Module 6 · Dependency Security and SBOM Management

Manish Garg, Associate of (ISC)² · RingSafe
May 14, 2026

Why this module exists. Modern applications are 80-90% third-party code by line count. Dependency security — knowing what you depend on, monitoring for vulnerabilities, controlling supply chain risk — is the practitioner programme that catches Log4j, XZ, and the next supply chain attack. This module covers SBOM, SCA tooling, and operational patterns.

Your application’s CVE exposure is mostly in its dependencies, not its own code. Managing that exposure requires inventory, monitoring, and a remediation cadence.

SBOM — the Software Bill of Materials

An SBOM is the declared list of components in a software artefact. Two standard formats:

  • CycloneDX: OWASP-led. JSON/XML. Strong tooling support.
  • SPDX: Linux Foundation. Tag/Value or JSON. Strong tooling support.

Both formats record: components, versions, licenses, suppliers, hashes, relationships.
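To make the format concrete, here is an added example (not the module's own code) that loads a constructed CycloneDX JSON SBOM, checks whether a named component at an advisory-listed version is present, and walks the `dependencies` graph to show the chain through which it arrives, which is the question an inventory has to answer during a Log4j-style response. The SBOM content, the `logfacade` package and the hash value are constructed for illustration.

```python
import json

# Constructed CycloneDX 1.5 JSON SBOM (not from the module). The application
# pulls log4j-core in transitively through a hypothetical logging facade.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0.0",
                             "type": "application", "name": "app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/example/logfacade@3.2.0", "type": "library",
     "name": "logfacade", "version": "3.2.0", "purl": "pkg:maven/example/logfacade@3.2.0"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "type": "library",
     "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "hashes": [{"alg": "SHA-256", "content": "placeholder-constructed-not-a-real-digest"}]}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/app@1.0.0", "dependsOn": ["pkg:maven/example/logfacade@3.2.0"]},
    {"ref": "pkg:maven/example/logfacade@3.2.0",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]}
  ]
}"""

def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [child bom-refs]})."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {}
    for dep in bom.get("dependencies", []):
        edges.setdefault(dep["ref"], []).extend(dep.get("dependsOn", []))
    return bom["metadata"]["component"]["bom-ref"], components, edges

def affected_components(components, name, bad_versions):
    """bom-refs matching name and an exact listed version (real SCA uses version ranges)."""
    return [ref for ref, c in components.items()
            if c.get("name") == name and c.get("version") in bad_versions]

def dependency_paths(root, edges, target):
    """Every chain root -> ... -> target in the SBOM dependency graph (iterative DFS)."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in edges.get(node, []):
            if child not in path:          # skip cycles
                stack.append((child, path + [child]))
    return paths
```

Running `dependency_paths` on the hit returned by `affected_components` prints the chain app -> logfacade -> log4j-core, which is what tells a team whether the fix is a direct bump or a transitive override.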
