Larry Pesce, a director at Finite State, will present “Evil SBOMs” at the upcoming RSA Conference [1] [2]. The talk covers the risk side of software bills of materials (SBOMs): the same component inventory that helps defenders also tells an attacker exactly which libraries and versions an application ships, and therefore which known vulnerabilities to try.
Description
Pesce will show how attackers can use SBOMs to find vulnerable components in a target application before an attack and, after a compromise, to pick out components worth abusing for follow-on activity [2]. SBOMs are increasingly required by governments and by security-sensitive companies as a supply-chain control, and standardization efforts aim to make them easier to generate and consume. Because SBOMs are often widely available, their confidentiality is a legitimate concern, but Pesce argues that the practical response is not to withhold them: organizations should fold SBOMs into their own security programs and run the same component-to-vulnerability matching an attacker would, so that they find and fix exposures first [2].
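The matching step described above is mechanical, which is what makes an SBOM a “census of vulnerable software” in the wrong hands. The following Python example is added here to show it concretely; it is not code from the article, from Pesce or from Finite State. It parses a small CycloneDX 1.4 JSON SBOM constructed for this example, extracts each component's package URL (purl), and checks it against a constructed advisory list. Component names and versions are realistic, but the advisory identifiers (`DEMO-ADV-…`) and the advisory ranges are placeholders, not real CVE data; a practitioner would replace `ADVISORIES` with a real feed such as OSV or the NVD.

```python
"""Added example: treating an SBOM as a vulnerability census.

Parses a constructed CycloneDX 1.4 JSON SBOM and matches each component's
purl against a constructed advisory list. Whoever runs this first, attacker
or defender, learns which components are exposed, which is the point of the
talk. Advisory IDs and ranges are placeholders, not real CVEs.
"""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.4 SBOM for a hypothetical Java/Python service.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed advisory feed: (purl type, namespace, name, introduced, fixed, id).
# Ranges are half-open [introduced, fixed). IDs are placeholders, not CVEs.
ADVISORIES = [
    ("maven", "org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "DEMO-ADV-0001"),
    ("maven", "com.fasterxml.jackson.core", "jackson-databind", "2.0", "2.13.0", "DEMO-ADV-0002"),
]

# Simplified purl grammar: pkg:type/[namespace/]name@version, ignoring
# qualifiers (?...) and subpath (#...). Namespace is optional (e.g. pypi).
PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^@/?#]+)@(?P<version>[^?#]+)"
)


def parse_purl(purl: str):
    """Return (type, namespace or None, name, version) from a purl string."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    ns = unquote(m.group("ns")) if m.group("ns") else None
    return m.group("type"), ns, unquote(m.group("name")), unquote(m.group("version"))


def version_key(version: str):
    """Comparable key for dotted versions: numeric segments compare as ints,
    non-numeric segments as strings. Pre-release ordering (e.g. 2.0-beta9
    before 2.0) is NOT handled; use a proper version library in production."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_exposures(sbom_json: str, advisories=ADVISORIES):
    """Return [(purl, advisory_id)] for every SBOM component in a vulnerable range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: name/version alone is too ambiguous to match
        ptype, ns, name, version = parse_purl(purl)
        for a_type, a_ns, a_name, introduced, fixed, adv_id in advisories:
            if (ptype, ns, name) == (a_type, a_ns, a_name) and in_range(version, introduced, fixed):
                hits.append((purl, adv_id))
    return hits


if __name__ == "__main__":
    for purl, adv in find_exposures(SBOM_JSON):
        print(f"{adv}: {purl}")
```

Run against the constructed SBOM, only `log4j-core@2.14.1` is flagged; `jackson-databind@2.15.2` sits above its advisory's fixed version and `requests` has no matching advisory. The lesson for the defender is that this lookup takes milliseconds once the SBOM exists, so publishing an SBOM without having run it yourself hands the attacker a free triage step.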
Conclusion
An SBOM is a double-edged inventory: it gives attackers a ready-made list of components to check against known vulnerabilities, and it gives defenders the same list. Since SBOMs are increasingly mandated and widely circulated, relying on their confidentiality is not a durable defense [2]. Organizations that generate SBOMs should treat them as an input to their own vulnerability management, checking listed components against advisories as part of normal operations, and should follow the ongoing standardization work so their SBOMs remain useful as the format and tooling mature [2].
References
[1] https://www.darkreading.com/cybersecurity-operations/ciso-corner-evil-sboms-zero-trust-cloud-security-mitre-ivanti
[2] https://www.darkreading.com/application-security/cyberattack-gold-sboms-census-vulnerable-software