What if the problem is not #proprietary software, but its devs not wising up to using it responsibly?

#dataCollection #dataPrivacy #dataTransparency #freeSoftware #FOSS #openSource #softwareTransparency

With the EU's Cyber Resilience Act, #SoftwareTransparency isn't optional. It's a global mandate.

We're thrilled to announce #SBOM pioneer @allanfriedman.bsky.social is joining the Anchore board to help navigate this new landscape.

Read the full Q&A: https://anchore.com/blog/anchore-welcomes-sbom-pioneer-dr-allan-friedman-as-board-advisor/

How big is the risk of using LLM-generated code from the open source point of view? Check this #openchain webinar describing the latest research on LLM-generated code similarities.

https://openchainproject.org/news/2025/06/05/webinar-llm-compliance?hss_channel=lcp-18146973

#plagiarism #copyright #software #license #compliance #ai #llm #softwaretransparency

SBOMs are essential for modern security. That's why we're launching Anchore SBOM. Get a unified view of your software supply chain, from code to cloud. Meet regulatory demands (NIS2, U.S. EO, etc.) and customer expectations with complete inventory visibility. Details: #SoftwareTransparency #Compliance #RiskManagement

By leveraging modern SSCS practices, organizations gain deeper visibility and design more effective chaos engineering experiments. #chaosengineering #softwaresecurity #supplychainsecurity #securitytesting #blackboxsoftware #softwaretransparency
https://tinyurl.com/mufmyawr

When someone registers a CVE, a vulnerability, for a product the CNA that opens the issue adds a name for the product called a CPE. The owner of the product is not always involved and the name is not very specific. This leads to problems when we try to match names in our SBOM with the names in the CVE and NVD databases to see if there's any issues. A "not found" answer means both "product not found" and "product found, but no CVEs reported" - which is confusing.

The community is heading towards PURL, package URL, as a name specification. The PURL specification will be standardised by ECMA, spearheaded by OWASP, which is a good step forward. It's an extensible naming scheme that can be used for a large variety of packages - NPM, Maven, Linux packaging, crates and more. It can also be used for projects and products outside of these systems.

Naming is important and we do hope that coming versions of the CVE/NVD will adopt PURLs. Check it out at https://github.com/package-url/purl-spec

As other systems already use PURL, make sure you have PURLs in your SBOM!

#PURL #SBOM #CVE #NVD #CNA #CyberSecurity #SoftwareTransparency

In order to keep the costs under control for vulnerability handling in software and other related processes we need to automate the exchange of artefacts between the manufacturer and the customer. My experience of working with Internet-related applications for many years is that we have one global database and other attempts to create global databases will not work, especially if "global" really means "US based". We have to bootstrap any automation and discovery process using the DNS distributed database system. Allowing everyone to create an identifier for software based on their domain, we can create a discovery system that scales.

The vision is to have an identifier I can add to my software platform and it will discover and download the right documents more or less automatically. I think it's doable. What do you think?

#cybersecurity #CRA #EUCRA #softwaresupplychainsecurity #softwaretransparency

Great article from Basil Hess and Nicklas Körtge on Cryptography Bill of Materials (CBOM), the many use cases, and how we're building this capability into #OWASP @CycloneDX v1.6.

https://owasp.org/blog/2023/10/03/CycloneDX-Cryptography-CBOM.html

#SBOM #CBOM #CSRM #SoftwareTransparency #Cryptography #nsm10 #eo14028