software supply chain - Chainguard, Inc.

A Crash Course in Software Supply Chain Security

By Zachary Newman in software supply chain on 13 May 2022

Software supply chain security is an enormous problem: it covers everything from build systems to the code in open-source dependencies to package managers to social relationships between developers. Unfortunately, we know about hundreds of supply chain compromises, and there are likely just as many that were never discovered or reported.…

Is Sigstore Susceptible to Psychic Signatures? Sources Say: Sounds Suspect

By Zachary Newman in sigstore on 22 Apr 2022

Does the psychic signature vulnerability also affect Sigstore, a code artifact signing and verification project? The short answer is NO!…

4 Key Sigstore Takeaways: Recap of Twitter Space with Kelsey Hightower

By Lisa Tagliaferri in sigstore on 23 Mar 2022

Kelsey Hightower hosted a Twitter Space on Sigstore: a new standard for signing and verifying software on March 22, 2022. The software industry has been flying blind. It's time we start signing and verifying the stuff we build and ship to the world. Join me and a few…

How Sigstore Can Help You and Your Team Follow the NIST SSDF Recommendations

By Lisa Tagliaferri in nist on 16 Mar 2022

The recently published NIST SSDF Recommendations can seem intimidating; the good news is that the open source project Sigstore can help you and your team meet many of the recommendations.…

SLSA vs. Software Supply Chain Attacks

By John Speed Meyers in slsa on 15 Mar 2022

Past Attacks and How SLSA Helps More than a condiment or dance style, SLSA is a framework for strengthening the security of the software supply chain. SLSA, or supply-chain levels for software artifacts, provides an incremental series of defensive measures that prevents tampering and improves the integrity of a software…

Building trust in our software supply chains with SLSA

By Kim Lewandowski in slsa on 10 Mar 2022

If you’re worried about software supply chain attacks and unsure of how to tackle the problem or align your team on a roadmap, this series on SLSA is for you. What is SLSA?SLSA or “Supply-chain Levels for Software Artifacts” is a framework for ensuring the integrity of software…

I Read NIST 800-218 So You Don’t Have To - Here’s What to Watch Out For

By Dan Lorenc in nist on 03 Mar 2022

Version 1.1 of The Secure Software Development Framework (SSDF): Recommendations for Mitigating the Risk of Software Vulnerabilities from NIST (NIST 800-218) was just published on February 3rd, 2022. The document was first released in September of 2021, but the SSDF program first started in May 2021 after Executive Order…

Knative is now a CNCF project, and why this matters for software security

By Tracy Miranda in knative on 02 Mar 2022

Congratulations to Knative on being accepted as a CNCF incubating project today! All of us at Chainguard are thrilled about this important milestone within the cloud native community. Not least our founders Matt Moore and Ville Aikas who helped create the project, and along with Scott Nichols continue to drive…

Topics