SBOM, CycloneDX and Dependency-Track – The Right Security
February 23, 2021 • RBS
Steve Springett, Senior Security Architect at ServiceNow, joins Jake Kouns, CEO and CISO at Risk Based Security, to talk about the need for Software Bill of Materials (SBOM), CycloneDX and the Dependency-Track project.
Steve has been at the forefront of helping organizations identify and reduce risk from the use of third-party and open source components. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS) project, CycloneDX software bill-of-material specification, and participates in several related projects and working groups.
0:00 – Welcome and speaker introductions
1:30 – Defining SAST, DAST, IAST, SCA and SBOM
9:17 – The real difference between SBOM and SCA
12:00 – The importance of SBOM
14:41 – NTIA multi-stakeholder process for Software Component Transparency
20:17 – What is CycloneDX
24:37 – How CycloneDX is different
27:06 – What’s new in CycloneDX
30:45 – The PURL standard
34:00 – The relationship between CycloneDX and PURL
35:41 – What is Dependency-Track
38:42 – Dependency-Track and CycloneDX integration
41:31 – Using Dependency-Track over a commercial vendor solution
43:58 – Major updates in Dependency-Track 4.0
47:15 – Closing thoughts
- ServiceNow – The smarter way to workflow™
- CycloneDX Software Bill of Materials (SBOM) Standard
- Dependency-Track | Software Bill of Materials (SBOM) Analysis
The Right Security
This is the latest in our video series The Right Security, in which we talk with leaders and veterans in the security industry, tackling the biggest issues impacting organizations today.