Risk Based Security Announces Sponsorship and Integration With OWASP Dependency-Track

Risk Based Security is pleased to announce our sponsorship of the OWASP Dependency-Track project and corresponding integration of VulnDB data into the Dependency-Track platform.

Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components.  The platform tracks third-party component usage across all applications created or consumed by an organization. The platform proactively identifies vulnerabilities in components that are placing applications and their users at risk. With the VulnDB integration, platform users now have the option to access more comprehensive vulnerability intelligence for better vulnerability identification and prioritization of remediation efforts.

Dependency-Track is designed to be used in an automated DevOps environment and supports integration with OWASP Dependency-Check and industry-standard bill-of-material formats, both of which can be consumed by Dependency-Track via a Jenkins plugin.

The Dependency-Track project, launched in 2013 in an effort to drive further awareness, adoption, and reduction of supply-chain risk, has elevated the capabilities of open-source SCA through a series of technological milestones, especially in the latest release. Among the newest enhancements is native integration of VulnDB which is both straightforward and extremely simple for organizations to set up.

“I’m excited about the Risk Based Security sponsorship and the many benefits their VulnDB data bring to the platform. I’m especially optimistic about what capabilities we’ll be able to deliver in future milestones as we advance the open-source SCA platform even further”, says Steve Springett, project lead for Dependency-Track.

Use of Dependency-Track can play a vital role in an overall Supply Chain Risk Management (SCRM) program by providing many of the recommendations outlined in the NIST Cybersecurity Framework. Dependency-Track can also be used to monitor vulnerabilities in COTS (commercial off-the-shelf) software.

Organizations, which also have a VulnDB subscription, are able to easily see comprehensive vulnerability intelligence directly in the the Dependency-Track project. In the latest release, there is built-in support for the VulnDB API.

“What Steve and his team have done with the latest release of Dependency-Track is extremely impressive.  Further, by ensuring that VulnDB is integrated, it allows organizations to feel comfortable that the components that they care about are being properly monitored for vulnerabilities.”, said Jake Kouns, CISO for Risk Based Security.

To learn more about Dependency-Track capabilities please view the following video:

If you have any questions or ideas for improvements we would love to hear from you!

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.