GitHub Fights Forks — Millions of Them — Huge Software Supply Chain Security FAIL
Richi Jennings
Forking hell: Scrotebots clone thousands of projects, injecting malware millions of times ...
Security Boulevard
Don’t let CVEs distract you: Shift your AppSec team’s focus to malware
Chasing vulnerabilities can be a time-consuming and time-wasting pursuit for application security (AppSec) teams. A big part of the problem has been the sheer volume of vulnerabilities being reported in recent years, ...
Zero trust and threat modeling: Is it time for AppSec to get on board?
As the use of zero-trust architecture grows, it's becoming apparent to threat modelers that if they want to reap benefits, they will need to modify their existing practices to do it. ...
AI needs transparency: How software supply chain security tools can help secure ML models
Solutions designed to protect the software supply chain can also be used to protect machine learning (ML) models from similar attacks. Two such solutions: The Supply-chain Levels for Software Artifacts (SLSA) framework and ...
How legacy AppSec is holding back Secure by Design
After years of headline-popping software supply chain–related breaches — think SolarWinds, Log4j, 3CX, and MOVEit — software security advocates agree that organizations have to change the way they tackle application security (AppSec) ...
5 best practices for putting SBOMs to work with CI/CD
Software bills of materials (SBOMs) have become a central component of enterprise efforts to secure the software supply chain. President Biden's 2021 Executive Order on Improving the Nation's Cybersecurity, EO 14028, made ...
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations
ReversingLabs has identified connections between a malicious campaign that was recently discovered and reported by the firm Phylum and several hundred malicious packages published to the NuGet package manager since the beginning ...
How mature is your open-source risk management? S2C2F helps map out dependencies
The Secure Supply Chain Consumption Framework (S2C2F) from the Open Source Security Foundation (OpenSSF) is a useful resource for enterprise software teams addressing risks from open-source dependencies ...
App sec prioritization is priority No. 1 for CISOs
As application security and DevSecOps teams try to get the most bang for their app sec buck, one of the perennial problems has been figuring out where to focus their secure coding ...