NPM Supply Chain Breach Response for Anchore Enterprise and Grype Users

On September 8, 2025 Anchore was made aware of an incident in which a number of popular NPM packages were modified to insert malware. The technical details of the attack can be found in the Aikido blog post "npm debug and chalk packages compromised". After an internal audit, Anchore determined no Anchore products, ...
Navigating the New Compliance Frontier

If you develop or use software, which in 2025 is everyone, it feels like everything is starting to change. Software used to exist in a space where we could do almost anything we wanted and it didn’t seem like anyone was really paying attention. We all heard stories about mission ...

OpenSSF SBOM Coffee Club is exactly what you think it is

For the last 7 years CISA has been one of the major public stewards of SBOMs – publishing many whitepapers, hosting a multitude of meetings, and evangelizing the term so that nearly everyone in the industry now recognizes it. For those of us who have been working in the SBOM community over ...
Open Source and foreign influence, should we panic?

Updated 2025-09-08 to add notes about the similar fast-glob package. Wired recently published an article titled "Security Researchers Warn a Widely Used Open Source Tool Poses a ‘Persistent’ Risk to the US" which paints a dire picture of a popular open source Go package named easyjson. This sounds like it ...
The Dangers of a Log4j Worm

Apache Log4j, Log4Shell, worm
Earlier this week there was a report of a Log4j worm found in the wild that exploits the Log4Shell vulnerability. Thankfully, the worm discovered didn’t actually work. However, this should come as a warning to everyone that patching Log4j is extremely important. A successful Log4j worm could have disastrous consequences ...
Security Boulevard

Role Playing an Incident, Except it’s Fun

At RSA Conference 2018 USA I had the pleasure of holding the same session twice. Normally this would mean doing the same basic thing the second time, but my session was rather unique: I held a role-playing event that was very heavy on randomness. I’ve participated in and hosted security ...