
June 2023

EPSS Vs CVSS: How Do They Compare?

The tech industry loves its acronyms and one that is grabbing attention these days is the Exploit Prediction Scoring System (EPSS). Since many people are more familiar with the Common Vulnerability Scoring System (CVSS), the question becomes, what is the difference between the two scores? A definition of both is a good place to start. The EPSS is a large, open, data-driven effort used to estimate the probability of a software vulnerability being exploited in the wild.

Rezilion Report Finds World's Most Popular Generative AI Projects Present High Security Risk

Rezilion announces a new report, "Expl[AI]ning the Risk: Exploring the Large Language Models (LLM) Open-Source Security Landscape," finding that the world's most-popular generative artificial intelligence (AI) projects present a high security risk to organizations.

Report: The Risk of Generative AI and Large Language Models

Generative AI has reshaped the digital content landscape, with Large Language Models (LLMs) like GPT pushing the boundaries of what machines can create. However, as this technology rapidly enters the market, are we giving enough attention to its security aspects and generative AI risk?

How Are SBOMs Shared? New Findings From A CISA SBOM Survey

In a post published earlier this week, we delved into the sharing lifecycle phases of a Software Bill of Materials (SBOM) from a report the Cybersecurity and Infrastructure Security Agency (CISA) recently released. Included within the report was a survey on the current state of SBOM sharing among stakeholders, in which 21 organizations provided responses on their approaches.

What to Know About the CISA Software Bill of Materials Sharing Lifecycle Phases

As Software Bill of Materials (SBOM) adoption efforts mature, a report recently released by the Cybersecurity and Infrastructure Security Agency (CISA) provides guidance to users in selecting suitable SBOM sharing platforms based on the amount of time, resources, subject-matter expertise, effort, and access to tooling available to them to implement a phase of the SBOM sharing lifecycle. The lifecycle has three phases: discovery, access, and transport.

Fortinet Discreetly Patches CVE-2023-27997, a Known Exploited Vulnerability

According to Fortinet, 110 vulnerabilities affecting Fortinet software have been announced since the beginning of 2023. On June 8th, security fixes were released in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Interestingly, no specific reference to a CVE patch was provided, raising questions about the nature and extent of the new version release's purpose.

Rezilion Launches Breakthrough Agentless Runtime Monitoring Solution for Vulnerability Management

Rezilion announces the release of its Agentless Runtime Monitoring solution. This new capability allows users to connect to and access Rezilion's full feature functionality across multiple cloud platforms. It enables security teams to monitor exploitable attack surfaces in runtime without using an agent, simultaneously minimizing security and operational risk.

The Biggest Risks to the Software Supply Chain

Software supply chain risk is an increasingly hot topic because attention to the supply chain has grown in recent years. Its importance has naturally attracted the attention of hackers, so protecting the software supply chain is paramount. A 2023 software supply chain study found that organizations recognize, and have been impacted by, software supply chain security threats.

Which Critical Vulnerabilities Discovered in 2023 Can Do Serious Damage? Read Our Report

Software vulnerabilities are among the biggest security risks organizations face today, and several critical vulnerabilities have already been revealed in 2023. Software bugs plague enterprises and small organizations alike and wreak havoc on entire supply chains. What’s worse, new bugs emerge on a regular basis, forcing security leaders and teams to scramble for solutions to avoid data breaches and other incidents.

CVE-2023-34362 - MOVEit Transfer Zero-Day SQL Injection Vulnerability Actively Exploited in the Wild

Progress Software has recently (May 31st, 2023) released a security advisory regarding a critical zero-day vulnerability affecting ALL VERSIONS of the company's MOVEit product, which is being actively exploited in the wild in order to exfiltrate data from targeted environments. The vulnerability has already been added to the CISA KEV (Known Exploited Vulnerabilities) catalog.

The Cyber Resilience Imperative for Software Supply Chain Security

The concepts of cyber resilience and software supply chain security go hand in hand. It's heartening that many organizations now recognize that the cybersecurity landscape continues to evolve and grow more sophisticated, and are taking steps to improve their security posture. However, not enough are working on becoming cyber resilient, especially when it comes to software supply chain security.