SBOMs enable organizations to identify vulnerabilities, track open-source usage, and ensure compliance with numerous licensing obligations. Having a āsingle source of truthā for security and licensing information helps everyone. Letās take a look at why SBOM Generators need to accurately represent Open Source Licenses.
Letās get it out of the way early: itās not always clear how you can best plug into organizations like OpenSSF. Thatās why Iām writing this guest blog post as an āoutsider.ā Iām just your average tech employee who has become progressively more involved since my company, Sonatype, became members of OpenSSF. If youāre connecting…
Itās important to distinguish the term āsourceā (any source of a good or service) from the term āvendorā (a source who is paid and has a contractual relationship), especially when discussing software. Hereās why.
The use of SBOMs is becoming increasingly essential in managing software supply chains. The main consumption use case is for evaluating dependencies known-vulnerabilities risk, by mapping the dependencies listed in the SBOM to CVEs. In this blog post, we propose using SBOMs alongside OpenSSF Scorecard to evaluate a product's risk.
Weāve been discussing the creation of SBOMs for over ten years, but has it gotten us any closer to hardening our software development practices? SBOMs provide critical supply chain data, but we are simply not using the data to drive our supply chain decisions. Requiring SBOM generation alone is not the answer. What is the…
Security used to be something of an afterthought in software development. Security was clunky or inconvenient, often because it was a ābolt-onā. That has rapidly changed over the last two years. Now, the world has finally realised that security needs to be ābaked-inā, not ābolted-onā.Ā Meaningful and impactful improvements can be achieved in OSS security engineering…
Scorecard is becoming a key part of IBMās review and curation of the open-source software in our products and services. IBM is committed to helping address the systemic security issues in modern SW supply chains and believes an important part of this effort is to help the open-source ecosystem improve the overall security of OS…
Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the Eclipse Foundation, the Rust Foundation,…
A new report by the Atlantic Councilās Cyber Statecraft Initiative helps draw light on the question on what "open source as infrastructure" really means, and why it matters: Avoiding the success trap: Toward policy for open-source software as infrastructure.
The widespread use of software bill of materials (SBOMs) arguably depends on SBOM qualityāthat SBOMs contain sufficient and accurate information for the intended user to achieve their goals. But, until recently, it has been difficult to measure SBOM quality. New SBOM quality tools, a new SBOM dataset, and new SBOM quality research changes this state…
