The vast majority of off-the-shelf software is composed of imported components, whether that's open source libraries or proprietary code. And that spells a security danger: if someone can subvert one of those components, they can infiltrate every installation of every application that pulls in that dependency.
"Attackers have realized this, and that it's easy to hide in and attack all those gaps, those third-party components as they get transferred around and reused by different vendors," Dan Lorenc, CEO and co-founder of security specialists Chainguard, told The Register.
"We've seen a huge rise in supply chain attacks over the past couple of years, which has led to increasing awareness and attention in the space," Lorenc added.
This, in turn, has led to increased regulation and attention as government and private industry have taken steps to secure software supply chains and prevent another major incident such as the SolarWinds or Log4j attacks.
For The Register's Supply Chain Security Week, we sat down with Lorenc to discuss these efforts, including one that his startup is spearheading called OpenVEX, an open source specification that aims to jumpstart adoption of the Vulnerability Exploitability eXchange, or VEX.
And because the industry loves its acronyms, VEX is intended to complement another supply-chain security tool called SBOM, or software bill of materials. Where an SBOM lists which components a product contains, a VEX document lets the supplier state whether a given vulnerability in one of those components is actually exploitable in the product, so that consumers can stop chasing findings that do not apply to them.
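To make the SBOM/VEX relationship concrete, here is an added example (not code from The Register, Chainguard or the OpenVEX project) of how a consumer would apply an OpenVEX document to scanner findings against an SBOM. The SBOM, the findings, the vendor name, the document `@id` and the CVE-style identifiers are all constructed placeholders, not real data; the document layout follows the OpenVEX v0.2.0 JSON shape (`@context`, `statements`, `status`, `justification`). The script also performs the check a practitioner should never skip: a `not_affected` statement without a justification or impact statement is an unsupported claim and must be rejected, and when a vulnerability has several statements the most recent one wins.

```python
import json
from datetime import datetime

# Constructed sample SBOM (CycloneDX-style component list); not real data.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample", "version": "1.2.3", "purl": "pkg:apk/example/libexample@1.2.3"},
        {"name": "toolkit", "version": "4.0.0", "purl": "pkg:apk/example/toolkit@4.0.0"},
    ],
}

# Constructed scanner findings; the CVE-style IDs are placeholders, not real CVEs.
FINDINGS = [
    {"purl": "pkg:apk/example/libexample@1.2.3", "vuln": "CVE-0000-00001"},
    {"purl": "pkg:apk/example/libexample@1.2.3", "vuln": "CVE-0000-00002"},
    {"purl": "pkg:apk/example/toolkit@4.0.0", "vuln": "CVE-0000-00003"},
]

# Constructed OpenVEX document (v0.2.0 layout). The second and third statements
# cover the same vulnerability; the later timestamp must take precedence.
OPENVEX = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/2024-001",
  "author": "Example Vendor Security Team",
  "timestamp": "2024-01-10T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-00001"},
     "products": [{"@id": "pkg:apk/example/libexample@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-00002"},
     "products": [{"@id": "pkg:apk/example/libexample@1.2.3"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-00002"},
     "products": [{"@id": "pkg:apk/example/libexample@1.2.3"}],
     "timestamp": "2024-01-12T00:00:00Z",
     "status": "affected",
     "action_statement": "Upgrade to libexample 1.2.4"}
  ]
}""")

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Statuses that still need a human or a patch; "no_statement" means the VEX is silent.
ACTIONABLE = {"affected", "under_investigation", "no_statement"}


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_vex(doc):
    """Return a list of problems; an empty list means the document is usable.

    OpenVEX requires a not_affected statement to carry a justification or an
    impact_statement. Without one the consumer has no basis for suppressing
    the finding, so the document is rejected rather than trusted."""
    problems = []
    for i, st in enumerate(doc.get("statements", [])):
        status = st.get("status")
        if status not in VALID_STATUSES:
            problems.append(f"statement {i}: unknown status {status!r}")
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            problems.append(f"statement {i}: not_affected without justification or impact_statement")
    return problems


def effective_status(findings, doc):
    """Attach the most recent VEX status to each (purl, vulnerability) finding."""
    doc_ts = _parse_ts(doc["timestamp"])
    latest = {}  # (purl, vuln) -> (timestamp, statement)
    for st in doc["statements"]:
        ts = _parse_ts(st["timestamp"]) if "timestamp" in st else doc_ts
        for product in st["products"]:
            key = (product["@id"], st["vulnerability"]["name"])
            if key not in latest or ts >= latest[key][0]:
                latest[key] = (ts, st)
    result = []
    for f in findings:
        key = (f["purl"], f["vuln"])
        if key in latest:
            st = latest[key][1]
            status = st["status"]
            note = st.get("justification") or st.get("action_statement") or ""
        else:
            status, note = "no_statement", ""
        result.append({**f, "status": status, "note": note})
    return result


def triage(findings, doc, sbom):
    """Keep only findings for components actually in the SBOM that VEX has not cleared."""
    if validate_vex(doc):
        raise ValueError("refusing to apply an invalid VEX document")
    known = {c["purl"] for c in sbom["components"]}
    in_scope = [f for f in findings if f["purl"] in known]
    return [r for r in effective_status(in_scope, doc) if r["status"] in ACTIONABLE]


if __name__ == "__main__":
    print(json.dumps(triage(FINDINGS, OPENVEX, SBOM), indent=2))
```

Run stand-alone, the script drops the placeholder CVE-0000-00001 finding (cleared as `not_affected` with a justification), reports CVE-0000-00002 as `affected` because the 12 January statement supersedes the earlier `under_investigation` one, and keeps CVE-0000-00003 as `no_statement` because the VEX says nothing about it. The SBOM is used as the inventory that bounds what the scanner output can legitimately refer to, and the VEX narrows that inventory's findings to the ones that actually need action.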
Tune into the interview above as Lorenc discusses the challenges of securing software supply chains and how each of these acronyms can help. ®