A few weeks ago Barak Brudo was interviewed on the DevSec For Scale Podcast on the subject of securing the software supply chain.
The main topic covered was the SBOM – what is it, what is it for, and how to utilize it to increase your visibility, agility, and responsiveness in the face of a vulnerability.
The main ingredient we feel is missing from a lot of security schemes today is an integrity check: between the final image or product and what is in the SCM, and between the packages and dependencies you intend to use and the ones you are actually using.
The ever-growing dependency tree behind that second gap is one of the reasons we strongly encourage everyone to use an SBOM in the first place.
We hope it’s as entertaining as it is educational.