#softwaresupplychainsecurity — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #softwaresupplychainsecurity, aggregated by home.social.
-
A new article is live on Cyfinoid Research:
AppSec in the New Security Cost Model
https://cyfinoid.com/appsec-in-the-new-security-cost-model/
The core argument is simple. AppSec is still reacting to AI by improving the vulnerability queue. Better reachability, exploitability scoring, CVE enrichment, and prioritization help, but they were designed around an older cost model.
AI changes attacker iteration cost. The defender bottleneck is increasingly verification capacity.
Can we safely validate, fix, test, deploy, and monitor changes at the required pace?
That changes how we should think about AppSec programs. Smaller stacks matter. Attack surface reduction matters. Bug-class elimination matters. Compensating controls need expiry and replacement plans. Test coverage becomes a security capability. Safe remediation throughput becomes a useful metric.
I also connect this to Goldratt’s Theory of Constraints and the SaaS vs in-house ownership tradeoff, especially for SMBs.
The question is no longer only which vulnerability should be fixed first. The question is how much verified remediation an organization can safely produce.
-
#Checkmarx is breached again via its Jenkins plugin GitHub repo compromised in a software supply chain hack:
#SoftwareSupplyChainSecurity
👇
-
Precision Container Security with Docker and Black Duck
#Docker #Partnerships #Products #DockerHardenedImages #Scanner #Softwaresupplychainsecurity #VEX
https://www.docker.com/blog/precision-container-security-with-docker-and-black-duck/
-
Reclaim Developer Hours through Smarter Vulnerability Prioritization with Docker and Mend.io
#Docker #Partnerships #Products #DockerHardenedImages #Softwaresupplychainsecurity #VEX
-
#Checkmarx GitHub Actions and Open VSX extensions hacked and replaced with malware by the same TeamPCP who hacked Trivy last week.
#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html
-
Announcing Docker Hardened System Packages
#Products #Security #Docker #DockerHardenedImages #Security #Securitypackages #Softwaresupplychainsecurity
https://www.docker.com/blog/announcing-docker-hardened-system-packages/
-
One last story for the week/month: Harness makes its #artifactregistry generally available beyond early preview customers, with a security twist that could challenge established players such as #jfrog
https://www.techtarget.com/searchsoftwarequality/news/366639489/Harness-Artifact-Registry-strengthens-supply-chain-governance #devsecops #appdev #softwaresupplychainsecurity
-
Hardened Images Are Free. Now What?
#Docker #Company #Engineering #Products #Security #Solutions #DHI #DockerHardenedImages #DockerScout #Security #Softwaresupplychainsecurity
-
Malicious updates were published to official #dYdX trading packages on #npm and #PyPI, delivering a wallet stealer and remote access malware.
Malware was published via compromised maintainer accounts:
#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html
-
#Python : Malicious #PyPI Package called 'sympy-dev' Impersonates #SymPy, Deploys XMRig Miner on Linux Hosts:
#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
-
Brett Smith, distinguished software developer at #AI and #datamanagement software and services company SAS, has spent nine of his 13 years with the company focused on #softwaresupplychainsecurity, managing #DevSecOps and compliance for a 3,000-developer organization. He shares the good, the bad and the ugly of the journey to date, and his outlook for the future in this week's episode of the #ITOps Query #vodcast:
-
Safer Docker Hub Pulls via a Sonatype-Protected Proxy
#Docker #Partnerships #Products #DockerHub #NexusRepository #Softwaresupplychainsecurity
https://www.docker.com/blog/safer-docker-hub-pulls-via-a-sonatype-protected-proxy/
-
Believe it or not, things got a little spicy in #softwaresupplychainsecurity this week, with #Docker, Inc calling out Chainguard as it made its catalog of #DockerHardenedImages free under an #Apache2 license (to which Chainguard had some answers).
In the meantime, #Chainguard launched EmeritOSS, a new support option for deprecated #OSS projects. #opensourcesecurity
-
#VSCode: 24 malicious VS Code and #OpenVSX extensions are stealing developer credentials - spreading through popular names like Flutter, React, and Tailwind.
Full list of malicious VSCode extensions in the article below:
#SoftwareSupplyChainSecurity
👇
https://thehackernews.com/2025/12/glassworm-returns-with-24-malicious.html
-
Sometimes I wonder what would happen if
OSS developers simply listed every single bug report they receive on their website and clearly noted that they don't have the resources to fix it.
And then listed every single mega corp that uses that OSS library and clearly sent out a message informing the world that they don't fix bugs, and that since none of these orgs like helping, anyone using them is vulnerable.
Maybe, just maybe, that would give people an idea about putting pressure on the wrong set of individuals.
But most importantly it would make it clear to people where the responsibility for the security of your customers lies: with you or with a third party.
#softwaresupplychainsecurity #supplychaincompromise #opensource
-
It's the first on-location episode of #ITOps Query! At #GitHubUniverse, Katie Norton, Research Manager for IDC's #DevSecOps and #softwaresupplychainsecurity practice, explains how a new extension to GitHub's #CodeQL reflects increased awareness of security as a dimension of code quality and much more! https://youtu.be/eCU3OKgOTWY?si=ndH9I3kyYiErc2Qz
-
A new wave of #softwaresupplychainsecurity tools is emerging to tackle #vulnerabilitymanagement for customers using hosted services that deliver fortified container and application images or artifacts. #OSS #cybersecurity #vulnerabilityremediation #chainguard #docker #cloudsmith #containersecurity #SaaS https://www.techtarget.com/searchitoperations/news/366625212/Software-supply-chain-security-tools-take-on-toil-for-users
-
"Another wakeup call:" A #softwaresupplychain attack on a widely used GitHub Actions repository renews experts' calls for better #buildpipeline security. #CICD #softwaresupplychainsecurity #GitHubActions https://www.techtarget.com/searchitoperations/news/366621078/GitHub-Actions-supply-chain-attack-spotlights-CI-CD-risks
-
⚠️#GitHub: Critical security incident involving the popular tj-actions/changed-files GitHub Action which contained credentials/secrets exfiltration malware! ☣️ (CVE-2025-30066)
#SoftwareSupplyChainSecurity
#tjactions
👇
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
-
Log4Shell Vulnerability | Why it Still Exists and How to Protect Yourself | Contrast Security – Source: securityboulevard.com https://ciso2ciso.com/log4shell-vulnerability-why-it-still-exists-and-how-to-protect-yourself-contrast-security-source-securityboulevard-com/ #ApplicationDetectionandResponse(ADR) #Thirdpartysoftwarevulnerabilities #managedsecurityserviceproviders #softwaresupplychainsecurity #rssfeedpostgeneratorecho #opensourcesecurityrisks #SecurityBloggersNetwork #Log4Shellremediation
-
Timely for #Halloween - Joshua Corman and I discuss the scariest story I know of in IT - the mounting threats to the #cybersecurity of critical infrastructure.
"We live in glass houses. And people are about to start throwing rocks." #ITOps #podcast #SBOM #softwaresupplychainsecurity #volttyphoon #secops #undisruptable27
-
North Korea IT Worker Scam Brings Malware and Funds Nukes – Source: securityboulevard.com https://ciso2ciso.com/north-korea-it-worker-scam-brings-malware-and-funds-nukes-source-securityboulevard-com/ #SecurityChallengesandOpportunitiesofRemoteWork #DeepFakeandOtherSocialEngineeringTactics #IdentityandAccessManagement #SecurityBoulevard(Original) #softwaresupplychainsecurity #rssfeedpostgeneratorecho #Analytics&Intelligence #RegulatoryCompliance #SecuringOpenSource #SecurityOperations #Governance
-
#OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt in a manner similar to the recent XZ incident:
#SoftwareSupplyChainSecurity
https://thehackernews.com/2024/04/openjs-foundation-targeted-in-potential.html
-
Sisense Hacked: CISA Warns Customers at Risk – Source: securityboulevard.com https://ciso2ciso.com/sisense-hacked-cisa-warns-customers-at-risk-source-securityboulevard-com/ #DeepFakeandOtherSocialEngineeringTactics #IdentityandAccessManagement #SecurityBoulevard(Original) #softwaresupplychainsecurity #rssfeedpostgeneratorecho #DigitalTransformation #RegulatoryCompliance #ApplicationSecurity #SecuringOpenSource #SecurityOperations #CyberSecurityNews #EditorialCalendar #IndustrySpotlight #Cyberlaw
-
FCC: Phone Network Bugs Must Be Fixed — But are SS7/Diameter Beyond Repair? – Source: securityboulevard.com https://ciso2ciso.com/fcc-phone-network-bugs-must-be-fixed-but-are-ss7-diameter-beyond-repair-source-securityboulevard-com/ #SecurityChallengesandOpportunitiesofRemoteWork #DeepFakeandOtherSocialEngineeringTactics #FederalCommunicationsCommission #IdentityandAccessManagement #SecurityBoulevard(Original) #softwaresupplychainsecurity #rssfeedpostgeneratorecho #Analytics&Intelligence #SocialX
-
Biden Review Board Gives Microsoft a Big, Fat Raspberry – Source: securityboulevard.com https://ciso2ciso.com/biden-review-board-gives-microsoft-a-big-fat-raspberry-source-securityboulevard-com/ #SecurityChallengesandOpportunitiesofRemoteWork #MicrosoftAzureActiveDirectory #IdentityandAccessManagement #SecurityBoulevard(Original) #softwaresupplychainsecurity #rssfeedpostgeneratorecho #Analytics&Intelligence #CyberSafetyReviewBoard #MicrosoftAzureSecurity #azureactivedirectory #SecurityOperations