
SBOMs are critical to AppSec — but only the first step in your journey
Here's what to focus on for a comprehensive approach to application security across your entire software development pipeline.

Freelance technology writer. John's work has appeared in The Boston Globe and Boston Herald, as well as CFO, CIO, CSO, and Inc. magazines. He is a former managing editor of the Boston Business Journal and Boston Phoenix, as well as a staff writer for Government Security News.


A PHP repository vulnerability threatened millions of sites. Here's why you need to make an SBOM the first step in your software supply chain security journey.

With reliance on third-party sources and supply chain attacks both surging, Gartner expects adoption of SBOMs to go from less than 5% now to 60% in 2025.

Here's what you need to know about the new OpenSSF npm security best practices.

Software bills of materials will never be a panacea for software supply chain security. Here are key trends that will deliver some welcome evolution, however.

The National Vulnerability Database represents a minority of software supply chain threats. With attacks surging, teams must shift focus from vulnerabilities to malware.

The National Vulnerability Database does not tell the full story of software risk. Here's why the NVD — and your AppSec approach — needs to be modernized.

Here is a run-down of the 10 streams from OpenSSF's Open Source Software Security Mobilization Plan.