Cyber Supply Chain Management and Transparency Act of 2014
On December 4, 2014, U.S. Congressional Representatives Ed Royce (R-CA) and Lynn Jenkins (R-KS) introduced H.R. 5793, the "Cyber Supply Chain Management and Transparency Act of 2014." The proposed legislation would require any organization selling software, firmware or products to the federal government to provide a bill of materials listing all third-party and open source components used, and to demonstrate that those component versions have no known vulnerabilities.
FS-ISAC identifies a new cyber attack risk in your "IT supply chain." Sonatype can help.
Data breaches, online banking security and the overall growing threat of cyber attacks concern all organizations, but perhaps none more than the financial services industry.
To address these concerns, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) has released guidelines regarding security risk from "third party service and product providers."
OWASP Top Ten advises: Avoid using components with known vulnerabilities. Sonatype can help.
The Open Web Application Security Project (OWASP) has updated its Top Ten list of application security threats to include A9, which advises against "using components with known vulnerabilities."
These days, roughly 90% of a typical application is made up of open source or third-party components that are shared by developers worldwide.
However, most traditional application security methods don’t effectively identify component vulnerabilities.
PCI says “No” to using components with known vulnerabilities. Sonatype can help.
The Payment Card Industry (PCI) standards help ensure that banks, financial services firms and merchants protect their customers' credit card data.
Credit card security became more challenging with the mandate to "avoid components with known vulnerabilities" based on recent Open Web Application Security Project (OWASP) guidelines.
The good news is that Sonatype makes it easy to avoid this risk and achieve PCI compliance.
Are we doing enough to prevent future Heartbleeds? Here is what you can do now.
As the Heartbleed bug wreaked havoc on the internet, we at Sonatype began thinking about the lessons learned from this recent security scare and how, collectively, we can develop a process for mitigating the next major exposure.
Was this OpenSSL vulnerability an oversight by system administrators installing unknown software? The simple answer is no. OpenSSL is the de facto SSL implementation used on most internet servers around the world. It is not an untested, unverified component that slipped past security audits.