Your Vibe Coding Project is Infested with Vulnerabilities! Building software with AI has gone from science fiction to everyday reality. Your AI-coded project may work perfectly… until hackers find the flaws. In this post, we will cover the path from AI-generated code full of findings and vulnerabilities to a trusted product by walking through an […]
Read more
Imagine the workload on a developer: a long day of coding, deadlines looming, and then the dreaded SAST report arrives. Hundreds of findings, each one a potential vulnerability, each one requiring careful attention. The process is repetitive, time-consuming, and, let’s be honest, sometimes a demoralizing drudgery. And the situation is only getting worse; code generation […]
Read more
This article was co-written with Viktor Kartashov and Daniel Nebenzahl. The Auditor’s Litmus Test: Can You Prove Your Builds? “Can you prove, definitively, that every container image you ship was built exactly the way you claim?” Most auditors expect a swift, confident answer – not weeks of frantic YAML refactoring. The SLSA (Supply-chain Levels for […]
Read more
Co-written with Viktor Kartashov. The NIST SP 800-190 standard provides structured guidelines to secure containerized applications, covering everything from image provenance to runtime controls. As container use explodes in fast-paced DevOps environments, aligning with these requirements becomes both essential and challenging. But SP 800-190 here is just a use case. The bigger idea is to […]
Read more
What Is in-toto and How Does It Protect the Software Supply Chain? Software supply chain attacks, like those seen in recent years – 3CX, Codecov, and SolarWinds – have highlighted the fragility of traditional development pipelines. In response, the open-source community developed in-toto, a framework to ensure integrity at every step of software delivery. In-toto […]
Read more
In today’s software development landscape, the diversity of developer profiles is both a strength and a vulnerability. The attached taxonomy—ranging from well-intentioned but imperfect “Good Developers” to “Citizen Developers” using AI-generated code, and even “Malicious Developers”—highlights how varying levels of experience, intent, and behavior can pose significant software development lifecycle (SDLC) risks. Scribe Security addresses […]
Read more
At Scribe Security, we believe the future of cybersecurity hinges on securing software supply chains from the inside out. That’s why we’re proud to collaborate with the National Cybersecurity Center of Excellence (NCCoE) on its Software Supply Chain and DevOps Security Practices project. This initiative convenes public and private sector technology contributors to explore how […]
Read more
Most software organizations use multiple platforms for code management, build, registry, delivery, and deployment. Governing the security of the SDLC and software supply chain requires a unified platform that extends beyond GitHub’s native capabilities. Effective risk management demands clear traceability and governance from code to cloud—ensuring every container image and released artifact is linked to […]
Read more
The landscape of federal software security is undergoing a significant transformation. In January 2025, the White House issued a new Executive Order focusing on strengthening the security and transparency of third-party software supply chains used by federal agencies. This mandate introduces crucial changes that software providers need to understand and prepare for, especially given the […]
Read more
In today’s rapidly evolving software development landscape, security and compliance have become paramount. As organizations increasingly rely on third-party components and open-source software, understanding what’s inside your software has never been more critical. Enter the Software Bill of Materials (SBOM)—a detailed list of all components, libraries, and dependencies that make up your software. Integrating SBOMs […]
Read more