identify untrusted components in their software builds. For more information, go to https://www.codenotary.com.

Contacts

Joe Eckert for Codenotary

Eckert Communications

jeckert@eckertcomms.com

Codenotary First to Offer Integrated Solution for Compliance for Integrity of Supply Chain Software
https://mytechdecisions.com/latest-news/codenotary-first-to-offer-integrated-solution-for-compliance-for-integrity-of-supply-chain-software/
Wed, 15 Jun 2022 16:01:17 +0000

Codenotary Cloud provides zero-trust with immutable data storage in one integrated package; enables organizations to conform with Supply-chain Levels for Software Artifacts (SLSA)

HOUSTON–(BUSINESS WIRE)–#SBOM–Codenotary, leaders in software supply chain security, today announced that the company's flagship product, Codenotary Cloud, is now the first all-in-one offering that allows organizations to attain compliance with the industry-standard Supply-chain Levels for Software Artifacts (SLSA) to assure the integrity of software used in the development process and safeguard against introducing unknown issues.

The easy-to-deploy integrated offering helps guard against software supply chain attacks, which are increasing dramatically. SLSA defines graduated levels of assurance (at the time, SLSA 1 through 4) for how an artifact was built, from documented provenance up to hermetic, reproducible builds, and significantly advances trust in modern application environments. Until now, compliance with this new standard was difficult because it requires a zero-trust approach to the pipeline and immutable data storage for the build records. Codenotary Cloud is the first integrated solution to allow organizations to attain SLSA compliance with secure infrastructure that prevents tampering with software development.

“SLSA is a strict requirement in the modern approach to application development,” said Dennis Zimmer, co-founder and chief technology officer, Codenotary. “It has been extraordinarily difficult or impossible to attain compliance as a zero trust approach to the DevOps pipeline and immutable storage were always two key missing elements. Codenotary Cloud brings this into an integrated, easy-to-deploy solution.”

Codenotary provides tools for cataloging and trusting components of the software development lifecycle which help attest to the origin and safety of the code. The company further enhances this core functionality by providing an additional tamper-proof layer which processes and stores millions of transactions per second, on-premises or as a cloud service, and with cryptographic verification. It gives developers a way to attach a Software Bill of Materials (SBOM) for development artifacts that include source code, builds, repositories, and more, plus Docker and Kubernetes container images for their software.

Register now for the webinar on Friday, June 24 to see how Codenotary Cloud can be used to achieve SLSA compliance.

About Codenotary

With over 100 customers that include the top three banks in the U.S. and Europe, Codenotary brings easy-to-use trust and integrity into the software lifecycle by providing end-to-end cryptographically verifiable tracking and provenance for all artifacts, actions, and dependencies. Codenotary can be set up in minutes and can be fully integrated with modern CI/CD platforms. It is the only immutable and client-verifiable solution available that is capable of processing millions of transactions a second. With the Codenotary tamper-proof bill of materials, users can instantly identify untrusted components in their software builds. For more information, go to https://www.codenotary.com.

Contacts

Joe Eckert for Codenotary

Eckert Communications

jeckert@eckertcomms.com

Static SBOMs vs Dynamic SBOMs
https://mytechdecisions.com/compliance/static-sboms-vs-dynamic-sboms/
Mon, 06 Jun 2022 20:45:12 +0000

Since the federal government mandate calling for the creation of a software bill of materials (SBOM) to avoid the next SolarWinds or Log4j exposures, software providers have been scrambling to figure out how to create SBOMs that are both effective and dynamic, given that software changes over time.

Bills of materials have been a standard requirement in other industries for decades. Some cybersecurity experts say SBOMs will bring the same kind of transparency to software, which in turn leads to greater security and trust.

The challenges of creating and using an SBOM

While more organizations recognize now that they need an SBOM, that doesn’t mean the process of creating and maintaining one is easy.

Currently, static SBOM tools fail to meet today's security needs and create too much work. They depend on manual, point-in-time scans to learn what has changed in the environment, and they yield noisy, complex output that makes it hard to focus on what matters.

Static SBOMs are also limited in what they can see and are often available only for specific parts of the software stack. The result is delay and uncertainty, and in this context delay and uncertainty are risk.

For SBOMs to work, they need reliable component identification and the ability to scale across diverse software ecosystems, sectors and markets. Although component identification is a critical part of an SBOM, the NTIA acknowledged in its guidance that agreeing on a universal, global component identification system will be difficult.

The minimum elements of an SBOM

The National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce, was tasked by the Executive Order with publishing the minimum elements of an SBOM, along with a description of use cases for greater transparency in the supply chain.

The NTIA's minimum elements fall into three categories: data fields, automation support, and practices and processes. The required data fields are supplier name, component name, version of the component, other unique identifiers (such as a purl, CPE or SWID tag), dependency relationship, author of the SBOM data, and timestamp.

Automation support means automatic generation and machine-readability, so that SBOMs can be produced and consumed at the scale of the software ecosystem. The accepted data formats are SPDX, CycloneDX, and SWID tags.

Practices and processes define how SBOMs are requested, generated and used: frequency (a new SBOM for every new build or release), depth (at minimum all top-level components and their transitive dependencies, with known unknowns stated explicitly), distribution and delivery, access control, and accommodation of mistakes.

The departments acknowledged that an SBOM is a starting point, and that software is dynamic in nature and subject to change.

"The minimum elements that are deemed feasible in today's environment do not capture the full range of metadata around software source, processing, and use that is likely to emerge from modern software processes," the Department of Commerce stated. "Some of this data will be incorporated into future extensions of SBOM data."

Noting that SBOMs will not be the sole resource for supply chain security or software assurance, the department advised taking “a linkable, modular approach … to maximize the potential for flexibility and adoption.”
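As an added example of the data-field requirements, not from NTIA or any vendor: a Python check that reads a CycloneDX 1.4 JSON SBOM and reports which NTIA minimum data fields are missing. The BOM is constructed by hand, with one component left deliberately incomplete, and the mapping from NTIA fields to CycloneDX properties (supplier.name, name, version, purl/cpe/swid, the dependencies array, metadata.authors, metadata.timestamp) is the standard one. A check like this belongs at the point where an SBOM is accepted from a supplier, before anyone relies on it.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum-element data fields.

Added example; the BOM below is constructed by hand and the second component is
deliberately incomplete to show what the check reports.
"""
import json

SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
        "timestamp": "2022-06-06T20:45:12Z",                 # NTIA: timestamp
        "authors": [{"name": "example build pipeline"}],     # NTIA: author of SBOM data
        "component": {"type": "application", "name": "example-service",
                      "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "bom-ref": "log4j",
         "name": "log4j-core", "version": "2.14.1",
         "supplier": {"name": "The Apache Software Foundation"},
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        # Incomplete on purpose: no version, supplier, identifier or dependency edge.
        {"type": "library", "bom-ref": "mystery", "name": "mystery-lib"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j"]},
    ],
})


def check_minimum_elements(bom_text):
    """Return a list of findings; an empty list means every NTIA minimum data field is present."""
    bom = json.loads(bom_text)
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("document: missing timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("document: missing author of SBOM data")

    # Every bom-ref that takes part in at least one dependency relationship.
    in_graph = set()
    for dep in bom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))

    for comp in bom.get("components", []):
        label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{label}: missing component name")
        if not comp.get("version"):
            findings.append(f"{label}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: missing unique identifier (purl, cpe or swid)")
        if comp.get("bom-ref") not in in_graph:
            findings.append(f"{label}: dependency relationship not recorded")
    return findings


if __name__ == "__main__":
    for line in check_minimum_elements(SAMPLE_BOM) or ["all NTIA minimum data fields present"]:
        print(line)
```

The dependency check is the one most often skipped: a BOM that lists components but records no edges satisfies a naive "is there an SBOM" gate while telling you nothing about which top-level product pulls in the vulnerable library.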

Two Steps for Creating & Implementing an SBOM

Here are two important steps for successfully creating and implementing an SBOM.

#1 Start small

Software composition analysis (SCA) tools and developer IDE plug-ins already produce digestible component reports for security use cases, and they are the usual starting point for generating an SBOM. Once an SBOM has been generated, the information must be distributed efficiently.

One approach is to forward the SBOMs to your organization’s data lake or knowledge management system. That way, users within the security organization or elsewhere in the organization can access the data from the central repository to ensure they have up-to-date and accurate information.

KPMG advises organizations to start small and deploy SBOMs to development and security teams first. By doing so, they can find any roadblocks, confirm that the knowledge base is actually being used, and then look for areas of improvement.

Once those first steps are completed, the SBOM should then be distributed to the rest of the organization with help from security champions.

#2 Make sure your SBOM is dynamic and continually updated

An SBOM needs to be updated continuously, and that is where a dynamic SBOM comes in. To keep the data current, businesses must deploy tooling that regenerates the SBOM automatically whenever the software changes, rather than relying on someone to remember to rescan.

In addition, a dynamic SBOM provides context about how software components are actually used and executed at runtime, where a static SBOM only says what is present. That runtime context is what separates latent components from actively exploitable ones, shows the true risk, and lets remediation focus on the parts of the SBOM that matter.

Eventually, shifting to dynamic SBOMs will become a requirement, especially for organizations that ship software regularly. For organizations that felt the pain of the Log4j vulnerability most recently, integrating SBOMs into the SDLC and keeping them dynamic is vital.
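An added example, with constructed data and not drawn from Rezilion's product, of what the runtime context adds. The "loaded at runtime" set stands in for whatever agent or instrumentation a dynamic SBOM product collects; the two CVEs are real (CVE-2021-44228 for log4j-core 2.14.1, CVE-2022-42889 for commons-text 1.9), and everything else is made up for the example. The second function diffs two SBOM snapshots, which is the change tracking a static, point-in-time SBOM cannot give you.

```python
"""Dynamic SBOM context: separate vulnerable components that are actually loaded from latent
ones, and diff two SBOM snapshots.

Added example with constructed data; the "runtime observation" stands in for whatever agent
or instrumentation a real dynamic SBOM product uses.
"""

# Two constructed SBOM snapshots of the same hypothetical service (name, version, purl).
SBOM_BUILD_41 = [
    {"name": "log4j-core", "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"name": "commons-text", "version": "1.9", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
    {"name": "snakeyaml", "version": "1.30", "purl": "pkg:maven/org.yaml/snakeyaml@1.30"},
]
SBOM_BUILD_42 = [
    {"name": "log4j-core", "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"name": "commons-text", "version": "1.9", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
    {"name": "jackson-databind", "version": "2.13.4", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
]

# Constructed runtime observation for build 41: purls whose classes were actually loaded in the
# running JVM. commons-text ships in the image, but nothing on the exercised paths touched it.
LOADED_AT_RUNTIME_41 = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
    "pkg:maven/org.yaml/snakeyaml@1.30",
}

# Known-vulnerable purls (two real advisories, keyed by exact version for simplicity).
KNOWN_VULNERABLE = {
    "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1": "CVE-2021-44228",
    "pkg:maven/org.apache.commons/commons-text@1.9": "CVE-2022-42889",
}


def prioritize(sbom, loaded, vulnerable):
    """Split vulnerable components into those loaded at runtime ('active') and those merely present ('latent')."""
    active, latent = [], []
    for comp in sbom:
        cve = vulnerable.get(comp["purl"])
        if cve is None:
            continue
        bucket = active if comp["purl"] in loaded else latent
        bucket.append((comp["name"], comp["version"], cve))
    return {"active": active, "latent": latent}


def diff_sboms(old, new):
    """What changed between two snapshots: added, removed, and version-changed components by name."""
    old_v = {c["name"]: c["version"] for c in old}
    new_v = {c["name"]: c["version"] for c in new}
    return {
        "added": sorted(set(new_v) - set(old_v)),
        "removed": sorted(set(old_v) - set(new_v)),
        "changed": {n: (old_v[n], new_v[n]) for n in sorted(set(old_v) & set(new_v)) if old_v[n] != new_v[n]},
    }


if __name__ == "__main__":
    triage = prioritize(SBOM_BUILD_41, LOADED_AT_RUNTIME_41, KNOWN_VULNERABLE)
    print("fix first (loaded at runtime):", triage["active"])
    print("fix next (present but latent):", triage["latent"])
    print("build 41 -> 42:", diff_sboms(SBOM_BUILD_41, SBOM_BUILD_42))
```

Two caveats. "Latent" is not "safe": a component that was not loaded during the observation window may load under other inputs, so runtime context reorders the remediation queue rather than shrinking it. And the diff is only as good as the regeneration frequency; if the SBOM is not rebuilt on every build (the NTIA's recommended minimum), the snapshot you diff against is already stale.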

Liran Tancman is the CEO and co-founder of Rezilion.

 
