Software components that were once good can sour instantly when new vulnerabilities are discovered within them. When that happens, the bears are coming, and you have to respond quickly.



Two men are walking through a forest. Suddenly, they see a bear off in the distance, running toward them. Adrenaline pumping, they start running away. But then one of them stops, takes some running shoes from his bag and starts putting them on.

“Frank, what are you doing?” says the other man. “Do you think you will run faster than the bear with those?”

“I don’t need to run faster than the bear,” Frank replies. “I just have to run faster than you.”

This scenario repeats itself every time a new security vulnerability is discovered in a widely used open source component. Imagine the bear as your adversary. Rushing to attack when easy prey is present. Your response time is critical.

Sneakers on. Go!

For my complete story, please continue to Dark Reading



5 Steps to Improve Your Software Supply Chain Security


Organizations that take control of their software supply chains will see tremendous gains in developer productivity, improved quality, and lower risk.

To improve management of component vulnerabilities, consider these five steps, which mimic a number of the supply chain management concepts originated by quality guru W. Edwards Deming to improve quality, accelerate feedback loops, and increase efficiencies of manufacturing operations. The same approaches are being adopted by organizations improving their own operations through the adoption of Continuous Delivery and DevOps processes:

1. Create a software bill of materials for one application: Visibility into one application can help you understand your current component usage. A number of free and paid services are available to help you create a software bill of materials within a few minutes. The bill of materials will help you identify the unique component parts used within your application and the suppliers who contributed them. These reports list all components used, and several services also identify component age, popularity, version numbers, licenses, and known vulnerabilities.

For more tips and my complete story, please continue to Dark Reading