sbomx

Executive Order on Improving the Nation’s Cybersecurity whitehouse.gov/briefing-room/… via @whitehouse

Incident report on malicious takeover of ctx package on PyPI has been published. Read details, mitigation, analysis, and more at python-security.readthedocs.io/pypi-vuln/inde…

The Open Source Software Security Mobilization Plan 8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/…

Dependency-Track v4.5.0 now available. This release adds support for exploit prediction (EPSS), VEX, non-public vulnerabilities, and much more. issuewire.com/owasp-makes-si… #SBOM #SaaSBOM #VEX #OWASP #CycloneDX

This release is pretty epic. A real game changer for organisations consuming SBOMs. Thank you @stevespringett, @nscur0, and all the contributors. #sbom

Excited to share my thoughts on cloud security in Forbes: forbes.com/sites/forbesfi…

@albertlacambra You will always have dependencies. You just have to keep an eye on them and use as little as possible

@sbom_x Just go back to java ee and snippets copy paste. Ist the simplest and more efficient and secure way to work 😉

When will we learn? drewdevault.com/2022/05/12/Sup… "Congratulations to Rust for its first (but not its last) supply-chain attack this week!"

Don’t know where to start to learn more about supply chain security? Good news! We created a Software Supply Chain Reading List Get it 📚 blog.chainguard.dev/a-crash-course/

New Typosquating Attack on npm Package ‘colors’ Using Cross-language Technique Explained whitesourcesoftware.com/resources/blog…

Introducing Open Source Insights data in BigQuery to help secure software supply chains @googlecloud cloud.google.com/blog/products/… "This dataset provides access to critical software supply chain information for developers, maintainers and consumers of open-source software."

The 5×5—Reflections on trusting trust: Securing software supply chains atlanticcouncil.org/content-series… "It is like we built a digital Manhattan on a foundation of quicksand and swamps"

The Cybersecurity Coalition group has published its SBOM position paper! Check it out here. It talks about factors such as gaps in the ability to distribute and automate consumption of SBOMs, and open questions around what does SBOM mean in the cloud? cybersecuritycoalition.org/reports/cybers…

Email domain for NPM lib with 6m downloads a week grabbed by expert to make a point theregister.com/2022/05/10/sec… via @theregister

@lrvick We could go on for a long time ...

@lrvick 3/n naver.com,747 microsoft.com,708 npmjs.com,659 gmx.de,602 ya.ru,471 pm.me,463 aliyun.com,412 web.de,411 hotmail.co.uk,391

1. Buy expired NPM maintainer email domains. 2. Re-create maintainer emails 3. Take over packages 4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed 5. Enjoy world domination.

#CloudNativeLive: Looking forward to learning, Protecting Software Supply Chains using @kyverno Started in < 30 mint youtube.com/watch?v=jXnDzY…

software supply chain security covered by Forbes forbes.com/sites/curtissi…

@snyksec Tnx for your excellent analysis at snyk.io/blog/npm-depen… and don't worry, the "malicious actor" is one of our interns 😎 who was tasked to research dependency confusion as part of our continuous attack simulations for clients. (1/2)