The CVSS (Common Vulnerability Scoring System) is a widely used standard that produces a score between 0 and 10 to indicate the level of severity of a vulnerability. The most popular spot to find CVSS scores is on the National Vulnerability Database (NVD) website, where you’ll see CVSS scores for all CVE (Common Vulnerabilities and Exposures) IDs.

Static Application Security Testing (SAST) has a bit of a bad reputation. SAST tools can produce an overwhelming number of alerts and security teams, having often come from networking backgrounds, don’t always fully understand the alerts that they are passing on to developers for fixes. This can cause the relationships between the teams to sour, as developers often perceive this work as pointless and holding them back from working on their primary responsibilities like new features.

In my previous blog post, we saw how the growth of generative AI and Large Language Models has created a new set of challenges and threats to cybersecurity. However, it’s not just new issues that we need to be concerned about. The scope and capabilities of this technology and the volume of the components that it handles can exacerbate existing cybersecurity challenges. That’s because LLMs are deployed globally, and their impact is widespread.

We’ve talked a lot about why software bills of materials (SBOMs) are important and how they communicate the value of your organization, so we won’t continue those lectures here. We’re all good on the why so today we’ll talk about the how – the best (and free!) tools to help you create SBOMs automatically. Creating an SBOM manually is arduous and error-prone so why not avoid it altogether?

EPSS is a relatively recent addition to the world of freely available security scoring systems. While it’s not without its flaws and limitations, EPSS can be a powerful predictor of exploits to come and a useful tool in your arsenal, as long as you wield it correctly.

So you want to use AI-generated code in your software or maybe your developers already are using it. Is it too risky? Large language model technology is progressing at rapid speeds, and policy makers are ill-equipped to catch up quickly. Anything resembling legal clarity may take years to come about. Some organizations are deciding not to use AI at all for code generation, while others are using it cautiously — but everyone has questions.

In my previous post, I began to list the ways you can strengthen your security posture, with some holistic approaches to application security and the software supply chain. In this second part of the series, let’s look at six more important considerations.