Securing your software supply chain means identifying and managing the risks hidden inside every open-source component, library, and dependency your application relies on — and that process starts with understanding what's actually in your software. OPSWAT's George Prichici walks through the threat landscape, the weak links attackers exploit, and what organizations need to do beyond generating an SBOM.

You'll learn how modern software development's reliance on open-source components creates compounding risk through transitive dependencies, why a Software Bill of Materials (SBOM) is the foundation of supply chain visibility, and what compliance and risk management obligations now apply across critical infrastructure sectors including defense, energy, banking, and manufacturing.

*TOPICS COVERED*
- What a Software Bill of Materials (SBOM) is and why it matters for application security
- How open-source dependencies and transitive dependencies introduce hidden risk
- The threat landscape targeting software supply chains and the weak links attackers exploit
- Why SBOM alone is not sufficient and what additional steps organizations must take
- Compliance and transparency requirements affecting critical infrastructure verticals
- Best practices for managing software supply chain risk in high-sensitivity environments

*KEY MOMENTS*
00:00 How to secure the software supply chain (webinar goals)
02:00 Why critical infrastructure teams prioritize supply chain security
03:50 What is an SBOM and why it matters
07:10 Why transitive dependencies break SBOM visibility
09:00 SBOM regulations (CISA, NSA, NCSC, EU, ISO)
11:00 SBOM vs SCA: inventory vs vulnerability mapping
12:40 How typosquatting hits npm and PyPI
16:10 How to secure the AI supply chain (pickle RCE, PyTorch typosquats)
19:50 Seven weak links: open source, licenses, SBOM gaps, vendors
26:00 How to block malware in container images
27:30 How to prevent secrets leaking into Git history
30:10 How to add a CI/CD security overlay (SBOM, CVEs, malware, secrets)

*KEY CONCEPTS*
- SBOM (Software Bill of Materials): A detailed inventory of all open-source and closed-source components, libraries, and dependencies used in a software application, used to provide transparency into what a piece of software is made of and the risks associated with its ingredients.
- Transitive dependencies: Software components that are not directly imported by a developer but are pulled in automatically as dependencies of the libraries they do use, creating layers of indirect risk that may not be immediately visible.
- Typosquatting: An attack technique where a threat actor publishes a malicious software package under a name that closely resembles a legitimate, widely used library, hoping developers will accidentally install it by mistyping the package name.
- SCA (Software Composition Analysis): The process of mapping the components identified in an SBOM to known vulnerabilities, providing the vulnerability management layer that complements the inventory function of an SBOM.

*OPSWAT SOCIAL*
- *Website:* https://opswat.com
- *LinkedIn:* https://linkedin.com/company/opswat
- *Reddit:* https://reddit.com/r/OPSWAT/
- *Twitter:* https://twitter.com/opswat
- *Facebook:* https://facebook.com/opswat
- *Instagram:* https://instagram.com/opswat

#SoftwareSupplyChain #SBOM #CriticalInfrastructure #SupplyChainSecurity
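As an added example (not code from the webinar or from OPSWAT), the Python script below shows the key concepts above working together: it reads an SBOM in the CycloneDX JSON shape, walks the `dependencies` graph from the root component to separate direct from transitive dependencies, maps each component to an advisory feed (the SCA step), and, going a little beyond the definitions, reports two review signals: inventory entries that no dependency edge explains, and component names one typo away from a well-known library. The SBOM content, the advisory identifiers (`EXAMPLE-ADV-…`), the allow-list in `WELL_KNOWN` and the look-alike name `urlib3` are all constructed for the sample; the version comparison is numeric-only and stands in for the ecosystem's real version semantics.

```python
# Added example: SBOM inventory -> transitive depth -> SCA mapping -> name review.
import json
from collections import deque

# Constructed sample SBOM in the CycloneDX JSON shape; not a real project's BOM.
# "urlib3" is a constructed look-alike name; charset-normalizer is listed with
# no dependency edge on purpose, to show an inventory/graph mismatch.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:pypi/myapp@1.0.0",
                               "name": "myapp", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/urlib3@1.26.5", "name": "urlib3", "version": "1.26.5"},
        {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
        {"bom-ref": "pkg:pypi/certifi@2023.7.22", "name": "certifi", "version": "2023.7.22"},
        {"bom-ref": "pkg:pypi/idna@3.4", "name": "idna", "version": "3.4"},
        {"bom-ref": "pkg:pypi/charset-normalizer@3.2.0", "name": "charset-normalizer", "version": "3.2.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/myapp@1.0.0",
         "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/urlib3@1.26.5"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@1.26.5", "pkg:pypi/certifi@2023.7.22", "pkg:pypi/idna@3.4"]},
    ],
})

# Constructed advisory feed; the IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "urllib3", "fixed_in": "1.26.6"},
    {"id": "EXAMPLE-ADV-0002", "name": "requests", "fixed_in": "2.30.0"},  # 2.31.0 is not affected
]

# Allow-list of names a look-alike would imitate (constructed for the sample).
WELL_KNOWN = ["requests", "urllib3", "certifi", "idna", "charset-normalizer"]


def parse_version(text):
    """Numeric dotted versions only; enough for the sample, not full PEP 440."""
    return tuple(int(part) for part in text.split("."))


def load_sbom(text):
    return json.loads(text)


def dependency_depths(sbom):
    """BFS from the root component: depth 1 = direct, depth >= 2 = transitive.
    Inventory entries unreachable through the graph are returned separately:
    the SBOM lists them without explaining why they are present."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        ref, depth = queue.popleft()
        if ref in depths:          # BFS: first visit is the shortest path
            continue
        depths[ref] = depth
        queue.extend((child, depth + 1) for child in edges.get(ref, []))
    listed = {c["bom-ref"] for c in sbom.get("components", [])}
    unreachable = sorted(listed - set(depths))
    depths.pop(root)
    return depths, unreachable


def find_vulnerable(sbom, advisories):
    """SCA step: match reachable components against the feed, tagging each hit
    as a direct or transitive dependency so the owner of the fix is clear."""
    depths, _ = dependency_depths(sbom)
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for ref, depth in sorted(depths.items(), key=lambda item: item[1]):
        comp = by_ref.get(ref)
        if comp is None:
            continue
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"advisory": adv["id"],
                                 "component": f"{comp['name']}@{comp['version']}",
                                 "kind": "direct" if depth == 1 else "transitive",
                                 "depth": depth})
    return findings


def edit_distance(a, b):
    """Levenshtein distance, used as a cheap name-similarity signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss_names(sbom, well_known, max_distance=1):
    """Flag inventory names within max_distance edits of a well-known package
    but not equal to it: a review signal for typosquatting, not proof of it."""
    flagged = []
    for comp in sbom.get("components", []):
        name = comp["name"].lower()
        for known in well_known:
            if name != known and edit_distance(name, known) <= max_distance:
                flagged.append((comp["name"], known))
    return flagged
```

Calling `find_vulnerable(load_sbom(SAMPLE_SBOM_JSON), SAMPLE_ADVISORIES)` returns a single finding, on `urllib3@1.26.5`, tagged `transitive` at depth 2: nothing the developer imported names `urllib3`, so a review of the top-level manifest alone would never attribute the advisory to this application. `dependency_depths` also returns `charset-normalizer` as listed-but-unreachable, and `near_miss_names` pairs `urlib3` with `urllib3`; both are prompts for a human to check the lockfile and the package's provenance, not verdicts. A production SCA pipeline would replace `parse_version` with the ecosystem's own comparison rules (PEP 440 for PyPI, semver for npm) and the constructed feed with a real advisory source.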