Software Supply Chain Content on InfoQ
-
Azul Joins the Effort of Improving Supply Chain Security by Launching Vulnerability Detection SaaS
On November 2nd, Azul released a new security product intended to address the growing risk of enterprise software supply chain attacks, a risk compounded by severe vulnerabilities such as Log4Shell. Azul Vulnerability Detection is a SaaS offering that continuously detects known security vulnerabilities in running Java applications. Azul also claims that the detection has no impact on application performance.
-
AWS Adds Container Lens to Well-Architected Framework
AWS has added a new container lens to its Well-Architected Framework. This new technical paper outlines best practices sourced from the community, AWS partners, and AWS's internal container technology specialists. These best practices provide guidance for running high-performance, reliable, and secure container workloads. The paper also includes reference architectures for a few common use cases.
-
Google Distroless Images Achieve SLSA Level 2
Google announced that their distroless builds meet level 2 of the Supply-chain Levels for Software Artifacts (SLSA) framework. Level 2 is the SLSA specification's "tamper resistance of the build service" level: the images must be built on a hosted build service that generates authenticated provenance. This builds on the earlier release in which all distroless images were signed with cosign.
-
Google 2022 Accelerate State of DevOps Report Finds Strong Culture Predictive of Strong Performance
Google has released their findings from the 2022 Accelerate State of DevOps Report. This year's report focused on security with a specific emphasis on the software supply chain. The report found a broad adoption of the inspected practices with organizations that have a high-trust, low-blame culture leading the way in both security and operational practices.
-
Undistro Wolfi Designed to Mitigate Software Supply Chain Risk
Chainguard has announced the general availability of Wolfi, a new Linux distribution designed for container environments and built to ensure a secure software supply chain. Wolfi is designed to be a minimal distribution that provides a build-time SBOM for all included packages.
-
GitHub Extends Its Supply Chain Security to Rust
GitHub has brought Rust support to its supply chain security features. Aimed at ensuring that a project and its dependencies are free of known vulnerabilities, GitHub supply chain security includes the GitHub Advisory Database, the dependency graph, and Dependabot alerts and security updates, all of which now understand Cargo manifests and lock files.
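As an added example (not taken from GitHub's announcement), the `.github/dependabot.yml` a Rust project would commit to have Dependabot watch its Cargo dependencies; the directory, schedule, pull request limit and grouping names are illustrative assumptions:

```yaml
# .github/dependabot.yml (added example; values are assumptions)
version: 2
updates:
  # Watch the Cargo.toml / Cargo.lock in the repository root.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open version-update PRs; security updates are not
    # counted against this limit.
    open-pull-requests-limit: 5
    # Label the PRs so branch-protection rules and triage filters can find them.
    labels:
      - "dependencies"
      - "rust"
    # Example of ignoring a major version bump until it is reviewed by hand.
    ignore:
      - dependency-name: "tokio"
        update-types: ["version-update:semver-major"]
```

The file only configures version updates. Dependabot alerts and security updates are switched on separately under the repository's "Code security and analysis" settings, and security updates require alerts to be enabled, so a repository with this file but alerts disabled still gets no vulnerability notifications.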
-
Veracode Report Shows Signs of Progress in Securing Software Supply Chain
Veracode's recently released State of Software Security report found a general decline in the number of known security vulnerabilities found in third-party libraries along with a trend towards smaller applications being scanned more regularly for issues. It also finds that the industry still has a long way to go.
-
Software Supply Chain Security Project in-toto Accepted into CNCF Incubator
The CNCF Technical Oversight Committee (TOC) has accepted the in-toto project as a CNCF incubating project. The in-toto project aims to cryptographically protect the entire software build and delivery process - the “supply chain” - from malicious actors.
-
Securing the Open-Source Software Supply Chain
Recent findings by security researchers at SonarSource showed multiple security vulnerabilities in popular package managers, including Pip, Yarn, Composer, and others. Package managers, though, are not the only weak link in the open source security chain. InfoQ has spoken with Sonatype CTO Brian Fox.
-
OpenSSF Announces the Alpha-Omega Project to Improve Software Supply Chain Security
The Open Source Security Foundation (OpenSSF), in partnership with Google and Microsoft, has announced the Alpha-Omega Project to improve supply chain security across open source software (OSS) projects. The project will focus on improving the security posture of the most widely deployed and critical OSS projects.
-
Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow
GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the number of repositories included in the foundation's weekly scans.
-
Aqua Security Reports Large Increase in Supply Chain Attacks
Aqua Security's recent report highlights the increasing threat of supply chain attacks. According to the report, supply chain attacks grew by 300% from 2020 to 2021 while the level of security across software development environments remained low. Google and the CNCF have recently released papers detailing approaches to improving the security of the supply chain.