AppSec & Supply Chain Security

March 23, 2023

The Week in Security: NuGet hit by typosquatting, fake ChatGPT plug-in hijacks Facebook accounts

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.

Read More about The Week in Security: NuGet hit by typosquatting, fake ChatGPT plug-in hijacks Facebook accounts

The Week in Security: NuGet hit by typosquatting, fake ChatGPT plug-in hijacks Facebook accounts

March 22, 2023

Jenkins patches high-severity XSS vulnerabilities: Lessons learned from CorePlague

The vulnerabilities left the door open to malicious plug-in updates. Here's what you need to know.

Read More about Jenkins patches high-severity XSS vulnerabilities: Lessons learned from CorePlague

Jenkins patches high-severity XSS vulnerabilities: Lessons learned from CorePlague

March 21, 2023

How to mitigate secrets risk — and prevent future breaches

Software secrets are in the crosshairs of malicious actors. Here are three key steps to mitigate risk — and best practices your team can take to prevent future breaches.

Read More about How to mitigate secrets risk — and prevent future breaches

How to mitigate secrets risk — and prevent future breaches

March 20, 2023

Application security practices are maturing — but it's a work in progress

While best practices adoption for AppSec is up, many supply chain security problems remain, the OpenSSF SLSA framework survey shows.

Read More about Application security practices are maturing — but it's a work in progress

Application security practices are maturing — but it's a work in progress

March 15, 2023

GitHub enforces 2FA — it’s about time (given the state of supply chain security)

GitHub just got a little safer, by finally forcing users into two-factor authentication. What took you so long, Microsoft?

Read More about GitHub enforces 2FA — it’s about time (given the state of supply chain security)

GitHub enforces 2FA — it’s about time (given the state of supply chain security)

March 13, 2023

Fixing secrets leaks requires holistic software stack protection

The recent hacks at CircleCI and other organizations show that your software supply chain may be a grab bag of software secrets. Only an end-to-end security approach can solve the problem.

Read More about Fixing secrets leaks requires holistic software stack protection

Fixing secrets leaks requires holistic software stack protection

March 13, 2023

When it comes to financial services, mind the gaps in your AppSec testing

Why you need to upgrade to software supply chain security: Adversaries can compromise your organization without comprehensive malware identification.

Read More about When it comes to financial services, mind the gaps in your AppSec testing

When it comes to financial services, mind the gaps in your AppSec testing

March 8, 2023

Why software transparency is critical: Understanding supply chain security in a software-driven society

Here's an overview of our upcoming book, with highlights and key takeaways from each chapter.

Read More about Why software transparency is critical: Understanding supply chain security in a software-driven society

Why software transparency is critical: Understanding supply chain security in a software-driven society

March 7, 2023

App sec is addicted to vulnerability reporting: Why supply chain security requires evolution

Teams are mired in CVEs, the NVD (which is fed by CVE data), and the CVSS. Experts explain why it's time to modernize.

Read More about App sec is addicted to vulnerability reporting: Why supply chain security requires evolution

App sec is addicted to vulnerability reporting: Why supply chain security requires evolution

March 7, 2023

White House cyber strategy: A love/hate story

In a first, the Biden administration will hold software developers accountable for vulnerabilities. Naturally, it’s dividing opinions

Read More about White House cyber strategy: A love/hate story

White House cyber strategy: A love/hate story

March 1, 2023

3 reasons to upgrade your AppSec testing to tackle supply chain security

Modern software development is a primary target for supply chain attacks. Here's why traditional application security testing alone is not up to the job.

Read More about 3 reasons to upgrade your AppSec testing to tackle supply chain security

3 reasons to upgrade your AppSec testing to tackle supply chain security

February 27, 2023

Lessons learned from the CircleCI secrets breach

The CircleCI breach reveals a bigger story on secrets. Matt Rose and Chris Wilder discuss lessons learned in this webinar

Read More about Lessons learned from the CircleCI secrets breach

Lessons learned from the CircleCI secrets breach

February 23, 2023

How C-SCRM could fill the gaps on supply chain security

The new CISA office could make a big difference — and even lead to a new discipline dedicated to software supply chain security

Read More about How C-SCRM could fill the gaps on supply chain security

How C-SCRM could fill the gaps on supply chain security

February 23, 2023

Why devs and repos spill secrets

The Circle CI breach and other recent hacks expose why the secrets problem is so prolific. Here's what you need to know.

Read More about Why devs and repos spill secrets

Why devs and repos spill secrets

February 21, 2023

OSC&R targets software supply chain attacks

Modeled after MITRE ATT&CK, OSC&R aims to improve software supply chain security. Experts share its hits — and misses.

Read More about OSC&R targets software supply chain attacks

OSC&R targets software supply chain attacks