Security News
Each of these "bricks" is itself the product of a long supply chain, which makes the software supply chain a concept that spans every facet of IT: hardware, the source code developers write, third-party tools and platforms, and also data storage and all the infrastructure used to develop, test and distribute the software. Software supply chains have many grey areas that traditional security methods do not address.
In brief: Google has released a new open source software tool to help businesses better understand the risks to their software supply chains by aggregating security metadata into a queryable, standardized database. The Graph for Understanding Artifact Composition, or "GUAC" (pronounced like the avocado dip), "aggregates and synthesizes software security metadata at scale and makes it meaningful and actionable," Google said in a blog post.
Software supply chain risk has grown to be a significant concern for organizations as cyber attackers look to take advantage of the accelerating digitalization that has seen many enterprises significantly increase their reliance on cloud-based solutions and services, as well as third-party service providers. In this Help Net Security video, Marc Woolward, Global CTO & CISO at vArmour, talks about notable supply chain attacks and predicts how they will evolve in 2023.
Google on Thursday announced that it is seeking contributors to a new open source initiative called Graph for Understanding Artifact Composition, also known as GUAC, as part of its ongoing efforts to shore up software supply chain security. "GUAC addresses a need created by the burgeoning efforts across the ecosystem to generate software build, security, and dependency metadata," Brandon Lum, Mihai Maruseac, and Isaac Hepworth of Google said in a post shared with The Hacker News.
Where are we today and what are some of the tailwinds driving the implementation of AI into supply chains, especially coming out of COVID? Where do we see the future of AI in modern supply chains and in the supply chains of the future?
As software supply chain security becomes more and more crucial, security, DevSecOps, and DevOps teams are more challenged than ever to build transparent trust in the software they deliver or use. We at Scribe Security recently launched a new platform to address these urgent needs by enabling its users to build trust in their software across teams and organizations.
Open-source software is a critical element of the software supply chain in companies of all sizes, but there are new security concerns for the open-source software supply chain, calling for better approaches to packaging security, according to VMware. Top-level findings from The State of the Software Supply Chain: Open Source Edition 2022 show that OSS is clearly fulfilling stakeholder expectations for cost efficiency, increased flexibility, and developer productivity.
Security researchers have discovered an npm timing attack that reveals the names of private packages, so threat actors can publish malicious clones under those names to trick developers into installing them instead. The attack relies on a small difference in how long the registry takes to return a "404 Not Found" error for a private package compared with a package that does not exist at all. Although the difference is only a few hundred milliseconds, it is enough to tell whether a private package exists, which is all an attacker needs to set up a package impersonation attack.
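The following is an added example, not code from the article or from the researchers it cites. It models the side channel described above with constructed timings: a registry that answers 404 for both private and non-existent packages but takes longer on the private path, and a probe that repeats the request, takes the median to suppress jitter, and compares it against a freshly generated control name that cannot exist. The package names, latencies and the 200 ms gap are all assumptions chosen for illustration. The `leaky` switch shows the caveat a practitioner cares about: once the registry responds in constant time the same probe learns nothing.

```python
import random
import statistics

# Constructed example data: hypothetical names, not real npm packages.
PRIVATE_PACKAGES = {"@acme/internal-utils", "@acme/billing-core"}


def simulated_registry_lookup(name: str, rng: random.Random, leaky: bool = True):
    """Model an unauthenticated metadata request for `name`.

    Both a private package and a non-existent one come back as 404, so the
    status code alone reveals nothing. With `leaky` set, the private path does
    extra work (an access check) before answering and therefore takes a few
    hundred milliseconds longer, which is the behaviour the article describes.
    Timings are synthetic milliseconds, not measurements.
    """
    elapsed_ms = max(rng.gauss(120.0, 25.0), 1.0)   # baseline latency plus jitter
    if leaky and name in PRIVATE_PACKAGES:
        elapsed_ms += 200.0                          # the leak: extra work before the 404
    return 404, elapsed_ms


def median_latency(name, samples, rng, leaky=True):
    """Repeat the request and take the median; the median resists jitter outliers."""
    return statistics.median(
        simulated_registry_lookup(name, rng, leaky)[1] for _ in range(samples)
    )


def probe(candidate, samples=20, seed=1, leaky=True, threshold_ms=100.0):
    """Decide whether `candidate` exists as a private package.

    Calibrate against a random control name that is certainly unregistered,
    then compare the candidate's median response time to that baseline.
    Returns True when the gap exceeds `threshold_ms`.
    """
    rng = random.Random(seed)
    control = f"@acme/ctrl-{rng.getrandbits(48):012x}"  # fresh random name, never registered
    baseline = median_latency(control, samples, rng, leaky)
    observed = median_latency(candidate, samples, rng, leaky)
    return observed - baseline > threshold_ms


def find_private_packages(candidates, **kwargs):
    """Run the probe over a word list, as an attacker guessing internal names would."""
    return [name for name in candidates if probe(name, **kwargs)]


if __name__ == "__main__":
    wordlist = ["@acme/internal-utils", "@acme/public-sdk", "@acme/billing-core"]
    print("leaky registry:", find_private_packages(wordlist))
    print("constant-time :", find_private_packages(wordlist, leaky=False))
```

The probe only ever learns that a name exists; the damage comes afterwards, when a public package with the same name is published and a misconfigured client or dependency-confusion setup resolves to it. That is why the defence belongs on the consuming side as well as the registry side: pin your private scope to your private registry in `.npmrc` so a public clone of the same name is never a candidate for installation.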
With that in mind, Scribe decided to take the lead and become the first vendor to introduce the concept of a hub for security evidence about software products, launching an easy-to-use platform for it. Software security evidence hub: while most other software supply chain security solutions ignore the need to make a software product's security transparent to customers, buyers, and security teams, Scribe's platform introduces a hub for that security evidence.
Software supply chains at risk: the account takeover threat. A software supply chain attack targets software repositories or download locations in order to spread malware instead of, or in addition to, the legitimate software.