Dev & DevSecOps

June 1, 2023

When byte code bites: Who checks the contents of compiled Python files?

ReversingLabs researchers identified a PyPI attack using compiled Python code to evade detection — possibly the first PYC file direct-execution attack.
June 1, 2023

The state of app sec with Chris Romeo: The year of the application is near

ConversingLabs caught up with Chris Romeo of Kerr Ventures at RSA Conference 2023 to talk about the state of application security. Watch (or listen) — and learn.
May 31, 2023

‘Extinction risk’: Could code-writing AI wipe out humans via software backdoors?

Experts warn ChatGPT-based coding could do to us what an asteroid did to the dinosaurs. Hype — or heads-up to reckon with?
May 30, 2023

App sec and AI: Can this new supply chain risk be contained by tools such as NeMo Guardrails?

Here's a look at this first example of tools to manage the risk from generative AI — and analysis of the scope of that risk to the software supply chain.
May 23, 2023

PyPI paused as automated attack overwhelms admins

Python Package Index was flooded with malicious typo-squatting packages. Weekend warriors quit defense and hit the pause button.
May 9, 2023

Red teamers take on AI at DEF CON 31

It takes a village... In Las Vegas, researchers play capture the flag to find vulnerabilities in tools like ChatGPT — with a White House assist.
May 9, 2023

SLSA 1.0 delivers build provenance: What application security teams need to know

OpenSSF's updated Supply-chain Levels for Software Artifacts is an essential tool, but experts say it's not a comprehensive supply chain security tool.
April 19, 2023

Secrets Exposed: The why, the how – and what to do about – secrets security in software

Secrets are increasingly exposed in code, creating a field-day for malicious actors. Here are key takeaways from our Secrets Exposed special report.
April 18, 2023

EU cyber laws ‘will’ make FOSS devs liable

The goal might be laudable, but aspects of the EU law need a major rethink. In this week’s Secure Software Blogwatch, we fear unintended consequences.
April 13, 2023

OSC&R embraces GitHub: Will it move the needle on supply chain security?

Here's what the move means in the short run — and the long term, for the evolution from application security to software software supply chain security.
April 11, 2023

Why 'shift left' is now a dirty term in some security circles

Here's why some security practitioners question the term "shift left" — and what they think application security teams should focus on instead.
April 11, 2023

Has public USB ‘juice jacking’ made it into the wild?

Déjà vu, but carry protection, dev teams traveling with credentials: Theorized as early as 2011, could public-USB attacks have finally gone rogue?


Get the Best of the ReversingLabs newsletter delivered to your in-box weekly to stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

ConversingLabs Cafe: Chris Romeo on the state of application security ConversingLabs Cafe: Chris Romeo on the state of application security
Conversations About Threat Hunting and Software Supply Chain Security
Behaviors & Diffs: Better Together for Software Supply Chain Security Behaviors & Diffs: Better Together for Software Supply Chain Security
Glassboard conversations with ReversingLabs Field CISO Matt Rose
Software Package Deconstruction: Deconstructing UPS Ship Manager Software Package Deconstruction: Deconstructing UPS Ship Manager
Analyzing Risks To Your Software Supply Chain