The Dirty Secret of Cybersecurity Standards
We made our first public comment on a software security standard, the NIST’s cybersecurity framework.…
Past Attacks and How SLSA Helps
More than a condiment or dance style, SLSA is a framework for strengthening the security of the software supply chain. SLSA, or Supply-chain Levels for Software Artifacts, provides an incremental series of defensive measures that prevents tampering and improves the integrity of a software…
The Case for Farm-to-Table Package Signing
The benefits and limitations of signing an open source package (using a private key to create a unique digital signature) are a surprisingly contentious topic. One of the maintainers associated with the Python Package Index has a cogent blog post called “Why Package Signing…