- CramHacks
- Posts
- [CramHacks] Newsletter #11: The Open Source Security Index
[CramHacks] Newsletter #11: The Open Source Security Index
CramHacks Chronicles: Key Insights On Software Supply Chain Risks
Kyle Kelly
November 22, 2023
š„³ Happy Monday! š„³
What a day to have a day. Happy Thanksgiving all!
Software Supply Chain Security
āIn this live discussion, Clint will be interviewing Chris Hughes, President of Aquia and author of āSoftware Transparency: Supply Chain Security in an Era of a Software-Driven Societyā on all things supply chain security.ā
š Iām pumped for this one. I look up to both Clint & Chris; the information and knowledge they share is invaluable and theyāll be talking about Supply Chain!
Make sure to register here! The event is November 29, 2023 at 11 AM PT.
āThe Open Source Security Index is designed to make finding open source security projects easier for everyone.ā
š This is sweet. I love how concise the page is - it definitely serves its purpose. Kudos Andrew Smyth!
Jason Weiss of TestifySec highlights the changes made in the latest revised Secure Software Development Framework (SSDF) Attestation Form.
š I was expecting revisions to make the attestation more concrete and feasible. Clearly CISA had a different agenda š¤£. Luckily the signature section states "To the best of my knowledge, I attest that all requirements outlined above are consistently maintained and satisfied." and therefore, you just need a CEO/COO with no knowledge of the requirements and youāre good to go!
Andrey Lukashenkov, Head of Revenue @ Vulners created the following visual representation of Exploit Prediction Scoring System (EPSS) scores. We know EPSS is dynamic, but what are the odds that these numbers meaningfully fluctuate? Apparently pretty high!
āOWASP dep-scan is an open-source security audit based on known vulnerabilities and advisories for project dependencies. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI, and Google CloudBuild. No server is required!ā
š Project maintainer Prabhu Subramanian recently presented the latest work in regards to v5, which the team is hoping to release before the holidays.
āCheckmarx customers can now deploy Mobbās auto-remediation solution for vulnerabilities identified during scans and significantly reduce the time and cost involved in remediating vulnerabilities.ā
š Iāve only watched the How to Fix Code with Mobb video, but based on that - āauto-remediationā is a bit of a stretch. However, I think itās likely an appealing solution for many dev teams.
Stackableās Lars Francke, Lukas Voetmand, and Sƶnke Liebau have made their dreams of a vulnerability management process public, in hopes of stirring conversation and promoting collaboration towards the goals outlined. The overall goal of this process is āto be ready for the requirements of upcoming regulation like the Cyber Resilience Act, EO 14028 and others as well as just ādoing the right thingā.ā
š I can appreciate this - which is why I took some time to provide comments on the public Google doc. Overall, itās a good thought exercise, but I think we have a long ways to go before what is detailed here is obtainable using only open-source projects and without massive overhead. An Application Security Posture Management (ASPM) solution is the closest and best-suited to meet these future needs.
Shoutout to all the others that added comments and proposed solutions.
Fun history lesson on Maven Central and its journey to fielding an estimated one trillion requests in 2023 and housing over half a million projects, with over 12 million project versions.
š Did you know that Sonatype owns Maven Central? Did you know that GitHub owns NPM? Idk what to say about it, but itās interesting.
Until Next Time! š
Hey, you made it to the bottom ā thanks for sticking around!
Questions, ideas, or just want to chat? Slide into my inbox! š
If you think someone could benefit from this, donāt hesitate to forward.
See you next Monday!
-Kyle