[Owasp-leaders] Dependency-Track v3.2 Released (Resend)

Steve Springett steve.springett at owasp.org
Fri Sep 7 14:31:53 UTC 2018

I’m pleased to announce the immediate availability of OWASP
Dependency-Track v3.2. This is the third major release this year and brings
with it some exciting new features including native support for NPM Audit
API, Sonatype OSS Index, and the ability to customize the way the platform
performs scans by allowing each of the supported scanners (NPM Audit, OSS
Index, and Dependency-Check) to be enabled or disabled independently.

I’m especially excited about the customizable notification features that
allow organizations to subscribe to various types of events for the
alerting of new vulnerabilities, vulnerable dependencies, and analysis
decision changes in the platform's built-in auditing engine. Notifications
can be published to Slack, Microsoft Teams, email, or via outbound webhooks
providing new ways organizations can collaborate and automate the response
of various types of findings.

Dependency-Track is available as a Docker container, self-executing war, or
traditional war.

In related news:
One of the related projects that sprung up from Dependency-Track is the
CycloneDX project, a lightweight software bill-of-material (BoM)
specification with security-first design goals. The specification differs
from most other BoM specs which have traditionally focused on legal,
copyright, license, and compliance use cases, especially around open source
policies and for mergers and acquisitions.

NTIA (the National Telecommunications and Information Administration - part
of the U.S. Government) recently invited myself, commercial vendors, and
others in the industry to participate in discussions around the agency's
recommendations for software transparency (aka: bill of materials). The
NTIA has influence into presidential policy which could have a positive
impact for the government and its vendors. I am participating in two
working groups which focus on software transparency use cases as well as
formats and standards. CycloneDX, originally created for Dependency-Track
but not specific to it, is one of several specifications that will be

Regardless of the BoM spec chosen (or if a new spec is created), my hope is
that the outcome from these sessions will yield a security-focused BoM
specification adopted and recommended by the government which in turn will
drive adoption in the commercial and open source software space. I’ll send
occasional updates from the working groups whenever milestones are achieved.

*Steve Springett*
About:   https://about.me/stevespringett
GitHub:   https://github.com/stevespringett
Keybase:   https://keybase.io/stevespringett   <https://www.owasp.org>