CSA Official Press Release
Anchore to Contribute Grype Open Source Vulnerability Data to the Global Security Database
Contribution of Grype vulnerability data will advance software vulnerability intelligence and empower users of the Global Security Database to create secure software
SEATTLE - March 29, 2022 - Today the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, announced that the Global Security Database Working Group will receive a contribution of open source vulnerability data from Anchore, a leader in software supply chain security. The contribution will include the enriched vulnerability details used by Anchore’s open source Grype vulnerability scanner.
The Global Security Database Working Group is a broad-based initiative to improve vulnerability discovery, reporting, publication, tracking, and classification in order to radically increase public visibility into critical vulnerabilities. As the requirements for vulnerability identifiers change rapidly, the need surfaced for deeper reporting, clear information, and reduced latency. The working group’s founding members are Josh Bressers, vice president of security at Anchore, and Kurt Seifried, director of special projects at the Cloud Security Alliance.
“Software supply chain security is more important now than ever before. The foundation of supply chain security revolves around software bill of materials and also open and accurate vulnerability data,” said Josh Bressers, vice president of security at Anchore. “I am ecstatic that the Cloud Security Alliance is taking on the challenge of making vulnerability data more open and accurate. Anchore’s Grype data will make a great addition in helping towards the goals of open and accurate data.”
“As an industry, we are challenged by insufficient coverage of the probable vulnerabilities that exist in the wild, due to inadequate industry standards for identifying vulnerabilities and a predisposition to not share vulnerability data among many. We appreciate Anchore's valuable contributions, both in volunteer research contributions into building our Global Security Database (GSD) project and in providing vulnerability data to enrich GSD,” said Jim Reavis, co-founder and CEO, Cloud Security Alliance.
Anchore’s open source project Grype is an easy-to-integrate vulnerability scanning tool for container images and filesystems. This developer-friendly tool helps practitioners secure the software supply chain and protect cloud-native applications.
“As an industry, it's vital that we start talking about how to address the problems around vulnerability discovery, reporting, publication, tracking, and classification. Anchore's contribution of open source vulnerability data serves to jumpstart this conversation and will help immeasurably as we work to make vulnerability data more accurate,” commented Kurt Seifried.
Those interested in participating and sharing ideas can join the Cloud Security Alliance Circle community here or get more information on the Cloud Security Alliance’s website and on GlobalSecurityDatabase.org.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Anchore is a leader in software supply chain security and enables organizations to protect cloud-native applications against software supply chain attacks. Anchore technology embeds continuous security and compliance checks at every stage of the software development process to prevent security risks from reaching production. Large enterprises and government agencies use Anchore solutions to generate a comprehensive software bill of materials, pinpoint vulnerabilities, identify malware, and discover unprotected credentials that can lead to hacks and ransomware. With an API-centric approach, Anchore solutions integrate into the tools developers already use to detect issues earlier, saving time and lowering the cost to fix vulnerabilities. Anchore is recognized on the Forbes 2022 list of America’s Best Startup Employers. To learn more visit www.anchore.com.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.