_scurity

Outputting CSV findings with Grype & Trivy

Both Grype and Trivy are popular software composition analysis (SCA) tools used predominantly to report on CVEs within container images. However, they can be used in other ways. This post outlines how to scan for CVEs (and GitHub Security Advisories, GHSAs) and write the results to CSV. Both tools can render their scan results through a template, and that is what we will use to produce the CSV. Assumes macOS.
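The program below is an added example and is not code from the post or from either project. It holds the two CSV templates a practitioner would save to disk (Grype: `grype <image> -o template -t grype-csv.tmpl`; Trivy: `trivy image --format template --template "@trivy-csv.tmpl" <image>`) and renders them offline with Go's `text/template` against constructed sample reports, so you can see the exact CSV each tool would emit and why the `{{-` trim markers matter (without them every row is separated by blank lines). The struct fields are the subset of each tool's template data model that the templates touch (Grype's `.Matches[].Artifact` / `.Vulnerability`, Trivy's `Results` slice with `.Target` / `.Vulnerabilities`); that subset, the placeholder vulnerability IDs and the sample JSON are my assumptions, not real findings.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// grypeCSV is the text you would save as grype-csv.tmpl. Field names follow
// Grype's template data model (Matches, Artifact, Vulnerability, Fix).
const grypeCSV = `"Package","Installed","ID","Severity","Fix"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}","{{.Vulnerability.Fix.State}}"
{{- end}}
`

// trivyCSV is the text you would save as trivy-csv.tmpl. Trivy executes the
// template against its Results slice, hence the outer `range .`.
const trivyCSV = `"Target","Package","Installed","Fixed","ID","Severity"
{{- range .}}
{{- $target := .Target}}
{{- range .Vulnerabilities}}
"{{$target}}","{{.PkgName}}","{{.InstalledVersion}}","{{.FixedVersion}}","{{.VulnerabilityID}}","{{.Severity}}"
{{- end}}
{{- end}}
`

// GrypeDoc mirrors only the parts of a Grype JSON report the template uses (assumed subset).
type GrypeDoc struct {
	Matches []struct {
		Vulnerability struct {
			ID       string `json:"id"`
			Severity string `json:"severity"`
			Fix      struct {
				State string `json:"state"`
			} `json:"fix"`
		} `json:"vulnerability"`
		Artifact struct {
			Name    string `json:"name"`
			Version string `json:"version"`
		} `json:"artifact"`
	} `json:"matches"`
}

// TrivyResult mirrors one entry of Trivy's JSON "Results" array (assumed subset).
type TrivyResult struct {
	Target          string `json:"Target"`
	Vulnerabilities []struct {
		VulnerabilityID  string `json:"VulnerabilityID"`
		PkgName          string `json:"PkgName"`
		InstalledVersion string `json:"InstalledVersion"`
		FixedVersion     string `json:"FixedVersion"`
		Severity         string `json:"Severity"`
	} `json:"Vulnerabilities"`
}

// render parses a Go text/template and executes it against data.
func render(tmpl string, data interface{}) (string, error) {
	t, err := template.New("csv").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderGrypeCSV applies grypeCSV to a Grype JSON report.
func RenderGrypeCSV(report []byte) (string, error) {
	var doc GrypeDoc
	if err := json.Unmarshal(report, &doc); err != nil {
		return "", err
	}
	return render(grypeCSV, doc)
}

// RenderTrivyCSV applies trivyCSV to the Results slice of a Trivy JSON report.
func RenderTrivyCSV(report []byte) (string, error) {
	var rep struct {
		Results []TrivyResult `json:"Results"`
	}
	if err := json.Unmarshal(report, &rep); err != nil {
		return "", err
	}
	return render(trivyCSV, rep.Results)
}

// Constructed sample reports with placeholder IDs (not real findings). The
// second Trivy target has no Vulnerabilities key, which must yield no rows.
const sampleGrype = `{"matches":[
 {"vulnerability":{"id":"CVE-2000-0000","severity":"High","fix":{"state":"fixed","versions":["1.2.3"]}},
  "artifact":{"name":"libfoo","version":"1.2.0"}},
 {"vulnerability":{"id":"GHSA-0000-0000-0000","severity":"Medium","fix":{"state":"not-fixed","versions":[]}},
  "artifact":{"name":"bar","version":"0.9.1"}}]}`

const sampleTrivy = `{"Results":[
 {"Target":"alpine (3.18.0)","Vulnerabilities":[
  {"VulnerabilityID":"CVE-2000-0000","PkgName":"libfoo","InstalledVersion":"1.2.0","FixedVersion":"1.2.3","Severity":"HIGH"}]},
 {"Target":"app/requirements.txt"}]}`

func main() {
	g, err := RenderGrypeCSV([]byte(sampleGrype))
	if err != nil {
		panic(err)
	}
	t, err := RenderTrivyCSV([]byte(sampleTrivy))
	if err != nil {
		panic(err)
	}
	fmt.Printf("--- grype ---\n%s--- trivy ---\n%s", g, t)
}
```

Every field is double-quoted, so a comma inside a value such as the Trivy target `alpine (3.18.0)` does not break a row; a literal `"` inside a package name would, since this template does not double it. When run by the real tools the templates see the full data model, so further columns (for example Grype's `.Vulnerability.Fix.Versions` or Trivy's `.Title`) can be added without changing the structure shown here.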


CISA SBOM-a-rama 2023

Sharing some highlights and notes from CISA's SBOM-a-rama, which I attended virtually. The talks fall into three categories: Governments & Industry, CISA Working Groups, and Discussion.


OWASP AppSec Dublin 2023 - Day 2

Previously I said threat modelling was a big theme at the conference, but I think embracing failure would be another. Lots of presenters shared their failures, how they learned from them, and how they grew their programs from those lessons. This is something I've really got behind recently. Another thought I had, especially when people presented solutions, was: what is the role of the product/application security team?


OWASP AppSec Dublin 2023 - Day 1

This week I attended OWASP Global AppSec Dublin 2023. It was good to be back at an OWASP event and connect with some familiar faces, and great to see new faces too. I think the overall attendance was around 500, and it was well run; we were well fed and watered! It was also great to see all four keynotes delivered by women. However, I'm still not sure about the rebrand (Open Worldwide Application Security Project). I get that you have to keep the wasp, though…


Native Docker Like Experience on Mac with Multipass

Moving from Ubuntu to macOS meant losing native Docker support, but luckily Multipass came to the rescue to give a native-like experience.
