Ever wondered if your #Java containers hide a ticking time bomb? @MohammadAliEN combines #SpringBoot #DockerScout & #SBOM attestations to lock down the supply chain. Ready to secure your build?
Read: https://javapro.io/2025/07/03/how-to-containerize-a-java-application-securely/
Burning #SBOM or #Vulnerability scanning questions for the Anchore OSS team? Join our live stream every Thursday!
Or just come along and hang out while we noodle on our projects.
https://anchorecommunity.discourse.group/t/july-3rd-open-source-gardening-live-stream/486
"It's more than just software now, it really is a system"βthe insight driving the biggest evolution in supply chain security since SBOMs were invented.
Why SPDX 3.0 redesigned everything around system-level thinking:
π https://anchore.com/blog/spdx-3-0-from-software-inventory-to-system-risk-orchestration/
Is your company planning to start contributing to open source? π My new post shares best practices for corporate upstream contributions, spanning things from legal compliance (CRA is coming!) to building reputation & quality: https://optimizedbyotto.com/post/best-practices-corporate-open-source-contributions/
#OpenSource #SoftwareEngineering #CRA #SBOM
Syft users! π£ We want to hear from YOU! Take our quick 5-question survey to help shape the future of Syft. Your feedback is invaluable! π https://forms.gle/VJZ7idKZgchminYD7
#Syft #SBOM #OpenSource
While everyone's debating SBOM formats, the real revolution is happening:
β Software inventory
β
System risk orchestrator
Legacuy SBOMs weren't built for distributed architectures where risk flows through connections, not just components.
π https://anchore.com/blog/spdx-3-0-from-software-inventory-to-system-risk-orchestration/
Presented at @OWASPLondon Chapter "You secured your code dependencies, is that enough?"
Focus is on things other then SBOM / code imports that will and have in past result in compromises and you should have awareness about.
https://slides.anantshri.info/dzKZn9/you-secured-your-code-dependencies-is-that-enough
The Nordic Software Security Summit is the premier conference on the topic of the EU Cyber Resilience Act (CRA) in the Nordics. Check out our agenda today and enjoy early bird pricing on your registration! https://nsss.se
We have opened for early bird registration to the conference! The program is getting updated every day as we're getting the photos and details from speakers.
Looking forward to meeting you in Stockholm!
You can't secure what you can't seeβand traditional SBOMs can't see the connections where tomorrow's vulnerabilities hide.
How SPDX 3.0 transforms software inventory into system risk orchestration π
π https://anchore.com/blog/spdx-3-0-from-software-inventory-to-system-risk-orchestration/
π‘ "SBOM capabilities opened doors we didn't know existed."
One client's results:
β
CISO-approved POCs that wouldn't happen before
β
Faster sales cycles
β
Positioned as trusted security partner vs vendor
Implementation strategy π https://anchore.com/blog/how-to-respond-when-your-customers-require-an-sbom/
Still relying on outdated security tools?
π No binary scanning
π³οΈ Incomplete #SBOMs
π Missed vulnerabilities
Here are 6 signs it's time to upgrade & what to look for π https://finitestate.io/blog/when-to-upgrade-product-security-tools
#ProductSecurity #IoTSecurity #SBOM #BinaryAnalysis #DevSecOps #SCA #SAST
Burning #SBOM or #Vulnerability scanning questions for the Anchore OSS team? Join our live stream every Thursday!
Or just come along and hang out while we noodle on our projects.
https://anchorecommunity.discourse.group/t/june-26th-open-source-gardening-live-stream/475
I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.
We do complain about CPE quite a bit :)
But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.
https://opensourcesecurity.io/2025/2025-06-purl-philippe-ombredanne/
In case you missed it, here's yesterday's live stream. Best enjoyed at 2x speed :) #security #sbom https://www.youtube.com/watch?v=HZhyaffuiEo
π Executive Order 14028. EU Cyber Resilience Act. FedRAMP updates.
The regulatory tsunami driving SBOM requirements isn't slowing downβit's accelerating.
Most vendors are scrambling.
Smart orgs are riding the wave π https://anchore.com/blog/how-to-respond-when-your-customers-require-an-sbom/
Grab a beverage and join the Syft & Grype team livestream in 5 minutes! #security #sbom https://www.youtube.com/watch?v=HZhyaffuiEo
We're live in an hour! Join us on YouTube for #opensource fun with the Syft & Grype team! #security #sbom
https://www.youtube.com/watch?v=HZhyaffuiEo
π¨ Security teams: Stop manually grepping through your codebase during #zeroday incidents. Learn how to implement production #SBOM inventory that turns "Are we affected by this CVE?" into a simple query. https://get.anchore.com/rapid-incident-response-with-sboms/ #ZeroDay #DevSecOps
The team was busy shipping last week! π’ While Grype got some new scanners, Syft got quality-of-life improvements for enterprise users and better SPDX handling. A rising tide lifts all boats!
See what we were up to: https://anchorecommunity.discourse.group/t/anchore-open-source-weekly-report-week-24-2025/457
#SBOM #OpenSource #SoftwareSupplyChain
