develop.secure.software | Practical knowledge for dev and release teams

Software Supply Chain Security

Software supply chain security top of mind for dev teams — but detection lags

Carolynn van Arsdale

A survey of more than 300 software professionals found the threat of supply chain attacks looms large—but efforts to...

Secure Software Blogwatch

Rejoice, devs and all! Privacy Pass standard nukes CAPTCHAs

Richi Jennings

Apple is to support the new Privacy Pass standard, to “attest” that its users aren’t robots. Google is expected to be...

Software Supply Chain Security

Software supply chain alert: ‘7 million’ cleartext access tokens in Travis CI logs

Richi Jennings

Travis CI cleartext logs are trivially easy to access—all 770 million of them. And researchers have found lots of...

Software Supply Chain Security

A (partial) history of software supply chain attacks

Paul Roberts

SolarWinds put software supply chain hacks on the radar. But attacks aren’t new. In fact, they’re much older than you...

Software Security

5 CI/CD breaches analyzed: Why you need to update your software security approach

Carolynn van Arsdale

Omer Gil and Daniel Krivelevich outlined the top 10 CI/CD security risks at RSA Conference, analyzing five recent...

Software Supply Chain Security

MITRE’s System of Trust: A proposed standard for software supply chain security

Paul Roberts

MITRE’s System of Trust framework is aiming to standardize how software supply chain security is assessed. MITRE's...

Secure Software Blogwatch

How to make C++ memory-safe? Chrome targets UAF bugs with garbage collection

Richi Jennings

The solution to use-after-free bugs is to *not* free memory. Google’s Chrome team is the latest group to jump on the...

Threat Research

Go below the surface on tampering: The trouble with software integrity validation

Karlo Zanki

The growing number of software supply chain attacks is putting pressure on validation of software integrity

Secure Software Blogwatch

Proposal: It’s time to regulate and license devs

Richi Jennings

Software engineers are engineers. So why don’t we regulate them—as we do other professions that build critical...

Threat Research

NPM coinminer: What you see is not always what you get

Karlo Zanki

Source code analysis is always useful. It helps you detect threats early in the dev process. But it shouldn’t be the...

Software Supply Chain Security

Software supply chain security top of mind for dev teams — but detection lags

Carolynn van Arsdale

A survey of more than 300 software professionals found the threat of supply chain attacks looms large—but efforts to...

Secure Software Blogwatch

Rejoice, devs and all! Privacy Pass standard nukes CAPTCHAs

Richi Jennings

Apple is to support the new Privacy Pass standard, to “attest” that its users aren’t robots. Google is expected to be...

Software Supply Chain Security

Software supply chain alert: ‘7 million’ cleartext access tokens in Travis CI logs

Richi Jennings

Travis CI cleartext logs are trivially easy to access—all 770 million of them. And researchers have found lots of...

Software Supply Chain Security

A (partial) history of software supply chain attacks

Paul Roberts

SolarWinds put software supply chain hacks on the radar. But attacks aren’t new. In fact, they’re much older than you...

Software Security

5 CI/CD breaches analyzed: Why you need to update your software security approach

Carolynn van Arsdale

Omer Gil and Daniel Krivelevich outlined the top 10 CI/CD security risks at RSA Conference, analyzing five recent...

Software Supply Chain Security

MITRE’s System of Trust: A proposed standard for software supply chain security

Paul Roberts

MITRE’s System of Trust framework is aiming to standardize how software supply chain security is assessed. MITRE's...

Secure Software Blogwatch

How to make C++ memory-safe? Chrome targets UAF bugs with garbage collection

Richi Jennings

The solution to use-after-free bugs is to *not* free memory. Google’s Chrome team is the latest group to jump on the...

Threat Research

Go below the surface on tampering: The trouble with software integrity validation

Karlo Zanki

The growing number of software supply chain attacks is putting pressure on validation of software integrity

Secure Software Blogwatch

Proposal: It’s time to regulate and license devs

Richi Jennings

Software engineers are engineers. So why don’t we regulate them—as we do other professions that build critical...

Threat Research

NPM coinminer: What you see is not always what you get

Karlo Zanki

Source code analysis is always useful. It helps you detect threats early in the dev process. But it shouldn’t be the...