
Keeping the Software Supply Chain Secure

Steve Springett Says a Software Bill of Materials Increases Transparency
Steve Springett, creator of Dependency-Track

IoT devices and software applications often use a range of components, including third-party libraries and open source code. All of those pose risks if vulnerabilities are discovered.


Ensuring devices and services are secure requires keeping track of the status of those software ingredients and promptly applying patches when they become available. But that can be challenging, says Steve Springett, creator of the open source project Dependency-Track, a supply chain component analysis platform.

"Whenever you use third-party and open source software, you're ultimately using code that you didn't write yourself," Springett says. "In many cases, code can be slipped in, and you're not even aware that you were using it in the first place. Even when you include your first-level dependencies, those dependencies also have dependencies in many cases."

Dependency-Track, which is part of the Open Web Application Security Project (OWASP), is a free application that helps identify out-of-date and risky software components by using a software bill of materials (SBOM), which describes the exact software components that an application contains.

Springett also created CycloneDX, a vendor-agnostic specification for creating a software bill of materials.
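The two points above, that an SBOM enumerates exactly which components an application contains and that dependencies have their own dependencies, can be shown with a small script. This is an added example, not code from Dependency-Track or the CycloneDX project. It embeds a constructed, minimal SBOM in CycloneDX JSON layout (the `bomFormat`, `specVersion`, `components`, `purl`, `bom-ref` and `dependencies` fields are real CycloneDX fields; the component names, versions and package URLs are illustrative), walks the dependency graph from the application root to find how deep each component sits, and matches component package URLs against a constructed advisory list with placeholder advisory ids. The transitive `json-parser` component is the one flagged, which is exactly the case a developer looking only at direct dependencies would miss.

```python
import json
from collections import deque

# Constructed minimal SBOM in CycloneDX JSON layout. The field names are real
# CycloneDX fields; the packages themselves are illustrative, not real projects.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "name": "example-app", "version": "1.0.0",
                  "bom-ref": "pkg:maven/example/example-app@1.0.0"}
  },
  "components": [
    {"type": "library", "name": "web-framework", "version": "2.3.0",
     "purl": "pkg:maven/example/web-framework@2.3.0",
     "bom-ref": "pkg:maven/example/web-framework@2.3.0"},
    {"type": "library", "name": "json-parser", "version": "1.1.4",
     "purl": "pkg:maven/example/json-parser@1.1.4",
     "bom-ref": "pkg:maven/example/json-parser@1.1.4"},
    {"type": "library", "name": "logging-core", "version": "0.9.2",
     "purl": "pkg:maven/example/logging-core@0.9.2",
     "bom-ref": "pkg:maven/example/logging-core@0.9.2"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/example-app@1.0.0",
     "dependsOn": ["pkg:maven/example/web-framework@2.3.0"]},
    {"ref": "pkg:maven/example/web-framework@2.3.0",
     "dependsOn": ["pkg:maven/example/json-parser@1.1.4",
                   "pkg:maven/example/logging-core@0.9.2"]},
    {"ref": "pkg:maven/example/json-parser@1.1.4", "dependsOn": []},
    {"ref": "pkg:maven/example/logging-core@0.9.2", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed: affected package URL -> placeholder advisory id
# and the version that carries the fix. Not a real vulnerability database.
ADVISORIES = {
    "pkg:maven/example/json-parser@1.1.4": {"id": "ADVISORY-EXAMPLE-1", "fixed_in": "1.1.5"},
}


def load_components(sbom: dict) -> dict:
    """Map each component's bom-ref to its record (name, version, purl)."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def dependency_graph(sbom: dict) -> dict:
    """Map each bom-ref to the refs it depends on, from the SBOM's dependencies list."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def dependency_paths(sbom: dict) -> dict:
    """Breadth-first walk from the application root.

    Returns bom-ref -> shortest path of refs from the root, so the path length
    says whether a component is a direct (depth 1) or transitive (depth > 1)
    dependency. Diamonds and cycles are handled by keeping the first path seen.
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(sbom)
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for child in graph.get(cur, []):
            if child not in paths:
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def find_vulnerable(sbom_text: str, advisories: dict) -> list:
    """Match every component's purl against the advisory list and report
    where in the dependency tree each affected component sits."""
    sbom = json.loads(sbom_text)
    comps = load_components(sbom)
    root = sbom["metadata"]["component"]
    names = {ref: c["name"] for ref, c in comps.items()}
    names[root["bom-ref"]] = root["name"]
    paths = dependency_paths(sbom)
    findings = []
    for ref, comp in comps.items():
        adv = advisories.get(comp.get("purl"))
        if adv is None:
            continue
        path = paths.get(ref)  # None if the component is listed but unreachable
        findings.append({
            "component": f'{comp["name"]}@{comp["version"]}',
            "advisory": adv["id"],
            "fixed_in": adv["fixed_in"],
            "depth": len(path) - 1 if path else None,
            "path": [names[r] for r in path] if path else [],
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f'{f["component"]}: {f["advisory"]} (fixed in {f["fixed_in"]}), '
              f'depth {f["depth"]} via {" -> ".join(f["path"])}')
```

A real deployment would read the SBOM produced by the build toolchain and query a maintained vulnerability source rather than an inline dictionary, but the shape of the check is the same: the SBOM supplies the exact package identities, the dependency graph shows how each one got into the application, and the match against advisories is what turns transparency into an actionable patch list.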

In this video interview with Information Security Media Group, Springett discusses:

  • The risks around using out-of-date software components;
  • How software bills of materials and software transparency efforts are growing;
  • How Dependency-Track approaches software composition.

Springett, creator of Dependency-Track, is a senior security architect with ServiceNow in Chicago.


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

