sbom: sboms and LLMs
By seclists.org. Published On :: Wed, 11 Sep 2024 17:52:39 GMT
Posted by Dave Aitel via Dailydave on Sep 11

People doing software security often use LLMs more as orchestrators than anything else. But there are so many more complicated ways to use them in our space coming down the pipe. Obviously the next evolution of SBOMs <https://www.cisa.gov/resources-tools/resources/cisa-sbom-rama> is that they represent not just what is contained in the code as some static tree of library dependencies, but also what that code does in a summary fashion...
sbom: Re: sboms and LLMs
By seclists.org. Published On :: Thu, 12 Sep 2024 10:18:40 GMT
Posted by Isaac Dawson via Dailydave on Sep 12

Well this is rather timely! Although I'm not sure using an LLM for the behavioral aspect is entirely necessary. I've been working on an experimental system that does just what you talk about for dependencies (https://docs.gitlab.com/ee/user/application_security/dependency_scanning/experiment_libbehave_dependency.html, pre-alpha!). My solution uses static analysis because I'm a fan of determinism. Snark aside, looking at behaviors...
sbom: Re: sboms and LLMs
By seclists.org. Published On :: Thu, 12 Sep 2024 20:19:48 GMT
Posted by Adrian Sanabria via Dailydave on Sep 12

We've been talking about and giving "Beyond the SBOM" presentations for a while now, but to your point, I don't see anyone actually doing it. If Solarwinds said "here's a script that will lock down your host firewall to just the outbound access our tools need to update themselves", that would be amazing, and would have saved everyone some time and trouble a few years ago. And Biden's EO...