
Rezilion

Webinar: Aligning Your SBOM with the Executive Order

A Software Bill of Materials – better known as an SBOM – can enhance your compliance posture. But how do you structure and operationalize it to ensure that it is helping with that objective? And how do you know if your SBOM complies with the Executive Order that mandates maintaining an SBOM?

Ensure Your SBOM Enhances Compliance With Our Guide

Failing to comply with software licensing agreements can cost you. Financial exposure is one of many arguments that motivate organizations to stay in compliance, and a Software Bill of Materials (SBOM) is an increasingly important tool for reaching that goal. It is relatively easy for an organization to end up running unlicensed software, according to UpCounsel, a legal platform that operates a network of independent lawyers.

Software Supply Chain Security Risks, Part 2

In part one of our series on software supply chain security risk, we examined six of the top software supply chain risks, but unfortunately there are others. Code is where modern software development begins, and the supply chain is made up of everything that touches that code during the software development lifecycle: infrastructure, hardware, operating systems, and cloud services. In other words, software supply chains are the lifeblood of most organizations.

Software Supply Chain Security Risks, Part 1

It cannot be stated enough that software supply chain security risks are serious. Organizations are so dependent on the software supply chain that an attack on it could cripple their business. The effects of the Log4j vulnerability continue to be felt as it propagates through the supply chain, all but assuring that more threats will emerge. Further, open source is increasingly being used in development projects.

Are You Ready for the New FDA Cybersecurity Mandate for Medical Devices?

The Food and Drug Administration (FDA) has done more than just apply a bandage on the issue of cybersecurity-related risks in medical devices. Late last month, the FDA issued guidance for medical device companies to ensure the safety of devices like heart monitors, MRI machines, and insulin pumps.

New National Cybersecurity Strategy Will Require Compliance, Collaboration

The Biden administration’s recently released National Cybersecurity Strategy goes beyond the executive order it issued in 2021, which defined security measures any organization doing business with the federal government must follow.

Beyond SolarWinds: 6 More Notable Software Supply Chain Attacks

SolarWinds has become almost a household name, and for all the wrong reasons: beginning in 2019, the IT management software company was the target of one of the largest software supply chain attacks in history. Software supply chain attacks are especially insidious because they reach their victims by going after third-party vendors or suppliers of software, hardware, or services at any stage of the development lifecycle. The goal is to gain access, conduct espionage, and enable sabotage.

ChatGPT Vulnerability: Redis Vulnerability Exposes User Payment Data

OpenAI’s ChatGPT was forced to halt service for a few hours earlier this week in order to fix an issue in an open-source library. The vulnerability may have exposed some users’ payment data. The company published a blog post on March 24, 2023, explaining what led to the data breach and why the service was temporarily offline.

New Research Reveals Millions of Systems Remain Exposed to Known Exploited Vulnerabilities

BE’ER SHEVA, Israel — Rezilion announced today the release of the company’s new research, titled “Do you know KEV? You should (because hackers do)!” The report finds that although vulnerabilities in the KEV catalog are frequent targets of APT groups, a large and exploitable attack surface remains because software vendors lack awareness of, and fail to act on, these vulnerabilities. The research also identified thousands of ongoing exploitation attempts targeting KEV vulnerabilities.

Get to Know KEV In Our New Research Report

Do you know KEV? You should, because hackers do! Rezilion’s research team has just released a new report highlighting the critical importance of the Known Exploited Vulnerabilities (KEV) catalog. Specifically, our research finds that although vulnerabilities in the KEV catalog are frequent targets of APT groups, many organizations remain exposed and at risk from these vulnerabilities because they are not patching them.