ActiveState today announced it is rebranding and relaunching its product as an open source management platform to help enterprises manage open source complexities, ensure supply chain security, and streamline DevSecOps. The platform, which integrates with existing tools, aims to proactively manage open-source risks by providing tools for discovery, analysis, remediation, and governance. It offers a … continue reading
GitHub is taking a step forward to help companies improve supply chain security with the release of Artifact Attestations. This new feature allows GitHub users to verify the integrity of GitHub Actions artifacts before they choose to deploy them into their Kubernetes cluster. Artifacts in GitHub are files or collections of files that were created … continue reading
Red Hat is expanding its Red Hat Trusted Software Supply Chain solution with new offerings that will enable customers to ensure software components are verified and secured. The first new addition is Red Hat Trusted Artifact Signer, now generally available, which allows developers to cryptographically sign and verify application artifacts with a keyless certificate authority. … continue reading
According to Datadog’s State of DevSecOps 2024 report, 90% of Java services have at least one or more critical or higher severity vulnerabilities. This is compared to around 75% for JavaScript services, 64% for Python, and 50% for .NET. The average for all languages studied was 47% The company found that Java services are also … continue reading
A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom. The project was created jointly by the Open Source Security Foundation (OpenSSF), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T). Protobom allows … continue reading
Synopsys has released a new solution to help companies manage upstream risks of software supply chains. Black Duck Supply Chain Edition does software composition analysis (SCA) that makes use of a number of security analysis techniques to determine the components in a piece of software, such as package dependency, CodePrint, snippet, binary, and container analysis. … continue reading
Tidelift has added new intelligence capabilities that will help customers minimize risk related to using open-source components. These capabilities are being added to Tidelift Subscription, which is a program that provides evaluations on security, licensing, and maintenance risks of open-source software. The company has access to open-source package intelligence data through partnerships with thousands of … continue reading
In 2023, there was an 18% decline in the number of open-source projects that are considered to be “actively maintained.” This is according to Sonatype’s Annual State of the Software Supply Chain Report. The report claims that only 11% of open-source projects are actually actively maintained. Despite these flaws, Sonatype still says that 96% of … continue reading
Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then it has made progress in providing guidance to companies on how to actually meet these cybersecurity goals. Now the U.S. federal Cybersecurity & Infrastructure Security Agency … continue reading
The National Institute of Standards and Technology (NIST) published a new draft document that outlines strategies for integrating software supply chain security measures into CI/CD pipelines. Cloud-native applications typically use a microservices architecture with a centralized infrastructure like a service mesh. These applications are often developed using DevSecOps, which uses CI/CD pipelines to guide software … continue reading
Notary, the CNCF project that provides cross-industry standards for supply chain security, has announced a major release. This brings both the Notary Project and Notation Project to version 1.0.0. Notation is a sub-project that implements Notary specifications. Included in this release are an OCI signature specification, OCI COSE signature envelope, OCI JWS signature envelope, OCI … continue reading
The OSC&R (Open Software Supply Chain Attack Reference) is an open source framework used for understanding and evaluating existing threats to entire software supply chain security. OSC&R was created to establish a standard language and structure for comprehending and evaluating the tactics, techniques, and procedures (TTPs) utilized by attackers to breach the security of software … continue reading
