Atlassian has added an extensible catalog for tracking software components, dubbed Compass, to its portfolio of DevOps tools along with an Atlassian Data Lake and Atlassian Analytics cloud service that makes it simpler to aggregate and query data collected from the company’s portfolio of tools. In addition, Atlassian is making its Atlas collaboration framework—formerly known […]
Google Allies With GitHub to Secure Software Supply Chains
Google today revealed it has been working with GitHub to create a forgery-proof method for signing source code as part of an ongoing effort to better secure software supply chains. Bob Callaway, technology lead for open source software supply chain security at Google, said a prototype of this method, written in the Go programming language, […]
Linux Foundation Lists Top Open Source Libraries
The Linux Foundation today published a report that provides access to eight lists of the top 500 open source libraries being used by organizations as part of an ongoing effort to help better secure software supply chains. The Census II of Free and Open Source Software—Application Libraries report is based on usage data from providers […]
Codenotary Launches Cloud Service to Generate SBOMs
Codenotary has launched a Codenotary Cloud platform that can automatically generate a software bill of materials (SBOM) and make it easier to discover what components have been included in an application. Moshe Bar, Codenotary CEO, said that capability can also play a key role in identifying which components in an application might contain, for example, […]
Using Open Source to Secure Software Supply Chains
Recently, there’s been a lot of attention paid to software supply chain security. In particular, here’s a quote from the May 2021 presidential executive order on improving the nation’s cybersecurity: “The Federal government must … advance toward zero trust architecture; accelerate movement to secure cloud services, including … platform as a service (PaaS).” There are […]
Log4j: It’s All About the Supply Chain, Baby!
In 2021, the security story in DevOps and DevSecOps has been the supply chain. So, it’s only fitting that we are currently experiencing the mother of all supply chain issues with the Log4j Log4Shell RCE vulnerability to close out the year. I won’t waste your time rehashing what Log4j is, why it’s so dangerous and […]
Codenotary Uses Immutable Database to Verify Software Artifacts
Codenotary today unfurled a free notarization and verification service for open source artifacts and containers to enable IT organizations to track the provenance of the components that make up their applications. Dennis Zimmer, Codenotary CTO, said the Community Attestation Service is based on an immutable open source immudb database that cryptographically attaches an identity to […]
Sonatype Report Shows Spike in Supply Chain Attacks
Sonatype today released a report that finds there has been a 650% year-over-year increase in supply chain attacks aimed at upstream public repositories. Cybercriminals hope to compromise these repositories by injecting malware into software components that many organizations might be using, according to the report. The seventh annual State of the Software Supply Chain Report […]
Sophos Acquires Refactr to Advance DevSecOps
Sophos this week revealed it has acquired Refactr, a provider of an automation platform that makes it simpler to add static and dynamic security scanning and application testing to a DevOps pipeline. Terms of the deal were not disclosed. Joe Levy, Sophos CTO, said Sophos will extend the Refactr DevSecOps automation platform to add security […]
Unifying Partner Ecosystems With a Distributed Ledger
Blockchain has become famous in recent years for powering the cryptocurrency craze. But the fundamentals behind blockchain could prove helpful in other areas of the data economy, too. Because, as the value of data rises, so does the need for accurate, real-time data sharing across multiple partners. As we saw recently, global trade is surprisingly […]