App Sec & Supply Chain Security
‘Polyfill’ Supply Chain Threat: 4x Worse Than We Thought
Richi Jennings | App Sec & Supply Chain Security
Spackle attack: Chinese company takes over widely used free web service—almost 400,000 websites at risk ...
Security Boulevard
‘Perfect 10’ Apple Supply Chain Bug — Millions of Apps at Risk of CocoaPods RCE
Richi Jennings | App Sec & Supply Chain Security
Tim looks grim: 10 year old vulnerabilities in widely used dev tool include a CVSS 10.0 remote code execution bug ...
GitHub Fights Forks — Millions of Them — Huge Software Supply Chain Security FAIL
Richi Jennings | App Sec & Supply Chain Security
Forking hell: Scrotebots clone thousands of projects, injecting malware millions of times ...
Don’t let CVEs distract you: Shift your AppSec team’s focus to malware
Chasing vulnerabilities can be a time-consuming and time-wasting pursuit for application security (AppSec) teams. A big part of the problem has been the sheer volume of vulnerabilities being reported in recent years, ...
Zero trust and threat modeling: Is it time for AppSec to get on board?
As the use of zero-trust architecture grows, it's becoming apparent to threat modelers that if they want to reap benefits, they will need to modify their existing practices to do it. ...
AI needs transparency: How software supply chain security tools can help secure ML models
Solutions designed to protect the software supply chain can also be used to protect machine learning (ML) models from similar attacks. Two such solutions: the Supply-chain Levels for Software Artifacts (SLSA) framework and ...
How legacy AppSec is holding back Secure by Design
After years of headline-popping software supply chain–related breaches — think SolarWinds, Log4j, 3CX, and MOVEit — software security advocates agree that organizations have to change the way they tackle application security (AppSec) ...
5 best practices for putting SBOMs to work with CI/CD
Software bills of materials (SBOMs) have become a central component of enterprise efforts to secure the software supply chain. President Biden's 2021 Executive Order on Improving the Nation's Cybersecurity, EO 14028, made ...
IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations
ReversingLabs has identified connections between a malicious campaign that was recently discovered and reported by the firm Phylum and several hundred malicious packages published to the NuGet package manager since the beginning ...