Software supply chain and vulnerability assessment with syft and grype

Software supply chain vulnerabilities have resulted in large-scale attacks in recent years. Understanding the supply chain in an organization is difficult since so much software uses external dependencies. Further, many different applications distributed across a network add additional complexity and make software inventory difficult.

In this video, we show how to automate network asset scanning - either a Linux/Unix server, docker container, MacOS workstation, or Windows client. We use Syft to create a Software Bill of Materials (SBOM) based on a Linux directory scan. This SBOM, if stored centrally, can be used to quickly identify which applications are installed in a system as well as what dependencies that software has installed.

We then use grype to conduct a vulnerability assessment on the resulting SBOM to detect software and dependencies with known vulnerabilities. Very often, software dependencies are not properly updated and contain critical vulnerabilities.

Deploy sift on assets in your network to create a weekly software bill of materials. Save the SBOM into a centralized repository or database. Scan all SBOMs with grype to quickly identify exactly which systems have vulnerable software and software dependencies.

Syft also has the ability to scan other containers or output in multiple formats such as Microsoft’s SPDX.

👍 Subscribe for weekly videos

❤️ Get early access and bonus content - https://www.patreon.com/dfirscience

Links:

• https://github.com/anchore/syft
• https://github.com/anchore/grype

Related books:

• Certified Secure Software Lifecycle Professional All-in-One Exam Guide, Third Edition - Part VIII is Secure Software Supply Chains