Sbom

Recently, I had the pleasure of chatting with Paul Asadoorian, Principal Security Researcher at Eclypsium and the host of the legendary Paul’s Security Weekly podcast. Our conversation dove into the often-murky waters of embedded systems and the Internet of Things (IoT), sparked by a specific vulnerability discussion on Paul’s show concerning reference code for the popular ESP32 microcontroller. Episode Links Paul Eclypsium Below the surface podcast RVAsec This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

I chat with Alan Pope about the open source security tools Syft, Grype, and Grant. These tools help create Software Bills of Materials (SBOMs) and scan for vulnerabilities. Learn why generating and storing SBOMs is crucial for understanding your software supply chain and quickly responding to new threats like Log4Shell. Episode Links Alan Syft Grype Grant Linux Matters podcast https://anchore.com/opensource/ This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player. ...

Josh and Kurt talk to Seth Larson from the Python Software Foundation about security the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring, but is super important work. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_451_Python_security_with_Seth_Larson.mp3 Show Notes Seth Larson XKCD PGP Signature Seth’s Blog Python and Sigstore Deprecating PGP - PEP 761 Python SBOMs

It’s once again time for the outrage generators on social media to ask if SBOMs have any value. This seems to happen a few times a year. Probably lines up with the pent up excitement while we wait for the McRib to return. I could dig up a few examples of these articles but I can’t be bothered, and it doesn’t matter. I’d rather spend my time searching for a McRib … I mean, writing this blog post. ...

Josh and Kurt talk about SBOMs. Quite a bit has happened in the world of SBOMs in the last year or so. There are going to be different types of SBOMs, like build, source, or runtime. Each will tell us different things depending on what we need to know. We also cover some of the community efforts happening around SBOMs. They’re still not easy to use, but it’s better better. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_364_Using_SBOMs_is_hard.mp3 Show Notes SBOM Types draft SBOM Drift OpenSSF SBOM Everywhere

I take a bike ride every morning, it’s a nice way to think about topics of the day. I’ve been wondering lately why software supply chain security has exploded in popularity in the last year or so. Nothing happens by accident, so there must be some series of events we can point at that has led to everyone suddenly making this a priority. Software supply chain security is not new, I’ve been doing it since about 2002 when I was helping track and coordinate security vulnerabilities in Linux distributions. We didn’t call it a supply chain back then, and nobody really paid attention to it. So what changed between then and now? ...

Josh and Kurt talk about a fake 7-Zip security report. It’s pretty clear that everyone is running open source all the time. We end on some thoughts around what SBOM is good for, and who should be responsible for them. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_323_The_fake_7Zip_vulnerability_and_SBOM.mp3 Show Notes Probably fake 7-Zip

Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_312_The_Legend_of_the_SBOM.mp3 Show Notes Questioning SBOMs Rezilion Log4j diagram David A Wheeler on CII Badges Using open source is communism