Topic: supply chain security

GitHub improves supply chain security with general availability of Artifact Attestations

GitHub is taking a step forward to help companies improve supply chain security with the release of Artifact Attestations. This new feature allows GitHub users to verify the integrity of GitHub Actions artifacts before they choose to deploy them into their Kubernetes cluster. Artifacts in GitHub are files or collections of files that were created … continue reading

Red Hat Trusted Software Supply Chain gets updated with three new offerings

Red Hat is expanding its Red Hat Trusted Software Supply Chain solution with new offerings that will enable customers to ensure software components are verified and secured.  The first new addition is Red Hat Trusted Artifact Signer, now generally available, which allows developers to cryptographically sign and verify application artifacts with a keyless certificate authority.  … continue reading

Report: Java is the language that’s most prone to third-party vulnerabilities

According to Datadog’s State of DevSecOps 2024 report, 90% of Java services have at least one or more critical or higher severity vulnerabilities.  This is compared to around 75% for JavaScript services, 64% for Python, and 50% for .NET. The average for all languages studied was 47% The company found that Java services are also … continue reading

OpenSSF, CISA, and DHS collaborate on new open-source project for creating SBOMs

A number of security-focused groups have announced they are teaming up on a new open-source project to help secure software supply chains: Protobom. The project was created jointly by the Open Source Security Foundation (OpenSSF), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security Science and Technology Directorate (DHS S&T).  Protobom allows … continue reading

Synopsys hopes to mitigate upstream risks in software supply chains with new SCA tool

Synopsys has released a new solution to help companies manage upstream risks of software supply chains. Black Duck Supply Chain Edition does software composition analysis (SCA) that makes use of a number of security analysis techniques to determine the components in a piece of software, such as package dependency, CodePrint, snippet, binary, and container analysis.  … continue reading

Tidelift introduces new intelligence capabilities for minimizing open-source risk

Tidelift has added new intelligence capabilities that will help customers minimize risk related to using open-source components. These capabilities are being added to Tidelift Subscription, which is a program that provides evaluations on security, licensing, and maintenance risks of open-source software.  The company has access to open-source package intelligence data through partnerships with thousands of … continue reading

Sonatype shines light on current state of supply chain security in latest report

In 2023, there was an 18% decline in the number of open-source projects that are considered to be “actively maintained.” This is according to Sonatype’s Annual State of the Software Supply Chain Report.  The report claims that only 11% of open-source projects are actually actively maintained.  Despite these flaws, Sonatype still says that 96% of … continue reading

CISA releases roadmap for securing open-source software

Securing software supply chains has been a big focus of the Biden administration. In May 2021 President Joe Biden signed an executive order to improve cybersecurity, and since then it has made progress in providing guidance to companies on how to actually meet these cybersecurity goals.  Now the U.S. federal Cybersecurity & Infrastructure Security Agency … continue reading

NIST publishes new draft framework for integrating supply chain security into CI/CD pipelines

The National Institute of Standards and Technology (NIST) published a new draft document that outlines strategies for integrating software supply chain security measures into CI/CD pipelines.  Cloud-native applications typically use a microservices architecture with a centralized infrastructure like a service mesh. These applications are often developed using DevSecOps, which uses CI/CD pipelines to guide software … continue reading

CNCF’s Notary and Notation projects get major update

Notary, the CNCF project that provides cross-industry standards for supply chain security, has announced a major release.  This brings both the Notary Project and Notation Project to version 1.0.0. Notation is a sub-project that implements Notary specifications.  Included in this release are an OCI signature specification, OCI COSE signature envelope, OCI JWS signature envelope, OCI … continue reading

SD Times Open-Source Project of the Week: OSC&R Software Supply Chain Attack Matrix

The OSC&R (Open Software Supply Chain Attack Reference) is an open source framework used for understanding and evaluating existing threats to entire software supply chain security. OSC&R was created to establish a standard language and structure for comprehending and evaluating the tactics, techniques, and procedures (TTPs) utilized by attackers to breach the security of software … continue reading

Tackling today’s software supply chain issues with DevOps-centric security

Developers, and the software they develop, are the most popular attack vector for today’s hackers and bad actors. The many development tools and processes, not to mention thousands of open-source libraries and binaries, all introduce opportunities for malicious or even accidental injection of risk across the entire software supply chain.  In response to this expanding … continue reading

DMCA.com Protection Status