Sorry Blackberry: You Are Part of the Supply Chain

Today, reporters Betsy Woodruff Swan and Eric Geller at Politico published a story: “BlackBerry resisted announcing major flaw in software powering cars, hospital equipment.” They outline how BlackBerry willfully hid the fact that their key operating system QNX contained a collection of vulnerabilities (originally discovered and named BadAlloc by Microsoft). It seems other companies affected by BadAlloc announced the issue way back in May. Not so...

What is VEX and What Does it Have to Do with SBOMs?

Recently, we have been fielding many inquiries here at aDolus regarding “VEX.” If you are not familiar with this mysterious abbreviation, you’ve fortunately landed in the right place. This blog post explains what VEX is and the crucial role VEX plays within the Software Bill of Material (SBOM) space.

NTIA Publishes Minimum Components of an SBOM

In today’s blog post I’d like to recognize all the hard work done by NTIA (National Telecommunications and Information Administration) and congratulate them on publishing the minimum elements for a Software Bill of Materials… more commonly referred to as an SBOM. In particular, I’d like to give a shout-out to Allan Friedman who has been championing the SBOM cause for some time now. It’s good to see his committed effort captured in this...

Unpacking EO14028: Improving the Nation's Cybersecurity - Pt. 4

Section 3 - Less Fog, More Cloud

Section 3 of the Executive Order, Modernizing Federal Government Cybersecurity, is all about government agencies moving to the cloud and doing it right. If you are someone who believes that the cloud has absolutely no place in the industrial control systems (ICS) world, you are going to hate this section.

Unpacking EO14028: Improving the Nation's Cybersecurity - Pt. 3

So you don’t sell to the Feds…

Today’s blog is going to take a break from analyzing a specific section of the Executive Order on Improving the Nation’s Cybersecurity and focus on who will be impacted by the order.

I got thinking about this last week when Tom Clary posted this insightful comment on LinkedIn:

[This] Executive Order in no way compels private sector critical infrastructure to do anything different. It seems intended to better protect...

Unpacking EO14028: Improving the Nation's Cybersecurity - Pt. 2

Removing Barriers to Sharing Threat Information

On Friday we dissected Section 4: Enhancing Software Supply Chain Security of the new Executive Order on Improving the Nation’s Cybersecurity. Today we will look at Section 2: Removing Barriers to Sharing Threat Information. We’ve also updated the EO14028 Timeline I posted previously to include Section 2 deadlines:

Unpacking EO14028: Improving the Nation's Cybersecurity - Pt. 1

Late Wednesday night President Biden signed the Executive Order on Improving the Nation’s Cybersecurity.

Compared to any Executive Order (EO) I’ve seen, this is a massive and complex policy document: the average length of an EO has been under 3½ pages; most are just 1 or 2 pages. This EO weighs in at 18 pages with 74 actionable directives. Forty-five of those directives have defined due dates, many linked to the completion of other directives....

Verve Industrial and aDolus Partner to Reduce ICS Software Supply Chain Risk

Verve embeds aDolus’ ability to generate SBOMs and validate components

aDolus Technology Inc., a global authority on software intelligence for critical infrastructure, today announced its partnership with Verve Industrial, a leading industrial control system management and cyber security provider. The partnership brings the power of the aDolus FACT™ platform’s IoT/OT SBOM (software bill of materials) analysis and validation into Verve’s...

Three Things the SolarWinds Supply Chain Attack Can Teach Us

Just in case you missed it, a software supply chain attack on the US government and industries is consuming the waking hours of everyone involved in cyber security this week. The attack involved the insertion of a compromised DLL infected with the SUNBURST malware directly into the DevOps environment of SolarWinds’ Orion network monitoring and management software. It was a cunning and subtle infiltration: the package was signed with a valid...