What Has Changed in NIST’s Cybersecurity Framework 2.0 and Why Should You Care?
In early August, the U.S. National Institute of Standards and Technology (NIST) released a draft 2.0 version of its landmark Cybersecurity Framework, first published in 2014. A lot has changed over the past 10 years, not least of which is the rising level of cybersecurity threats that the original document ...
CISA’s secure software self-attestation common form is a liability nightmare
In September 2022, the United States Office of Management and Budget (OMB) issued a landmark memo regarding the steps needed to secure your software supply chain to a degree acceptable to the US federal government. Any company that wishes to do business with the government and any federal agency producing ...
How to avoid CVE burnout and alert fatigue in vulnerability scans?
CVE (Common Vulnerabilities and Exposures) scans are essential to securing your software applications. However, with the increasing complexity of software stacks, identifying and addressing all CVEs can be challenging. One of the biggest issues with CVE scans today is the prevalence of false positives, where a ...
Providing a Safe Harbor From Liability for Software Producers
In March 2023 the White House released a new National Cybersecurity Strategy. The strategy outlines 5 pillars the White House considers critical to improving cybersecurity for all Americans, in both the public and private sector. The third pillar deals with the drive to shape ...
Charting the Future of SBOM: Insights From CISA’s New Guide: Shifting the Balance of Cybersecurity Risk
In April 2023 CISA released a new joint guide for software security called Shifting the Balance of Cybersecurity Risk: Security-by-Design and Default Principles. The Guide was composed with the cooperation of 9 different agencies including ...
What Happens When an AI Company Falls Victim to a Software Supply Chain Vulnerability
On March 20th OpenAI took down the popular generative AI tool ChatGPT for a few hours. It later admitted that the reason for the outage was a software supply chain vulnerability that originated in the open-source in-memory data store library ‘Redis’. As a result of this vulnerability, there ...
What We Can Learn From CISA’s SBOM Sharing Lifecycle Report
In April 2023 DHS, CISA, DOE, and CESER released a report titled ‘Software Bill of Materials (SBOM) Sharing Lifecycle Report’. The purpose of the report was to examine the current ways in which people are sharing SBOMs as well as outline, in general terms, ...
Using the 3CX Desktop App Attack To Illustrate the Importance of Signing and Verifying Software
In late March 2023, security researchers exposed a threat actor’s complex software supply chain attack on business communication software from 3CX, mainly the company’s voice and video-calling desktop app. The researchers warned that the app had been trojanized and that using it could expose the organization to a ...
How confident are you with what’s really happening inside your CI/CD pipeline?
The elements you should be securing, and how. CI/CD pipelines are notoriously opaque as to what exactly takes place inside. Even if you’re the one who wrote the YAML config file (the pipeline’s list of instructions), how can you ...
What can you do with an SBOM today?
We can all agree that computer software is a complicated construct composed of numerous diverse components. Open-source software is becoming ever more common as a building block in software. This phenomenon is accompanied by an increase in exploitable vulnerabilities, so it is little wonder that being ...