Last month I came upon this article from Dark Reading. It looked very familiar. It didn’t take me long to realize that the GitHub cross-workflow artifact poisoning vulnerability discussed in the article bore a striking resemblance to the GitHub cross-workflow cache poisoning vulnerability we reported on in March 2022. GitHub workflows—A key component of GitHub […]
With the growing use of third-party components and lengthy software supply chains, attackers can now compromise many software packages simultaneously via a single exploit. In response to this new attack vector, more development and DevOps teams, as well as security professionals, are looking to incorporate a Software Bill of Materials (SBOM). The software supply chain […]
The risks faced by software supply chains have taken their place at the forefront of conversations in the cybersecurity ecosystem. This is partly due to the increased frequency of these supply chain attacks, but also because of the potentially far-reaching impacts they have when they do happen. Figures from 2021 showed software supply chain attacks […]
The global software supply chain is always under threat from cyber criminals who threaten to steal sensitive information or intellectual property and compromise system integrity. These issues may impact commercial companies as well as the government’s ability to securely and reliably deliver services to the public. The United States Office of Management and Budget (OMB) […]
When three U.S. government agencies get together to “strongly encourage” developers to adopt certain practices, you should pay attention. The CISA, NSA, and ODNI, in recognition of the threat of cyber-hackers and in the wake of the SolarWinds attack, announced that they will be jointly publishing a collection of recommendations for securing the software supply […]
The US government is in the process of revamping its cybersecurity policies. This includes the release of Secure Software Development Framework (SSDF) version 1.1 by the National Institute of Standards and Technology (NIST), which aims to reduce security vulnerabilities across the Software Development Life Cycle (SDLC). The document provides software vendors and acquirers with “a […]
A new software supply chain attack designed to extract data from applications and websites was found in over two dozen NPM packages.
GitGat is a set of self-contained OPA (Open Policy Agent) policies written in Rego. GitGat evaluates the security settings of your SCM account and provides you with a status report and actionable recommendations.
You cannot trust the signed products and updates of vendors and your very own code might have already been modified or added to. What, then, can you do to really be certain you are not installing malicious files into your system?
On March 22nd NIST released the final version of the SSDF 1.1 (Secure software development framework). We’ll take a look at some of the differences between the final version and the previous draft.