Root

Technology, Information and Internet

Boston, Massachusetts 205 followers

Trust your software 10x faster

About us

Meet Root.io, the security collaboration & transparency platform for software producers & consumers. Ditch the spreadsheets, build trust and unlock the power of rapid software acceptance.

Website
https://www.root.io
Industry
Technology, Information and Internet
Company size
11-50 employees
Headquarters
Boston, Massachusetts
Type
Privately Held
Founded
2024

Updates

  • Root

    🚀 Discover How Root is Transforming Software Security! In our latest interview with TFiR, our CEO, Ian R., and Swapnil Bhartiya explore how Root is setting new standards in software security and ensuring compliance with the NIST Cybersecurity Framework (CSF) 2.0.

    Watch the interview here: https://lnkd.in/ev8dKaek
    For a detailed overview, visit the podcast page: https://lnkd.in/eDgxA7xD

    Ian highlights the challenges many companies face in managing vulnerabilities within their containerized applications and how Root provides a collaborative platform to streamline this process. By establishing a collaborative platform, Root eliminates the challenge of trusting application security. This benefits both developers, who can efficiently verify their applications, and users, who gain confidence in the software's security.

    We'll be at Black Hat Startup City, Booth SC311, next week! Come meet with us to discuss how Root can help secure your software and streamline your development process.

    #ApplicationSecurity #NISTCompliance #Blackhat2024 #Blackhat #CyberSecurity

  • Root reposted this

    Ian R.

    CEO | Entrepreneur | Tech & Cybersecurity Geek

    DEVS vs. CISOs: WE FORCED THEM TO WORK TOGETHER! (This Ended Surprisingly Well...)

    Collaboration is key to securing the software #supplychain, but for many organizations, it's a major hurdle. This challenge stems from balancing developer speed with the benefits of open-source tools, all while addressing new vulnerabilities in the ever-evolving software landscape. In this post, we'll explore 10 key points developers hope CISOs will consider to bridge this gap and build a more secure #development process.

    The Root platform leverages the cloud to streamline app delivery. This cloud-based service directly connects software producers with consumers, promoting trust and #security.

  • Root reposted this

    Ian R.

    CEO | Entrepreneur | Tech & Cybersecurity Geek

    🎉 Exciting News! 🎉 Root is joining forces with industry giants like Cisco, Microsoft, Google, IBM, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency on the OSIM Technical Committee. Together, we can enhance transparency, clarity, and trust in the global software supply chain.

    As Allan Friedman, PhD, aptly states: “We have many of the basic building blocks for software transparency and security, including SBOM, VEX, and CSAF. This work by OASIS will facilitate automation for easier and cheaper implementation and tooling, and help provide a unifying supply chain framework and raise the level of collaboration across industries.”

    I’m excited to collaborate with John Amaral, Benji Kalman, Mickey Gordon, Ayse Kaya, Gururaj Raman, Erez Yalon, Isaac Hepworth, and Jautau White, PhD, MBA, MS, on this initiative! #SBOM #AppSec #SPDX #CSAF #OpenVEX #CycloneDX #OWASP #OASIS

    OASIS Launches Global Initiative to Standardize Supply Chain Information Models

    https://www.oasis-open.org

  • Root reposted this

    OASIS

    We're excited to welcome Root as a new OASIS Sponsor! Root is a software supply chain collaboration and transparency platform built for cloud-native software companies. We look forward to their contributions in enhancing software supply chain security and driving innovation within our community. Interested in joining OASIS? Contact [email protected] or visit our website to learn more: https://lnkd.in/dnw2XZ5C #opensource #openstandards #cybersecurity #OSIM #softwaresecurity #supplychainsecurity #SBOM #informationmodeling #innovation #collaboration #community

  • Root

    🚀 At Root, we're dedicated to building a stronger, more resilient software supply chain. We are proud to announce our active participation as a technical member of the new OASIS Open Supply-Chain Information Modeling (OSIM) Technical Committee. This initiative, supported by industry leaders such as Cisco, Cyware, Google, IBM, Microsoft, SAP, and key governmental agencies, represents a significant step towards enhancing security, transparency, and efficiency within the software supply chain ecosystem. Our commitment to proactive and transparent sharing of security findings, SBOMs, and exploitability information aligns perfectly with the goals of OSIM. We believe that collaboration and open standards are essential for fostering innovation and safeguarding the software supply chain. Stay tuned as we work together with other industry leaders to drive forward this crucial initiative. Together, we can build a more secure and resilient digital future. #SoftwareSecurity #SupplyChainManagement #OSIM #OpenStandards #Root #CyberSecurity

    OASIS

    Great blog post by Cisco's Omar Santos on the new OASIS Open Supply-Chain Information Modeling (OSIM) Technical Committee, which held its 1st meeting this week. https://lnkd.in/ecHcqR4y OSIM is supported by Cisco, Cyware, Google, IBM, Microsoft, Root, SAP, National Security Agency, Cybersecurity and Infrastructure Security Agency, and others. #cybersecurity #informationmodeling #supplychain #openstandards

    Introducing the Open Supply-Chain Information Modeling (OSIM) Technical Committee

    https://www.oasis-open.org

  • Root reposted this

    Ian R.

    CEO | Entrepreneur | Tech & Cybersecurity Geek

    Incorporating open-source software (OSS) into projects can significantly accelerate development but comes with security challenges. The accompanying graphic illustrates a robust framework for managing these risks, ensuring a secure software supply chain. Here’s how adopting these practices can enhance your #security posture:

    1) Automated Security Screening: Leveraging automated tools to scan OSS components immediately upon download is crucial. These tools detect vulnerabilities early, preventing compromised components from entering your development pipeline. This proactive approach reduces the risk of latent vulnerabilities surfacing later in the development cycle.

    2) Intermediate Secure Repository: An intermediate secure repository for initial review and testing provides an additional layer of scrutiny. At this stage, organizations can use software composition analysis (SCA) tools to assess components' security, licensing, and quality before they are widely adopted.

    3) Continuous Monitoring and Alerts: Continuous monitoring is essential even after a component passes initial checks. Automated systems track new vulnerabilities, patches, and licensing changes, ensuring your software remains secure. This ongoing vigilance is critical for maintaining long-term security and compliance.

    4) Developer Notifications and Decision-Making: When #vulnerabilities are detected post-integration, timely notifications enable developers to respond swiftly. This informed decision-making process helps teams address issues before they escalate, whether by applying patches, seeking alternatives, or adjusting their risk management strategies.

    5) Centralized Secure Repository: A centralized repository of vetted components fosters trust and collaboration among development teams. Access to pre-approved, secure components streamlines development processes while maintaining high security standards.

    By implementing these techniques, organizations can transform their software supply chain security. Integrating automated tools, continuous monitoring, and a centralized repository mitigates risks and enhances efficiency and collaboration. This framework offers a transparent, scalable approach to managing #OSS and #SBOMs, ensuring development teams can confidently leverage OSS's benefits while maintaining rigorous security and compliance.

  • Root reposted this

    John Amaral

    Co-Founder and CTO of Root.Io

    From Planning to Deployment: Embedding SCA and SBOMs in the Software Lifecycle 🌀

    While SBOMs and software component analysis tools play similar roles in enhancing software security, they do so in different contexts and modes. SBOMs provide a detailed inventory of all software components, improving transparency and traceability throughout the supply chain. In contrast, software component analysis tools focus on examining these components for vulnerabilities, license compliance issues, and other risks, ensuring the security and integrity of the software.

    An SBOM is a standardized format for capturing detailed information about a software application's components. Generating or consuming an SBOM can significantly enhance your software supply chain security. There are two primary scenarios to consider:

    The Supplier (should..) Provide(s) an SBOM: Ideally, your software supplier provides a pre-built SBOM. This approach is most efficient when the SBOM generation process is integrated throughout the software development lifecycle, from planning to deployment (see graphic: Software Lifecycle). This lifecycle includes phases such as Develop, Build, Test, Release, and more, all contributing to a secure supply chain.

    Self-Analysis is Necessary: This scenario applies to closed-source programs and verifying supplier information. Tools such as binary analysis and reverse engineering are essential for identifying components in closed-source software, while Software Composition Analysis (SCA) tools are indispensable in open-source programs.

    Top 3 Benefits of Using SBOMs and SCA During the SDLC

    1. Identify and Address Vulnerabilities: Using SBOMs and SCA tools throughout the SDLC helps identify and mitigate vulnerabilities at each phase. SBOMs provide a detailed inventory of all components, which is crucial for reference in case of known exploit scenarios. During the Build and Test phases, SCA tools can scan for these known vulnerabilities (see graphic: Risks—CVE-1234, CWE-123), ensuring that issues are caught and resolved early.

    2. Improve Traceability: Integrating SBOMs into the SDLC enhances traceability, tracking changes, and detecting tampering throughout the software supply chain. This is particularly crucial during the Release and Maintenance phases, where continuous monitoring and updates are necessary (see graphic: Certification - FIPS-140, EAL-4).

    3. Manage License Compliance: SBOMs ensure adherence to open-source license requirements, a critical aspect during the Develop and Plan phases. By having a precise inventory of components and their licenses, organizations can avoid legal risks and ensure compliance throughout the development process.

    By embedding SBOMs and SCA tools throughout the SDLC, suppliers and consumers can collaborate effectively to build a more secure and transparent software supply chain ecosystem (see graphic: Supplier and Consumer roles). #security #cyber #sbom #cve

  • Root reposted this

    Ian R.

    CEO | Entrepreneur | Tech & Cybersecurity Geek

    📝 SPDX vs. CycloneDX: The ULTIMATE SBOM FORMAT BATTLE!

    Software Bills of Materials (SBOMs) are critical for managing software transparency and security. They provide a structured approach to capture and communicate details about a software product's components, including their origin, licensing, and potential vulnerabilities.

    Two prevalent SBOM formats are SPDX and CycloneDX, each with distinct characteristics:

    1️⃣ SPDX (Software Package Data Exchange): A mature and comprehensive format designed for detailed software component descriptions. SPDX offers a rich vocabulary to capture information like licenses, copyrights, and relationships between components.

    2️⃣ CycloneDX: A lightweight and user-friendly format gaining popularity for its focus on simplicity. CycloneDX prioritizes ease of use and focuses on essential component data, including identification, versioning, and vulnerabilities.

    Key Differences:
    ▪️ Information Depth: SPDX offers a broader range of data points compared to CycloneDX's focus on core component details.
    ▪️ Complexity: SPDX has a steeper learning curve due to its comprehensive nature, while CycloneDX is designed for ease of use and adoption.
    ▪️ Use Cases: #SPDX excels in scenarios requiring in-depth license management and detailed component relationships. #CycloneDX is well-suited for vulnerability identification and streamlined SBOM generation.

    The optimal #SBOM format depends on your specific needs. Consider factors like the required level of detail, integration with existing tools, and organizational priorities.

    🌲 Root helps software producers and consumers share and contextualize these security artifacts as a software #security information broker. When you enhance these SBOMs with #CSAF/#VEX information, this level of transparency becomes a business accelerant.

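The two posts above (John Amaral's on embedding SBOMs and SCA in the SDLC, and the SPDX vs. CycloneDX comparison) describe the SBOM as the component inventory and VEX as the exploitability overlay that turns a raw SCA finding into a decision. The Python script below is an added editorial example, not Root's code and not part of either post, that shows those mechanics end to end: it parses a minimal CycloneDX 1.5 document and a minimal SPDX 2.3 document into one normalised component list (name, version, purl, licence), matches the components against an advisory feed by package URL, and then applies an OpenVEX document so that findings the supplier has marked not_affected or fixed drop out. Every document, the advisory feed, the package names (examplelib, otherlib) and the CVE identifiers (CVE-1234-..., in the same placeholder style as the CVE-1234 in the graphic) are constructed for illustration and correspond to no real product or advisory.

```python
"""Normalise CycloneDX and SPDX SBOMs into one component list, match the
components against an advisory feed, then apply a VEX document to the findings.
Added editorial example: every document and identifier below is constructed
(placeholder package names, purls and CVE ids), not a real SBOM or advisory."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX 1.5 JSON BOM: purl and licence are top-level component fields.
CYCLONEDX_SBOM = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "components": [
  {"type": "library", "name": "examplelib", "version": "1.2.0",
   "purl": "pkg:pypi/examplelib@1.2.0", "licenses": [{"license": {"id": "MIT"}}]},
  {"type": "library", "name": "otherlib", "version": "4.0.1",
   "purl": "pkg:pypi/otherlib@4.0.1", "licenses": [{"license": {"id": "Apache-2.0"}}]}]}"""

# Constructed SPDX 2.3 JSON document for the same two packages: the purl is carried
# as an externalRef and the licence as licenseConcluded.
SPDX_SBOM = """{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
 "packages": [
  {"SPDXID": "SPDXRef-Package-examplelib", "name": "examplelib", "versionInfo": "1.2.0",
   "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:pypi/examplelib@1.2.0"}]},
  {"SPDXID": "SPDXRef-Package-otherlib", "name": "otherlib", "versionInfo": "4.0.1",
   "downloadLocation": "NOASSERTION", "licenseConcluded": "Apache-2.0",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:pypi/otherlib@4.0.1"}]}]}"""

# Constructed OpenVEX document: the supplier states that the examplelib advisory does
# not affect this product because the vulnerable code is never on an execution path.
OPENVEX = """{"@context": "https://openvex.dev/ns/v0.2.0",
 "@id": "https://example.invalid/vex/example-app-1", "author": "Example Supplier AppSec",
 "timestamp": "2024-06-01T00:00:00Z", "version": 1,
 "statements": [
  {"vulnerability": {"name": "CVE-1234-0001"},
   "products": [{"@id": "pkg:pypi/examplelib@1.2.0"}],
   "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}]}"""

# Constructed stand-in for an SCA tool's advisory feed (purl -> placeholder CVE ids).
SCA_FEED = {"pkg:pypi/examplelib@1.2.0": ["CVE-1234-0001"],
            "pkg:pypi/otherlib@4.0.1": ["CVE-1234-0002"]}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    license: str


def parse_cyclonedx(text: str) -> list[Component]:
    """Extract name, version, purl and licence from a CycloneDX JSON BOM."""
    out = []
    for c in json.loads(text).get("components", []):
        lic = next((e["license"].get("id") or e["license"].get("name", "")
                    for e in c.get("licenses", []) if "license" in e), "NOASSERTION")
        out.append(Component(c["name"], c.get("version", ""), c.get("purl", ""), lic))
    return out


def parse_spdx(text: str) -> list[Component]:
    """Extract the same fields from an SPDX 2.3 JSON document."""
    out = []
    for p in json.loads(text).get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), "")
        out.append(Component(p["name"], p.get("versionInfo", ""), purl,
                             p.get("licenseConcluded", "NOASSERTION")))
    return out


def sca_findings(components: list[Component]) -> list[tuple[str, str]]:
    """Match each component's purl against the advisory feed; returns (purl, cve) pairs."""
    return [(c.purl, cve) for c in components for cve in SCA_FEED.get(c.purl, [])]


def apply_vex(findings: list[tuple[str, str]], vex_text: str) -> list[tuple[str, str]]:
    """Drop findings a VEX statement marks not_affected or fixed for that exact product
    purl; affected, under_investigation and unmentioned findings stay actionable."""
    suppressed = {(prod["@id"], st["vulnerability"]["name"])
                  for st in json.loads(vex_text).get("statements", [])
                  if st.get("status") in ("not_affected", "fixed")
                  for prod in st.get("products", [])}
    return [f for f in findings if f not in suppressed]


if __name__ == "__main__":
    cdx, spdx = parse_cyclonedx(CYCLONEDX_SBOM), parse_spdx(SPDX_SBOM)
    assert set(cdx) == set(spdx)  # both formats describe the same inventory
    print(apply_vex(sca_findings(cdx), OPENVEX))  # only the otherlib finding remains
```

Two design choices matter in practice. Matching is done on the exact purl, so a VEX statement for examplelib@1.2.0 never suppresses a finding for another version of the same package, and a statement whose status is affected or under_investigation is deliberately left in the actionable list rather than silently cleared. A VEX document is a claim made by the supplier; before a consumer lets it suppress anything, the document's origin should be verified (for example by checking its signature or the channel it arrived through), which this example does not attempt.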
  • Root reposted this

    John Amaral

    Co-Founder and CTO of Root.Io

    I’ve heard one message over and over again from software producers: Collaborating on vulnerability information with customers and consumers is painful, time-consuming, and very (very) inefficient. Chalk it up to serendipity; that’s exactly the message we are hearing from the world-leading vulnerability management experts at the first-ever #VulnCon24 this week. I couldn’t think of a more fitting place and time to start talking about what we’re working on next.

    A few days ago, we announced that we’re launching Root.io, a software supply chain security company dedicated to helping software producers share the amazing work their AppSec teams are doing to secure their software with those that care most: their users and customers. I am super excited to be on this journey with Ian R., Mickey Gordon, Benji Kalman, Ayse Kaya, and the rest of our brilliant and dedicated team. I want to thank our co-founders — Gil Zimmermann, Ron Zalkind, and Tsahy Shapsa — and our amazing investors for believing in our mission and helping us get to this moment. Extra special thanks to our users and advisors, who teach us so much every day.

    I’ll be posting more on how we plan to achieve this ultra-important mission over the next several weeks. Meanwhile, we are working hard to build our new platform with our incredible early adopters. Please reach out if you want to be an early adopter or learn more. If you are at VulnCon this week, hit me up. #softwaresecurity #Root #softwaresupplychainsecurity #sbom #vex
