updated sbom section

This commit is contained in:
Brendan McDevitt 2022-08-17 21:55:22 -05:00
parent bafcd1c85f
commit f6f2c3d69c


@ -14,6 +14,9 @@ Some concepts in general that i noted:
Concepts that I learned about:
#### SBOM
Software Bill of Materials. CISA has been pushing it for about a year or maybe a little bit more now. This is basically a list of an inventory of software, the version numbers, ecosystems, their dependencies. An entire trail of what is actually installed on this system. You can't secure something without knowing exactly what is inside of it. There are weird edge cases that have come up in the recent past IE log4j log4shell vulnerabilities that go a little bit deeper into what is required to determine vulnerability or not.
These two urls have all the goto: resources for deep-diving SBOM:
- [cisa](https://www.cisa.gov/sbom)
- [ntia](https://ntia.gov/SBOM)
#### VEX
Vulnerability exploitability exchange.
This can be thought of as a machine-readable security advisory. There is alot of documentation about this one, and I need to learn about it further.
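Review bot: the SBOM paragraph uses "IE log4j log4shell" where "i.e." is meant, and "alot" in the VEX paragraph should be "a lot"; both are in the new lines of this hunk. For consistency with "Software Bill of Materials." under the SBOM heading, the VEX expansion could be capitalized as an acronym expansion too (e.g. "Vulnerability Exploitability Exchange."). The SBOM text says the log4j cases "go a little bit deeper into what is required to determine vulnerability or not" without saying what that deeper requirement is; one sentence naming it (the inventory fields the paragraph already lists, versions and transitive dependencies) would make the point concrete for the reader of these notes.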