Name: The Dos and Don'ts of Using SBOMs for Security
Start: 2023-12-06T18:00:00Z
End: 2023-12-06T18:00:57.000Z
Location: BrightTALK
Rating: 4.6

Up to 90% of any piece of software is from open source, creating countless dependencies and areas of risk to manage. FOSSA is the most reliable automated policy engine for vulnerability management, license compliance, and code quality across the open source stack. With FOSSA, engineering, security, and legal teams all get complete and continuous risk mitigation for the entire software supply chain, integrated into each of their existing workflows.

To help break through CVE noise and focus on high-impact, exploitable issues, a growing number of security teams have started to consider additional inputs for prioritizing vulnerabilities. Among them is EPSS (the Exploit Prediction Scoring System), which measures how likely a particular vulnerability is to be exploited in the wild.

EPSS scores can be used alongside CVSS scores, reachability analysis, and VEX information to facilitate effective vulnerability prioritization.

We’d invite you to join Jay Jacobs — EPSS co-chair and creator — in our upcoming webinar to learn best practices for using EPSS in your organization's vulnerability management program. Topics will include:

-Details of the EPSS data model
-Benefits of using EPSS
-How EPSS differs from other vulnerability scoring systems like CVSS, SSVC, and the new VISS (Vulnerability Impact Scoring System)
-Strategies for using EPSS scores alongside other inputs to effectively prioritize vulnerabilities

Vulnerability Prioritization: An Insider’s Guide to the EPSS Scoring System

SBOMs (software bill of materials) have increasingly become an essential part of managing software supply chain security, maintaining regulatory compliance, and fulfilling customer requests. But there are several common challenges that we’ve seen organizations struggle with as they build out their SBOM programs.

These include data accuracy concerns related to the lack of standardized component metadata, complexities with securely distributing SBOMs to customers, and challenges in keeping SBOM vulnerability data up to date.

Although there aren’t perfect solutions to all of these issues, there are strategies that can help address them.

We’d invite you to join FOSSA Senior Product Manager and SBOM leader Cortez Frazier Jr. in our upcoming webinar for concrete guidance on overcoming SBOM challenges. We’ll discuss solutions and best practices for:

-Ensuring the metadata going into your SBOMs accurately reflects the intent of each data field
-Dealing with the lack of unique software component naming
-Validating the accuracy and provenance of the SBOMs you receive from your suppliers
-Keeping vulnerability and exploitability information in SBOMs up to date
-Securely distributing SBOMs to your customers

Common SBOM Challenges and How to Solve Them

It takes both legal and engineering teams to make open source license compliance work efficiently and effectively. 

But it can be hard to balance these teams’ seemingly competing priorities: engineering’s need for development velocity with legal’s mandate to manage IP risk. For example, how can organizations ship new features at a pace that helps them compete — while ensuring they don’t inadvertently distribute code under a license that risks exposing sensitive IP?

There’s no single straightforward solution, but the right mix of processes and tools can help.

We’d invite you to join our March 6th panel webinar — featuring compliance-focused legal and engineering leaders from Collibra and Nexthink — to learn strategies that can improve collaboration at your organization. 

We’ll discuss: 

-The importance of involving engineering in compliance tooling evaluations and decisions
-Which teams should own which parts of the compliance process
-The role of automation in making compliance workable for engineers
-How legal can make compliance policies accessible to engineering

OSS License Compliance: Bridging the Legal-Engineering Divide

SBOMs are playing increasingly vital roles in a wide range of supply chain security, regulatory compliance, and even sales (satisfying customer requests) initiatives. 

However, not all SBOMs are created equal. It can be difficult to produce SBOMs that are accurate and up-to-date, provide actionable insights for security programs, and satisfy requests from sophisticated (and/or regulated) customers. 

We’re delighted to host Cassie Crossley — VP of Supply Chain Security at Schneider Electric and author of the new O’Reilly book: “Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware” — for an upcoming webinar on how your organization can address these challenges and effectively scale your SBOM program.

Cassie will share insights from her book — plus firsthand experiences leading supply chain security initiatives at Schneider Electric — to help you make critical decisions on your SBOM journey. Topics will include:

-When in the SDLC is the best time to generate your SBOM
-How to choose between popular SBOM formats 
-Methods for securely distributing SBOMs
-What VEX is and why it’s important — but has yet to be widely adopted
-The long-term vision for VEX and SBOM adoption

Building the Foundation of Your SBOM and VEX Programs

Sentry’s software licensing journey has been a long and winding one. The application performance and error monitoring leader, which serves 4 million developers across 90,000 organizations, started as an open source project under the BSD 3-Clause license. It switched to the Business Source License in 2019 before creating and adopting a new license, the Functional Source License, in 2023.

Sentry’s open source management team has gained significant insight into software licensing strategies along the way, including tips and tricks for managing compliance that your organization may find useful.

Join Chad Whitacre, Sentry’s Head of Open Source, and Gavin Zee, Head of Commercial Transactions in our upcoming webinar for a behind-the-scenes look at the company’s licensing (and re-licensing) path and how it relates to their efforts to tackle the open-source sustainability crisis, plus practical guidance on managing compliance with source-available and open-source licenses.

We’ll also discuss: 

-How and why Sentry relicensed from the open-source BSD license to the source-available Business Source License and later Functional Source License 
-Lessons learned from creating, publishing, and adopting a new license (the Functional Source License)
-The bigger picture of Sentry’s software licensing compliance initiatives across open source, source available, and proprietary licenses
-Potential roadblocks for complying with source-available licenses (and how to address them)

Sentry’s Software Licensing Journey — And Why It Matters for You

Over the years, the line between open source and proprietary software licenses has blurred. Today, source-available licenses (which make source code available but impose license limitations) are growing in popularity, especially in conjunction with open core models and commercial open source development.

As a result, software licensing audits and compliance must account for a new range of licensing scenarios — but analyzing these scenarios can be easier said than done. 

Join Heather Meeker, one of the world’s foremost software licensing experts, on Nov. 8 for a webinar on navigating the current software licensing landscape. Heather will discuss:

-Trends in source-available and dual-licensing
-How to interpret and respond to multi-license scenarios
-What to do if your audit reveals that you’re using source-available software
-Tools that can help provide visibility into your software licenses

When "Open Source" Isn’t Open Source, Featuring Heather Meeker

Generative AI tools like GitHub Copilot have become increasingly popular in software development, and for good reason. Multiple reports have shown that tools like Copilot can significantly improve development efficiency and increase developer satisfaction, among other benefits.

At the same time, some engineering organizations have understandably been reluctant to adopt generative AI tools because of uncertainty around potential security, legal, and data privacy risks.

Over the past months, FOSSA has been working to develop product functionality to help our customers manage these potential risks. Learn about these new features — and get big-picture guidance on generative AI risk-management best practices and processes — in this webinar with Senior Software Engineer Jessica Black, who is leading FOSSA’s generative AI risk management feature development.

Jessica will discuss:

-Design principles behind FOSSA’s new generative AI risk-management features
-How to use FOSSA’s generative AI risk-management features to understand and manage security and legal risks
-Strategies to improve maintainability and code privacy when using generative AI code-generation tools
-GitHub Copilot settings that can guard against potential legal and privacy risks

Managing GitHub Copilot Security and Legal Risks with FOSSA

Kodiak Robotics is a leader in the autonomous vehicle space, offering a variety of solutions to enable self-driving trucking and ground autonomy solutions for national defense. As you might expect from a company that delivers game-changing new technologies, Kodiak prides itself on efficient and effective product and software development. That includes using a large volume of open source software — and doing so responsibly, with risk management processes and tools that don’t slow innovation. 

Join Kodiak’s General Counsel, Jordan Coleman, and Software Engineer, Dhruv Patel, to uncover the key ingredients of Kodiak’s open source management program, including how the company:

-Effectively harnesses the power of open source software across its software stack
-Moved from a manual system of managing open source license compliance to an automated one, significantly reducing the burden on legal and engineering teams
-Enables engineering to use new open source libraries without waiting for explicit permission from legal — but still with legal’s blessing
-Maintains the software transparency required to do business with government customers

How Kodiak Robotics Automates Open Source Management

SBOMs (software bill of materials) have become an increasingly important tool for organizations looking to strengthen software supply chain management and transparency. They play a vital role in initiatives like supply chain security, regulatory compliance, customer requests, and open source license compliance, among other areas.

But given the complexity of modern applications, it can be very hard to maintain an effective and efficient SBOM program without the right tools. Join senior product manager Cortez Frazier Jr. in the webinar “Generating, Importing, and Managing SBOMs with FOSSA” for a workshop-style presentation on using FOSSA to handle SBOM essentials. 

We’ll show you how you can:

-Generate SBOMs in multiple formats, including SPDX and CycloneDX
-Import third-party SBOMs to gain visibility into supply chain security risks
-Manage all SBOMs on an ongoing basis to stay on top of application security threats
-Host and distribute SBOMs for third-party use

Generating, Importing, and Managing SBOMs with FOSSA

Maintaining compliance with open source licensing requirements is an essential part of software development, but it can often be easier said than done. That’s because the typical modern application is built with approximately 90% open source components, which means a lot of different licenses, obligations, and, in some cases, manual work.

Fortunately, tools exist to make compliance much easier than it was a decade ago. Join us in the webinar "Automating Open Source License Compliance Essentials" to see how your organization can use FOSSA to automate important compliance processes, including the ability to: 

-See all open source license obligations for a given application in one place
-Fulfill license notice and attribution requirements
-Customize and implement compliance policies (which ensures you won’t inadvertently distribute a product under a license you don’t allow)

Automating Open Source License Compliance Essentials

SPDX (Software Packet Data Exchange) is a widely used software bill of materials (SBOM) specification. It’s one of two full-stack SBOM standards approved under the U.S. government’s 2021 cybersecurity executive order, and it supports a number of important software supply chain management use cases.

Although SPDX has been around for over a decade (the original v1.0 was released in 2011), the specification has evolved significantly over the years, up to the current v2.3. Today, organizations can leverage SPDX to support a broad range of initiatives (including supply chain security), with a wide range of customizations and formatting options. 

Join Gary O’Neall, Tech Team Lead at SPDX, for a webinar on the specification, its evolution, and best practices for using it efficiently and effectively. We’ll discuss:

-The SPDX big picture: document structure, file formats, and internal vs. external SBOMs
-Typical SPDX data fields: required minimum elements, recommended elements, and useful add-ons
-SPDX security use cases and how the current v2.3 supports them
-Strategies for generating and maintaining SPDX SBOMs

An Insider’s Guide to SPDX

The NIS2 Directive is a new, wide-ranging EU cybersecurity law that includes regulations on incident response, software supply chain security, multi-factor authentication, risk analysis, and more. The Directive will take effect in October 2024 and will apply to more organizations (and include more requirements) than the EU’s current cybersecurity regulations (NIS). 

Join GlobalDots (a leading cloud and performance optimisation partner) during this webinar to review the Directive, with a particular focus on software supply chain security regulations and steps your organization can take now to enable compliance. We'll discuss:

-NIS2 requirements, scope, and implementation timeline
-Differences between NIS2 and NIS
-NIS2 software supply chain security requirements
-Tools, strategies, and processes to enable compliance with supply chain security regulations

NIS2 Directive: Understanding and Complying with Supply Chain Security Guidance

Although there are some universal rules of open source license compliance — like avoiding conflicts with GPL — there’s also plenty of nuance. 

Deploying software today is a mix of on-premises, SaaS, mobile, containerization, and edge computing. Your open source policy may not be one-size-fits-all.

How should your policies differ based on deployment model? What about applications built with generative AI? And, how do you implement these policies in a way that works for engineering teams? 

Join Heather Meeker, one of the world’s foremost open source software licensing experts, in our upcoming webinar for answers. Heather will cover a number of important compliance policy considerations, including:

-Customizing policies for common software deployment models and your work environment
-Strategies for effectively implementing policies — and reducing friction between legal and engineering teams
-Best practices for applications built with generative AI tools like GitHub Copilot
-Creating rules for SaaS, mobile, on-premises, containers, and edge computing

Customizing Your Open Source Compliance Policy, Featuring Heather Meeker

Since launching in 2017, CycloneDX has gained popularity as a lightweight software bill of materials (SBOM) specification. And, that growth has only accelerated in the months since CycloneDX was highlighted in the U.S. government's 2021 cybersecurity executive order as an approved SBOM export format.

Join Steve Springett, Chair of the CycloneDX Core Working Group, for an in-depth look at the current state of the specification — and for practical guidance on using CycloneDX in your organization. We'll discuss:

-Elements of a CycloneDX SBOM
-Top CycloneDX SBOM use cases
-CycloneDX vs. SPDX and other popular SBOM formats
-Best practices for generating and importing CycloneDX SBOMs

Understanding and Using the CycloneDX SBOM Standard

Note: This is the replay of a webinar that originally aired on Nov. 16, 2022. 

Today, nearly every company that builds applications uses open-source software — and the majority of organizations use significant amounts of it.

Although the explosive growth of open source has yielded numerous benefits (including cost savings and faster time to market), it's also led to increased scrutiny of OSS license compliance (e.g. the ongoing matter of SFC v. Vizio). As a result, organizations without comprehensive compliance programs may face exposure to the legal, reputational, and financial risks that can come with non-compliance.
 
But while the license compliance field is still evolving, there are certain proven processes, tools, and workflows that can help organizations successfully manage compliance-related risk.
 
Join IP attorney Kate Downing, a leading expert in open-source license compliance, to uncover the key ingredients of a comprehensive, effective, and efficient compliance program. 
 
Kate will offer practical guidance on areas like:
-Implementing license/legal review processes that don't create a bottleneck for engineering 
-Creating attribution files for distributed products
-Preparing source code files (for compliance with copyleft licenses)
-Leveraging code scanning software
-Bringing these tools and processes together into a scalable, efficient, and effective program

The Lawyer's Guide to a Comprehensive Open Source Compliance Program

The software bill of materials (SBOM) landscape continues to evolve, with new tooling, standards, and use cases emerging each year. For 2023, we expect this to include a significant emphasis on importing third-party SBOMs, operationalizing vulnerability data across the SDLC, and distributing SBOMs in standardized formats.

Join FOSSA for our January 18 webinar discussion on important SBOM trends to track in 2023 — and steps your organization can take now to get ahead.

We’ll discuss:

-New standards and tools (like the CycloneDX SBOM Exchange API) that help standardize SBOM distribution
-Important considerations for ingesting SBOMs from third parties
-Maximizing the value of SBOM vulnerability information, including VEX (CycloneDX’s Vulnerability Exploitability eXchange)
-FOSSA’s new SBOM features, including support for importing and generating in the CycloneDX export format

SBOMs in 2023: Trends, Tools, and Capabilities

A recent Cloud Native Computing Foundation (CNCF) survey revealed that a staggering 84% of organizations use containers in production — up from only 23% a few years ago.

Like much of today’s technological landscape, the container ecosystem is largely fueled by open source components. This, of course, means organizations that use containers must be mindful of open source licensing requirements. But the complexity and relative novelty of the container environment means maintaining license compliance can be easier said than done. 

Join leading open source licensing expert Kate Downing and FOSSA’s engineering team on Dec. 19 for key insights on understanding and managing open source license compliance in the container environment. We’ll discuss:

-Which parts of the open source container ecosystem carry compliance obligations
-How to deal with copyleft-licensed components 
-End-to-end strategies for managing container-related compliance
-The role of container scanning in managing compliance

Containers and Open Source License Compliance

The great tool in any risk professional’s tool belt will always be an accurate and up-to-date asset inventory. SBOMs (software bill of materials) hold significant promise as a means of providing this real-time inventory — but there are a number of potential roadblocks that can prevent organizations from realizing this potential.

Join FOSSA Senior Product Manager Cortez Frazier Jr. in this webinar to learn strategies for successfully leveraging first- and third-party SBOMs in your security program — as well as common mistakes organizations make that prevent them from doing so. 

We’ll discuss: 

-Processes and workflows for generating SBOMs: When in the SDLC should you generate SBOMs, what information should you include, and how often should they be updated? 
-Strategies for getting SBOMs from third-party suppliers: What you should require suppliers to include in their SBOMs, and how should they be transmitted?
-How to integrate SBOM security insights into your security program: How do you consolidate data from first- and third-party SBOMs so you can effectively use it, and what are ideal workflows for security and engineering teams to remediate issues that SBOMs surface?

The Dos and Don'ts of Using SBOMs for Security

SBOM

Software Bill of Materials

Application Security

Vulnerability Management

Open Source

Software Composition Analysis

Intellectual property law is crucial to ensuring that you or your organization have exclusive rights to that assets that you’ve created. The BrightTALK intellectual property community has thousands of professionals focused on learning and exchanging information about intellectual property management, intellectual property software and how to protect intellectual property. Join the community for access to free, interactive presentations or attend live webinars to have your questions answered by IP lawyers and industry experts.

Intellectual Property

The legal community on BrightTALK combines the fields of employment law, e-discovery, intellectual property and environmental law to create a thriving ecosystem of legal resources. Attend live and on-demand webinars dealing with employment contract law, e-discovery solutions, intellectual property software and sustainable development from leading lawyers and legal professionals to gain knowledge in a wide range of fields. Join the community and be part of the conversation by attending live legal webinars and connecting with industry thought leaders.

Legal

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Enterprise applications have become a crucial piece of infrastructure for many businesses. The enterprise applications community on BrightTALK features the latest insights in enterprise application integration, enterprise application architecture and EAS software. Join the community to gain access to thousands of videos and webinars presented by recognized enterprise information systems experts and arm yourself with the knowledge you need to succeed.

Enterprise Applications

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Happy employees make productive employees. HR managers are now finding that compensation and benefits alone cannot keep employees happy; they also need nurturing through proper training and development. Join the BrightTALK talent management community to learn how to engage and retain your best talent by providing them with the tools and rewards they need to enhance their performance and reach their potential.

Talent Management

Modern human resources professionals are charged with not only the recruitment of talent, but also retention, satisfaction and management. They also support the training, assessment and compensation aspects of employee management. Join this community to connect with thought leaders and learn about trends in benefits, compensation and talent management. Stay ahead of the curve to attract and retain top talent and strengthen organizational leadership and culture.

HR Strategy

Human resources is intrinsically linked to business success and requires a thoughtful balance of a variety of complex issues. The human resources community on BrightTALK is made up of thousands of professionals in human resources exchanging human resources best practices and advice. Watch hundreds of on-demand webinars for immediate information or participate in upcoming live webinars and have your questions answered by respected HR thought leaders.

Human Resources

Get powerful market trends insights that are shaping the M

Mergers and Acquisitions

The accounting and finance community on BrightTALK features presentations from leading accountants and finance professionals. The accounting community includes tax planning strategies, QuickBooks webinars and other accounting webinars, while the finance community features presentations on financial capital regulations and forensic data analytics. Join the conversation by attending live financial and accounting presentations and connecting with industry thought leaders.

The Dos and Don'ts of Using SBOMs for Security

Presented by

About this talk

More from this channel