Tag: Software Supply Chain
AWS CodeBuild Webhook Misconfiguration Exposed Admin Access Risk
AWS fixed webhook filter misconfigurations in CodeBuild that could have allowed unauthorized repository access. No customer impact or malicious code found ...
Codenotary’s Free SBOM Service Tackles the AI Software Supply Chain
Just because AI is writing your code doesn't mean you can stop worrying about software bills of materials. While the quality of AI coding remains open to debate, there's no question that ...
Legit Security AI Tool Uses Threat Feed to Identify Risks to Software Supply Chain
Legit Security this week added a threat feed that DevSecOps teams can use to instantly determine if a newly discovered vulnerability impacts their software supply chain. Built using the Legit VibeGuard tool, ...
Worms in the Supply Chain: Shai-Hulud and the Next DevOps Reckoning
DevOps was supposed to make software delivery faster, safer and more reliable. For the most part, it has. But every so often, something nasty crawls out of the shadows and reminds us ...
Securing the Software Supply Chain with Full Visibility and Compliance
At swampUP 2025 in Napa Valley, JFrog’s Yossi Shaul, senior vice president of DevOps, joined Alan to reflect on both his personal journey and JFrog’s evolving role in shaping modern software delivery ...
Shai-Hulud Attacks Shake Software Supply Chain Security Confidence
Being the Dune groupie that I am, I couldn't pass up the chance to comment on the "Shai-Hulud" NPM attacks. What a clever name for a worm attack. But as the saying ...
Outages and Security Threats in DevOps Tooling: Cracks in the Foundation
Alan warns that DevOps toolchains — from GitHub to Jira — are showing cracks, with outages and breaches threatening delivery resilience. He urges platform engineers to design for failure, harden security, and ...
Survey Surfaces Uneven Adoption of SBOMs to Secure Software
A survey of 100 security professionals finds nearly half (48%) admit their organizations are falling behind on meeting software bill of materials (SBOM) requirements as specified by the U.S. Office ...
Checkmarx Surfaces Malicious Effort to Compromise Software Supply Chains
Checkmarx this week reported it has discovered malicious software packages that, in addition to injecting malware capable of bypassing endpoint security to exfiltrate data, also provide persistent remote access and control of ...
Endor Labs Extends Microsoft SCA Alliance to GitHub
Endor Labs has allied with GitHub to integrate its software composition analysis (SCA) tools directly within DevOps workflows ...
North Korea’s Lazarus Group Targets Developers, Supply Chain
North Korea’s notorious Lazarus Group is using an advanced malicious implant to target cryptocurrency wallets and is spreading it via a legitimate GitHub profile and possibly through npm packages. The ongoing campaign, dubbed Operation Marstech ...
Proactive Dependency Management: Reducing Risk and Improving Software Quality
Managing dependencies isn’t just best practice, it is an essential ongoing process. Implement these strategies in your projects to stay ahead of potential issues and ensure your software remains reliable, secure and ...