Our Blog

Cyber Risk
Barak Brudo Using Valint To Apply Policies To Your SDLC

Valint is the main Scribe tool for creating, managing, signing, and verifying evidence. In a previous post, we covered the theory of using signing and verifying evidence as a main tool in validating the security of your CI/CD pipeline. As a short reminder, Scribe’s proposed model includes several building blocks that can be shuffled and […]

Read more
Cyber Risk
Barak Brudo CISA’s Secure Software Self-Attestation Common Form: A Turning Point for Liability

In September 2022, the United States Office of Management and Budget (OMB) issued a landmark memo regarding the steps needed to secure your software supply chain to a degree acceptable to the US federal government. Any company that wishes to do business with the government and any federal agency producing software needs to comply with […]

Read more
Cyber Risk
Barak Brudo How To Avoid CVE Burnout and Alert Fatigue in Vulnerability Scans?

CVE (Common Vulnerabilities and Exposures) scans are essential to securing your software applications. However, with the increasing complexity of software stacks, identifying and addressing all CVEs can be challenging. One of the biggest issues with CVE scans today is the prevalence of false positives, where a vulnerability is identified in a package that is not […]

Read more
Cyber Risk
Barak Brudo Providing a Safe Harbor From Liability for Software Producers

In March 2023, the White House released a new National Cybersecurity Strategy. The strategy outlines a list of 5 pillars the White House considers critical to improving cybersecurity for all Americans, in both the public and private sectors. The third pillar deals with the drive to shape market forces to improve security and resilience. Part of that […]

Read more
Cyber Risk
Barak Brudo Charting the Future of SBOM: Insights From CISA’s New Guide: Shifting the Balance of Cybersecurity Risk

In April 2023, CISA released a new joint guide for software security called Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles. The guide was composed with the cooperation of 9 different agencies, including the NSA, the Australian Cyber Security Centre (ACSC), and Germany’s Federal Office for Information Security (BSI), among others. The fact that […]

Read more
Cyber Risk
Barak Brudo What Happens When an AI Company Falls Victim to a Software Supply Chain Vulnerability

On March 20th, OpenAI took down the popular generative AI tool ChatGPT for a few hours. It later admitted that the reason for the outage was a software supply chain vulnerability that originated in the open-source in-memory data store library ‘Redis’. As a result of this vulnerability, there was a time window (between 1-10 am […]

Read more
Cyber Risk
Barak Brudo What We Can Learn From CISA’s SBOM Sharing Lifecycle Report

In April 2023, DHS, CISA, DOE, and CESER released a report titled ‘Software Bill of Materials (SBOM) Sharing Lifecycle Report’. The purpose of the report was to examine the current ways in which people are sharing SBOMs, as well as to outline, in general terms, how this sharing could be done better, with greater sophistication to […]

Read more
Cyber Risk
Barak Brudo From Chaos to Clarity: How to Secure Your Supply Chain with Attestations

As everyone is becoming progressively more aware, protecting your software supply chain should be a vital part of every organization’s cybersecurity strategy. One of the main difficulties in creating a comprehensive strategy to mitigate software supply chain threats is the complexity and diversity of supply chains. Each supply chain is unique, and the elements […]

Read more
Cyber Risk
Barak Brudo Using the 3CX Desktop App Attack To Illustrate the Importance of Signing and Verifying Software

In late March 2023, security researchers exposed a threat actor’s complex software supply chain attack on business communication software from 3CX, mainly the company’s voice and video-calling desktop app. The researchers warned that the app was somehow trojanized and that using it could expose the organization to a possible exfiltration scheme by a threat actor. […]

Read more
Cyber Risk
Barak Brudo How Confident Are You With What’s Really Happening Inside Your CI/CD Pipeline? The Elements You Should Be Securing, and How

CI/CD pipelines are notoriously opaque as to what exactly takes place inside them. Even if you’re the one who wrote the YAML config file (the pipeline’s list of instructions), how can you be sure that everything takes place exactly as described? Worse, most pipelines are completely ephemeral, so even if something bad happens there are no […]

Read more