
January 2023

Rezilion Enhances Software Supply Chain Platform to Expand Detection, Prioritization and Remediation Capabilities, Bypassing Traditional Software Composition Analysis (SCA) Tools

Rezilion announces a series of new features that will significantly enhance the company's offering, with expanded capabilities across detection, aggregation, prioritization and remediation, further displacing traditional software composition analysis (SCA) tools on the market.

Introducing Our New Software Supply Chain Security Features

Today we are excited to announce the expansion of our software supply chain security offering with a series of new features that will enhance our ability to detect, prioritize, and remediate open-source software risk. These features set Rezilion apart from SCA (software composition analysis) tools on the market and allow us to provide significantly wider visibility into an organization’s risk – while also dramatically reducing the amount of work required to eliminate it.

Rezilion Outperforms Leading Vulnerability Scanners in Benchmark Analysis

According to recent research, Rezilion’s vulnerability scanner was 12% more accurate at identifying existing vulnerabilities vs. industry standard (94% vs. 82% average precision). Vulnerability scanners and software composition analysis (SCA) tools are an inherent part of the secure development life cycle (SDLC) process.

Where is Your Risk? Software License Compliance and Other Non-Vulnerability Risk

In this final post of a series on software-related risks, we take a look at software license compliance and other non-vulnerability risk. Not all software risk has to do with vulnerabilities and the security threats that can come from them. Organizations need to be aware of their licensing requirements and status on various software dependencies, including open source software, because they could be out of compliance if the software license has expired.

Best Practices for Securing the Software Supply Chain

There are several best practices for securing the software supply chain. Failing to do so is like leaving open the vault in your home containing your most valuable possessions and sensitive documents. There are an average of 203 open source dependencies per repository in today’s software supply chains. A staggering 99% of codebases contain open source code and between 85 to 97% of enterprise codebases are generated from open source, according to GitHub.

Where is Your Risk? Software Supply Chain Security Weaknesses

In the first two posts of this series on software-related risks we have looked at vulnerabilities introduced in the development phase and vulnerabilities present in open source software. The third major risk area to consider is software supply chain security and the weaknesses in this area.

Where is Your Risk? Vulnerabilities in Open Source Software

The first post of this series on the software-related risks organizations are facing looked at vulnerabilities introduced in development. In this post we look at the risks of open source vulnerabilities. Organizations are increasingly dependent on third-party software, including open source code, but current tools provide limited visibility and require a lot of manual work.

Control Web Panel Vulnerability, CVE-2022-44877, Actively Exploited in the Wild

This post offers details on the Control Web Panel vulnerability, CVE-2022-44877, which is actively being exploited in the wild. If you are using Control Web Panel in any version below 0.9.8.1147, make sure to patch as soon as possible. While CVE-2022-44877, a critical vulnerability affecting Control Web Panel (a popular free, closed-source, web-hosting interface), received an official patch on October 25th 2022, evidence of active exploitation of the vulnerability is starting to accumulate.

Where is Your Risk? Vulnerabilities in Software Development

Organizations are facing a variety of software-related risks, and vulnerabilities introduced in the development process are just one of them. The sooner they can figure out where these risks exist and how to address them, the better they can mitigate them and bolster their overall cybersecurity profile. In a series of posts, we will take a look at some of the key software risks organizations are grappling with today. First up: vulnerability risk that emerges during software development.

CVE-2022-23529: Should You Be Concerned About the JsonWebToken Vulnerability?

On January 9, 2023, Palo Alto revealed that their researchers have discovered a vulnerability in the popular JsonWebToken open source project. Although the JsonWebToken vulnerability received a CVSS score of 9.8, upon closer examination it appears that the chances for the preconditions required to exploit the vulnerability in real world applications are slim. In this blog post we will provide some background regarding the vulnerability and explain the conditions in which it can be exploited.

What You Need to Consider For Managing Third-Party Risk

Managing third-party risk is not a high priority, Forrester data finds. And that’s concerning. Juggling is a skill that organizations in the public and private sectors have had to learn over the last two years, as they dealt with new business priorities and strategic initiatives on top of managing many new security risks. Mastering the art of keeping all the balls in the air is something security, compliance and risk professionals must do in 2023.

Using DevSecOps to Improve Your Vulnerability Management Program

The basic idea behind DevSecOps is to introduce security as early as possible in the software development life cycle (SDLC). At the same time, the model can lead to increased collaboration between development and security teams as part of the effort to integrate security into the SDLC. In other words, DevSecOps provides an excellent foundation for an effective vulnerability management strategy.

The Regulatory Landscape Makes SBOMs a Must Have

Regulatory demands now make an SBOM essential for any organization. The Biden Administration released a memo in September 2022 that directs federal agencies to adopt guidelines from the National Institute of Standards and Technology (NIST) for securing software used by the federal government and to attest to its security.