Docker's BuildKit adds attestation: How it works and key limitations
Here's what you need to know about BuildKit and its Supply Chain Levels for Software Artifacts (SLSA) provenance capabilities for SBOMs.
AppSec & Supply Chain Security
Docker's BuildKit adds attestation: How it works and key limitations
The 3CX breach was targeted — but the plan was broader
The compromise was limited to their app. But there's a bigger lesson: Supply chain security complacency comes with a cost.
How bulk pull requests help scale open source bug fixes
Flaws quickly spread across the supply chain. Here's how researchers at Alpha Omega and beyond are automating fixes.
The Week in Security: NuGet hit by typosquatting, fake ChatGPT plug-in hijacks Facebook accounts
Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.
Jenkins patches high-severity XSS vulnerabilities: Lessons learned from CorePlague
The vulnerabilities left the door open to malicious plug-in updates. Here's what you need to know.
How to mitigate secrets risk — and prevent future breaches
Software secrets are in the crosshairs of malicious actors. Here are three key steps to mitigate risk — and best practices your team can take to prevent future breaches.
.webp&w=3840&q=75)
Application security practices are maturing — but it's a work in progress
While best practices adoption for AppSec is up, many supply chain security problems remain, the OpenSSF SLSA framework survey shows.
GitHub enforces 2FA — it’s about time (given the state of supply chain security)
GitHub just got a little safer, by finally forcing users into two-factor authentication. What took you so long, Microsoft?
Fixing secrets leaks requires holistic software stack protection
The recent hacks at CircleCI and other organizations show that your software supply chain may be a grab bag of software secrets. Only an end-to-end security approach can solve the problem.
When it comes to financial services, mind the gaps in your AppSec testing
Why you need to upgrade to software supply chain security: Adversaries can compromise your organization without comprehensive malware identification.
Why software transparency is critical
Understanding supply chain security is critical in a software-driven society. Here's an overview of our upcoming book.
App sec is addicted to vulnerability reporting: Why supply chain security requires evolution
Teams are mired in CVEs, the NVD (which is fed by CVE data), and the CVSS. Experts explain why it's time to modernize.
White House cyber strategy: A love/hate story
In a first, the Biden administration will hold software developers accountable for vulnerabilities. Naturally, it’s dividing opinions
3 reasons to upgrade your AppSec testing to tackle supply chain security
Modern software development is a primary target for supply chain attacks. Here's why traditional application security testing alone is not up to the job.
Lessons learned from the CircleCI secrets breach
The CircleCI breach reveals a bigger story on secrets. Matt Rose and Chris Wilder discuss lessons learned in this webinar