3

I work for a software/system development company and I'm looking to improve how we manage information security within our development process. Much of what I have found in my initial research is focused on managing vulnerabilities within a company's IT infrastructure, and not in the products they develop and deploy. I particularly want an approach (and tools) that can help track assets, what third-party components have gone into our products, and what vulnerabilities exist. Does anybody have any experience combining asset tracking and vulnerability management for such a purpose?

Are there any tools out there that integrate tracking of what third-party components are included within a product/release and then provide some kind of continued vulnerability assessment against known vulnerabilities?

I'm envisioning a tool that could plug in to whatever build system each development team employed to automatically create a software BOM of sorts and then keep track of which builds are still being used in production and compare the active components with known vulnerability databases.

0 Answers
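The question has no answers, but the workflow it describes (build produces a software BOM, a deployment inventory records which builds are live, and live components are matched against a vulnerability feed) is small enough to illustrate. The following is an added example written for this page, not code from the asker or from any product. The SBOM is a constructed CycloneDX-style JSON document, the advisory feed uses placeholder ids rather than real CVEs, and the OSV-style "introduced/fixed" range semantics and the `scan_production` helper are assumptions chosen for the illustration.

```python
import json
from typing import Optional

# Constructed sample SBOMs in a CycloneDX-like shape, one per release.
# Package names and versions are made up for this example.
SAMPLE_SBOMS = {
    "acme-app@2.3.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "acme-app", "version": "2.3.0"}},
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.4.2"},
            {"type": "library", "name": "libbar", "version": "0.9.0"},
            {"type": "library", "name": "libbaz", "version": "3.1.0"},
        ],
    }),
    "acme-app@2.2.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "acme-app", "version": "2.2.0"}},
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.3.0"},
            {"type": "library", "name": "libbaz", "version": "2.5.0"},
        ],
    }),
}

# Deployment inventory (constructed): only 2.3.0 is still running in production.
IN_PRODUCTION = {"acme-app@2.3.0"}

# Constructed vulnerability feed. The ids are placeholders, not real advisories;
# a real implementation would pull this from a database such as NVD or OSV.
SAMPLE_FEED = [
    {"id": "EXAMPLE-VULN-0001", "package": "libfoo", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-VULN-0002", "package": "libbar", "introduced": "0.0.0", "fixed": "1.0.0"},
    {"id": "EXAMPLE-VULN-0003", "package": "libbaz", "introduced": "2.0.0", "fixed": "3.0.0"},
]


def parse_version(v: str) -> tuple:
    """Turn a dotted version string ("1.4.2") into a comparable tuple.
    Non-numeric segments fall back to 0 so comparisons never raise."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style range check (assumed semantics): affected if
    introduced <= version < fixed; no fixed version means affected from
    'introduced' onward."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def parse_sbom(text: str) -> dict:
    """Extract {component name: version} from a CycloneDX-style JSON document."""
    doc = json.loads(text)
    return {c["name"]: c["version"] for c in doc.get("components", [])
            if c.get("name") and c.get("version")}


def match_components(components: dict, feed: list) -> list:
    """Return one finding per (component, advisory) pair whose version range matches."""
    findings = []
    for adv in feed:
        version = components.get(adv["package"])
        if version is None:
            continue
        if is_affected(version, adv["introduced"], adv.get("fixed")):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "version": version, "fixed": adv.get("fixed")})
    return findings


def scan_production(sboms_by_release: dict, in_production: set, feed: list) -> dict:
    """Scan only releases the inventory says are still deployed; retired
    builds are skipped so findings reflect what is actually exposed."""
    report = {}
    for release, sbom_text in sboms_by_release.items():
        if release not in in_production:
            continue
        report[release] = match_components(parse_sbom(sbom_text), feed)
    return report


if __name__ == "__main__":
    for release, findings in scan_production(SAMPLE_SBOMS, IN_PRODUCTION, SAMPLE_FEED).items():
        print(release)
        for f in findings:
            print(f"  {f['id']}: {f['package']} {f['version']} (fixed in {f['fixed']})")
```

Running the example reports two findings for the deployed 2.3.0 release (libfoo 1.4.2 and libbar 0.9.0 fall inside their advisory ranges, libbaz 3.1.0 is past its fix) and nothing for the retired 2.2.0 build. The same structure extends to a real pipeline: the build step emits the SBOM, the deployment inventory marks releases active or retired, and the feed is refreshed on a schedule so that newly published advisories are re-matched against components that were clean when they shipped.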