Chris Hughes

896 posts


@ResilientCyber

Securing Agentic AI @ Zenity | Founder @ Resilient Cyber | 3x Author | Veteran | Advisor

Joined May 2020
159 Following, 447 Followers
Chris Hughes @ResilientCyber
@stevespringett Yeah that seems like a broad interpretation that overlooks the reality that there’s no contractual relationship and most FOSS is provided as-is, and they owe the consumers nothing, including an SBOM.
Chris Hughes @ResilientCyber
Public Service Announcement (PSA). Free and Open Source Software (FOSS) contributors/maintainers are not your suppliers. That is all.
Chris Hughes @ResilientCyber
“It’s important to influence designers of future computers and software so that security controls can be installed before the fact and as an integral part of the system”
Dan Lorenc @lorenc_dan
if you’re not rolling your own compiler I don’t trust you

compilers have to be one of the most easy things to implement and they're such a core component to any service. Own your compiler.
William Toll @utollwi
The Elusive Built-in not Bolted-on

A look at CISA's "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default" publication via @ResilientCyber
Chris Hughes @ResilientCyber
As an industry we’re best-practices rich and implementation poor.
Dan Lorenc @lorenc_dan
When you first become a CISO you must become one of the following: LinkedIn CISO, FedRAMP CISO, VC CISO, "cool" CISO, politician CISO, RSA CISO, prepper CISO. I don't make the rules.
Dan Lorenc @lorenc_dan
A prospective customer just asked us for an SBOM as part of vendor diligence today for the first time ever. I bet somewhere, @allanfriedman shed a single tear.
Chris Hughes @ResilientCyber
Excellent article discussing the value and shortfalls of SBOMs for software supply chain security and how coupling SBOM with SLSA helps fill some gaps.

It touches on:
- Responding to build tampering attacks such as Solarwinds an… lnkd.in/g95rje8z lnkd.in/gd3wz-ZJ
Chris Hughes @ResilientCyber
Awesome article comparing Falco and GuardDuty for Amazon Web Services (AWS) EKS Threat Detection by two of my colleagues Dustin Whited and Dakota Riley

They discuss:
- Kubernetes adoption
- Shared Responsibility Model in the con… lnkd.in/gXne_NKX lnkd.in/gvZAFiav
Chris Hughes @ResilientCyber
About a month ago I had the chance to join NDIA New England to speak on a panel titled "Zero Trusts Given" with Dave Lago, Patrick Perry and moderator Ryan Heidorn

The recording for our talk, which starts at the 1 hour 45 minute mark, along with the rest… lnkd.in/gkBNtyW2
Chris Hughes @ResilientCyber
Yes, another Software Supply Chain Security post today, no I'm not sorry. -- "The Office of Management and Budget is preparing to release new requirements around software supply chain and cybersecurity, according to a top federal… lnkd.in/gBb4_3qb lnkd.in/gQT8DksU
Chris Hughes @ResilientCyber
I'm a big fan of excellent writing and articles and War on the Rocks puts out some great ones. That's why I was excited to see them publish an article on the Open Source Software (OSS) and Software Supply Chain challenges, and it… lnkd.in/gyyRG9dR lnkd.in/ghGA_RjW
Chris Hughes @ResilientCyber
National Institute of Standards and Technology (NIST) has just released the final version of 800-161 r1 "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations". This guidance comes at a critical time, as the software supply c… lnkd.in/gYd3WTMN
Chris Hughes @ResilientCyber
It’s a day of the year where I have to admit to my IT/Cyber peers that I’ve never seen Star Wars

I’m sorry to let you all down. #cyber #starwars