Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

That’s an excerpt from the fact sheet accompanying the May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO). It refers to one of seven ambitious measures in the EO: shoring up security of that notorious playground for hackers, the software supply chain. Knowing that organizations lack visibility into the components that comprise their connected assets, bad actors can have a field day exploiting vulnerabilities to penetrate networks and take control.

PA Consulting recently joined forces with RKVST to host a Hackathon, looking to identify new and innovative propositions for digital supply chains. Could the teams of PA consultants and analysts identify opportunities to help their clients using RKVST technology? Short answer: YES! Many of today’s business challenges can be addressed with a reliable evidence ledger. If you want the long answer, read on.

During our recent webinar hosted by Device Authority’s Tyler Gannon and Imagination Technologies Marc Canel (Does new IoT security legislation make Zero Trust the only strategy?). We ran a poll asking attendees about their understanding of SBOM; one of the options was “SBOMs are a roadmap to the attacker”.

Supply chain risk continues to make headlines, from Solarwinds and Kaseya to last week’s announcement of a patch for the OpenSSL vulnerability, and the latest cybersecurity review from the U.K.’s National Cyber Security Centre highlights the serious threats posed by supply chain attacks.

Last year the Log4J vulnerability perfectly illustrated how properly shared SBOMs would have helped users find and mitigate the “vulnerability of the decade”. And over the last few days we’ve been worried that we’re in the same place with OpenSSL 3.x. Why will this keep on happening? A lot has happened since The White House issued Executive Order 14028.

When building applications in Java, we highly depend on external libraries and frameworks. And each Java package that is imported likely also depends on more libraries. This means that the amount of Java packages included in your application is often not really transparent. As a developer, these nested (transitive) dependencies create the problem that you probably do not know all the libraries you are actually using.