
[CramHacks] Newsletter #11: The Open Source Security Index

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳

What a day to have a day. Happy Thanksgiving all!

Software Supply Chain Security

“In this live discussion, Clint will be interviewing Chris Hughes, President of Aquia and author of ‘Software Transparency: Supply Chain Security in an Era of a Software-Driven Society’ on all things supply chain security.”

👋 I’m pumped for this one. I look up to both Clint & Chris; the information and knowledge they share is invaluable and they’ll be talking about Supply Chain!

Make sure to register here! The event is November 29, 2023 at 11 AM PT.

“The Open Source Security Index is designed to make finding open source security projects easier for everyone.”

👋 This is sweet. I love how concise the page is - it definitely serves its purpose. Kudos Andrew Smyth!

Jason Weiss of TestifySec highlights the changes made in the latest revised Secure Software Development Framework (SSDF) Attestation Form.

👋 I was expecting revisions to make the attestation more concrete and feasible. Clearly CISA had a different agenda 🤣. Luckily the signature section states "To the best of my knowledge, I attest that all requirements outlined above are consistently maintained and satisfied." and therefore, you just need a CEO/COO with no knowledge of the requirements and you’re good to go!

Andrey Lukashenkov, Head of Revenue @ Vulners, created the following visual representation of Exploit Prediction Scoring System (EPSS) scores. We know EPSS is dynamic, but what are the odds that these numbers meaningfully fluctuate? Apparently pretty high!

“OWASP dep-scan is an open-source security audit based on known vulnerabilities and advisories for project dependencies. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI, and Google CloudBuild. No server is required!”

👋 Project maintainer Prabhu Subramanian recently presented the latest work on v5, which the team is hoping to release before the holidays.

“Checkmarx customers can now deploy Mobb’s auto-remediation solution for vulnerabilities identified during scans and significantly reduce the time and cost involved in remediating vulnerabilities.”

👋 I’ve only watched the How to Fix Code with Mobb video, but based on that - “auto-remediation” is a bit of a stretch. However, I think it’s likely an appealing solution for many dev teams.

Stackable’s Lars Francke, Lukas Voetmand, and Sönke Liebau have made their dreams of a vulnerability management process public, in hopes of stirring conversation and promoting collaboration towards the goals outlined. The overall goal of this process is “to be ready for the requirements of upcoming regulation like the Cyber Resilience Act, EO 14028 and others as well as just ‘doing the right thing’.”

👋 I can appreciate this - which is why I took some time to provide comments on the public Google doc. Overall, it’s a good thought exercise, but I think we have a long way to go before what is detailed here is attainable using only open-source projects and without massive overhead. An Application Security Posture Management (ASPM) solution is the closest and best-suited to meet these future needs.

Shoutout to all the others that added comments and proposed solutions.

Fun history lesson on Maven Central and its journey to fielding an estimated one trillion requests in 2023 and housing over half a million projects, with over 12 million project versions.

👋 Did you know that Sonatype owns Maven Central? Did you know that GitHub owns NPM? Idk what to say about it, but it’s interesting.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!