[CramHacks] Newsletter #6: is coffee supply chain?
CramHacks Chronicles: Key Insights On Software Supply Chain Risks
🥳 Happy Monday! 🥳
This week we’re in Key Largo, FL 👀. This trip used to be a lot more enjoyable when I was living in NY - I miss San Diego. That said, work is going well and the food here is delicious. I do think it’s time for a CramHacks private jet because these red-eye flights are really taking a toll on me.
Shoutout to all our new subscribers! I was half-asleep one night and dropped a post on r/cybersecurity, only to recognize a few days later that we flew 🛫 past 100 subscribers.
As the end of year starts to slow down for Holidays, I’m beginning to fill my schedule with speaking opportunities. I have some scheduled already, but would love to do more! If you’re a part of a community interested in Software Supply Chain Security, no matter the size, shoot me an email and let’s schedule something 🙂.
Software Supply Chain Security
Jeff Luszcz discusses software composition analysis (SCA) and why your SBOM or supply chain security products are likely not giving you the expected coverage for the latest cURL vulnerability and other vulnerabilities impacting (mostly C/C++) packages.
👋 I wanted to start off this week with the simplest expression of how messy software supply chain security is.
Exhibit A: The definition of Software Supply Chain Security as per Synopsys:
“The software supply chain is anything and everything that touches an application or plays a role, in any way, in its development throughout the entire software development life cycle (SDLC). Software supply chain security is the act of securing the components, activities, and practices involved in the creation and deployment of software. That includes third-party and proprietary code, deployment methods and infrastructure, interfaces and protocols, and developer practices and development tools.”
Yep, that’s right… EVERYTHING IS SOFTWARE SUPPLY CHAIN SECURITY. Heck, developers not having coffee readily available is a software supply chain incident.
The question is really, where do we draw the line for what gets included in a software bill of materials (SBOM)? Recent vulnerabilities underscore the importance of including system packages and the like, but what’s next: every driver, operating system, kernel version, what the dev had for breakfast?
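The coverage gap Jeff Luszcz describes above, as an added example (this is not code from the newsletter or from the article it links): a small Python check that classifies the components of a CycloneDX-style SBOM by purl type and reports whether a native library such as libcurl is inventoried at all. The two SBOM documents, package names and version strings are constructed sample data, not real project inventories, and the names in `library_names` are an assumption about how curl is spelled in OS package manifests.

```python
"""Added example: does an SBOM inventory system-level packages such as libcurl?

An SCA tool that reads only language manifests (package.json, requirements.txt)
produces an SBOM of application-level components. Native libraries installed by
the OS package manager, or linked through bindings such as pycurl, never appear,
so a vulnerability in them is invisible to SBOM-based matching.
Both SBOM documents below are constructed sample data.
"""
import json

# purl types that an SCA tool fills in from a language manifest
APP_LEVEL = {"npm", "pypi", "maven", "cargo", "golang", "nuget", "gem"}
# purl types that describe OS-level / system packages
SYSTEM_LEVEL = {"deb", "rpm", "apk", "alpm", "generic"}

# Constructed: an SBOM produced from language manifests only.
APP_ONLY_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "pycurl", "version": "7.45.2",
     "purl": "pkg:pypi/pycurl@7.45.2"}
  ]
}
""")

# Constructed: the same application, but the SBOM also inventories the
# container image's OS packages (versions are sample values).
FULL_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "pycurl", "version": "7.45.2",
     "purl": "pkg:pypi/pycurl@7.45.2"},
    {"type": "library", "name": "curl", "version": "7.88.1-10",
     "purl": "pkg:deb/debian/curl@7.88.1-10"},
    {"type": "library", "name": "libcurl4", "version": "7.88.1-10",
     "purl": "pkg:deb/debian/libcurl4@7.88.1-10"}
  ]
}
""")


def purl_type(purl):
    """Return the type segment of a package URL ('deb' for pkg:deb/debian/curl@7.88.1-10)."""
    if not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0].lower()


def classify_components(sbom):
    """Bucket CycloneDX components into app-level, system-level and unknown by purl type."""
    buckets = {"app": [], "system": [], "unknown": []}
    for comp in sbom.get("components", []):
        kind = purl_type(comp.get("purl", ""))
        if kind in APP_LEVEL:
            buckets["app"].append(comp["name"])
        elif kind in SYSTEM_LEVEL:
            buckets["system"].append(comp["name"])
        else:
            buckets["unknown"].append(comp["name"])
    return buckets


def find_components(sbom, names):
    """Return the components whose name matches any entry in names (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [c for c in sbom.get("components", []) if c.get("name", "").lower() in wanted]


def coverage_report(sbom, library_names=("curl", "libcurl", "libcurl4")):
    """Summarise whether the SBOM carries an OS inventory and whether curl shows up in it.

    library_names is an assumption about how curl is named in OS package manifests.
    """
    buckets = classify_components(sbom)
    hits = find_components(sbom, library_names)
    return {
        "app_components": len(buckets["app"]),
        "system_components": len(buckets["system"]),
        "has_system_inventory": bool(buckets["system"]),
        "library_listed": bool(hits),
        "library_versions": sorted(c.get("version", "?") for c in hits),
    }


if __name__ == "__main__":
    for label, sbom in (("manifest-only SBOM", APP_ONLY_SBOM),
                        ("SBOM with OS packages", FULL_SBOM)):
        print(label, json.dumps(coverage_report(sbom)))
```

The pycurl entry is the point: the binding is visible in the manifest-only SBOM, but the native libcurl it wraps is not, so a vulnerability scanner matching on SBOM components has nothing to match against until the generator also walks the OS package database (the `has_system_inventory` flag is a cheap way to spot SBOMs that never did).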
🙌PREACH🙌 HashiCorp's CEO, Dave McJannet, believes that traditional open-source licensing models are unsustainable for businesses in Silicon Valley as they leave innovations vulnerable to commercial exploitation by competitors, prompting HashiCorp's switch to a more restrictive license.
👋 I love me some open source but sheesh, some of these communities put in a lot of blood, sweat, and tears just to have someone profit off their backs. I don’t know what the solution is, but it’s something we should really be talking about.
Thank you Joe Fay & The Stack for the article.
A repository of reports (OSV Format) for malicious packages identified in Open Source package repositories. 🔥
👋 This is a solution for a problem we really shouldn’t have - in my opinion, this should be the responsibility of the package managers. NPM for example is flooded with malicious packages; even when they are taken down, there’s no notice or flag to notify developers that they are using a known malicious package - this should be baked in to
“Named after the smallest octopus, Wolfi is a lightweight GNU software distribution which is designed around minimalism, making it well-suited for containerized environments built with apko.”
👋 This is a 🔥 project and it’s been exciting to follow, even if I’ve only known about it for a few months.
Build security into software products by design,
consume only high-value open source software, components, and projects, and
require software manufacturers to demonstrate their approach to vetting OSS used in their products.
“The EU assumes all open-source developers are commercial programmers and that your Fortune 500 company will take care of all the CRA's paperwork”
Cybersecurity Executive Order (EO)
Secure Software Development Framework (SSDF)
FDA Ensuring Cybersecurity of Medical Devices/Section 524B
Until Next Time! 👋
Hey, you made it to the bottom – thanks for sticking around!
Questions, ideas, or just want to chat? Slide into my inbox! 💌
If you think someone could benefit from this, don’t hesitate to forward.
See you next Monday!