Friday, June 28 • 10:30am - 11:15am
I can’t cope! How OWASP is helping to manage vulnerability overload

You may have noticed that the number of new vulnerabilities being reported is increasing at a significant rate (over 15% in 2023). For the many organisations that already struggle to keep on top of the vulnerabilities to be fixed, this is not good news, and there is always the danger of missing the really important one, which leads to an incident resulting in a data exploit, ransomware attack or similar issue.


And with legislation now starting to demand a greater focus on improving software security and resilience across many sectors, this significant challenge needs some new approaches.


This talk will demonstrate how you can manage software vulnerabilities more effectively by increasing the transparency of all of the components used in your application through the use of Software Bills of Materials (SBOMs), and in particular CycloneDX. An SBOM provides a better understanding of how all of the components (particularly third-party components) are used, which in turn makes it possible to better understand the impact that a vulnerability could have on the users of the application.


A key use case for SBOMs is as part of a vulnerability management activity. However, many of the reported vulnerabilities are not exploitable in the context in which the application has been constructed, and valuable time and resources can be wasted fixing vulnerabilities that do not need to be fixed. Fortunately, there is a developing solution for this problem: by leveraging a number of OWASP projects and standards, organisations will be able to focus on the vulnerabilities which represent the greatest risk and save valuable time and effort in the remediation process.


Speakers
Anthony Harrison

Founder and Director, APH10
Anthony Harrison has been developing and delivering mission-critical applications for over 40 years, working on various complex programmes where he held various roles in software, systems and cyber engineering as well as providing technical leadership for a number of programmes. He...


Friday June 28, 2024 10:30am - 11:15am WEST