Keeping the Software Supply Chain Secure
Steve Springett Says a Software Bill of Materials Increases Transparency
IoT devices and software applications often use a range of components, including third-party libraries and open source code. All of those pose risks if vulnerabilities are discovered.
Ensuring devices and services are secure requires keeping track of the status of those software ingredients, promptly applying patches when available. But that can be challenging, says Steve Springett, creator of the open source project called Dependency-Track, a supply chain component analysis platform.
“Whenever you use third-party and open source software, you’re ultimately using code that you didn’t write yourself,” Springett says. “In many cases, code can be slipped in, and you’re not even aware that you were using it in the first place. Even when you include your first-level dependencies, those dependencies also have dependencies in many cases.”
Dependency-Track, which is part of the Open Web Application Security Project, is a free application that helps identify out-of-date and risky software components by using a software bill of materials, which describes the exact software components that an application contains.
Springett also created CycloneDX, a vendor-agnostic specification for creating a software bill of materials.
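To make concrete how a bill of materials lets a tool flag risky components, including the transitive ones Springett mentions, the following added example (not code from the article, from Dependency-Track or from the CycloneDX project) parses a small constructed CycloneDX-style JSON document, walks its dependency graph, and matches each component's package URL against a constructed advisory list. All component names, package URLs, versions and advisory identifiers are placeholders invented for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOM (a subset of the spec's fields).
# The "dependencies" section records that the application depends on
# example-web, which in turn depends on example-json and example-log,
# i.e. the second-level dependencies the interview warns about.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "example-app", "bom-ref": "app"}},
  "components": [
    {"type": "library", "name": "example-web", "version": "2.1.0",
     "purl": "pkg:maven/org.example/example-web@2.1.0", "bom-ref": "web"},
    {"type": "library", "name": "example-json", "version": "1.0.3",
     "purl": "pkg:maven/org.example/example-json@1.0.3", "bom-ref": "json"},
    {"type": "library", "name": "example-log", "version": "0.9.0",
     "purl": "pkg:maven/org.example/example-log@0.9.0", "bom-ref": "log"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web"]},
    {"ref": "web", "dependsOn": ["json", "log"]}
  ]
}
"""

# Constructed advisory feed: versionless purl -> (first fixed version, placeholder id).
# A real analysis platform would pull this from vulnerability databases instead.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:maven/org.example/example-json": ("1.0.4", "ADV-PLACEHOLDER-0001"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted-version compare; sufficient for the constructed sample."""
    return tuple(int(part) for part in version.split("."))


def purl_without_version(purl: str) -> str:
    """Strip the '@version' suffix so advisories can be keyed on the package alone."""
    return purl.split("@", 1)[0]


def dependency_paths(sbom: dict, root: str) -> Dict[str, List[str]]:
    """For every bom-ref reachable from root, return one path root -> ... -> ref."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    stack = [root]
    while stack:
        current = stack.pop()
        for child in graph.get(current, []):
            if child not in paths:  # first path found is kept
                paths[child] = paths[current] + [child]
                stack.append(child)
    return paths


def find_risky_components(sbom_json: str, advisories: Dict[str, Tuple[str, str]],
                          root: str = "app") -> List[dict]:
    """Return components whose version predates the advisory's fixed version,
    each annotated with how it is reached from the application root."""
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom, root)
    findings = []
    for comp in sbom.get("components", []):
        key = purl_without_version(comp["purl"])
        if key not in advisories:
            continue
        fixed_in, advisory_id = advisories[key]
        if parse_version(comp["version"]) < parse_version(fixed_in):
            findings.append({
                "name": comp["name"],
                "version": comp["version"],
                "fixed_in": fixed_in,
                "advisory": advisory_id,
                "path": " -> ".join(paths.get(comp["bom-ref"], [comp["bom-ref"]])),
            })
    return findings


if __name__ == "__main__":
    for finding in find_risky_components(SBOM_JSON, ADVISORIES):
        print(f"{finding['name']} {finding['version']} is affected by {finding['advisory']} "
              f"(fixed in {finding['fixed_in']}); reached via {finding['path']}")
```

The dependency path in each finding is what makes the bill of materials useful for remediation: the affected library here is not a direct dependency of the application, so the team would need to upgrade or replace the intermediate component rather than the one they declared themselves.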
In this video interview with Information Security Media Group, Springett discusses:
- The risks around using out-of-date software components;
- How software bill of materials and software transparency efforts are growing;
- How Dependency-Track approaches software composition.
Springett, creator of Dependency-Track, is a senior security architect with ServiceNow in Chicago.