Software Supply Chain Content on InfoQ
-
JFrog Integrates Runtime Security for Enhanced DevSecOps Platform
JFrog has introduced JFrog Runtime to its suite of security capabilities, adding real-time vulnerability detection to its software supply chain platform. This update is aimed at developers and DevSecOps teams working with Kubernetes clusters and cloud-native applications.
-
Applying Zero-Trust Security to Docker Containers
Several strategies exist to apply the principles of zero-trust security to development environments based on Docker Desktop to protect against the risks of security breaches, Docker senior technical leader Jay Schmidt explains.
-
Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack
E-commerce security firm Sansec disclosed a new supply chain attack affecting the Polyfill JS service when accessed through a number of CDNs hosting it. According to Sansec, over 100K sites were hit. The original author of the service, Andrew Betts, suggested removing Polyfill from any sites using it.
-
GitHub Enables Dependabot via GitHub Actions, Improves Supply Chain Security
GitHub has released two features to improve the security and resilience of repositories. The first feature allows Dependabot to run as a GitHub Actions workflow using hosted and self-hosted runners. The second release introduces the public beta of Artifact Attestations, simplifying how repository maintainers can generate provenance for their build artifacts.
-
GUAC Joins OpenSSF as Incubating Project
The Graph for Understanding Artifact Composition (GUAC) has joined the Open Source Security Foundation (OpenSSF) as an incubating project. GUAC provides a tool and underlying API to analyse and visualise software bill of materials (SBOM) along with threat intelligence feeds to determine whether vulnerabilities impact an application.
-
Do Gen AI and OSS Regulation Bring Us Further Away from Exiting the Dependency Hell?
“The security of the software supply chain problem” still persists, according to the yearly State Of Supply Chain report. It improved, but there is still a long way to go, given that 96% of all vulnerable downloads were avoidable. Besides the usual insights into how far we are from exiting the "dependency hell", the novel challenges of 2023 include the legislative adoption of Gen AI-associated risks.
-
TorchServe Potentially Exposed to Remote Code Execution
Israel-based security company Oligo has uncovered multiple vulnerabilities in TorchServe, the tool used to serve PyTorch models, that could allow an attacker to run arbitrary code on vulnerable systems. The vulnerabilities have been promptly fixed in TorchServe version 0.82.
-
GitHub Dependabot Gets Customizable Auto-Triage Rules to Reduce False Positives
After launching Dependabot's auto-dismiss policies a few months ago to reduce the number of false positive alerts, GitHub is now adding custom rules support for developers to define the criteria to auto-dismiss and reopen alerts.
-
Go 1.21 Toolchain is Now Reproducible to Help Safeguard from Supply-Chain Attacks
The Go 1.21 toolchain is the first Go toolchain to be perfectly reproducible. This makes it possible to reduce the risk that a malicious actor can tamper with the output binaries to carry out a supply chain attack, explains Google engineer Russ Cox.
-
OpenSSF New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security
The Open Source Consumption Manifesto from OpenSSF aims to make the software industry more aware of its responsibility when it comes to ensuring the software supply chain remains secure and healthy.
-
Google Announces Graph for Understanding Artifact (GUAC) v0.1
The Open Source Security Team at Google has recently introduced GUAC (Graph for Understanding Artifact) v0.1, a tool designed for security professionals. GUAC focuses on metadata synthesis and aggregation, addressing the requirement outlined in the U.S. Executive Order on Cybersecurity. This tool aims to assist security professionals in assessing the security posture of the supply chain.
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
GitHub Announces Code Scanning and Security Advisory Support for Swift
GitHub has launched code scanning support for Swift in beta and announced it will include Swift security advisories in its Advisory Database to extend the capabilities of its Dependabot vulnerability monitor.
-
Google Open Sources Bazel Plugin to Automate Secure Distroless Image Creation
Google and Bazel consulting firm Aspect announced version 1.0 of the Bazel plugin rules_oci. Aimed at simplifying secure container image creation using Bazel, with special emphasis on Distroless images, the new plugin obsoletes rules_docker and improves on it in a number of ways.
-
AWS Supply Chain Now Generally Available with New Features
AWS’s Supply Chain cloud application has recently been made generally available, offering unified data, actionable insights powered by machine learning, and contextual collaboration features to reduce costs and mitigate risk.