OWASP Dependency-Track 5.0 is GA, built for enterprise scale: early adopters ingested 20K+ SBOMs/hour and ran single instances with 250K+ projects and 2M+ components. Now with horizontal HA, crash safe processing, and supply chain integrity checks.
dependencytrack.org #SBOM
Today, I attended a session on @DependencyTrack, where an interesting case study on @monzo Bank was presented by Michael Macnair. It highlighted how they transitioned from a traditional security approach to a more SBOM-driven software supply chain security model.
Monzo Bank's Journey to Software Supply Chain Security with SBOMs & Dependency-Track
🔍 Old Approach:
• No SBOM (Software Bill of Materials) generation.
• Security scans were done using proprietary scanners and in-house tools directly on the code.
🚀 New Approach:
• Started generating SBOMs using tools like Syft.
• Pushed these SBOMs to Dependency-Track, a popular SBOM management platform.
• Leveraged SBOM-driven security analysis for better visibility and risk management.
This shift not only improved their security posture but also helped them step into the world of modern software supply chain security, keeping an eye on vulnerabilities in their third-party components, which was lacking in the old architecture.
This case study is a great example of how organizations can move beyond traditional scanning and embrace SBOMs for a more structured and proactive approach to security.
What are your thoughts on this transformation? Have you seen similar shifts in your organization, or are you still waiting to shift? Let’s discuss! 🔍💡
Thanks to Michael Macnair for sharing...
#OWASP #OpenSource #CyberSecurity #SBOM #CycloneDX #DependencyTrack #SoftwareSupplyChainSecurity
Join our community meeting next Wednesday, 2nd April at 4-5PM UTC for a presentation from our friends at #Monzo Bank!
Learn how they replaced a proprietary vulnerability scanner with #CycloneDX #SBOMs & DT.
Calendar: dub.sh/dtcalendar
Zoom: dub.sh/dtzoom
OWASP Members change the world. Your membership helps shape the organization and drives our projects and community. If you are not a member or are due for renewal within 60 days, please join or renew today and get 10-25% off!
owasp.org/membership > Memberships > Apply
As a reminder, you can watch the recordings, and access the slides, of all previous meetings here: github.com/DependencyTrac…
The next community meeting will take place as per usual schedule on December 4th. See you there!
The team decided to skip this month’s community meeting, which was originally scheduled for tomorrow (Nov. 6th).
Since the last meeting, we released version 4.12.1 (docs.dependencytrack.org/changelog/#v4-…). We’re aiming to release 4.12.2 in about a week’s time.
Join us in tomorrow's community meeting at 4PM UTC to learn about the new version 4.12.0, which is scheduled for release later today! github.com/DependencyTrac…
Fantastic news for @QuarkusIO users! It's now easier than ever to generate accurate CycloneDX SBOMs for your applications. Massive kudos to the Quarkus team for the thoughtful and developer-friendly implementation!
We released Quarkus 3.14.3 with some additional bugfixes and a new feature: SBOM generation. We don't usually add new features in a micro release, but this is part of the preparation for our upcoming 3.15 LTS release. buff.ly/3B1Wr7G
We'd like to take this opportunity to thank the team at @IBM around Melba Lopez and Caroline Lee, who generously hosted all previous community meetings on their WebEx account. Thanks so much!
With the upcoming community meeting on Sept 4th, we're switching from WebEx to @owasp's Zoom. The calendar invite was updated accordingly.
If you imported the invite to a calendar app, please verify whether the Zoom details are present, and re-import the invite if they're not.
Couldn’t attend this week’s Dependency-Track community meeting? We’ve got the recording.
@nscur0 leads us through the project roadmap. We also have special guests from the CycloneDX #cryptography working group presenting #CBOM. Don’t miss it.
youtube.com/watch?v=0WPvVC…
CBOMs are sexy, you know this right? So if you agree, you should attend the @CycloneDX_Spec meeting tomorrow where you'll learn all about how sexy they are
linkedin.com/events/depende…
Join us for our next community meeting on January 31st at 3PM UTC (10:00am U.S. Eastern)!
Agenda:
- Project / Release Update (~15 min)
- How IBM CISO uses Dependency-Track (~10 min)
- Q&A (~30 min)
Calendar invite:
calendar.google.com/calendar/event… #OWASP #SBOM #CycloneDX #EO14028