DruBOM: An SBOM for Drupal
DruBOM is a Software Bill of Materials (SBOM) for Drupal. It is a list of all the dependencies of a Drupal project, including the Drupal core, modules, themes, and libraries.
By Mihai Maruseac and Jay White. What do open source software, security and AI/ML have in common? The intersection of these topics is what the OpenSSF AI/ML Working Group tackles....
OpenSSF Scorecard is a tool to help open source projects reduce software supply-chain risks. Scorecard analyzes projects against a series of heuristics and generates scores from 0–10 for the project — 0 meaning that the project employs high-risk practices and 10 meaning that the project follows security best practices.
The compromise of VoIP provider 3CX is just one of the latest incidents to highlight gaps in software supply chain security - and the need for a new approach to supply chain risk management, writes Charlie Jones of ReversingLabs.
In this post, we will explore how Yahoo leverages Sigstore, in concert with Athenz, an open source platform for managing X.509 certificates, as an internal Certificate Authority, to sign and verify container images.
Open source vulnerability scanners now increasingly support OpenVEX, helping open source users reduce the pain of managing vulnerabilities and the burden of false positives. These new integrations with OpenVEX can provide rich context on vulnerabilities in a piece of software, ensuring better scanner results such as a reduced false positive rate.
OpenRefactory is working alongside Alpha-Omega's principals to report security vulnerabilities at scale in open source projects. It works with the maintainers to get the vulnerabilities fixed.
A few weeks ago, the OpenSSF Best Practices Working Group published the Source Code Management (SCM) Best Practices guide. This guide is the result of a collaboration of multiple leading security community members under the OpenSSF umbrella. The SCM Best Practices guide provides a comprehensive set of recommendations for securing SCM platforms like GitHub and GitLab.…
In our increasingly digitized world, data reigns supreme. Alongside traditional valuable information like customer records and bank details, data on interactions and activity has become more valuable to companies. As data has become critical, it is also more at risk from theft or attacks like ransomware. According to IBM, the average data breach cost worldwide…
While several articles have been published about how to run your own Sigstore instance, it’s useful to understand how the public good instance is administered – both in terms of configuration and also policies and best practices.