SLSA 1.0 delivers build provenance: What application security teams need to know

OpenSSF's updated Supply-chain Levels for Software Artifacts is an essential tool, but experts say it's not a comprehensive supply chain security tool.
April 19, 2023

Secrets Exposed: The why, the how – and what to do about – secrets security in software

Secrets are increasingly exposed in code, creating a field-day for malicious actors. Here are key takeaways from our Secrets Exposed special report.
April 18, 2023

EU cyber laws ‘will’ make FOSS devs liable

The goal might be laudable, but aspects of the EU law need a major rethink. In this week’s Secure Software Blogwatch, we fear unintended consequences.
April 13, 2023

OSC&R embraces GitHub: Will it move the needle on supply chain security?

Here's what the move means in the short run — and the long term, for the evolution from application security to software supply chain security.
April 11, 2023

Why 'shift left' is now a dirty term in some security circles

Here's why some security practitioners question the term "shift left" — and what they think application security teams should focus on instead.
April 11, 2023

Has public USB ‘juice jacking’ made it into the wild?

Déjà vu, but carry protection, dev teams traveling with credentials: Theorized as early as 2011, could public-USB attacks have finally gone rogue?
April 5, 2023

With Twitter code in the wild, DevSecOps doubts surface

In this week’s Secure Software Blogwatch, we ponder the unintended consequences of “transparency.”
April 4, 2023

The 3CX attack was targeted — but the plan was broader

The compromise was limited to their app. But there's a bigger lesson: Supply chain security complacency comes with a cost.
April 4, 2023

Docker's BuildKit adds SBOM attestation capabilities: How they work — and key limitations

Here's what you need to know about BuildKit, how to leverage its SBOM capabilities — and its limitations for comprehensive supply chain security.
March 29, 2023

Do you trust AI to find app sec holes while you sleep?

Purr-fect? Or cat-astrophe? Microsoft wants you to cat nap as its Security Copilot combats software security threats.
March 28, 2023

How bulk pull requests help scale open source bug fixes

Common flaws are duplicated all across the software supply chain. Here's how security researchers want to automate fixes.
March 22, 2023

Jenkins patches high-severity XSS vulnerabilities: Lessons learned from CorePlague

Here's how CorePlague works — and key takeaways from the vulnerabilities for your application security team.
