February 7, 2023

C-SCRM: We’re from the government — and we’re here to help with software supply chain security

A whole alphabet soup of agencies, offices and councils are springing up in D.C. and beyond. They’re trying to help us with software supply chain security.
January 31, 2023

Google's open source team layoffs: Your software supply chain security is at risk

Firing ‘the best of the best’ in open source does not bode well for software security. Will the last to leave please turn off the lights?
January 30, 2023

6 misconceptions about Software Bills of Materials

SBOMs could become Software Bills of Mediocrity. But not if we can agree on their value for software supply chain security. Chris Romeo explains.
January 24, 2023

Move over, npm: Now VS Code extensions can’t be trusted

It’s super easy to spoof Visual Studio Code extensions. And it’s incredibly hard to detect. In this week’s Secure Software Blogwatch, we run and hide.
January 23, 2023

AI unleashed: Are you prepared for the next generation of software supply chain attacks?

ChatGPT and GitHub Copilot seem like a win for developers under pressure to release new features continuously. But the code produced by generative AI needs serious scrutiny.
January 18, 2023

Supply chain security and compliance: Why software organizations should get out in front of requirements

Get out in front of software supply chain compliance requirements for a competitive advantage. Here's what your software organization needs to know.