Topic: supply chain security

Tidelift introduces new intelligence capabilities for minimizing open-source risk

Tidelift has added new intelligence capabilities that will help customers minimize risk related to using open-source components. These capabilities are being added to Tidelift Subscription, which is a program that provides evaluations on security, licensing, and maintenance risks of open-source software. The company has access to open-source package intelligence data through partnerships with thousands of …

Sonatype shines light on current state of supply chain security in latest report

In 2023, there was an 18% decline in the number of open-source projects that are considered to be “actively maintained.” This is according to Sonatype’s Annual State of the Software Supply Chain Report. The report claims that only 11% of open-source projects are actually actively maintained. Despite these flaws, Sonatype still says that 96% of …

CISA releases roadmap for securing open-source software

Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then the administration has made progress in providing guidance to companies on how to actually meet these cybersecurity goals. Now the U.S. federal Cybersecurity & Infrastructure Security Agency …

NIST publishes new draft framework for integrating supply chain security into CI/CD pipelines

The National Institute of Standards and Technology (NIST) published a new draft document that outlines strategies for integrating software supply chain security measures into CI/CD pipelines. Cloud-native applications typically use a microservices architecture with a centralized infrastructure like a service mesh. These applications are often developed using DevSecOps, which uses CI/CD pipelines to guide software …

CNCF’s Notary and Notation projects get major update

Notary, the CNCF project that provides cross-industry standards for supply chain security, has announced a major release. This brings both the Notary Project and Notation Project to version 1.0.0. Notation is a sub-project that implements Notary specifications. Included in this release are an OCI signature specification, OCI COSE signature envelope, OCI JWS signature envelope, OCI …

SD Times Open-Source Project of the Week: OSC&R Software Supply Chain Attack Matrix

The OSC&R (Open Software Supply Chain Attack Reference) is an open source framework used for understanding and evaluating existing threats to the security of the entire software supply chain. OSC&R was created to establish a standard language and structure for comprehending and evaluating the tactics, techniques, and procedures (TTPs) utilized by attackers to breach the security of software …

Tackling today’s software supply chain issues with DevOps-centric security

Developers, and the software they develop, are the most popular attack vector for today’s hackers and bad actors. The many development tools and processes, not to mention thousands of open-source libraries and binaries, all introduce opportunities for malicious or even accidental injection of risk across the entire software supply chain. In response to this expanding …

Palo Alto Networks introduces new Prisma Cloud Supply Chain Security

Palo Alto Networks, provider of an enterprise cybersecurity platform, announced Prisma Cloud Supply Chain Security. This release works to provide a complete view of where potential vulnerabilities or misconfigurations exist in a software supply chain, enabling organizations to trace and fix them easily. With Supply Chain Security, Prisma Cloud provides users with full lifecycle visibility …