3/23/23: Lessons from SVB & SLSA
We found a vulnerability in GitHub Actions
This vulnerability bypasses the allowed-workflow settings by using commits from forked repositories. We’ve summarized how it works and what to watch out for, and open-sourced a tool called clank to help users detect it!
What does the National Cybersecurity Strategy mean for us?
The document is 39 pages long, so to save you time, we’ve written a quick synopsis of its immediate implications on our blog.
SVB: The biggest bank failure since 2008
Like every SVB customer, we’ve had quite a week. Our CEO Dan Lorenc spoke to The New Stack about how our company values guided us through the SVB crisis and the lessons we learned.
SLSA Survey + Insights
We discussed the adoption and application of software supply chain security frameworks with the Eclipse Foundation, Rust Foundation & OpenSSF. Listen to the recording here.
Wise words from our co-founders on context-sensitive policies
"Sometimes, you don’t want to outright block a piece of software, but perhaps you want to be extra cautious about how it is allowed to run. For this the execution context of the software is helpful because it lets you know how the software will be invoked...
With context-sensitive policies you can check properties like If package X is present, make sure it doesn’t have any credentials or make sure it is running inside of a strong sandbox."
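The quoted idea of a context-sensitive policy can be made concrete with a small evaluator: a rule stays inert unless its trigger package is present, and only then does it check the workload's environment for credential-looking variables or for a declared sandbox. The following is an added example written for this page, not Chainguard's tooling or code; the workload layout (a dict with `packages`, `env` and `sandbox` keys), the credential-name heuristic and the sample rules and workloads are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Heuristic for credential-like environment variable names.
# This is an assumption chosen for the example, not a standard.
CREDENTIAL_NAME = re.compile(
    r"(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY|CREDENTIAL)", re.IGNORECASE
)


@dataclass(frozen=True)
class Rule:
    """A context-sensitive rule: it applies only when `package` is installed."""
    package: str
    forbid_credentials: bool = False   # no credential-like env vars allowed
    require_sandbox: bool = False      # workload must declare a sandbox


def credential_keys(env: Dict[str, str]) -> List[str]:
    """Return env var names that look like credentials, sorted for stable output."""
    return sorted(k for k in env if CREDENTIAL_NAME.search(k))


def evaluate(workload: Dict[str, Any], rules: List[Rule]) -> List[str]:
    """Apply every rule whose trigger package is present; return the violations."""
    packages = set(workload.get("packages", []))
    env = workload.get("env", {})
    sandboxed = bool(workload.get("sandbox"))
    violations: List[str] = []
    for rule in rules:
        if rule.package not in packages:
            continue  # the rule is inert in this execution context
        creds = credential_keys(env)
        if rule.forbid_credentials and creds:
            violations.append(
                f"{rule.package}: credentials present in environment ({', '.join(creds)})"
            )
        if rule.require_sandbox and not sandboxed:
            violations.append(f"{rule.package}: must run inside a sandbox")
    return violations


# Constructed sample rules and workloads for this example (not from the page).
RULES = [
    Rule("curl", forbid_credentials=True),        # network tool: no secrets next to it
    Rule("legacy-parser", require_sandbox=True),  # risky parser: sandbox only
]

WORKLOADS = {
    "builder": {
        "packages": ["curl", "make"],
        "env": {"CI": "1", "GITHUB_TOKEN": "placeholder-token"},
        "sandbox": False,
    },
    "renderer": {"packages": ["legacy-parser"], "env": {"HOME": "/tmp"}, "sandbox": True},
    # A credential with no triggering package present: allowed, because the
    # policy is about the combination of package and context, not the secret alone.
    "api": {"packages": ["python3"], "env": {"DB_PASSWORD": "placeholder"}, "sandbox": False},
}


def audit(workloads=WORKLOADS, rules=RULES) -> Dict[str, List[str]]:
    """Evaluate every workload and return only those that have violations."""
    return {name: v for name, w in workloads.items() if (v := evaluate(w, rules))}


if __name__ == "__main__":
    for name, problems in audit().items():
        for problem in problems:
            print(f"[{name}] {problem}")
```

Running the script reports only the `builder` workload, because it is the one where a watched package (`curl`) and a credential-like variable coincide; the sandboxed `renderer` and the `api` workload with no watched package produce no findings.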
For more software supply chain security nuggets like this, subscribe at go.chainguard.dev/news!
If you want it sent directly to your inbox, you can sign up here: https://www.chainguard.dev/newsletter