Tips for Securing the Software Supply Chain
“Software supply chain attacks are at the top of all CISOs’ minds,” says ReliaQuest CISO Jeff Music. Music attributes the popularity of software supply chain attacks to the fact that these attacks are relatively easy to conduct and have a significant payoff for the attacker. “This is especially the case if the vulnerable hardware or…
How to Reduce Code Risk Using Pipelineless Security
Secrets embedded in source code pose a risk to developers and the organizations they work in. Secrets can be used to take over both user and service accounts, which can lead to sensitive data exposure, operational risks, and financial or reputational damage. There are many commercial and open source projects available to detect hardcoded secrets,…
Software Supply Chain Security Needs a Bigger Picture
The intricate labyrinth of open source dependencies across the global software supply chain has created an application security puzzle of mammoth proportions. Whether open source or closed, most of the world’s software today is built on third-party components and libraries. Consequently, one piece of vulnerable code in even the smallest of open source projects can…
Log4j and the Role of SBOMs in Reducing Software Security Risk
Recent high-profile cybersecurity incidents such as the SolarWinds attack and the Apache Log4j vulnerability have exposed the threats associated with the software supply chain. These can range from fairly simple exploits of known vulnerabilities to very sophisticated attacks, sponsored by nation-state actors. The annual spending on enterprise software — also known as commercial off-the-shelf or…
JFrog’s New Tools Flag Malicious JavaScript Packages
DevOps security firm JFrog released three open source security tools in response to recent issues with software registry npm to help JavaScript developers detect and prevent the installation of problematic packages. Software supply chain attacks are becoming a big problem in the open source software ecosystem, with attackers sneaking information stealers, keyloggers, and other types…
