1 views collected around this technical thread.
This article explains how Software Bill of Materials (SBOM) mirrors hardware BOMs, outlines their core differences, presents best practices, tools, and implementation strategies to improve supply‑chain transparency, compliance, and security for modern software development.
This article explains how Software Bill of Materials (SBOM) serves as a digital map for component dependency and change management, detailing its functions in visualizing dependencies, detecting version conflicts, ensuring license compliance, and providing supply‑chain risk alerts, ultimately improving development efficiency, security, and regulatory compliance.
The article examines the critical importance of software supply chain security, outlines frequent attacks and real‑world cases, discusses national standards and compliance measures, and highlights emerging AI‑driven and blockchain‑based innovations that aim to protect the entire software lifecycle.
AI programming assistants such as GitHub Copilot and Cursor can be hijacked through poisoned configuration files that hide malicious prompts using invisible Unicode characters, exposing developers to risks like data leakage, DDoS, cryptomining and trojan injection, so they must avoid unknown configs, sandbox generated code, and employ static analysis and AI audits to mitigate threats.
This article outlines ten essential best‑practice principles for implementing a Secure Development Lifecycle (SDL), covering top‑down leadership, alignment with existing management systems, visualizable processes, security goal classification, componentized security capabilities, supply‑chain management, service‑oriented SDL, DevSecOps toolchains, continuous optimization, and staff training.
A security research team created a counterfeit VSCode extension in half an hour, demonstrated how easily malicious code can be injected and distributed through the VSCode Marketplace, and revealed that dozens of high‑value companies, security firms and even a national court were compromised, highlighting critical gaps in extension vetting and supply‑chain protection.
The article explains software supply chain security by describing how source code becomes artifacts, the role of hashes and digital signatures, and how frameworks like SLSA and Sigstore provide attestations and trusted signing to ensure provenance and protect against tampering.
This article explains how to generate and verify software artifact provenance with the Witness framework in non‑GitHub ecosystems, covering installation, key creation, configuration, running, signing, and policy verification to achieve higher SLSA levels.
This article translates Google's SLSA framework paper, explaining software supply chain threats, the four SLSA levels, mitigation strategies, a provenance generation example, and concluding with its impact on software security, while also noting related DevOps certification offerings.
This article explains what an SBOM (Software Bill of Materials) is, its purpose for software supply‑chain visibility and risk management, compares it with SLSA and Black Duck, outlines best‑practice recommendations, and lists popular tools for generating SBOMs.
This article explains what a Software Bill of Materials (SBOM) is, compares it with SLSA and Black Duck, outlines best practices for creating and maintaining SBOMs, and reviews popular tools for generating SBOMs to improve software supply chain security.
This article explains the SLSA (Supply chain Levels for Software Artifacts) framework, outlines common software supply‑chain threats, details the four SLSA levels and their requirements, discusses limitations, and reviews tools such as OpenSSF Scorecard, slsa‑verifier and Sigstore for improving software artifact integrity.
This article examines the rising software supply‑chain security risks in fast‑paced agile development, outlines regulatory pressures, and presents a comprehensive management framework—including policies, dynamic asset views, full‑lifecycle risk identification, and DevSecOps practices—to help enterprises mitigate vulnerabilities and ensure secure delivery.
The 2023 DevSecOps forecast highlights five major trends—including prioritizing software supply‑chain security, embedding security education in DevOps, pervasive AI/ML across the SDLC, deeper value‑stream analysis, and left‑shifting observability—while emphasizing zero‑trust, SBOM adoption, and the growing role of security in cloud‑native environments.
The article explains why software supply chain security is increasingly critical, introduces the SLSA (Supply‑Chain Levels for Software Artifacts) framework and its three trust boundaries, outlines common risk points from code commit to package distribution, and discusses mitigation strategies such as mandatory code review, robot‑account controls, and automation.
The 2022 Accelerate State of DevOps Report reveals that while application‑level security scanning in CI/CD pipelines is widely adopted, organizational culture, cloud adoption, and performance metrics significantly influence DevOps effectiveness, with overall performance declining amid pandemic‑related challenges.
The article explains how vulnerabilities in version control systems and CI/CD pipelines can expose the software supply chain to attacks and provides best‑practice recommendations for hardening VCS configurations, branch protection, least‑privilege access, secure testing environments, and credential management.
In a detailed interview, XMirror Security founder Zi‑Ya discusses the origins of his team, the core elements of DevSecOps, the innovative code‑vaccine technology combining IAST and RASP, maturity stages of development security in China, and future trends in software‑supply‑chain security.
This article presents a comprehensive set of fifteen best‑practice guidelines—nine pre‑inclusion checks and six post‑inclusion usage rules—covering design review, code quality, automated testing, debugging, licensing, transitive dependencies, security, and upgrade strategies to ensure a robust and secure software supply chain.
This article presents fifteen practical guidelines for managing software dependencies, covering pre‑inclusion checks such as design review, code quality, testing, security, licensing, and transitive dependencies, as well as post‑use practices like encapsulation, isolation, update strategies, and continuous monitoring to maintain a secure and reliable supply chain.