Webinar
Practical Workflows for Managing Vulnerabilities Using Cloudsmith
Things you’ll learn
- Software Supply Chain Security
- Vulnerability Management
- Cloudsmith
- Security
- Workflow Optimization
Summary
Join us for a webinar on actionable vulnerability management workflows for your software pipelines using Cloudsmith. Understand the critical need to protect your organization’s software integrity from supply chain attacks and hidden vulnerabilities. Learn how Cloudsmith serves as your organization’s central source of truth for builds, mitigating risks, optimizing workflows, and ensuring global distribution. Explore Cloudsmith Navigator to safeguard your IP and prevent security breaches. Don’t risk the consequences of insecure software. Register now!
Transcript
- 00:00:00 Ciara Carey: Hi, I'm Ciara Carey, and this is Cloudsmith's webinar on all things supply chain security and artifact management. Cloudsmith is the only cloud-native universal artifact management platform for securely developing and distributing software. With cyber threats on the rise, effective vulnerability management is more important than ever.
- 00:00:21 Ciara Carey: Today's topic is Practical Vulnerability Management Workflows with Cloudsmith. I'm going to start with an overview of vulnerability management, bring in how Cloudsmith can help, and then I'm going to bring on our VP of Product, **Alison Sickelka**, who has molded some of these features and can talk about how Cloudsmith, as your single source of truth, is a great tool to enhance your vulnerability management workflows.
- 00:00:47 Ciara Carey: And then I'm going to finish with a little demo. Okay, so let's start at the start. What's a vulnerability? A vulnerability is a flaw in your organization's software, and it leaves your software open to attack. It's a potential gateway for attackers to exploit, leading to severe consequences for your organization.
- 00:01:08 Ciara Carey: Examples of critical vulnerabilities are Log4Shell, Heartbleed and Shellshock. The infamous Log4Shell, two years ago now, was capable of facilitating remote code execution. It's a nightmare scenario for any system. So there's a lot of vulnerability terminology. I'll touch on a few of the things I'm going to talk about later.
- 00:01:33 Ciara Carey: So CVEs are Common Vulnerabilities and Exposures. It's a standardized framework for identifying and cataloging security vulnerabilities. There'll be one CVE ID per vulnerability, and each record will have an assigned ID number and a brief description. It's a standardized way to track and record your vulnerabilities.
- 00:01:56 Ciara Carey: And it's the thing that's used in the industry. But having a CVE known is not enough. You need to have a score to help you prioritize it. And the Common Vulnerability Scoring System, or CVSS, is a framework for rating the severity of your vulnerabilities. It's based on the ease and impact of a vulnerability, on a scale from 1, least severe, to 10, most severe.
- 00:02:26 Ciara Carey: These scores can be translated to CVSS ratings for easier understanding. So 10 is critical, and we have high, medium, and low as well. The Log4Shell vulnerability was an easy-to-exploit remote code execution vulnerability with enormous reach, and it was assigned a CVSS severity of 10, or critical, in the CVSS rating system.
- 00:02:51 Ciara Carey: So we've talked about vulnerabilities, but have we talked about vulnerability management? Vulnerability management is the process of identifying, assessing, prioritizing, and mitigating security vulnerabilities within your software organization. This is a really hard problem. And the biggest problem is scale.
- 00:03:10 Ciara Carey: The sheer volume of software and dependencies used in modern applications makes it really difficult to track and to monitor. The dynamic nature of vulnerabilities, with new threats emerging daily, requires constant vigilance. The need to prioritize vulnerabilities based on severity and potential impact, with limited resources.
- 00:03:34 Ciara Carey: And often the lack of communication between development and security teams can lead to delays in remediation efforts. So what does a successful vulnerability program look like? You probably have dedicated teams overseeing vulnerability management efforts. You have visibility on all your artifacts, including your dependencies.
- 00:04:00 Ciara Carey: You have policies for when developers are ingesting dependencies, so that you're not consuming vulnerable packages from the get-go. You have good collaboration between security and dev teams, and you have a way of tracking CVEs and prioritizing updates. And you have adopted streamlined vulnerability identification, assessment and mitigation processes.
- 00:04:29 Ciara Carey: Okay, well, how can Cloudsmith help? Well, Cloudsmith serves as your centralized platform for managing software artifacts, offering comprehensive visibility into dependencies and vulnerabilities across your organization's software supply chain. By integrating scanning, policy enforcement and automation capabilities, Cloudsmith empowers organizations to proactively identify, assess, and mitigate vulnerabilities, mitigating risks effectively.
- 00:04:58 Ciara Carey: One of the best places to stop vulnerabilities is at ingestion, and Cloudsmith recommends that you consume all your open source using package managers, Maven, NuGet, Docker, npm, pip, so that you have a consistent way of consuming your open source dependencies. Cloudsmith enables you to use all this native tooling for the package managers to help you consume open source dependencies securely.
- 00:05:26 Ciara Carey: We also recommend that you proxy and cache your public registries through Cloudsmith's upstreams. This gives you control of all your dependencies, all your software, where you can apply policies to your software to deal with vulnerabilities. Cloudsmith also offers a tool called Navigator, which gives you insights into the quality of open source packages that you might consume.
- 00:05:53 Ciara Carey: So before you introduce new dependencies into your system, check it with Navigator to make sure it's of good quality.
- 00:06:00 Ciara Carey: Cloudsmith also empowers you to enforce rules with Cloudsmith's policy management tools. You can stop packages with vulnerabilities above a certain level from being deployed or downloaded. For particularly difficult vulnerabilities, you can actually have deny list rules to stop packages with
- 00:06:21 Ciara Carey: known bad vulnerabilities like Log4Shell from entering your build system. You can also manage licenses using our policy management system.
- 00:06:31 Ciara Carey: Cloudsmith scans every package and dependency on upload for malware and also scans it for CVEs. You can also rescan vulnerabilities using our API. And you can quarantine if vulnerabilities are found above a certain level.
- 00:06:48 Ciara Carey: Cloudsmith is a great tool for auditing all your software in your organization. We also calculate a signature for every file that is uploaded, and you can verify this.
- 00:07:00 Ciara Carey: If you're a third-party distributor of software, Cloudsmith lets you know who has consumed your software, who has downloaded your software, using entitlement tokens. This is important for vulnerability management when you find a vulnerability above a certain threshold and you want to contact your customers.
- 00:07:23 Ciara Carey: And automation: our APIs and our webhooks facilitate integrations, empowering you to harness security tools beyond Cloudsmith. So now
- 00:07:33 Ciara Carey: I'm going to introduce you to **Alison Sickelka**, VP of Product. Hi, Alison.
- Alison Sickelka: Hi.
- Ciara Carey: Hey, so do you want to tell us about your role in Cloudsmith?
- 00:07:46 Alison Sickelka: Yeah, like Ciara said, I'm **Alison Sickelka** and I head up product at Cloudsmith. So I help us figure out what we need to build to make sure we're delivering value to our customers.
- 00:07:57 Alison Sickelka: I've been with Cloudsmith for just over two years, and it's been really exciting to watch the evolution around artifact management and software supply chain during my time here.
- 00:08:08 Ciara Carey: And why is artifact management important to organizations?
- 00:08:14 Alison Sickelka: Yeah, ultimately, artifact management is at the core of software supply chain security.
- 00:08:19 Alison Sickelka: So what used to be a nice-to-have, a central store of all of your artifacts, is becoming critical to be able to respond, to remediate, and to ensure the security of your software supply chain. You know, that central store of truth lets you easily understand what's in your supply chain. It lets you make sure you have the right controls in place on what sort of artifacts can get into your supply chain from the start, and it helps you quickly understand if you're impacted when an incident does occur. You can quickly come into Cloudsmith and understand where you're impacted.
- 00:08:55 Alison Sickelka: And start your remediation efforts from there.
- 00:08:57 Ciara Carey: Yeah, I remember when Log4Shell came about, about two years ago, and our CTO, Lee Skillen, wrote an article about how to help our users deal with this really difficult vulnerability and let them know if they're vulnerable to it by searching your Cloudsmith organization and your repositories. And he also brought in some features for Log4Shell specifically, and I think that's kind of birthed other features in Cloudsmith.
- 00:09:28 Ciara Carey: That wasn't so much a question, but is that where you saw a changing point in Cloudsmith?
- 00:09:36 Alison Sickelka: Yeah, so Log4Shell happened, I want to say, maybe a month after I started here. And it was really great to see how we could help customers who are using us as a single source of truth.
- 00:09:48 Alison Sickelka: And sort of the power that came with having that central store of all artifacts for some of our customers. Essentially, you know, when an incident like that happens, you don't want to have to be wondering about the impact and chasing down and spending time even just knowing whether you're impacted.
- 00:10:06 Alison Sickelka: You want to immediately be able to start remediation. And so seeing that happen, seeing Lee jump in and help customers understand how they could start to understand impact and begin remediation, it was really great to see that.
- 00:10:20 Ciara Carey: Yeah, so how do artifact management and vulnerability management relate to each other?
- 00:10:29 Alison Sickelka: Yeah, so ultimately, artifact management gives you the central source of truth for every artifact that's used in your system. As you mentioned at the start, Ciara, we recommend that customers are proxying and caching even open source dependencies through us. There's been an explosion in the use of open source software over the past 10 years, and having that central store for all of that data makes it much easier to be able to manage and respond to incidents that happen.
- 00:11:02 Alison Sickelka: So step one is having that central source of truth. From there, you need to be able to have insights and information about those packages. So what are the CVEs? What's the license information? What's the quality of this package? And be able to have that insight. And then Cloudsmith provides that control plane through policy management.
- 00:11:20 Alison Sickelka: So you can say, based on what I know about this package, do I want to let my end users, my customers, access this package or not? And you can programmatically set up those policies and be able to have that control plane over what's happening in your software supply chain.
- 00:11:36 Ciara Carey: Cool. And I know that before policy management, we scanned packages and images. Was it from customers that were asking that scanning alone isn't enough?
- 00:11:51 Ciara Carey: We need a manager to put rules on that. How did that come about?
- 00:11:56 Alison Sickelka: Yeah, so it was always somewhere we wanted to get to. That control plane, that idea of being able to have control, has always been important to us from the beginning, and part of that is just that we have a lot of empathy for our customers who are delivering software at scale.
- 00:12:12 Alison Sickelka: And so we have some really large organizations who are using our tools, and they don't have time to go in and evaluate each CVE that's coming up and decide whether they should or shouldn't let it be part of their software supply chain. They need automation and they need policies around that so that they can manage that quality at scale.
- 00:12:33 Alison Sickelka: And so, you know, I think what we really saw after Log4Shell, and just generally the past few years in the artifact management space, is an expectation of having this level of control and automation around policies and around CVEs. So yes, I think we saw a shift in what our customers were asking for as they understood more the value that can come from having that central source of truth, and then just being able to level up from knowing CVEs, to having policies, to having automation around those policies to be able to begin remediation.
- 00:13:10 Ciara Carey: And how do we power that automation?
- 00:13:14 Alison Sickelka: Yeah, so we think it's really important to keep in mind the end developer experience, whether that's the end developer who's trying to pull that package, making sure they understand why that package is getting blocked, but also what can they do now that that package has been blocked, and to help security teams understand what types of packages are
- 00:13:33 Alison Sickelka: my customers, my users, trying to pull through Cloudsmith. And so "we automate everything" has been in the Tao of Cloudsmith from the beginning. It's a lofty goal. It takes work to get there. And even for our customers, you know, like I said, it's a journey around their mitigation strategies. But investing in things like making sure we have APIs in place, making sure we have webhooks in place, building from there and understanding what does a notification system look like, where do our customers need this information to show up in their workflows, and just really working with our customers to understand end to end that experience around, oh, I've had a policy violation.
- 00:14:10 Alison Sickelka: What do I do next? And making sure that we're helping make that a great experience for them too.
- 00:14:15 Ciara Carey: Yeah. It's like the full circle to something actionable. It's not enough to know something. It's for that to drive something else. Yeah. So let's talk about some of the features that Cloudsmith has around vulnerability management.
- 00:14:30 Ciara Carey: I'm going to start with my favorite feature. It's upstreams.
- 00:14:34 Alison Sickelka: Yeah, that's so... Cloudsmith offers the ability to configure upstreams within your repositories, and what that lets you do is essentially access packages from a source outside of Cloudsmith. So you're able to set up the major registries, like the popular open source registries, like npm, PyPI, Maven Central, so that you can access all of those packages through Cloudsmith and cache those packages in Cloudsmith.
- 00:15:03 Alison Sickelka: You know, similar to just the evolution of artifact management from a store to that control plane, originally upstreams were valuable for customers because they were able to have that copy accessible. So if something happened with the upstream and it became unavailable, they didn't lose critical dependencies for their software.
- 00:15:22 Alison Sickelka: But, and we'll touch on this as we expand on some of the features, that started to become more of a software supply chain perspective, of being able to make sure that those packages that you're sourcing from an upstream pass through your policy checks and are of a quality that you want in your software supply chain.
- 00:15:40 Ciara Carey: Oh, cool. I remember there was one particular type of, I'm not sure, a threat, I think it was called, instead of an attack, where a package called left-pad was taken off the npm registry, and that kind of broke the internet, because everybody was using this little package in their projects or in their software.
- 00:16:01 Ciara Carey: And they couldn't build their projects because it was gone from the public registry. And if you had an upstream set up with Cloudsmith, you would have that cached already. So that's like a classic benefit.
- 00:16:14 Alison Sickelka: Yeah, that's right. That's, you know, sort of the original. What artifact management is known for is having that availability in that central store.
- 00:16:21 Alison Sickelka: And so that's definitely a great benefit of having your upstreams configured through Cloudsmith.
- 00:16:27 Ciara Carey: Okay, so the next feature is scanning.
- 00:16:31 Alison Sickelka: Yeah, so once you have that central store, you want to understand more about the quality of the packages that are in your system. And so we offer the ability to have your packages scanned to understand the CVEs that are associated with those packages.
- 00:16:47 Alison Sickelka: So on that first upload, we check those packages on your behalf against our scanner, and we provide that CVE information to you in the application, through APIs, things like that. And help you start to build up an understanding of what does my exposure to CVEs look like within my supply chain.
- 00:17:08 Ciara Carey: Yeah. And you can actually trigger a webhook on the scan results as well.
- 00:17:14 Alison Sickelka: That's right. So you can, as soon as the package gets scanned, have those results show up somewhere in your chat tool, in your email, different things like that. You can have that show up where your team that needs to understand and respond to that is.
- 00:17:30 Alison Sickelka: You can have that show up there through our webhooks and through automation. I think it's also worth noting, you know, CVEs are one piece of security and compliance that matters to our customers. Things like licenses, signatures, some other package integrity pieces. We also are extracting that information and making that available both for policies and just for the knowledge and information around those packages.
- 00:17:56 Ciara Carey: Oh, cool. And you can access that kind of information through, like, APIs and that kind of thing?
- Alison Sickelka: Yep, that's right.
- Ciara Carey: Cool. Okay, next feature is quarantining.
- 00:18:06 Alison Sickelka: Yeah, so quarantining is a package status. So you can apply the quarantine status to a package, and at that point it will not be available to be downloaded. And it ultimately underpins our policy management feature that we'll talk about as well, but it's a status that you can apply to any package, anytime, through the UI, through the API, based on webhooks, things like that.
- 00:18:29 Alison Sickelka: You can build your own workflows to apply this quarantine status to a package, which essentially means that as soon as a package is in quarantine, no one within your organization can download that package.
- 00:18:43 Ciara Carey: Okay, so you mentioned Policy Manager. Do you want to talk about that?
- 00:18:47 Ciara Carey: It's relatively recent and we are adding to it all the time.
- 00:18:52 Alison Sickelka: Yeah, so like I said at the start, you know, this idea of that control plane has been foundational to Cloudsmith from the start: that once you have all your artifacts in a central store, you have knowledge built up around those artifacts, and you should be able to use that knowledge to apply controls to your software.
- 00:19:07 Alison Sickelka: And so policy management is the backbone of that. Like you said, it's relatively new. I want to say maybe March of 2023 was the first iteration of policy management, but we let our customers build policies around things like licenses, CVEs, and now we have package deny policies as well. And so we'll continue to expand and grow that policy feature set based on what is important to our customers.
- 00:19:35 Ciara Carey: And for the deny policy, it's quite a hammer of a policy. You can stop a package from being used within your organization.
- 00:19:44 Alison Sickelka: That's right. So if you went back to that Log4Shell example, as soon as that happened, as soon as that was announced, you could go into Cloudsmith and you could immediately use that deny policy to stop any downloading of that package moving forward.
- 00:20:00 Alison Sickelka: And then you can begin your remediation effort once you've put that block in place.
- 00:20:06 Ciara Carey: Yeah, I can imagine some desperate zero-day vulnerability comes in and you can set up a rule straight away, so you feel a little more safe.
- 00:20:17 Alison Sickelka: Yeah, for zero-days, for sure. And then, you know, for some of our larger organizations, they've built up knowledge internally about unsafe packages that they want to block as well.
- 00:20:27 Alison Sickelka: And so they can use that package deny policy to be able to implement those blocks across their organization through Cloudsmith.
- 00:20:34 Ciara Carey: Yeah. One thing I heard about vulnerability management is, say for Log4Shell, the security professionals came in, they scrubbed the system of all Log4Shell, and then it gets reintroduced somehow by developers.
- 00:20:49 Ciara Carey: So that's why we need features like this. It just sneaks its way back in unless you have policies around ingestion.
- 00:20:57 Alison Sickelka: Yeah, policies around ingestion, and then that central store, right? If you as a security team don't have a place where you can apply that policy, then anybody can be using anything within your organization.
- 00:21:11 Ciara Carey: Okay. And so I'm going to bring back in, I mentioned before, Navigator. It's this new tool that we have to help our customers decide if a dependency is worthy of being brought into your organization or not. How is that related to vulnerability management?
- 00:21:27 Alison Sickelka: Yeah. So vulnerability management is just one piece of having a software supply chain security strategy.
- 00:21:35 Alison Sickelka: There are frameworks developing in this space, things like SLSA, and some other policies in this space. There are some other frameworks in this space.
- 00:21:43 Ciara Carey: S2C2F is the one I really like for consuming open source securely. Yeah.
- 00:21:49 Alison Sickelka: And so a lot of these new frameworks are responding to, or addressing, the idea that at the very start of deciding what you want to include in your software supply chain,
- 00:22:00 Alison Sickelka: you can understand what a quality package is. You can have integrity around the packages that are being used within your organization. And so Navigator essentially brings together a view of the packages available on popular open source registries and applies a quality score, a perspective on the quality of those packages.
- 00:22:22 Alison Sickelka: It takes into account different things like: is it well maintained? When was the last update? Things like that, and starts to have that viewpoint on quality that you can start to use at the very beginning of deciding what should be in your software supply chain. So CVE mitigation, you know, that's sort of further down, but really at the start of deciding what you want to be dependent on, or what dependencies you want to use within your software supply chain,
- 00:22:46 Alison Sickelka: Navigator helps you make better choices up front.
- 00:22:49 Ciara Carey: Yeah, I'm seeing a lot of talk about bringing developers into the security conversation and how they're responsible for bringing a lot of these dependencies, with possible vulnerabilities, in. And so we need tools to empower them to make good decisions.
- 00:23:06 Alison Sickelka: Yeah. Ultimately you want your developers to be able to ship fast. And so you want to have a set of policies and practices in place that help them make better choices in a way that still lets them focus on the things that are critical to their job, which is delivering software for your business.
- 00:23:26 Ciara Carey: Finally, how do you think our vulnerability management features are evolving? How do you see vulnerability management evolving in Cloudsmith?
- 00:23:38 Alison Sickelka: Yeah. So we like to listen to our customers and understand how they are thinking about software supply chain security. We're interested in things like the life cycle of a package, and understanding what information and knowledge you can gain from understanding the life cycle and the provenance of a package within your system, things like that package quality that I mentioned, that information around our quality scores and Navigator, but also things like security scorecards.
- 00:24:03 Alison Sickelka: There's a lot of data out there that we can feed into our system. So we want to just continually be building up the knowledge and insights we have around a package, and then make sure that that knowledge and information is available to our customers to be able to build their policies and make good decisions around that.
- 00:24:19 Ciara Carey: Yeah, I'm looking forward to it. Well, right now we already have a good few features around vulnerability management to help our customers. And I'm going to do a demo now. So say a little prayer to the gods. I'm going to share my screen. Thank you so much, Alison. And let me share my screen and show some of those lovely features.
- 00:24:38 Ciara Carey: Okay.
- 00:24:39 Ciara Carey: So this is a little Python project with an old version of requests, which has a few vulnerabilities. These vulnerabilities are moderate, so they're not that high, but I'm going to show you how to push packages to Cloudsmith, have them scanned for vulnerabilities, find the vulnerabilities in question, and then alert by means of Linear, using webhooks and Zapier to create a new task in Linear that shows that you need to eventually update this package because it has some vulnerabilities in it.
- 00:25:13 Ciara Carey: Okay, so let's run this. And this action just pushes it to Cloudsmith.
- 00:25:19 Ciara Carey: Great, so while it's building there, I'm going to show you Cloudsmith. This is the Cloudsmith repository that I'm going to push everything to. It's empty at the moment. I have already set up an upstream to PyPI, and I've set it to cache and proxy from PyPI. This means that all dependencies used in my Python project will be brought into Cloudsmith, and it means that all the scanning and all the policy rules that I've set up will apply to all those packages and all those dependencies.
- 00:25:56 Ciara Carey: I've also set up a webhook. You can see some of the packages being brought in now. I've also set up a webhook, and this webhook is triggered on the scan results. So I'll just show you that now. Let's edit it.
- 00:26:11 Ciara Carey: So I'm just subscribing to "package security scan completed", and then it will trigger a webhook that I'm using in Zapier, and then Zapier will check if a vulnerability is present and open a Linear task for the right project. Okay, so let's see that running now. It should have nearly pulled all those packages in.
- 00:26:38 Ciara Carey: Okay, so our requests package has been brought in, and it's detected vulnerabilities. Oh, there's another one here: urllib3. And so if we go to Linear, we can see that it's created two new tasks. These two packages have a vulnerability in them of medium level. So that's great.
- 00:27:01 Ciara Carey: We've set up a Linear notification to the right team to go about and solve those vulnerabilities.
- 00:27:11 Ciara Carey: I'd like to see how we can automatically quarantine packages of high or above, and these were just moderate. So let's just start again. Let's delete all these lads. Let's go back into my workflow in GitHub Actions. Go into my project, and I'm going to, yeah,
- 00:27:33 Ciara Carey: I'm going to bring in an older version of requests that has an issue
- 00:27:37 Ciara Carey: with a vulnerability that's higher than that, higher above. So let's see, we've deleted everything from our Cloudsmith workflow.
- 00:27:48 Ciara Carey: If I commit this change, it will automatically kick off the GitHub Action.
- 00:27:53 Ciara Carey: Okay, great. So while it's building there, I'm going to show you the organization's policy management tool. You can see over on the left-hand side here all the sections around policy management. You can have policies around authentication, around licensing (no GPL licenses, please), around vulnerabilities, and deny lists, that big hammer to stop a vulnerable package from getting into your organization.
- 00:28:20 Ciara Carey: We're only going to set up a vulnerability policy. I've one prepared earlier. It's the webinar demo one. This policy is only for the vulnerability workflow repository that I'm using. You can see here, this package query is actually a really powerful Boolean syntax that you can use to have fine-grained logic around your policy rules and who it applies to. I'm going to make sure that it's just for my repository.
- 00:28:53 Ciara Carey: You can set the level from critical, high, medium, low, depending on what rule you want to set up. And Alison, you can also decide not to quarantine the package, right? You can just alert people.
- 00:29:05 Alison Sickelka: Yeah, that's right. If you wanted to build the workflow that Ciara shows here, where you don't necessarily stop the build or block it with the package and instead you just alert on those violations, you can do that as well.
- 00:29:18 Ciara Carey: Cool. So I'm just going to cancel out of this here because I've already created this policy rule. And let's go back into my repo.
- 00:29:28 Ciara Carey: Oh yes, here we go. We have a bold package, requests, that has detected vulnerabilities, and these vulnerabilities violate our new policy. This package is in violation of the following rules, and it shows you the rule in question. And this is above a certain severity, so you cannot deploy or download this package. And you can see here in Linear, it's created a new task for the high level of vulnerability for this requests package.
- 00:30:05 Ciara Carey: Okay, great. I'm going to finish sharing my screen.
- 00:30:09 Ciara Carey: Hey, Alison, I'll bring you back on stage. Yeah. Yeah, so you can actually create loads of different workflows with Cloudsmith around vulnerability management using our webhooks, our APIs. I didn't show you how we can also attach an SBOM to your images. You can also schedule rescans, because sometimes you use a package, it has no vulnerabilities, but at a later stage they are discovered, and so you may need to schedule rescans for packages.
- 00:30:40 Ciara Carey: So, Alison, we've explored the importance of vulnerability management, and how Cloudsmith provides solutions to address these challenges. Cloudsmith is a central place to control all your organization's software, and of course its dependencies. We have an integrated scanner and policy management to help you control artifact ingestion, and we have automation to help you build actionable workflows.
- 00:31:05 Ciara Carey: I encourage you to explore Cloudsmith further. Come to our webpage, Cloudsmith.com, open up a chat, start a free trial. We want to hear more from you. We want you using these features. We want to hear your feedback. Any last words, Alison?
- 00:31:23 Alison Sickelka: Yeah, no, I think you covered most of it. You know, we think that artifact management is core to software supply chain security, and we're eager to help our customers secure their software supply chain.
- 00:31:35 Alison Sickelka: We have knowledge, insights and control built into our platform, and we hope that folks find that valuable and come and understand the benefits of artifact management.
- 00:31:45 Ciara Carey: Yeah, this is it. So thank you so much, Alison. And thanks everybody for joining us today. Oh, to let you know, we're going to KubeCon in Paris.
- 00:31:53 Ciara Carey: So you can talk to us there as well. For more information on Cloudsmith, start a free trial and come to our website, Cloudsmith.com. Thanks again for coming today. Bye.