The Authoritative Guide to AI/ML-BOM from CycloneDX just dropped. Full transparency into your AI supply chain: security, compliance, data lineage, reproducibility. AI regulations are here. Be ready.
#AI #AIBOM #SBOM #OWASP #CycloneDX
cyclonedx.org/guides/
Always been a fan of BSD and really excited to see the new direction, starting with 15.
https://canartuc.medium.com/freebsd-laptop-support-why-linux-shouldnt-get-comfortable-02a31fc611be
I made a new thing! like the semver package, but for PURLs: www.npmjs.com/package/purl
`npx purl $specifier` or `npx purl $purl` will validate, normalize, and provide parse info.
add `--check` & it'll contact the relevant registry & verify the package and version exist
(you can import it too)
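The validate/normalize/parse steps described above, as an added example written for this page: a self-contained Package URL parser and canonicaliser in JavaScript that follows the public purl-spec rules. It is not the code of the `purl` npm package, and it implements only a subset of the type-specific rules (npm, pypi, github) to show where normalisation happens; the registry `--check` is not reproduced because it needs network access.

```javascript
// Added example (not the `purl` npm package's code): purl parsing and
// canonicalisation per the public purl-spec, with a subset of type rules.

// Type-specific namespace/name normalisation taken from the purl-spec type definitions.
const TYPE_RULES = {
  npm:    (ns, name) => [ns, name.toLowerCase()],
  pypi:   (ns, name) => [ns, name.toLowerCase().replace(/_/g, "-")],
  github: (ns, name) => [ns === null ? null : ns.toLowerCase(), name.toLowerCase()],
};

// Type: ASCII letters, digits, '.', '+', '-'; must not start with a digit.
const TYPE_PATTERN = /^[a-z][a-z0-9.+-]*$/;
// Qualifier keys: letters, digits, '.', '-', '_'; must not start with a digit; case-insensitive.
const QUALIFIER_KEY = /^[a-z._-][a-z0-9._-]*$/;

function parseQualifiers(raw) {
  const out = {};
  for (const pair of raw.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    if (eq === -1) throw new Error(`malformed qualifier '${pair}'`);
    const key = pair.slice(0, eq).toLowerCase();
    if (!QUALIFIER_KEY.test(key)) throw new Error(`invalid qualifier key '${key}'`);
    const value = decodeURIComponent(pair.slice(eq + 1));
    if (value === "") continue;                 // a qualifier with an empty value is dropped
    if (key in out) throw new Error(`duplicate qualifier key '${key}'`);
    out[key] = value;
  }
  return out;
}

function parsePurl(input) {
  if (typeof input !== "string") throw new TypeError("purl must be a string");
  let s = input.trim();
  if (!/^pkg:/i.test(s)) throw new Error("purl must start with 'pkg:'");
  s = s.slice(4).replace(/^\/+/, "");         // tolerate the non-canonical 'pkg://' form

  // Strip subpath ('#') and qualifiers ('?') from the right first so that '@' or '/'
  // inside them can never be mistaken for a version or namespace separator.
  let subpath = null;
  const hash = s.indexOf("#");
  if (hash !== -1) { subpath = s.slice(hash + 1); s = s.slice(0, hash); }
  let qualifiers = {};
  const q = s.indexOf("?");
  if (q !== -1) { qualifiers = parseQualifiers(s.slice(q + 1)); s = s.slice(0, q); }

  const slash = s.indexOf("/");
  if (slash === -1) throw new Error("purl needs both a type and a name");
  const type = s.slice(0, slash).toLowerCase();
  if (!TYPE_PATTERN.test(type)) throw new Error(`invalid type '${type}'`);
  let rest = s.slice(slash + 1);

  // Version: split once from the right on '@'. A literal '@' in a namespace
  // (npm scopes) must be percent-encoded, so this split is unambiguous.
  let version = null;
  const at = rest.lastIndexOf("@");
  if (at !== -1) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }

  const segs = rest.split("/").filter(Boolean).map(decodeURIComponent);
  if (segs.length === 0) throw new Error("purl is missing a name");
  let name = segs.pop();
  let namespace = segs.length ? segs.join("/") : null;
  if (TYPE_RULES[type]) [namespace, name] = TYPE_RULES[type](namespace, name);

  if (subpath !== null) {
    const parts = subpath.split("/").filter(p => p !== "" && p !== "." && p !== "..").map(decodeURIComponent);
    subpath = parts.length ? parts.join("/") : null;
  }
  return { type, namespace, name, version, qualifiers, subpath };
}

// Percent-encode a path segment or version: encodeURIComponent covers '@', '?', '#'
// and '%' but also encodes ':', which the spec keeps literal.
const encodeSeg = s => encodeURIComponent(s).replace(/%3A/gi, ":");
// Qualifier values additionally keep '/' literal (e.g. repository_url=repo.example.org/release).
const encodeQual = s => encodeSeg(s).replace(/%2F/gi, "/");

function toPurl(p) {
  let out = `pkg:${p.type}/`;
  if (p.namespace) out += p.namespace.split("/").map(encodeSeg).join("/") + "/";
  out += encodeSeg(p.name);
  if (p.version) out += "@" + encodeSeg(p.version);
  const keys = Object.keys(p.qualifiers || {}).sort();   // canonical form: sorted keys
  if (keys.length) out += "?" + keys.map(k => `${k}=${encodeQual(p.qualifiers[k])}`).join("&");
  if (p.subpath) out += "#" + p.subpath.split("/").map(encodeSeg).join("/");
  return out;
}

// Validate, normalise and re-serialise in one step; throws on an invalid purl.
function normalizePurl(input) {
  return toPurl(parsePurl(input));
}
```

The order of splitting matters: subpath and qualifiers come off the right end before the version is looked for, otherwise a `/` or `@` inside a qualifier value would corrupt the name and version. Two purls that differ only in case of the type, qualifier key order, or an empty qualifier canonicalise to the same string, which is what lets a BOM consumer match components against a vulnerability feed.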
Compliance doesn't have to mean endless spreadsheets. 📉
@stevespringett.bsky.social on machine-readable attestations: "A single attestation can attest to multiple standards simultaneously. This saves a l... https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
What you intended to build vs. what you actually built.
@stevespringett.bsky.social explains the power of the Manufacturing BOM to catch drift and compromise in the build pipeline. Don't trust the source;... https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
"The format doesn't really matter... It's really about the content."
We hosted @stevespringett.bsky.social, Chair of the CycloneDX WG, to discuss why the industry needs to stop fighting format wars and st... https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
CycloneDX v1.7 is here!
The latest release strengthens software & system transparency with:
- Cryptography BOM (CBOM)
- Data provenance & citations
- Intellectual property visibility
Learn more: cyclonedx.org/news/cyclone...
#OWASP #SBOM #CBOM #CyberSecurity
Huge congrats to the team. Well deserved! Nest Rocks 🤘
🎉 Big news from the OWASP Nest Team! 🎉
We're thrilled to share that OWASP Nest has officially been promoted from the Incubator level to the Lab level!
www.linkedin.com/feed/update/...
For those of you that despise Liquid Glass, there's a way to disable it on macOS Tahoe.
defaults write -g com.apple.SwiftUI.DisableSolarium -bool YES
This reddit thread has more info. https://www.reddit.com/r/macapps/comments/1nz6tco/open_source_disable_liquid_glass_with_solidglass/
Liquid Glass looks cool in reviews, but is a hot mess on your own device. The thing I hate: everything’s exaggerated in the same way a five year old exaggerates. I have never used accessibility features and shouldn’t have to in order to fix broken design. Buttons, corners: 🤮. Too much wasted space.
Join us on Wed May 28, 2025 in Barcelona for a hands-on hackathon to test Beta 1 of the Transparency Exchange API (TEA) — a new way to securely exchange SBOMs, attestations & more.
Free registration, thanks to @owasp.org and Ecma International.
cyclonedx.org/events/hacka...
#CycloneDX #SBOM
“CVE Data Usage and Satisfaction Survey”
Ends today, April 4, 2025, at 11:59 PM ET!
CVE content consumers, & defenders, this is your opportunity to help enhance the CVE Program & its service offerings
Access the survey here:
forms.office.com/g/hx168RPctg
Join our community meeting next Wednesday, 2nd April at 4-5PM UTC for a presentation from our friends at #Monzo Bank!
Learn how Monzo replaced a proprietary vulnerability scanner with @cyclonedx.bsky.social #SBOMs & Dependency-Track.
Calendar Invite: dub.sh/dtcalendar
Zoom Link: dub.sh/dtzoom
Identifying software is hard!
I'll be on a panel with @stevespringett.bsky.social (OWASP), MegaZone (F5), and Christopher Turner (NIST) at VulnCon to talk about options for software identification in vulnerability management.
9:00 to 9:30 EDT, April 8th.
www.first.org/conference/v...
Honored to be discussing @cyclonedx.bsky.social and machine-readable attestations with Anchore this month. Join me! This is going to be fun and educational for anyone not familiar with CycloneDX Attestations (CDXA). This is an ideal solution for EO 14144 which requires machine-readable attestations.
Understood. And I will absolutely keep that in mind.
@hacks4pancakes.com, you gave one of the best keynotes yesterday at ChiBrrCon that I’ve seen in a very long time. Bravo. Told my wife and a few co-workers about it and the utterly raw impact it had on many in the audience. Any chance of an encore or recording in the future? Best wishes.
How to pass the OWASP MASVS verification by design?
In Admincontrol, our Android app and iOS app passed the @owasp.org MASVS verification by deciding security requirements and controls using a game. Here is how... https://dev.to/owasp/how-to-pass-the-owasp-masvs-verification-by-design-2cf9 #appsec
The continued innovation happening in @cyclonedx.bsky.social is truly inspiring. This week, it's from the cdxgen team with "cdx1", a family of open-source, SOTA machine learning (ML) models purpose-built for xBOM analysis, validation, and reasoning.
www.linkedin.com/pulse/cdx1-u...
#OWASP #SBOM
Why We Chose CycloneDX Over SPDX #sbom #cybersecurity worklifenotes.com/2025/01/21/w...
I have been on Twitter since Feb 2009 and today, I have deactivated the account. While I am unable to make public political statements, it's not that hard to figure out. The projects that I lead or co-lead will continue to have a presence on the site, but I will not.
📌 Excited to share my upcoming book, "Alice and Bob Learn Secure Coding," with you all! Learn from real-world examples, practical advice, and insightful anecdotes. Stay tuned for the release on Feb 5th! shehackspurple.ca/bo...
At the first ever KoalaCon @owasp.org shared insights into how TEA (Transparency Exchange API) can help automate your product lifecycle. This will be essential to dependency management and vulnerability management in the future. And you can be part of it! #cybersec #appsec #dependency-management
KoalaCon 2024 was a huge success. Thank you to all the speakers, including Olle E Johansson, Anthony Harrison, Niklas Düster, Viktor Petersson, and Piotr P. Karwasz. Couldn't attend? No worries, the recording is available on YouTube.
youtu.be/NStzYW4WnEE?...
#OWASP #SBOM #SoftwareTransparency
Black Friday, a day to be exposed to surprising reset password flows. Password in email, repeatedly the same verification token, etc.
OWASP has a great Forgot Password Cheat Sheet if you ever find yourself implementing a forgot-password service: cheatsheetseries.owasp.org/cheatsheets/...
🎉 Don't miss out on this thrilling opportunity! Get your SUPER Early Bird Tickets for 2025 #OWASP Global #AppSec EU in Barcelona now! Book your spot at a special discounted rate for the May conference. Hurry, these prices are only for a limited time!!! REGISTER TODAY: owasp.glueup.com/eve...
#AI
Some of the projects I'm involved with have established bsky accounts recently. Check out:
OWASP CycloneDX (ECMA-424)
@cyclonedx.bsky.social
OWASP Dependency-Track
@dependencytrack.bsky.social
Ecma Technical Committee 54
@tc54.bsky.social
Yup that was me. Waited a long time just for the invite as well. Would check in from time to time, but over the last month it’s been really interesting to see the growth. Feeling optimistic.
👀