
Register Now for JFrog Xray and VulnDB Webinar, July 30, 2019

Join our CISO, Jake Kouns and JFrog Senior Product Manager, Ofir Azoulay-Rozanes, in a live webcast July 30, 2019 at 1:30PM EST / 10:30AM PST.

A scanning solution is only as good as the vulnerability data that drives it. Since February 2019, Risk Based Security’s VulnDB® has been fueling JFrog’s Xray platform with the most comprehensive and timely data available. 

During this presentation, participants will gain an understanding of the powerful integration between Risk Based Security’s VulnDB and JFrog Xray. Anyone who wants to ensure that their deliverables are not vulnerable should attend. 

Register for the webinar with JFrog here

Can’t make it? Register anyway, and you’ll receive a link to the recording.

Video: Improve Your Vulnerability Response Using the New ServiceNow VulnDB Vulnerability Integration

Risk Based Security participated in ITS Partners’ webcast demonstrating the capabilities of the new ServiceNow VulnDB Vulnerability Integration.

Your security solution is only as good as the vulnerability data that drives it. Better data matters because it enables better prioritization decisions and quicker remediation. VulnDB contains comprehensive metadata and research on over 200,000 vulnerabilities, including over 69,000 that aren’t found in the National Vulnerability Database (NVD/CVE), and those numbers are growing quickly, with an average of about 70 new vulnerabilities disclosed every day.

In this webcast, Jake Kouns, CISO at Risk Based Security, joins Jay Wigard, Product Development Leader from ITS Partners, to discuss the challenges facing security professionals, and the valuable features of the new VulnDB Vulnerability Integration, available now as a free* download from the ServiceNow Store. The setup process is quick and simple. Check out the recorded webcast and start utilizing the ServiceNow platform to leverage asset information within your workflow.

Watch the video above, or download the VulnDB Vulnerability Integration app from the ServiceNow store today.

Interested in learning more about Risk Based Security’s suite of products? Click here to schedule a demo and see how much more comprehensive VulnDB is compared to other security solutions on the market.

* VulnDB subscription required

A Scanning Solution is Only as Good as the Vulnerability Data That Drives it

We had some great conversations at JFrog’s user conference, SwampUp 2019. Brian Martin, our Vice President of Vulnerability Intelligence, took part in an all-star keynote of experts where he discussed how our VulnDB® service helps secure JFrog Xray user pipelines.

The integration of VulnDB allows DevOps teams to discover, receive notifications on, and help remediate vulnerabilities in third-party libraries and dependencies early in the development cycle. As JFrog puts it, “a security scanning solution is only as good as the database of vulnerabilities that drives it.” Driven by Risk Based Security’s comprehensive data, Xray with VulnDB is the best security intelligence solution on the market for developers. 

Why does data from VulnDB give you an edge?

VulnDB is the most comprehensive source of vulnerability data available, with almost 69,000 vulnerabilities that are not found in CVE or the National Vulnerability Database (NVD). As Brian shared in his SwampUP keynote presentation, an average of about 70 new vulnerabilities are disclosed every day. This is an alarming volume, especially if your organization isn’t seeing the complete picture. That’s why our rallying cry is #BetterDataMatters. VulnDB is so much more advanced than any other database because we are looking for vulnerabilities and we speak with the DevOps community to ensure we are monitoring the libraries they are using. VulnDB includes more vulnerabilities, and carries more metadata and research on entries. This allows you to arm your organization with the most complete and up-to-date information available so you can make data-driven decisions to effectively manage and prioritize risk mitigation.

With this in mind, let’s look at some real-world applications. Recently, Sophos put out a very thought-provoking article. The article made some very interesting points:

  1. Most vulnerabilities aren’t exploited, and if they are, they tend to have a high CVSS score.
  2. There is apparently no relationship between the proof-of-concept (PoC) exploit code being published online and the start of real-world attacks.
  3. In order to patch vulnerabilities, a “reference tagging” machine learning model is the most efficient method.

Sophos based their conclusions on data provided in a whitepaper that researchers from Cyentia, Virginia Tech, and the RAND Corporation published. The findings were extremely engaging; however, the data used to support these claims lacks comprehensiveness.

Looking further into the data provided, it’s apparent that the researchers relied very heavily on security sensors based on CVE IDs, meaning that only vulnerabilities within CVE were being considered. This means that there are almost 69,000 vulns being missed in this study. To make matters worse, security scanning devices tend to cover half of the vulnerabilities in CVE, which makes the subset of data even smaller. 

In addition, Risk Based Security believes the machine learning models used in the study may have mis-categorized focused attacks. In situations where someone determines that a remote target is running specific software, then tries a comprehensive list of attacks against it, a detected attack would likely be labeled incorrectly. Since the researchers were basing their findings off of CVE data, it is highly likely that their sensors were not aware of specific vulnerabilities, resulting in a label of “Generic XSS” for example. This could have skewed results.

Last, these types of reports typically don’t share their full methodology, let alone what their sensors are capable of matching against. This means that there is no way to reproduce or validate their findings. Unfortunately, if the research is based solely on CVE data, several vendors performing a similar study will arrive at the same rough figures. CVE is the industry “standard,” yet it is missing a huge number of vulnerabilities, many of them with high CVSS scores and affecting major vendors. As previously stated, “a security scanning solution is only as good as the database of vulnerabilities that drives it.”

#BetterDataMatters. We would be very interested to see whether the findings presented would hold if more comprehensive and up-to-date data were used.

Interested in learning more about Risk Based Security’s suite of products? Click here to schedule a demo and see how much more comprehensive VulnDB is compared to other security solutions on the market.

Integrate Better Data from VulnDB into RSA Archer

RSA Archer® is a staple within the risk management community. Recognized as a leader in the 2018 Gartner Magic Quadrant for integrated risk management, RSA Archer allows organizations of all sizes to manage multiple dimensions of risk within its software platform. And now, you can integrate the world-leading vulnerability intelligence from VulnDB® directly into RSA Archer.

Introducing the VulnDB Data Feed for RSA Archer IT Security Vulnerabilities Program. Vulnerability Management is a key component of an integrated risk management strategy. Your organization can now combine the power and flexibility of RSA Archer with the rich vulnerability data of Risk Based Security’s VulnDB service. Some of the many highlights include:

  • Comprehensive and timely vulnerability intelligence. Get access to over 200,000 vulnerabilities, 68,000 of which are not found in CVE/NVD.
  • Surface potential vulnerabilities by matching asset and software data within RSA Archer to VulnDB’s extensive product associations.
  • Prioritize risk management using VulnDB without needing an additional vulnerability scan.

“The RSA Archer IT Security Vulnerabilities Program is a very powerful tool for surfacing and managing vulnerability-related risks.  With the VulnDB Data Feed, organizations can ensure they are using the best available data to inform that analysis process.” – Eric Paxton, Director of Business Operations, Risk Based Security

With a VulnDB subscription and the VulnDB Data Feed, you can investigate vulnerabilities within your software and make improved and timely risk prioritization and mitigation decisions. New vulnerabilities can be surfaced and remediated without the need to wait for results from another vulnerability scan. As a result, organizations can continuously monitor their environment for new vulnerabilities and potential exploits and greatly reduce their risk window.

Get the VulnDB Data Feed for RSA Archer from the RSA Link portal today*.

* VulnDB subscription required

About VulnDB

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.

For more information visit vulndb.cyberriskanalytics.com or call 855-RBS-RISK

Already using VulnDB? Risk Based Security has a suite of products that enables organizations make data-driven decisions to effectively manage and prioritize risk mitigation. See how our other products, Cyber Risk Analytics and YourCISO, can help you or your vendors stay secure in this rapidly evolving environment.

New VulnDB Integration for ServiceNow Enables Better Vulnerability Response

The ServiceNow® Vulnerability Response application is a powerful way for organizations to track, prioritize and resolve vulnerabilities. However, depending on data from vulnerability scanning processes can add time to remediation activities and unnecessarily increase risk exposure. In addition, many of the sources of vulnerability data available for use within ServiceNow are incomplete, limiting visibility to many potentially critical issues.

That’s why we’re excited to introduce the VulnDB® Vulnerability Integration for ServiceNow. With this integration, developed by ITS Partners, organizations can access data for over 200,000 vulnerabilities catalogued by VulnDB directly within ServiceNow, including over 68,000 vulnerabilities not found in the National Vulnerability Database (NVD / CVE).

“Successful vulnerability management involves understanding the assets and software in your environment, determining the vulnerabilities associated with that software, and using asset and vulnerability criticality information to inform risk-based prioritization and remediation decisions.  The VulnDB Vulnerability Integration app for ServiceNow is designed to help customers accomplish that goal” – Eric Paxton, Director of Business Operations, Risk Based Security.

Better Processes Powered by Better Data

Better data matters when it comes to helping organizations understand and mitigate the risks that could impact them. That’s why our product, VulnDB, is the most comprehensive and timely source for vulnerability intelligence available. VulnDB revolutionizes vulnerability identification and remediation processes, arming customers with fast, current insights about the vulnerabilities associated with the technologies they use, without the need for repeated vulnerability scans.

“The VulnDB Vulnerability Integration app provides additional info about the solution to a vulnerability, whether the vulnerability is actually exploitable or not, and classification data indicating how the vulnerability might be exploited. This rich metadata allows you to filter out the noise and make better decisions about which vulnerabilities you remediate and which you can safely ignore, which makes VulnDB a great supplement to your scanner-based solutions and other vulnerability data providers like the NVD.” – Josh Bernson, CTO, ITS Partners

With the VulnDB Vulnerability Integration app for ServiceNow, available as a free download* from the ServiceNow Store, organizations can leverage asset information and workflow within ServiceNow to quickly identify the vulnerabilities that are relevant to their organization, prioritize them using rich vulnerability and asset criticality information, and implement strong workflows and processes to facilitate quick remediation. The app features a fully guided setup process that makes configuration quick and simple.

Download the VulnDB Vulnerability Integration app from the ServiceNow store today

* VulnDB subscription required


ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.

Software Vulnerability Management with Device42 and VulnDB

At Risk Based Security, we’ve always believed that one of the critical components of effective security is knowing your vendors and assets, understanding the threats and vulnerabilities that may impact those vendors and assets, and then using that data to prioritize mitigation actions.

That’s why we’re excited to announce the VulnDB® integration into the Device42 platform. With this new integration, Device42 customers can easily map the best-in-class vulnerability information from VulnDB to the asset data discovered by Device42 and view a near-real time list of vulnerable software in their environment. In addition, much of the rich metadata from VulnDB is available directly within Device42 to help organizations understand the most critical vulnerabilities and assets that should receive attention first, yielding a truly risk-based approach.

Experience the power of Device42 + VulnDB for yourself at www.device42.com/integrations/vulndb/

Check your entire IT deployment against VulnDB, automatically

Device42 is a comprehensive, centralized, and cost-effective CMDB solution that auto-discovers and maps your entire IT infrastructure, automatically. Integrate VulnDB to:

  • View a near-real time list of vulnerable software – and where it’s running
    Use Device42 + VulnDB to see an up-to-date list of machines running software instances
    with disclosed vulnerabilities – on demand.
  • Understand vulnerability details
    See software type, license model, vendor, category, license count, and more for each
    software component, and click the ID to see full vulnerability details.
  • API access to vulnerabilities
    Search by software ID and quickly see all disclosed vulnerabilities.

Experience the power of Device42 + VulnDB for yourself! Visit https://www.device42.com to learn more about Software Vulnerability Management within Device42 and how it could benefit you.

Contact Device42

Device42, Inc.
600 Saw Mill Road
West Haven, CT 06516

1 (844) 424-2422 | 1 (203) 409-7242

[email protected] 


Risk Based Security Announces New Integration with Recorded Future for Intelligence-Driven Vulnerability Management

Risk Based Security, Inc., a provider of detailed information and analysis on Vulnerability Intelligence, Data Breaches, and Vendor Risk Ratings, today announced a new partnership with Recorded Future, the leading threat intelligence company, to help joint customers more effectively identify and prioritize the vulnerabilities they should mitigate.


Risk Based Security’s VulnDB is the most comprehensive and timely vulnerability intelligence solution available.  It provides actionable information about the latest in security vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications.  It enables security professionals to quickly and thoroughly analyze and respond to possible threats to their organization, helping safeguard them against the considerable costs and damage, to both data and reputation, that may result from an unmanaged vulnerability. The integration of the best-in-class vulnerability data from VulnDB into the Recorded Future analysis platform enables security teams to not only prioritize the vulnerabilities needing mitigation more effectively but also enrich and enhance their ability to respond to indicators of compromise.

The Recorded Future Connect partner program is laser focused on providing intelligence that helps teams make faster, more confident decisions by integrating rich threat intelligence into all security processes. Today, partners represent leading SIEM, incident response, ticketing, link analysis, security infrastructure, security orchestration and automation, vulnerability management, and threat intelligence platform (TIP) solutions.

“In 2018 alone, more than 22,000 vulnerabilities were added to the VulnDB database – more than any security team could manually identify and analyze on their own, never mind the actual patching and mitigation when a company is at risk. We’re proud to partner with Risk Based Security and believe the goal they’re working toward is foundational to cybersecurity teams’ ability to protect their organizations.” – Glenn Wong, Director of Product Management and Technology Partnerships, Recorded Future

VulnDB contains over 67,000 additional vulnerabilities not found in the frequently relied-upon Common Vulnerabilities and Exposures (CVE) database, and a much higher degree of information for each vulnerability, providing the richest, most complete vulnerability intelligence available.  VulnDB helps customers better address points of risk across their organization – from application development and IT infrastructure management to security operations, vendor risk management, and procurement.

“Better data matters when it comes to effectively prioritizing and remediating vulnerabilities,” said Jake Kouns, Chief Information Security Officer at Risk Based Security. “With the VulnDB Intelligence Card extension for Recorded Future, our joint customers can access VulnDB’s extensive vulnerability intelligence from within the Recorded Future platform to provide additional valuable context and better respond to growing threats.”

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.


For more information, please visit www.riskbasedsecurity.com or vulndb.cyberriskanalytics.com, call 855-RBS-RISK or contact us here.

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future. Learn more at www.recordedfuture.com and follow us on Twitter at @RecordedFuture.

Request a demo of Recorded Future: https://go.recordedfuture.com/demo

VulnDB Add-On for Splunk Brings Best Vulnerability Intelligence To Risk Based Security and Splunk Customers

Risk Based Security (RBS), a provider of detailed information and analysis regarding Vendor Risk Ratings and Vulnerability Intelligence, is pleased to announce the launch of our latest VulnDB integration option.

The VulnDB Add-On for Splunk helps customers easily integrate data from Risk Based Security’s VulnDB service into Splunk software. The VulnDB Add-On for Splunk assists Splunk® Enterprise and Splunk Cloud customers in uncovering and remediating the highest-priority vulnerabilities that exist in their environment. Download the VulnDB Add-On for Splunk now on https://splunkbase.splunk.com/app/4220/.

When a new vulnerability is disclosed, organizations need to know if and where they are impacted without having to run a vulnerability scan of their environment. Risk Based Security’s VulnDB contains over 63,000 additional vulnerabilities not found in the frequently relied-upon Common Vulnerabilities and Exposures (CVE) database, and a much higher degree of information for each vulnerability, providing the richest, most complete vulnerability intelligence available. VulnDB helps customers address points of risk across their organization more effectively than legacy vulnerability scanning alone – from application development and IT infrastructure management to security operations, vendor risk management, and procurement. Bringing VulnDB data into Splunk allows organizations to map vulnerability data to the assets and vendors in their environment and quickly identify whether a newly disclosed vulnerability affects them. Armed with this insight, organizations can efficiently prioritize and plan remediation activities, and quickly pull up relevant vulnerability data during security incident response.
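The RSA Archer, ServiceNow, Device42 and Splunk integrations above all rest on the same operation: join the software inventory you already hold to the vulnerability feed by vendor and product, filter by affected version range, rank what matches using both vulnerability metadata (CVSS, public exploit, available fix) and asset criticality, and re-run that join whenever a new record arrives instead of launching another scan. The following is an added example of that operation in plain Python; it is not code from Risk Based Security, Splunk, RSA, ServiceNow or Device42. The record layout (fields such as `affected_from`, `fixed_in`, `exploit_public`), the scoring weights, the product names and the IDs `V-1001` to `V-1004` are all hypothetical, constructed here for illustration and not the VulnDB API schema.

```python
# Added example, not Risk Based Security / Splunk / Archer / ServiceNow / Device42
# code. Field names are a hypothetical simplified layout, not the VulnDB API
# schema; every record below is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str             # hypothetical feed identifier
    vendor: str
    product: str
    affected_from: str       # first affected version (inclusive)
    fixed_in: Optional[str]  # first fixed version; None = no fix yet
    cvss: float
    exploit_public: bool     # exploitability flag carried in the feed metadata
    solution: Optional[str]


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str
    criticality: int         # 1 (low) .. 5 (business critical), from the CMDB


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln: Vuln
    score: float


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple. Non-digits are dropped:
    fine for the sample data, not for every vendor's versioning scheme."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _padded(*versions: str) -> List[Tuple[int, ...]]:
    """Right-pad with zeros so "2.4" and "2.4.0" compare equal."""
    tuples = [parse_version(v) for v in versions]
    width = max(len(t) for t in tuples)
    return [t + (0,) * (width - len(t)) for t in tuples]


def version_in_range(version: str, affected_from: str, fixed_in: Optional[str]) -> bool:
    """True when affected_from <= version < fixed_in (no upper bound if unfixed)."""
    if fixed_in is None:
        v, lo = _padded(version, affected_from)
        return lo <= v
    v, lo, hi = _padded(version, affected_from, fixed_in)
    return lo <= v < hi


def priority_score(vuln: Vuln, asset: Asset) -> float:
    """Illustrative ranking: CVSS weighted by asset criticality, boosted 1.5x
    when a public exploit exists. Replace the weights with your own risk model."""
    score = vuln.cvss * asset.criticality
    if vuln.exploit_public:
        score *= 1.5
    return round(score, 1)


def match_inventory(assets: List[Asset], feed: List[Vuln]) -> List[Finding]:
    """Join assets to feed records on normalized vendor/product, filter by
    version range, and return findings highest priority first."""
    by_product = {}
    for vuln in feed:
        key = (vuln.vendor.strip().lower(), vuln.product.strip().lower())
        by_product.setdefault(key, []).append(vuln)
    findings = []
    for asset in assets:
        key = (asset.vendor.strip().lower(), asset.product.strip().lower())
        for vuln in by_product.get(key, []):
            if version_in_range(asset.version, vuln.affected_from, vuln.fixed_in):
                findings.append(Finding(asset, vuln, priority_score(vuln, asset)))
    return sorted(findings, key=lambda f: (-f.score, f.asset.hostname, f.vuln.vuln_id))


def impacted_hostnames(new_vuln: Vuln, assets: List[Asset]) -> List[str]:
    """'Are we affected, and where?' for one newly disclosed record, answered
    from the existing inventory instead of a fresh network scan."""
    return [f.asset.hostname for f in match_inventory(assets, [new_vuln])]


VULN_FEED = [  # constructed records with hypothetical IDs and products
    Vuln("V-1001", "Acme", "WebServer", "2.0", "2.4.11", 9.8, True, "Upgrade to 2.4.11"),
    Vuln("V-1002", "Acme", "WebServer", "2.4.0", "2.4.12", 5.3, False, "Upgrade to 2.4.12"),
    Vuln("V-1003", "WidgetCo", "WidgetLib", "1.0", None, 8.1, False, None),
]
ASSETS = [  # constructed CMDB inventory
    Asset("web01", "Acme", "WebServer", "2.4.10", 5),
    Asset("web02", "acme", "webserver", "2.4.11", 3),
    Asset("build01", "WidgetCo", "WidgetLib", "1.3", 2),
    Asset("db01", "Acme", "Database", "10.2", 5),
]
NEW_VULN = Vuln("V-1004", "Acme", "Database", "10.0", "10.3", 7.5, True, "Upgrade to 10.3")

if __name__ == "__main__":
    for f in match_inventory(ASSETS, VULN_FEED):
        print(f"{f.score:5.1f} {f.asset.hostname:8} {f.vuln.vuln_id} "
              f"[{f.vuln.solution or 'no fix yet; mitigate'}]")
    print(NEW_VULN.vuln_id, "impacts:", impacted_hostnames(NEW_VULN, ASSETS))
```

Two details matter in practice. Vendor and product strings must be normalized the same way on both sides of the join (here lower-cased and trimmed; real CMDB data usually needs an alias table as well), otherwise `acme/webserver` on one host silently never matches. And the version comparison is the weak point of any such join: the simple tuple comparison above handles dotted numeric versions only, so a record whose affected range is expressed in a vendor-specific scheme needs its own comparator or it will produce false negatives.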

“Better data matters when it comes to effectively prioritizing and remediating vulnerabilities,” said Jake Kouns, Chief Information Security Officer at Risk Based Security. “With the VulnDB Add-On for Splunk software, our customers can combine the best-in-class vulnerability intelligence from VulnDB with the powerful analysis capabilities of Splunk to mature their vulnerability management program to better respond to growing threats and regulatory requirements.”

Download the VulnDB Add-On for Splunk now on https://splunkbase.splunk.com/app/4220/.


Leaping Forward – Risk Based Security & JFrog Launch 2019 With A New Partnership

Risk Based Security (RBS), the elite provider of comprehensive vulnerability intelligence and vendor risk ratings, is pleased to announce the launch of a new partnership with JFrog, the DevOps technology leader known for enabling liquid software via Continuous Update flows and the creator of Xray, JFrog’s flagship security and compliance scanning solution.

Risk Based Security’s founder and CISO Jake Kouns said of the partnership, “We have known for some time that combining VulnDB with the right partner would produce extraordinary value for the DevOps community. When we surveyed the various tools out there in the marketplace, it was clear that Xray – with its unparalleled visibility into software components and the vision that JFrog leadership has for the product – was where we wanted to be. Together Xray and VulnDB deliver powerful results that enable faster development cycles as well as ensuring much more secure code than other competitors.”

RBS’ VulnDB, which provides ongoing, detailed vulnerability intelligence covering more than 21,000 vendors and spanning over 196,000 vulnerabilities, is built on the principle that better data matters when it comes to effective prioritization and remediation of vulnerabilities. Too often security teams are left struggling with an incomplete picture of their vulnerability exposure landscape. These holes consume valuable time and resources as teams try to fill in the blind spots, or worse, result in a crippling security incident or data breach. Combining comprehensive coverage with speed of delivery, VulnDB solves this problem by delivering continuous, high quality and actionable intelligence for more effective vulnerability management.

JFrog shares RBS’ commitment to innovation and delivering best-in-class solutions. To this point, JFrog’s Xray is widely recognized as the go-to solution for monitoring software as it flows through the pipeline from code into production. As Shlomi Ben Haim, JFrog Co-Founder and CEO explained,  “900% growth YoY and over 2,200 Xray installations tell us that JFrog Xray answers developers’ real security concerns by offering a deep, recursive scanning and impact analysis solution. JFrog offers developers the two fundamental pillars of DevOps: Speed and Security. Therefore, when it comes to our customers’ CI/CD pipelines, we are determined to build more than just a ‘security-alarm-system’ – we are committed to offering a first-class, universal, automated solution to support DevOps at scale.”

About Risk Based Security and VulnDB

Risk Based Security is a recognized leader in vulnerability intelligence, organizational ratings, and on-demand security solutions. Founded in 2011, RBS’ mission is to provide action-quality, comprehensive and timely vulnerability intelligence and in-depth organizational security ratings through innovative, technology enabled solutions. RBS has developed VulnDB, the largest and most comprehensive vulnerability intelligence database available, to provide customers the vulnerability intelligence to address points of risk across the entire organization – from application development, security operations, vendor risk management and procurement. RBS’ Cyber Risk Analytics, (CRA), the most comprehensive data breach and cyber exposure knowledge base available, supports fact-based procurement due diligence, vendor performance monitoring, organizational ratings, and prioritized remediation for high-risk vendors. Leveraging CRA’s risk ratings with VulnDB’s vulnerability intelligence produces the most comprehensive organization security assessment available. RBS products are available via a SaaS Portal, RESTful APIs, and a customized Alerting system.

For more information, please visit: https://vulndb.cyberriskanalytics.com/  and https://www.riskbasedsecurity.com/

About JFrog – the Liquid Software Company

JFrog is on a mission to enable continuous updates through liquid software, empowering developers to code high-quality applications that securely flow to end-users with zero downtime. JFrog is the creator of Artifactory, the heart of the end-to-end Universal DevOps platform for automating, managing, securing, distributing, and monitoring all types of binaries. JFrog products are available as open-source, on-premise, and on the cloud on AWS, Microsoft Azure, and Google Cloud. As the leading universal, highly available enterprise DevOps Solution, the JFrog platform empowers customers with trusted and expedited software releases from code-to-production. Trusted by more than 4,700 customers, the world’s top brands, such as Amazon, Facebook, Google, Netflix, Uber, VMware, and Spotify depend on JFrog to manage their binaries for their mission-critical applications. JFrog is privately held with offices across North America, Europe, and Asia.

Learn more at jfrog.com

Risk Based Security Announces Sponsorship and Integration With OWASP Dependency-Track

Risk Based Security is pleased to announce our sponsorship of the OWASP Dependency-Track project and corresponding integration of VulnDB data into the Dependency-Track platform. 

Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components. The platform tracks third-party component usage across all applications created or consumed by an organization, and proactively identifies vulnerabilities in components that are placing applications and their users at risk. With the VulnDB integration, platform users now have the option to access more comprehensive vulnerability intelligence for better vulnerability identification and prioritization of remediation efforts. Dependency-Track is designed to be used in an automated DevOps environment and supports integration with OWASP Dependency-Check and industry-standard bill-of-materials formats, both of which can be consumed by Dependency-Track via a Jenkins plugin.

The Dependency-Track project, launched in 2013 in an effort to drive further awareness, adoption, and reduction of supply-chain risk, has elevated the capabilities of open-source SCA through a series of technological milestones, especially in the latest release. Among the newest enhancements is native integration of VulnDB which is both straightforward and extremely simple for organizations to set up. “I’m excited about the Risk Based Security sponsorship and the many benefits their VulnDB data bring to the platform. I’m especially optimistic about what capabilities we’ll be able to deliver in future milestones as we advance the open-source SCA platform even further”, says Steve Springett, project lead for Dependency-Track. 

Use of Dependency-Track can play a vital role in an overall Supply Chain Risk Management (SCRM) program by providing many of the recommendations outlined in the NIST Cybersecurity Framework. Dependency-Track can also be used to monitor vulnerabilities in COTS (commercial off-the-shelf) software. Organizations that also have a VulnDB subscription can see comprehensive vulnerability intelligence directly in the Dependency-Track project; the latest release has built-in support for the VulnDB API. “What Steve and his team have done with the latest release of Dependency-Track is extremely impressive. Further, by ensuring that VulnDB is integrated, it allows organizations to feel comfortable that the components that they care about are being properly monitored for vulnerabilities,” said Jake Kouns, CISO for Risk Based Security. To learn more about Dependency-Track capabilities please view the following video:

If you have any questions or ideas for improvements we would love to hear from you! 
