Software supply chain and vulnerability assessment with syft and grype

Science & Technology

Software supply chain vulnerabilities have resulted in large-scale attacks in recent years. Understanding the supply chain in an organization is difficult since so much software uses external dependencies. Further, many different applications distributed across a network add additional complexity and make software inventory difficult.
Thank you to all of our Patrons for sponsoring DFIR Science. Especially The Ranting Geek. Thank you so much! And welcome to our newest Patron Kelsey Loftus - ✨ Supporter and newest subscriber Thanh nguyen huu !
00:00 Software Supply Chain
00:17 Getting Syft from Git
01:14 Syft test run
01:43 Syft local directory scan
02:36 Output overview
03:07 Search for specific installed software dependencies
03:31 Download Grype from Git
04:20 Run grype on syft sbom
04:58 Find specific vulnerability with grype
05:19 grype detail output for vulnerable path
05:56 syft and grype network scanning design
In this video we show how to automate network asset scanning of a Linux/Unix server, Docker container, macOS workstation, or Windows client. We use Syft to create a Software Bill of Materials (SBOM) from a Linux directory scan. If stored centrally, this SBOM can be used to quickly identify which applications are installed on a system and which dependencies that software has installed.
We then use grype to conduct a vulnerability assessment on the resulting SBOM to detect software and dependencies with known vulnerabilities. Very often, software dependencies are not properly updated and contain critical vulnerabilities.
Deploy Syft on assets in your network to create a weekly software bill of materials. Save each SBOM in a centralized repository or database. Scan all SBOMs with grype to quickly identify exactly which systems have vulnerable software and software dependencies.
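The weekly collect-store-scan loop described above, written out as an added example (this is not code from the video or from the anchore projects). It assumes `syft` and `grype` are on PATH, that the central store is a plain directory tree (one folder per host, one SBOM per scan day; the path `/var/lib/sbom-store` is an assumption), and that grype's JSON report carries a `matches` list whose entries hold `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.versions` and `artifact.name`/`version`/`locations[].path`. The two reports in `SAMPLE_REPORTS` are constructed stand-ins for grype output, so the triage step runs offline; the CVE ids in them are placeholders.

```python
"""Collect an SBOM per host with syft, scan it with grype, triage the findings.

Added example, not part of the DFIR Science video or the syft/grype projects.
Assumptions: syft and grype on PATH; grype JSON field names as listed below.
"""
import json
import shutil
import socket
import subprocess
from collections import defaultdict
from datetime import date
from pathlib import Path

SBOM_STORE = Path("/var/lib/sbom-store")  # central repository root (assumed path)

# grype severity labels, ranked so findings can be filtered and sorted
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1,
                 "Negligible": 0, "Unknown": 0}


def sbom_path(hostname: str, day: str = None, store: Path = SBOM_STORE) -> Path:
    """One SBOM per host per scan day, e.g. <store>/web01/2023-01-15.syft.json."""
    day = day or date.today().isoformat()
    return store / hostname / f"{day}.syft.json"


def generate_sbom(scan_dir: str, out: Path) -> None:
    """Run syft over a directory (dir: source) and save the JSON SBOM to `out`.

    Writing the file ourselves avoids shell redirection, which is the problem
    the Windows comment below runs into.
    """
    if shutil.which("syft") is None:
        raise RuntimeError("syft not found on PATH")
    out.parent.mkdir(parents=True, exist_ok=True)
    result = subprocess.run(["syft", f"dir:{scan_dir}", "-o", "json"],
                            check=True, capture_output=True, text=True)
    out.write_text(result.stdout)


def scan_sbom(sbom: Path) -> dict:
    """Run grype against a stored SBOM (sbom: source) and return the parsed report."""
    if shutil.which("grype") is None:
        raise RuntimeError("grype not found on PATH")
    result = subprocess.run(["grype", f"sbom:{sbom}", "-o", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def triage(reports: dict, min_severity: str = "High") -> dict:
    """Map hostname -> vulnerable artifacts at or above `min_severity`.

    `reports` maps hostname -> parsed grype JSON. Hosts with nothing at or
    above the threshold are omitted, so the result is the list of systems
    that actually need attention, each entry carrying the on-disk path.
    """
    threshold = SEVERITY_RANK[min_severity]
    findings = defaultdict(list)
    for host, report in reports.items():
        for match in report.get("matches", []):
            vuln = match["vulnerability"]
            severity = vuln.get("severity", "Unknown")
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            art = match["artifact"]
            findings[host].append({
                "id": vuln["id"],
                "severity": severity,
                "package": f"{art['name']}@{art['version']}",
                "paths": [loc.get("path", "") for loc in art.get("locations", [])],
                "fixed_in": vuln.get("fix", {}).get("versions", []),
            })
        if host in findings:
            findings[host].sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return dict(findings)


# Constructed sample reports standing in for grype JSON from two hosts.
SAMPLE_REPORTS = {
    "web01": {"matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.1"], "state": "fixed"}},
         "artifact": {"name": "examplelib", "version": "1.0",
                      "locations": [{"path": "/opt/app/lib/examplelib-1.0.jar"}]}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libfoo", "version": "2.3",
                      "locations": [{"path": "/usr/lib/libfoo.so"}]}},
    ]},
    "db01": {"matches": []},
}


if __name__ == "__main__":
    # Weekly job on one asset: build this host's SBOM, store it, scan it.
    host = socket.gethostname()
    target = sbom_path(host)
    generate_sbom("/", target)
    print(json.dumps(triage({host: scan_sbom(target)}), indent=2))
```

Run the same script from cron on each asset so the store fills with one dated SBOM per host; the central side then calls `scan_sbom` over every stored file and `triage` over the collected reports, which answers "which systems have the vulnerable dependency, and where on disk" without touching the hosts again.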
Syft can also scan containers and output in multiple formats such as Microsoft's SPDX.
Links:
* github.com/anchore/syft
* github.com/anchore/grype
Recommended books:
Certified Secure Software Lifecycle Professional All-in-One Exam Guide, Third Edition (amzn.to/3fkRWan) - Part VIII is Secure Software Supply Chains
#supplychain #software #vulnerability #incidentresponse
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing and will probably allow its use.

Comments: 8

  • @Lexzee_Lee · 2 years ago

    Thank you for this. Really helpful.

  • @DFIRScience · 2 years ago

    Glad it was helpful!

  • @Hyazoulephant · 2 years ago

    Amazing, thank you.

  • @DFIRScience · 2 years ago

    Thank you for your support!

  • @r.e.434 · 2 years ago

    For Windows this is not really working ...

  • @DFIRScience · 2 years ago

    I used syft in Windows with -o to specify the output file instead of piping the output. Was it syft or grype not working for you?

  • @r.e.434 · 2 years ago

    @DFIRScience syft is it ... it is not detecting anything, and when I do -vv for verbose output it is quite short. I have the feeling something is wrong with the dir value ... maybe I need to look deeper into it. Thanks so far.

  • @DFIRScience · 2 years ago

    @r.e.434 Are you running it across all of C:? What version of Windows? I'll test it too. Thanks!
