@chainguard Enforce now automates #SBOMs, but execs and an early customer say they aren't the ultimate answer to #softwaresupplychainsecurity.
#vulnerabilityscanning #softwaresecurity #cybersecurity #containerimages #chainguardimages #wolfi
It absolutely blows me away how much smaller the #CVE surface area is for #Chainguard #Images versus the mainstream container images for popular open-source projects:
python: 647 vulns
cgr.dev/chainguard/python: 0
nginx: 78 vulns
cgr.dev/chainguard/nginx: 0
Now, granted many of these CVEs are worthless, but who wants to track and manage that kind of noise? Not me!
I'd also complain about the lack of #SBOMs in the upstream open-source projects, but the tooling still sucks there.
#SBOMs #images #chainguard #cve
New episode of Release.Patch.Repeat. It was noticeably quiet on the vulnerability front. Known #vulnerabilities are being actively hammered with malware. There is also interesting news about open source and the call for SBOMs. Researchers have found managers who tend to exploit loyal skilled workers. The strategy section is about #zerotrust. There are also reports, and an ITSiG 3.0 has briefly dropped by.
https://release-patch-repeat.letscast.fm/episode/drpr00006-open-source-malware-und-menschen
#vulnerabilities #zerotrust #kritis #opensource #SBOMs #cybersicherheit #itsicherheit
I have now seen several talks about companies using #kyverno to restrict deployments made to production.
They only allow deployments where #trivy or other scanners report a certain low number of vulnerabilities. The existence of #sboms is also checked. Sometimes even more restrictions apply.
How do these companies then handle third-party #docker images that are needed? For example, some official Python images?
Do they have some kind of automatic mirror of requested applications to fetch them and build the needed things on their own systems?
Or do they just block and tell them, "yeah, please wait a few days until we work on that ticket"?
It seems I am confusing or missing something…
#Kyverno #trivy #SBOMs #docker
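As an added illustration of the admission pattern the post above describes (this is example policy written for this page, not the poster's, Kyverno's, or any company's own configuration): a Kyverno ClusterPolicy that admits a Pod only if every image from a given registry carries a signed CycloneDX SBOM attestation and a signed vulnerability-scan attestation with zero CRITICAL findings. The registry prefix `registry.example.com`, the public key, and the JMESPath path `scanner.result.Results[].Vulnerabilities[]` (which assumes the scan predicate wraps Trivy's JSON report, as `trivy --format cosign-vuln` does) are assumptions; the predicate type URIs are the ones cosign assigns to `--type cyclonedx` and `--type vuln`.

```yaml
# Added example policy (not from the post or the Kyverno project).
# Requires, for each matching image: a signed CycloneDX SBOM attestation
# and a signed vulnerability-scan attestation reporting 0 CRITICAL findings.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-sbom-and-clean-scan
spec:
  validationFailureAction: Enforce   # reject, do not just audit
  background: false                  # image verification is admission-time only
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-sbom-and-vuln-attestations
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # ASSUMPTION: only images from this registry are subject to the check;
        # images that do not match this glob are not verified at all.
        - imageReferences:
            - "registry.example.com/*"
          attestations:
            # 1. An SBOM must exist: cosign attest --type cyclonedx
            - type: https://cyclonedx.org/bom
              attestors:
                - entries:
                    - keys:
                        # ASSUMPTION: placeholder key; replace with the
                        # public half of the key used by the build pipeline.
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
                          -----END PUBLIC KEY-----
            # 2. A scan attestation must exist and be clean: cosign attest --type vuln
            - type: https://cosign.sigstore.dev/attestation/vuln/v1
              attestors:
                - entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
                          -----END PUBLIC KEY-----
              conditions:
                - all:
                    # ASSUMPTION: predicate layout is the cosign vuln format with
                    # Trivy's JSON report under scanner.result.
                    - key: "{{ scanner.result.Results[].Vulnerabilities[] | [?Severity=='CRITICAL'] | length(@) }}"
                      operator: Equals
                      value: 0
                    # Reject stale scans: the attestation must be under 7 days old.
                    - key: "{{ time_since('', '{{ metadata.scanFinishedOn }}', '') }}"
                      operator: LessThanOrEquals
                      value: "168h"
```

The `imageReferences` glob is the design decision that matters for the question above: Kyverno only verifies images that match it, so an upstream image pulled directly from a public registry is either outside the policy's scope or, if the glob is widened to `"*"`, rejected because it carries none of the organization's attestations. The two signed attestations are what the policy can check; whether they come from an internal mirror that rebuilds and re-attests upstream images is a pipeline choice the policy itself does not make.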
Well, this happened. #JReleaser is now capable of producing #SBOMs thanks to an integration with #Syft. You don't need Syft pre-installed in your environment; JReleaser takes care of that.
https://jreleaser.org/guide/early-access/reference/catalog/sbom/syft.html
#Build #recorder: a system to capture detailed information
An issue that is currently plaguing a number of people working in #SBOMs is that, given a generated binary artifact of a project, it is not easy (or even possible) to point back to the exact files that were used for creating it.
...
This work is the result of a 2022 Google Summer of Code project for the GFOSS organization.
https://fosdem.org/2023/schedule/event/sbom_build_recorder/
#build #recorder #SBOMs #fosdem
Referenced link: https://hubs.la/Q01yx4Th0
Originally posted by The Linux Foundation / @linuxfoundation@twitter.com: https://twitter.com/ZephyrIoT/status/1616058891355168768#m
RT by @linuxfoundation: .@linuxfoundation's @_kate_stewart discussed #opensource #SBOMs #ZephyrRTOS #ELISAProject & @SPDXTeam w/ @securityweekly. Watch it here: https://hubs.la/Q01yx4Th0 @SCMagazine @ZephyrIoT @ProjectELISA #security #linux
#opensource #SBOMs #ZephyrRTOS #ELISAProject #security #linux
If you're looking for an SCA and/or DAST tool that doesn't break the bank, check out SOOS, it's pretty rad and has super simple pricing: https://soos.io/
#sca #SBOM #SBOMs #dast #cyclonedx
SBOMs are emerging as a requirement in some Federal and private contracts, & Gartner is predicting a sharp rise among #criticalinfrastructure organizations. Learn more about #SBOMs and how they can reduce risk: http://ow.ly/CjVM50MjihY
#infosec #cybersecurity #CISO #riskmanagement
RT @GitGuardian
Check out our recap of #CyberTechNYC 2022 from our Developer Advocate @mcdwayne. Recap of presentations from @Cybercoopss, @jossefharush, and Jason Manar of @KaseyaCorp.
#SBOMs, securing the #SupplyChain, #Data security, and more.
#cybertechnyc #SBOMs #supplychain #data
GUAC provides a central source for information about the security and provenance of an application by collecting materials like #SBOMs, vulnerability scan results, and signed attestations. The great talk by @mlieberman85 and @mihaimaruseac about it👇
https://www.youtube.com/watch?v=xFRNgIEzbkA
One of the most incredible talks by @puerco about his experience in the Kubernetes Release Engineering Team about making Kubernetes SLSA Level 3 compliant, how they use @projectsigstore #cosign to sign and verify releases, how they generate #SBOMs etc. 👇
Highly informative talk by @puerco about his experience in the K8s Release Engineering Team about making K8s SLSA Level 3 compliant, how they use @projectsigstore #cosign to sign and verify releases, how they generate #SBOMs, etc.
Watch the recording
https://www.youtube.com/watch?v=rGHIu_AWAzE
RT @developerguyba@twitter.com
One of the most incredible talks by @puerco@twitter.com about his experience in the Kubernetes Release Engineering Team about making Kubernetes SLSA Level 3 compliant, how they use @projectsigstore@twitter.com #cosign to sign and verify releases, how they generate #SBOMs etc. 👇
https://www.youtube.com/watch?v=rGHIu_AWAzE
🐦🔗: https://twitter.com/developerguyba/status/1592215864237064192
A long-awaited talk has just been shared by @orasproject. In that talk, you will discover all the recent updates in the @oci_org@birdsite.wilde.cloud to manage the relationships between objects such as #sboms, #provenance, #signatures, and OCI images 🏅
https://www.youtube.com/watch?v=VZckJNkJ0nQ
#SBOMs #provenance #signatures
Let's learn more about how we can combine these two excellent projects, @AquaSecTeam's #Trivy and @projectsigstore tools, to generate and sign #SBOMs 👇 Thanks to @itaysk for sharing such great details with us 🥳
≫ 📸 youtu.be/i_9bV08CTao
≫ 🧵 https://twitter.com/itaysk/status/1588802909327618048