One of the risks of the software supply chain is secrets leaking. Secrets are all around the software supply chain: developers and the CI/CD pipelines need secrets to access the SCM, the pipeline, the artifact registries, the cloud environments, and external services. And when secrets are everywhere, it is a question of time […]

In early August, the U.S. National Institute of Standards and Technology (NIST) released a draft 2.0 version of its landmark Cybersecurity Framework, first published in 2014. A lot has changed over the past 10 years, not least of which is the rising level of cybersecurity threats that the original document set out to help critical […]

We’ve all heard a lot about SBOMs recently. We heard about their usefulness, their composition, and their requirements for security and regulation. This time I want to take the time to talk about a little less-known segment of the CycloneDX SBOM – the Dependency Graph. Despite what the name implies, the Dependency Graph is not a […]

A lot of words have been written in the past few years about the SBOM – Software Bill Of Materials. With all this exposure, people feel they know what it is well enough to explain: it’s a list of software ingredients, it’s important for transparency and security, and it helps expose transient dependencies. All […]

Valint is the main Scribe tool for creating, managing, signing, and verifying evidence. In a previous post, we covered the theory of using signing and verifying evidence as a main tool in validating the security of your CI/CD pipeline. As a short reminder, Scribe’s proposed model includes several building blocks that can be shuffled and […]

In September 2022, the United States Office of Management and Budget (OMB) issued a landmark memo regarding the steps needed to secure your software supply chain to a degree acceptable to the US federal government. Any company that wishes to do business with the government and any federal agency producing software needs to comply with […]

CVE (Common Vulnerabilities and Exposures) scans are essential to securing your software applications. However, with the increasing complexity of software stacks, identifying and addressing all CVEs can be challenging. One of the biggest issues with CVE scans today is the prevalence of false positives, where a vulnerability is identified in a package that is not […]

In March 2023 the White House released a new National Cybersecurity Strategy. The strategy outlines a list of 5 pillars the White House considers critical to improving cybersecurity for all Americans, in both the public and private sectors. The third pillar deals with the drive to shape market forces to improve security and resilience. Part of that […]

In April 2023 CISA released a new joint guide for software security called Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles. The guide was composed with the cooperation of 9 different agencies, including the NSA, the Australian Cyber Security Centre (ACSC), and Germany’s Federal Office for Information Security (BSI), among others. The fact that […]

On March 20th OpenAI took down the popular generative AI tool ChatGPT for a few hours. It later admitted that the reason for the outage was a software supply chain vulnerability that originated in the open-source in-memory data store library ‘Redis’. As a result of this vulnerability, there was a time window (between 1-10 am […]