You can't secure what you can't see—and traditional SBOMs can't see the connections where tomorrow's vulnerabilities hide.
How SPDX 3.0 transforms software inventory into system risk orchestration 👇
🔗 https://anchore.com/blog/spdx-3-0-from-software-inventory-to-system-risk-orchestration/
The team was busy shipping last week! 🚢 While Grype got some new scanners, Syft got quality-of-life improvements for enterprise users and better SPDX handling. A rising tide lifts all boats!
See what we were up to: https://anchorecommunity.discourse.group/t/anchore-open-source-weekly-report-week-24-2025/457
#SBOM #OpenSource #SoftwareSupplyChain
The most successful standards start by doing almost nothing.
HTTP in 1991: Just GET requests
HTTP today: Powers the entire internet
SBOMs in 2024: "Barely valid"
SBOMs in 2030: ?
Sometimes "useless" is a strategy.
https://anchore.com/blog/the-sbom-paradox-why-useless-today-means-essential-tomorrow/
Kate Stewart spent 14 years building something everyone thinks is useless.
Plot twist: That's exactly why SBOMs will succeed.
The "useless" label isn't a bug—it's the feature that ensures adoption.
Blog on the SBOM paradox: https://anchore.com/blog/the-sbom-paradox-why-useless-today-means-essential-tomorrow/
"Which applications use Log4j?"
"How fast can we respond to CVEs?"
"Are we compliant with EU CRA?"
Can your team answer these questions in minutes or days?
SCA + SBOM = Minutes Manual processes = Days/Weeks
On June 12th, Matt will be joining a panel at IMC's IoT Days Summer Conference to discuss how global manufacturers can operationalize security throughout the software supply chain.
Reserve your spot https://www.bigmarker.com/horizon-house-publications/track-3-security-by-design-default-breach-defense-as-embedded-concept?utm_bmcr_source=fst
Dario & Tim will be at #InfosecurityEurope June 3–5 — no booth, just real convos.
Want to talk SBOMs, IoT security, or CRA prep? Look out for them on the conference floor
Anchore extends its container security offering with Bring Your Own SBOM support! Anchore SBOM provides a centralized platform for viewing, managing, and analyzing SBOMs, giving organizations comprehensive visibility into their software supply chains. Learn more about how you can identify and mitigate security and compliance risks: https://anchore.com/news/anchore-releases-bring-your-own-sbom/ #SBOM #SoftwareSupplyChain #Anchore
🚨 Critical alert for developers & security teams! 🚨
Over 70 malicious npm & VS Code packages have been uncovered, targeting developers by:
🐍 Embedding data- & crypto-stealing scripts
🐱💻 Exploiting helper libraries & legitimate-looking extensions
⚡ Using advanced obfuscation, Discord webhooks, & multi-stage payloads
💥 Even sneaking malware through browser extensions + phishing chains
This highlights why software supply chain security is no longer optional — attackers are innovative, patient, and increasingly targeting developers’ environments.
If you use npm, VS Code, or build in Solidity, audit your environments now. Stay ahead with continuous monitoring, threat intelligence, and team awareness.
How is your org strengthening its supply chain defenses?
#Cybersecurity #SoftwareSupplyChain #npm #VSCode #ThreatIntelligence #Malware
https://thehackernews.com/2025/05/over-70-malicious-npm-and-vs-code.html
Join our launch webinar on June 4th at 10 AM PT to learn how Anchore SBOM helps you establish visibility & manage risk in your software supply chain. We'll cover importing SBOMs, validating integrity, and addressing vulnerabilities. Register now: https://go.anchore.com/introducing-anchore-sbom.html #SBOM #SoftwareSupplyChain #DevSecOps
As #SoftwareSupplyChain attacks rise, verifying #SBOM quality is vital to identifying hidden risks, managing 3rd-party dependencies & meeting global compliance standards. Catch up on Beecham Research's webinar to learn what good looks like & why it matters
https://beecham-research.webinargeek.com/securing-enterprise-iot?cst=as
Matt will be on the panel "Security by Design/Default: Breach Defense as Embedded Concept" at #IMC's IoT Days Summer event (June 12th), joining the conversation on how global leaders are embedding resilience into the #SoftwareSupplyChain.
Announcing Anchore SBOM! Gain comprehensive visibility & transparency into your software supply chain with our new capabilities in Anchore Enterprise. Manage internal and external SBOMs in a single location to track software supply chain issues and meet compliance requirements. Learn more here: #SBOM #SoftwareSupplyChain #Security #Anchore
Open-source vulnerabilities keeping you up at night? 😬 ActiveState’s platform is here to help. From proactive risk prioritization to precision remediation, we make managing open-source security simple, scalable, and effective.
🎥 Watch our latest video to see how we reduce open-source risks: https://www.activestate.com/resources/videos/reduce-open-source-risk/
#OpenSource #DevSecOps #CyberSecurity #SoftwareSupplyChain #RiskManagement
📢 IoT cybersecurity is now a boardroom priority.
Matt joined @BeechamResearch & Aeris to unpack the latest in #SoftwareSupplyChain security—from global regs like EU CRA to why SBOMs & visibility are non-negotiable 👉 https://finitestate.io/blog/bridging-iot-security-gap-webinar-summary
Global software, local laws. Part 4 of Steve Poole’s series dives into export controls #AI liability & compliance in a divided world. Regional hosting, risk audits & readiness matter more than ever.
👉Read: https://javapro.io/2025/04/10/move-fast-break-laws-ai-open-source-and-devs-part-4/
What’s shaping the future of cybersecurity in 2025? ActiveState’s insights from RSA reveal critical trends in open-source security and software supply chain resilience. From compliance to proactive threat mitigation, these takeaways are a must-read for security professionals and developers alike.
🔗 Read the blog: https://www.activestate.com/blog/learnings-top-security-trends-from-activestate-at-rsa-2025/
#CyberSecurity #OpenSource #SoftwareSupplyChain #DevSecOps #RSAC2025 #ApplicationSecurity
Until these tools learn how to properly trust sources, check them yourself, and ensure their trustworthiness before using them.
I'm wondering if some kind of trust ecosystem could work here, though? It wouldn't be hard for the AIs to verify digital signatures, right?
#supplychainsecurity #supplychainattack #LLMs #factchecking #softwaresupplychain #SoftwareSupplyChainSecurity #ai #packagemanagement #weboftrust #factchecking #digitalsignatures
Think EU laws don’t affect you? The Brussels Effect is real – and it’s just the start. Steve Poole reveals why your stack isn't safe anywhere.
👇 Read Part 2 of his series: https://javapro.io/2025/04/03/move-fast-break-laws-ai-open-source-and-devs-part-2/
Syft v1.23.0 is out! 🎉 Now detecting R packages in directories, JS assets in .NET via libman, Chrome binaries, and undeclared Python licenses. Plus, faster scans by optionally skipping archive extraction!
#SBOM #OpenSource #SoftwareSupplyChain
https://github.com/anchore/syft/releases/tag/v1.23.0
