The Legacy of Log4Shell and the Future of DevSecOps


Open source adoption has expanded beyond our wildest imaginations, and with it, modern enterprises are developing increasingly complex software projects. As this complexity has increased, reliance on automation has skyrocketed. The slow, manual security practices of the 20th century can’t keep up.

The tension between these ever-accelerating development practices and the inertia of yesterday’s security techniques came to a breaking point at the end of 2021 when Log4Shell was disclosed. Even now, two years later, the initial impact has passed, but we’re still feeling the aftershocks and only now starting to see how the old status quo has actually been disrupted.

In this presentation we will explore the limitations of conventional Software Composition Analysis (SCA) techniques developed in the late 1990s, catalog the promises and ultimate failures of vulnerability-description initiatives like the Common Vulnerability Scoring System (CVSS), and dive into the depths of a relatively new tool - the Software Bill of Materials (SBOM).

SBOMs are deceptively simple: they’re just documents that provide objective, factual details of the software components within a project. This deep inspection is the foundation upon which we can build better risk assessment tools, using modern vulnerability assessment tools such as the Exploit Prediction Scoring System (EPSS).
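To make the "SBOM as foundation for risk assessment" point concrete, here is an added example that is not part of the presentation or of any SBOM tool: it parses a minimal CycloneDX JSON SBOM, joins each component's package URL against a vulnerability feed, attaches EPSS probabilities, and ranks the findings so the highest-probability exploits surface first. The SBOM, the vulnerability feed and the EPSS data are all constructed inline (the CVE ids are placeholders, not real CVEs); the EPSS structure follows the shape of the FIRST EPSS API's JSON response, and the `threshold` value is an assumed policy setting, not a standard.

```python
"""Rank SBOM components by EPSS score.

Constructed, self-contained demo: a CycloneDX SBOM, a purl-keyed
vulnerability feed and an EPSS response are embedded below so the
script runs offline. None of the ids or scores are real.
"""
import json

# Constructed minimal CycloneDX 1.5 document (not from any real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "logging-lib", "version": "2.14.1",
         "purl": "pkg:maven/org.example/logging-lib@2.14.1"},
        {"type": "library", "name": "json-parser", "version": "1.0.0",
         "purl": "pkg:maven/org.example/json-parser@1.0.0"},
        {"type": "library", "name": "http-client", "version": "4.5.0",
         "purl": "pkg:maven/org.example/http-client@4.5.0"},
    ],
})

# Constructed vulnerability feed: purl -> CVE ids (placeholder ids, not real CVEs).
SAMPLE_VULN_FEED = {
    "pkg:maven/org.example/logging-lib@2.14.1": ["CVE-0000-0001"],
    "pkg:maven/org.example/json-parser@1.0.0": ["CVE-0000-0002", "CVE-0000-0003"],
}

# Constructed EPSS data in the shape of the FIRST EPSS API response
# ("epss" is the 30-day exploitation probability, returned as a string).
# CVE-0000-0003 is deliberately absent: not every CVE has a score yet.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.97", "percentile": "0.99"},
        {"cve": "CVE-0000-0002", "epss": "0.004", "percentile": "0.70"},
    ]
})


def parse_cyclonedx(sbom_json: str) -> list[dict]:
    """Extract (name, version, purl) for every component that carries a purl."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a purl there is nothing to match against a feed; skip it.
            continue
        components.append({"name": comp.get("name"),
                           "version": comp.get("version"), "purl": purl})
    return components


def parse_epss(epss_json: str) -> dict[str, float]:
    """Map CVE id -> EPSS probability as a float."""
    return {row["cve"]: float(row["epss"]) for row in json.loads(epss_json)["data"]}


def prioritize(components, vuln_feed, epss_scores, threshold=0.1):
    """Join components to CVEs, attach EPSS, and sort highest probability first.

    `threshold` is an assumed triage policy: findings at or above it are
    flagged urgent. Unscored CVEs are kept (never silently dropped) and
    sorted last so they still get a human look.
    """
    findings = []
    for comp in components:
        for cve in vuln_feed.get(comp["purl"], []):
            score = epss_scores.get(cve)
            findings.append({
                "purl": comp["purl"],
                "cve": cve,
                "epss": score,
                "urgent": score is not None and score >= threshold,
                "unscored": score is None,
            })
    findings.sort(key=lambda f: (f["epss"] is None, -(f["epss"] or 0.0)))
    return findings


if __name__ == "__main__":
    comps = parse_cyclonedx(SAMPLE_SBOM)
    for f in prioritize(comps, SAMPLE_VULN_FEED, parse_epss(SAMPLE_EPSS_RESPONSE)):
        flag = "URGENT" if f["urgent"] else ("UNSCORED" if f["unscored"] else "defer")
        print(f"{flag:8} {f['cve']:14} epss={f['epss']}  {f['purl']}")
```

The useful behaviour is in the join, not the scoring: the SBOM supplies the purl, which is the only identifier stable enough to match a feed, and a component without one is skipped rather than guessed at. Keeping unscored CVEs at the bottom of the list instead of discarding them mirrors how EPSS is meant to be used, as a prioritization signal layered on top of an inventory, not as a filter that hides findings.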

We’ll wrap up with a vision of the not-so-distant future and some practical takeaways you can integrate into your existing workflows right away as you make the move from DevOps to DevSecOps.

Format

Presentation

When

Saturday, April 13, 11:00 AM - 11:45 AM

Where

Room 4
