DHS Archives - SD Times
https://sdtimes.com/tag/dhs/
Software Development News

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs
https://sdtimes.com/security/openssf-cisa-and-dhs-collaborate-on-new-open-source-project-for-creating-sboms/
Wed, 17 Apr 2024 16:29:58 +0000

The post OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs appeared first on SD Times.

A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom.

The project was created jointly by the Open Source Security Foundation (OpenSSF), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T). 

Protobom allows companies to read software bill of materials (SBOM) data, create their own SBOMs, and translate SBOMs into different standard formats. 

According to OpenSSF, there are many SBOM formats and schemas out there, which can be challenging for companies. The goal of the new project is to provide a “format-neutral data layer on top of the standards that lets applications work seamlessly with any kind of SBOM.”

OpenSSF also explained that by integrating Protobom into applications that link SBOM and vulnerability information, organizations will be able to more quickly access the necessary patches and mitigations to keep their software supply chains safe. 

“Vulnerabilities in software are a key risk in cybersecurity, with known exploits being a primary path for bad actors to inflict a range of harms. By leveraging SBOMs as key elements of software security, we can mitigate the risk to the software supply chain and respond to new risks faster, and more efficiently,” said Allan Friedman, senior advisor and strategist at CISA. “Protobom is a step towards greater efficiency and interoperability by translating across the widely used formats so that tools and organizations can focus on what’s important. It is a positive solution that helps shape a more transparent software-driven world.”

Omkhar Arasaratnam, general manager of OpenSSF, added: “Protobom not only simplifies SBOM creation, but also empowers organizations to proactively manage the risk of their open source dependencies. The security of open source software requires partnership between the public sector, private sector and the community. The OpenSSF is proud to be a part of this mission.”

Seventy-nine percent of mobile malware attacks directed at Android OS
https://sdtimes.com/android/seventy-nine-percent-of-mobile-malware-attacks-directed-at-android-os/
Wed, 28 Aug 2013 00:00:00 +0000

Large market share and open-source architecture put a hacker bullseye on Android’s back

The post Seventy-nine percent of mobile malware attacks directed at Android OS appeared first on SD Times.

According to a joint study by the Department of Homeland Security and the FBI, the Android operating system was the target of 79% of all malware attacks on mobile platforms in 2012.

By comparison, Nokia’s Symbian system was the target of about 19% of attacks, iOS accounted for 0.7%, and Windows Mobile and BlackBerry each accounted for 0.3%, the study found.

The world’s most widely used mobile operating system, Android is the prime target for malware attacks “due to its market share and open-source architecture,” the study explained. The OS is also vulnerable because of the staggering proportion of users still running older versions of Android software.

The study revealed that 44% of Android users still run versions 2.3.3 through 2.3.7—known as “Gingerbread”—all of which were released in 2011 with a plethora of security vulnerabilities that were fixed in later versions.

The report, “Threats to Mobile Devices Using the Android Operating System,” is addressed to police, fire, emergency-medical and security personnel. “The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile OS patched and up-to-date,” it stated.

It also detailed the different ways these malware attacks are delivered, and how to mitigate the threat.

SMS texts represented about half of all malicious applications circulating through older versions of Android OS. The study recommended installing Android security suites, such as AVG Antivirus, Lookout and Norton.

Another attack mode is through rootkits, stealthy malware that evades normal detection and logs the user’s locations, keystrokes and passwords. “In late 2011, a software developer’s rootkit was discovered running on millions of mobile devices,” the study stated. The fix is easy, though: install Carrier IQ Test.

The last crafty form of malware delivery comes from fake Google Play domains, created by cybercriminals to steal login and financial information as users browse and download apps from a lookalike Play Store. The fix isn’t rocket science. According to the study, simply “install only approved applications” and “regularly update antivirus software.”
