Name: Why You Need Both SCA and SBOM Management
Start: 2024-11-19T05:00:00Z
End: 2024-11-19T05:00:21.000Z
Location: BrightTALK
Rating: 5

Sonatype is the software supply chain management company. We empower developers and security professionals with intelligent tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them. This helps organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.

AI coding assistants are transforming software development, helping teams move faster than ever. But speed often comes at a cost: vulnerable or low-quality dependencies that create more work. In fact, 68% of developers report spending more time debugging AI-generated code than writing new code.

Stop fixing AI code. Start shipping it.

Join us for an exclusive webinar where we’ll unbox the latest innovation from Sonatype, a solution designed to make AI-assisted development faster, safer, and more reliable.

In this session, you’ll learn how to:
- Integrate seamlessly with your existing AI coding tools to enhance their capabilities.
- Put dependency management on autopilot with agentic AI that keeps your code secure and up to date.
- Reduce rework and accelerate delivery by empowering AI coding assistants to choose secure, high-quality components from the start.

Don't miss this opportunity to get a first look at the future of AI-assisted development in action. Learn how you can transform your development process and deliver better software, faster.

First Look: Unboxing Guardrails for AI-Generated Code

The Open Letter on Sustainable Stewardship, co-signed by the Python Software Foundation, Rust Foundation, OpenJS, Ruby Central, and others, highlights a critical truth: current open source consumption patterns are unsustainable.

In this webinar, Sonatype CTO and Maven Central steward Brian Fox joins leaders from the Rust, Eclipse, and OpenJS Foundations to explore why the status quo must change, what risks we face if it doesn’t, and how enterprises can take practical steps toward responsibility.

You’ll Learn:
- The hidden costs of “free” infrastructure — from wasted bandwidth to slower builds.
- Why billion-dollar ecosystems cannot depend on unpaid weekends.
- How communities, enterprises, and governments can collaborate to keep open source strong for the next generation.

The Open Letter on Sustainable Stewardship: Why Responsible Open Source Matters

Navigate the new era of software compliance and turn regulatory shifts into your strategic advantage.

As innovation accelerates, the landscape of software security and compliance is undergoing a seismic shift. The European Union’s Cyber Resilience Act (CRA) is setting a new global benchmark, requiring strict security obligations for software products and connected devices. Simultaneously, emerging AI oversight introduces complex new layers of accountability.

For today’s leaders, the challenge is clear: how to protect software supply chains and meet these rigorous standards without sacrificing development velocity.

Join our expert panel for a crucial discussion on the future of software compliance. We provide actionable strategies to meet CRA requirements and prepare for the next wave of AI regulation.

In This Webinar, You Will Learn:
- The global impact of the EU Cyber Resilience Act (CRA) and what it means for your organization.
- How the EU AI Act builds on CRA principles to set a new precedent for AI oversight.
- Key risks and opportunities when integrating AI into your regulatory compliance frameworks.
- Best practices for embedding secure-by-design and compliance-by-default innovation without slowing down your teams.

CRA and AI Regulation: What’s Next for Software Compliance

Malware authors are evolving faster than ever, exploiting automation gaps in legacy SCA tools. Relying on outdated CVE databases is no longer enough to protect your software supply chain.

The result?
- Malicious packages infiltrate your repositories.
- Developers waste time chasing false positives.
- Your software supply chain becomes a bottleneck instead of a competitive advantage.

Join this webinar to learn how to solve these challenges and stay ahead of attackers. You’ll discover:
- Why traditional AppSec tools are falling short in today’s fast-paced threat landscape.
- How real-time malware detection empowers you to block threats before they reach your repositories.
- Practical strategies to secure your software supply chain and boost developer productivity without compromising security.

This session will equip you with actionable strategies to secure your software supply chain, reduce risk, and boost developer productivity.

Outpace Malware: Build Faster, Safer Software

As organizations deepen their reliance on open source software, evolving security threats are reshaping the landscape at an unprecedented pace.

Threat actors are now increasingly targeting development pipelines and trusted ecosystems like npm to orchestrate supply chain attacks with significant downstream impact. Incidents such as the 2025 Shai-Hulud npm campaign, the XZ Utils backdoor, and the widespread compromise of over 23,000 GitHub repositories illustrate how open source malware has quickly become a critical, top-tier threat—built to evade legacy scanning and exploit trust woven into modern delivery pipelines.

In this webinar, Bryan Whyte, Director of Solutions Engineering at Sonatype, will break down the latest wave of open source malware, explain how these threats diverge from traditional vulnerabilities, and share actionable steps for federal and defense organizations to defend mission-critical software.

Key Takeaways:
- The shifting tactics of threat actors targeting npm, GitHub, and development pipelines
- Key differences between open source malware and traditional malware or vulnerabilities
- The most prevalent malware types and tactics driving today’s software supply chain attacks
- Practical strategies to secure your SDLC and deliver on Secure Software Acquisition and SWFT objectives

Open Source Malware: Defending Your Software Supply Chain From Evolving Threats

Software security vulnerabilities can compromise your entire software supply chain. But with the right strategies in place, you can stop these risks at their source. This webinar is your guide to mastering Sonatype's Repository Firewall to ensure release integrity, block risky components, and fortify your organization’s defenses without sacrificing speed.

Join us to learn from experts who will reveal how to safeguard your development pipelines and shift malware prevention left. Whether you’re new to Sonatype Repository Firewall or fine-tuning your current setup, this session delivers actionable insights to help you make software faster—and safer.

Key Takeaways:
- Implement smarter firewall rules to better protect your software components.
- Tune policy thresholds to balance speed and security.
- Ensure release integrity across your teams and workflows.
- Identify and block risky components before they can harm your pipeline.
- Prevent shadow artifacts and maintain control in your repositories.

Best Practices for Firewall

The federal government is continuously advancing software security standards, positioning the Software Bill of Materials (SBOM) as a critical element of compliance. As mandates like Executive Order 14028, CISA guidance, and evolving frameworks from NIST and the Software Fast Track (SWFT) Initiative reshape the regulatory landscape, staying ahead requires more than just meeting today's checklists. It demands a forward-thinking, automated approach.

Join our webinar to explore how AI-powered automation is transforming SBOM creation and management. Discover how to build a resilient compliance strategy that not only meets current federal requirements but also anticipates future changes, ensuring your software supply chain is secure, transparent, and mission-ready.

In This Webinar, You Will Learn How To:
- Automate SBOM Management with AI: See how intelligent tools streamline SBOM creation, validation, and monitoring in alignment with NIST, SWFT, and other federal mandates.
- Navigate Evolving Federal Compliance: Understand the latest software security requirements and how new frameworks impact your development and compliance strategies.
- Integrate AI-Driven Audits: Explore how to use AI-powered tools to automate compliance checks, accelerate vulnerability detection, and reduce manual effort.
- Future-Proof Your Compliance Strategy: Gain strategic insights from industry leaders to anticipate and prepare for the next wave of regulations in the federal software ecosystem.

Mission-Ready SBOMs

As containers power modern applications, ensuring every image is secure and compliant is critical. In this webinar, discover how the Sonatype Repository Firewall integration with Docker helps teams automatically block risky or non-compliant images before they enter your pipelines.

You’ll learn how Sonatype and Docker help:
- Enforce policies at ingestion to quarantine malicious and vulnerable images.
- Provide instant developer feedback with clear remediation paths.
- Streamline exceptions with container-level waivers and API support.
- Extend governance across single- and multi-architecture Docker Hardened Images that deliver a secure, audit-ready foundation.

Why attend? You will see how Sonatype and Docker work better together to protect your container supply chain from vulnerabilities and compliance drift, accelerate delivery by eliminating late-stage security bottlenecks, and scale governance across development teams and environments with confidence.

Fortifying Your Container Supply Chain with Docker + Sonatype

Engineering teams face immense pressure to innovate faster while maintaining security across complex software supply chains. Static Software Bill of Materials (SBOMs) can no longer keep pace with this demand. But what if your SBOMs could move beyond inventories to become real-time drivers of secure, scalable software development?

Join Sonatype experts and customer pioneers to explore how leading engineering and security teams are evolving their approach to SBOMs. With real-world insights and practical applications, you'll learn how to harness the true power of SBOMs for actionable governance, efficient scaling, and risk reduction.

Why you should attend:
- SCA and SBOM - Better together: Learn how SCA and SBOMs work together to provide continuous security monitoring and a complete record for compliance, leading to faster incident response.
- Secure Development Pipelines: Discover how top teams actively identify vulnerabilities and mitigate risks without slowing down innovation.
- Scalable Solutions: See how SBOMs enable organization-wide visibility, empowering teams to operate with confidence across every phase of the Software Development Life Cycle (SDLC).
- Exclusive Expertise: Hear directly from a Sonatype field expert about overcoming real-world challenges and achieving measurable outcomes.
- Actionable Frameworks: Learn how to turn static SBOMs into dynamic resources for real-time Software Composition Analysis (SCA).

Using SBOMs to Power SCA

Many organizations assume that using a repository manager or perimeter security tools is enough to protect them from open source malware. The reality is different. Repository managers help control usage and access, but they cannot prevent packages and AI models from being downloaded outside of approved channels. These ungoverned "shadow downloads" bypass your policies entirely. 

Perimeter security tools, meanwhile, were never designed with software development in mind. They excel at blocking external network threats but have no ability to detect malicious software components. That gap is growing as new risks emerge, from shadow downloads in build pipelines to malicious code embedded in open source packages and even AI models. Together, these weaknesses create a false sense of protection, while malware can still make its way into your builds and applications.

So how can you close these gaps and stop open source malware before it enters your development pipeline?

In this webinar, you will learn:
- How shadow downloads bypass defenses you thought were secure.
- The biggest blind spots in repository managers, perimeter defenses, and endpoint tools.
- Why real-time malware prevention at the source is the ultimate safeguard for your software.

We will also show you how Sonatype Repository Firewall stops malware before it enters your development ecosystem—across both cloud and on-premises—so your teams can continue building securely at speed.

The False Sense of Security

The pressure to innovate faster in today’s AI-driven world is greater than ever. But can you scale development velocity without sacrificing security, compliance, or control? Join Sonatype and AWS for an exclusive webinar designed to equip modern software teams with the insights and tools to innovate boldly, without compromise.

Here’s What You’ll Learn:
- Build Secure, AI-Enabled Pipelines: Govern AI-generated code and models effectively, while preventing open source malware and blocking unauthorized tools from jeopardizing your environment.  
- Accelerate Development with Confidence: Achieve centralized management for code, zero-downtime upgrades, and high availability—ensuring speed never comes at the expense of quality or security.  
- Transform DevOps with Real-World Demos: Watch real-world demos to understand how governed pipelines maximize delivery velocity, compliance, and resilience across teams.  

This session brings clarity to the complexities of secure software development in the age of AI. You’ll leave empowered to lead transformation across your software development life cycle with actionable strategies, expert demonstrations, and practical insights.

Developer Velocity With Sonatype & AWS

The Lazarus Group — an advanced persistent threat (APT) linked to North Korea — is weaponizing the trust inherent in open source ecosystems like npm and PyPI. Sonatype’s latest research uncovered 234 unique malware packages attributed to Lazarus in the first half of 2025 alone, representing 36,000 potential victims. This on-demand webinar exposes how Lazarus Group is turning open source into a delivery mechanism for cyberespionage.

Learn how these malicious actors exploit developers’ trust, deploy multi-stage malware, and use sophisticated obfuscation to evade detection.

Key takeaways include:
- Insights into Lazarus’ exfiltration-focused malware, targeting developer credentials, cloud keys, and production secrets.
- An examination of their advanced strategies, including two novel techniques, for long-term persistence and wide-scale impact on software supply chains.
- Actionable recommendations to safeguard your development pipelines and proactively defend against similar threats.

This webinar equips you with the knowledge and strategies needed to mitigate the rising threat of supply chain attacks. Enable your teams to stay secure without sacrificing speed or innovation.

How Lazarus Group Uses Open Source To Attack Developers

How do you enable rapid, secure software development while remaining compliant with strict regulations? Discover the answer during this exclusive webinar.

Join Tom Tapley, Senior Product Manager at Sonatype, as he explores cutting-edge strategies to safeguard software supply chains in disconnected environments. This session will focus on overcoming common obstacles, adhering to federal regulations like the Executive Order on Improving the Nation's Cybersecurity, and integrating best practices to mitigate security risks.

Key Takeaways:
1) Learn how to generate accurate Software Bill of Materials (SBOMs) to ensure compliance and software integrity.
2) Discover methods to enforce open-source policies and automatically block harmful dependencies.
3) Explore how Sonatype’s innovative solutions empower teams to balance agility with security, even in air-gapped settings.

This webinar is tailored for federal professionals striving to secure their software ecosystems without slowing innovation. Don’t miss this opportunity to gain actionable insights from an industry expert.

Securing Software Supply Chains in Air-Gapped Environments

In this timely session, Sonatype experts will outline what’s known about SWFT so far and what it means for organizations building, evaluating, and procuring software for defense applications.

What You’ll Gain:
1) Up-to-date insights on the current draft SWFT requirements as they stand today.
2) Guidance on building secure, compliant software even as the details continue to evolve.
3) Practical tools and strategies for staying agile and maintaining compliance during this transition.

Join us for a grounded discussion tailored to defense contractors, integrators, and security leaders. We’ll separate fact from speculation, offering actionable steps you can take now to navigate SWFT and support your organization’s mission with confidence.

DoD-Ready Software: Navigating the Evolving SWFT Initiative

Uncover Hidden Risks in Your Software Supply Chain—Before They Strike. 

The rapid adoption of AI/ML is revolutionizing innovation, but it’s also creating new, often overlooked vulnerabilities. Malicious actors are exploiting pre-trained models, shadow dependencies, and non-code artifacts to infiltrate even the most robust software supply chains. Are you prepared to defend against these emerging threats?

Join Sonatype’s expert-led webinar to explore how the explosive growth of AI tools like Hugging Face has introduced a new frontier for open-source risk.

What You’ll Learn:
1) Identify Vulnerabilities – How hidden malware in pre-trained models and dependencies can derail your software ecosystem.
2) Real-World Lessons – See how actual breaches have unfolded and what they teach us about evolving threats.
3) Practical Solutions – Discover how Sonatype’s Repository Firewall and advanced malware research are redefining risk mitigation in AI/ML supply chains.

Securing Your Supply Chain: How Al/ML Tools are Changing the Game

Federal agencies are accelerating the adoption of artificial intelligence and machine learning. As these technologies are integrated into critical workflows, they introduce complex security and compliance challenges throughout the software supply chain. This webinar will examine the key challenges in managing AI/ML integrations across federal workflows.

Join an expert panel as they break down best practices for enhancing governance of AI stacks, mitigating risks, and maintaining compliance with evolving regulations. The discussion will explore how modern tools and techniques can secure not only your code but also your AI models throughout the software supply chain.

Key Takeaways
• Discover how to protect AI/ML pipelines by detecting risks in open-source components and third-party dependencies.
• Learn best practices to govern AI systems across federal stacks while adhering to frameworks such as NIST and EO 14144.
• Gain insights from leading industry experts into addressing threats and ensuring the integrity of AI/ML models.

Securing the AI Supply Chain: Federal Strategies for Safe and Compliant Adoption

Join us for a timely webinar as we assess the real-world impact of DORA’s operational resilience and ICT risk mandates. We’ll explore early enforcement trends, common compliance pitfalls, and what regulators and auditors are signaling for the road ahead.

Our expert panel will also break down how financial entities and their critical third-party providers are adapting practices around software supply chain security and incident reporting. Whether you're ahead of the curve or still closing gaps, this session will provide practical insights and guidance to strengthen your resilience strategy in the second half of 2025 and beyond.

Key Takeaways:
• What’s working and what’s not in early DORA compliance efforts
• How regulators and supervisory authorities are interpreting the rules 
• The growing role of SBOMs and third-party risk transparency 
• Actionable recommendations for maintaining compliance

DORA Compliance: Lessons Learned, Gaps Exposed, and What’s Next

Join Sonatype and guest speaker Janet Worthington, Principal Analyst at Forrester, for an open discussion on AI governance, risk, and compliance in software development.

AI Fireside Chat with Forrester

Understand the essential duo of SCA and SBOM management and why you need both. 

Learn about:

- The role of SCA vs. SBOMs
- The combination of both SCA and SBOM management in a software development lifecycle
- How to integrate SBOM management into your SCA tools

Why You Need Both SCA and SBOM Management

Security

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The application development community features top thought leadership focusing on optimal practices in software development, SDLC methodology, mobile app development and application development platforms and tools. Join top software engineers and coders as they cover emerging trends in everything from enterprise app development to developing for mobile platforms such as Android and iOS.

Application Development

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Information Technology

Thousands of healthcare IT professionals compose the health IT community on BrightTALK. Learn alongside them with relevant webinars on healthcare IT compliance, big data in healthcare and IT solutions for healthcare organizations. Join the conversation by asking questions and engaging with other participants during live webinars and organized discussions.

Why You Need Both SCA and SBOM Management

Presented by

About this talk

Sonatype