urlscan public scan of venturebeat.com (192.0.66.2)

Submitted URL: https://info.interos.ai/e3t/Btc/I5+113/cHX8904/VVs_8R38L5DmW1p-Q492gTsYlW9ccHTJ4DJlg4N3wqV772-MKpV1-WJV7CgPtWW6PXSB39bLf...
Effective URL: https://venturebeat.com/2022/01/08/why-your-organization-needs-a-software-bill-of-materials/?_hsmi=201737321&_hsenc=p2AN...
Submission: On January 24 via api from CH — Scanned from DE



WHY YOUR ORGANIZATION NEEDS A SOFTWARE BILL OF MATERIALS

Bren Briggs, Hypergiant
January 8, 2022 10:40 AM


The recent Log4j vulnerability has exposed systemic problems in how businesses,
and the community at large, audit their software.

Early indications show the Log4j vulnerability was being weaponized and
exploited days before the news broke about its existence. Organizations needed
to take action immediately to find all instances of the vulnerability in linked
libraries, but most had no clear overview of where such instances existed in
their systems. Google’s own research showed that more than 8% of all packages on
Maven Central have a vulnerable version of Log4j in their dependencies, but of
that group only a fifth declared it directly. This means that around 28,000
packages on Maven Central are affected by these bugs while never directly
declaring or using Log4j.


Finding all instances of vulnerable dependencies and confirming patch levels can
be a daunting task, even for software you completely control and develop in
house. Identifying it in your vendors can be even more difficult. Oftentimes,
these vendors have just as murky an idea of their own dependencies.

As with any other IT asset, such as servers, laptops, or installed applications,
an accurate inventory of your software and its dependencies (both direct and
transitive) is an essential, and arguably the most fundamental, security control
you can apply. Businesses cannot secure what they are not aware of. How do
companies begin to take control of the growing complexity of dependencies? By
auditing and automating dependency graphs, beginning with direct dependencies
and expanding to the transitive ones. The resulting inventory is often referred
to as a software bill of materials (SBOM).

While there is nuance to the discussion about what an SBOM should be and
contain, for the purposes of this article, we will simply refer informally to an
SBOM as a manifest of all components and libraries packaged with an application,
along with their licenses. This includes tools and linked libraries. If you are
delivering a Docker image, it should also include the list of all installed
packages.


GETTING SERIOUS ABOUT YOUR SOFTWARE SUPPLY CHAIN

Unfortunately, the ecosystem for generating these maps of dependencies often
suffers from a lack of sufficient tooling. While the tools available for
analyzing dependencies for vulnerabilities are rapidly evolving and improving,
the domain is still in its relative infancy. Snyk, Anchore, and other tools
provide amazing visibility into your application’s dependencies, but few
languages provide native tooling to generate comprehensive visual maps. As an
example, let’s look at an older language (Java) and a newer language (Go) that
has had the benefit of time and experience to develop a modern package
ecosystem.

In Java, developers may use tools like jdeps (introduced in JDK 8) or the Maven
Dependency Analyzer. Go, despite its modernity, struggled early on to work out
its own dependency management story and instead allowed tools like Dep
(deprecated and archived) to fill in the gaps before ultimately settling on its
own module system. In both cases, direct dependencies are usually easy to
enumerate, but a full and comprehensive list of direct and transitive
dependencies can be challenging to generate without additional tooling.
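The distinction between direct and transitive dependencies is the whole point of the Maven Central figure cited above: most packages that carry the vulnerable library never declare it themselves. The following added example (written for this page, not code from the article or from Hypergiant) walks a constructed dependency graph the way a resolver does, starting from what a package declares directly and expanding outward, and records for every reachable package whether it is direct or transitive and the shortest path that pulls it in. All package names except log4j-core and log4j-api are hypothetical, and the edges between them are constructed for illustration, not real project metadata.

```python
"""Enumerate direct and transitive dependencies from declared dependencies.

Added example, not from the original article. The graph is constructed so
that the application reaches log4j-core only transitively, mirroring the
article's observation about packages on Maven Central.
"""
from collections import deque

# Constructed sample: each package maps to the dependencies it declares directly.
# Names other than log4j-core/log4j-api are hypothetical; the edges are invented.
DECLARED = {
    "my-app": ["web-framework", "file-utils"],
    "web-framework": ["logging-facade", "json-parser"],
    "logging-facade": ["log4j-core"],
    "json-parser": [],
    "file-utils": [],
    "log4j-core": ["log4j-api"],
    "log4j-api": [],
}


def resolve(root, declared):
    """Breadth-first walk from `root`.

    Returns {package: {"scope": "direct" | "transitive", "path": [...]}}.
    A package is "direct" when `root` declares it itself and "transitive"
    otherwise. Because the walk is breadth-first, the recorded path is the
    shortest one, which tells a remediation engineer which direct dependency
    is responsible for pulling the package in. Cycles are harmless: a package
    is recorded the first time it is reached and never re-queued.
    """
    resolved = {}
    queue = deque((dep, [root, dep]) for dep in declared.get(root, []))
    while queue:
        pkg, path = queue.popleft()
        if pkg in resolved:
            continue
        scope = "direct" if len(path) == 2 else "transitive"
        resolved[pkg] = {"scope": scope, "path": path}
        for child in declared.get(pkg, []):
            if child not in resolved:
                queue.append((child, path + [child]))
    return resolved


def find_affected(root, declared, target):
    """Return the dependency path from `root` to `target`, or None if unreachable."""
    entry = resolve(root, declared).get(target)
    return entry["path"] if entry else None


def ecosystem_exposure(declared, target):
    """Classify every package in the graph by its exposure to `target`:
    'direct' (declares it), 'transitive' (reaches it only through others),
    or None (does not depend on it at all). This is the per-package view
    behind a statistic like "of the affected packages, only a fifth declared
    the library directly"."""
    exposure = {}
    for pkg in declared:
        if pkg == target:
            continue
        entry = resolve(pkg, declared).get(target)
        exposure[pkg] = entry["scope"] if entry else None
    return exposure


if __name__ == "__main__":
    # Constructed run: where does my-app pick up log4j-core from?
    print("path to log4j-core:", " -> ".join(find_affected("my-app", DECLARED, "log4j-core")))
    for pkg, scope in ecosystem_exposure(DECLARED, "log4j-core").items():
        print(f"{pkg:16} {scope}")
```

In practice the `DECLARED` map is what a real resolver reads from `pom.xml`, `go.mod` or a lockfile; the walk itself does not change. The useful output for an incident like Log4j is the path, not just the hit: it identifies the direct dependency whose upgrade actually removes the vulnerable library.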

For open source maintainers, Google has started a very useful project called
Open Source Insights for auditing projects hosted on npm, PyPI, GitHub, or
similar locations. There is already a significant amount of work and research
being applied in this area, but it is clear that more needs to be done.

While it is critical that applications themselves are audited for dependencies
and vulnerabilities, that is only the beginning of the story. Just as an asset
inventory or vulnerability report can only tell you what exists, an SBOM is only
a manifest of packages and dependencies. These dependencies must be audited for
their relative health beyond what vulnerabilities might be flagged. For
instance, a dependency might not meet the qualifications to be reported to
the National Institute of Standards and Technology (NIST) and may not have a
Common Vulnerabilities and Exposures (CVE) identifier assigned for whatever reason, be it an issue with
abandonware or a fully internal product that is relatively unscrutinized. Other
reasons it may not be reported include ownership or maintenance of the library
having transferred to a bad actor, bad actors intentionally modifying releases,
outdated and vulnerable packages in the Docker container running the app, and/or
hosts running old kernels with known, critical CVEs.

Security leaders in the organization are responsible for studying and thinking
deeply about software supply chain issues that could affect their products or
business, and this all starts by gathering an accurate inventory of the
dependencies in the SBOM.


GENERATING AN SBOM

Generating an SBOM can be a technical challenge in its own right, but remember
that organizations are made of people and processes. Understanding and
evangelizing the need for such work is of critical importance to get buy-in. As
mentioned above, security leaders in organizations should start by building an
inventory of all their in-house software, containers, and third-party vendor
packages or applications. Once the first level of inventory is complete, the
next step is to determine direct dependencies and finally transitive
dependencies. This process should look and feel very similar to any other
detection process, such as event logging or asset inventory.

When evangelizing an SBOM to your organization, consider the following benefits:

 1. A complete, up-to-date, and accurate inventory of your software dependencies
    dramatically reduces time to remediation when vulnerabilities in packages
    such as Log4j are discovered.

 2. A manifest generated during the CI/CD process also provides instantaneous
    feedback about new dependencies and can prevent new, vulnerable components
    from being included in your software by enforcing policies at build time.

 3. It is often said that what is measured improves. Keeping tabs on your
    dependencies encourages hygiene by stripping unnecessary dependencies and
    removing old ones.

 4. It encourages uniformity in software versioning, saving both time and money
    for engineering and security teams.

 5. Per the White House, it will soon become a compliance requirement for many
    organizations.
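Benefit 2 above, enforcing policy at build time against a manifest produced in CI, is concrete enough to show in code. The following added example (written for this page, not code from the article or from Hypergiant) parses a small SBOM in the CycloneDX JSON shape, which is constructed inline, and applies two checks that match the article's working definition of an SBOM: a per-component minimum version and a license allow-list, with a missing license treated as a finding rather than silently passed. The policy values, including the version floor for log4j-core, and all component names other than log4j-core are assumptions made for illustration, not a vetted policy.

```python
"""Build-time SBOM policy gate. Added example, not the article's code.

Reads a minimal CycloneDX-style JSON document (constructed below) and returns
policy violations so a CI step can fail the build before a vulnerable or
unlicensed component ships.
"""
import json

# Constructed sample SBOM using real CycloneDX field names (bomFormat, components,
# purl, licenses). Components other than log4j-core are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "com.example", "name": "json-parser",
         "version": "3.2.0", "purl": "pkg:maven/com.example/json-parser@3.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "com.example", "name": "legacy-crypto",
         "version": "0.9.0", "purl": "pkg:maven/com.example/legacy-crypto@0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "group": "com.example", "name": "no-license-lib",
         "version": "1.0.0", "purl": "pkg:maven/com.example/no-license-lib@1.0.0"},
    ],
})

# Policy (assumed values for illustration): minimum acceptable version per
# component, keyed by "group/name", and the set of licenses the build may ship.
MIN_VERSIONS = {"org.apache.logging.log4j/log4j-core": "2.17.1"}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_version(version):
    """Turn '2.14.1' into a comparable tuple of ints; non-numeric parts count as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def component_key(component):
    """Build the 'group/name' key used by the policy tables."""
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def check_sbom(sbom_json, min_versions=MIN_VERSIONS, allowed=ALLOWED_LICENSES):
    """Return a list of (component_key, version, reason) policy violations."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % sbom.get("bomFormat"))
    violations = []
    for component in sbom.get("components", []):
        key = component_key(component)
        version = component.get("version", "")
        floor = min_versions.get(key)
        if floor and parse_version(version) < parse_version(floor):
            violations.append((key, version, f"version below policy floor {floor}"))
        license_ids = [entry.get("license", {}).get("id")
                       for entry in component.get("licenses", [])]
        if not license_ids:
            # An undeclared license is a gap in the manifest, so it fails closed.
            violations.append((key, version, "no license declared"))
        for license_id in license_ids:
            if license_id not in allowed:
                violations.append((key, version, f"license {license_id} not on allow-list"))
    return violations


def gate(sbom_json):
    """CI entry point: True when the build may proceed."""
    return not check_sbom(sbom_json)


if __name__ == "__main__":
    for key, version, reason in check_sbom(SAMPLE_SBOM):
        print(f"VIOLATION {key}@{version}: {reason}")
    raise SystemExit(0 if gate(SAMPLE_SBOM) else 1)
```

Run as a pipeline step, the non-zero exit status is what stops the build; the printed violations are what the developer sees. Replacing the inline `SAMPLE_SBOM` with the file an SBOM generator writes during the build is the only change needed.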

As the complexity of our software stacks continues to increase and supply chains
become increasingly tempting and viable targets for attackers, techniques and
tools such as dependency management and SBOMs must become essential parts of our
overall security strategy. And security leaders carry the responsibility of
communicating the benefits of these tools to their organizations.

Bren Briggs is VP of DevOps and Cybersecurity at Hypergiant.

