Rewatch this Cloud Native Computing Foundation (CNCF) #CNSCon Talk by our very own Adolfo García Veytia - it's rich in demos showing off many #bomshell capabilities! https://lnkd.in/eaPPYqkC #SBOM #SoftwareSupplyChain #SoftwareBillofMaterials #protobom
Stacklok
Computer and Network Security
Seattle, Washington
Build securely
About us
From the founders of projects such as sigstore and kubernetes, Stacklok is a community-centric software supply chain security startup.
- Website: https://stacklok.com
- Industry: Computer and Network Security
- Company size: 11-50 employees
- Headquarters: Seattle, Washington
- Type: Privately Held
- Founded: 2023
- Specialties: security, devsecops, supplychainsecurity, developer tooling, github repo management, dependency management, Secure GitHub Actions, supply chain security, and software supply chain security
Locations
- Primary: Seattle, Washington, US
Updates
-
Come and learn more about the advanced real-time software supply chain threat protections we are innovating at Stacklok!
Just as Generative AI has unlocked developer productivity, so too has it increased attacker productivity. Developers can now generate basic apps with a few prompts, and attackers can likewise craft software to execute harmful payloads in a few minutes. It does not stop there, though: they can also craft entire new online identities in seconds, and they are doing so to game a (highly gameable) system. Reputation farming is becoming more prolific and is an attack vector that is targeting established OSS projects. This is why we built the oss-trust graph at Stacklok, and we are already starting to see its utility as a means of threat heuristics around who actually builds the software that runs the internet. At Stacklok we are approaching software supply chain security using our own home-brewed machine learning approach, specially tailored to advanced real-time threat analysis of open source. Rather than churning over the same old risk metrics, we are seeking to create new categories. We have combined our long history of activity in open source with novel approaches to addressing the immediate need within the software supply chain and the brave new (AI generative) world we have at hand. If you're interested in learning more, please just reach out; we're happy to chat! #cybersecurity #devsecops #opensource #aisecurity
-
In this introductory guide Juan Antonio "Ozz" Osorio dives into Writing Minder rule types using Open Policy Agent and Rego. https://lnkd.in/gt2tbfj8
-
The scary thing with malicious packages like this is that traditional SCA tools won't flag them during the few-hour attack 'window'. (Attackers publish, use and de-publish these very quickly.) Installing one on a developer's desktop will cause all kinds of problems for your org. Put a tool like Trusty in your developer inner-loop process to help your teams avoid this kind of content in the first place. Nice work, Trusty team!
On July 22nd, our Trusty team flagged a malicious npm package, next-react-notify, shortly after it was published. This package is a modified version of the popular call-bind with an added malicious script. Our detection system identified suspicious metadata signals, revealing a complex attack. Key indicator: a preinstall hook in the package.json file which silently executes and deletes the downloader script. Read Poppaea McDermott's analysis of this attack here: https://bit.ly/46mhGgg #cybersecurity #opensource
North Korean State Actors Exploit Open Source Supply Chain via Malicious npm Package (stacklok.com)
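The preinstall indicator described in the post, as an added example (this is not Trusty's detection logic and not Stacklok code): a small Node.js check that lists the npm lifecycle hooks a package.json declares, scores each hook command against a handful of constructed heuristics for the dropper pattern (runs a script file, deletes a file afterwards, silences output, fetches from the network, decodes or evals code), and reports install hooks that a package declares but the upstream it claims to be a copy of does not. The manifests, hook names and thresholds are assumptions for this example; they are not the real contents of next-react-notify or call-bind.

```javascript
// Added example, not Trusty code: inspect the npm lifecycle hooks that run on
// `npm install` and score them with a few heuristics for the dropper pattern
// described above (a preinstall hook that runs a script, then deletes it).

// Lifecycle scripts npm runs during install, before any application code is imported.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators (assumptions made for this example, not a Trusty rule set).
const INDICATORS = [
  { name: 'runs a script file', re: /\bnode\s+\S+\.[cm]?js\b/ },
  { name: 'deletes a file', re: /\brm\s|\bdel\s|\bunlink(Sync)?\(/i },
  { name: 'silences output', re: /\s2?>\s*\/dev\/null/ },
  { name: 'fetches from the network', re: /\bcurl\b|\bwget\b|\bfetch\(|https?:\/\//i },
  { name: 'decodes or evals code', re: /\beval\(|base64|Buffer\.from\(/i },
];

// Return one finding per install hook present in the manifest.
function analyzeInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const indicators = INDICATORS.filter(i => i.re.test(command)).map(i => i.name);
    // Two or more indicators together is the threshold used here; a lone
    // `node-gyp rebuild` style hook scores zero and is not flagged.
    findings.push({ hook, command, indicators, suspicious: indicators.length >= 2 });
  }
  return findings;
}

// Install hooks a package declares that the upstream it was copied from does not.
// A copy of a popular package that grows a preinstall hook is the post's scenario.
function hooksAddedVersusUpstream(upstreamPkg, forkPkg) {
  const up = (upstreamPkg && upstreamPkg.scripts) || {};
  const fk = (forkPkg && forkPkg.scripts) || {};
  return INSTALL_HOOKS.filter(h => h in fk && !(h in up));
}

// Constructed sample manifests (not the real call-bind or next-react-notify).
const UPSTREAM_LIKE = { name: 'example-upstream', scripts: { test: 'tape test/*.js' } };
const BENIGN_NATIVE = { name: 'example-native', scripts: { postinstall: 'node-gyp rebuild' } };
const DROPPER_LIKE = {
  name: 'example-copy',
  scripts: {
    test: 'tape test/*.js',
    preinstall: 'node lib/setup.js > /dev/null 2>&1 && rm lib/setup.js',
  },
};

console.log(JSON.stringify(analyzeInstallHooks(DROPPER_LIKE), null, 2));
console.log('hooks added vs upstream:', hooksAddedVersusUpstream(UPSTREAM_LIKE, DROPPER_LIKE));
```

Run it with `node` on a manifest read from a tarball or from `npm view <pkg> scripts --json` output before the package is installed; the point of checking here, rather than in a post-install scan, is that the hook has already executed by the time a conventional SCA pass runs.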
-
In this Cloud Native Computing Foundation (CNCF) #CloudNativeSecurityCon talk Sigstore founders Luke Hinds and Bob Callaway discuss the origins of sigstore and their experience growing a large community. Plus, the ongoing work to integrate Sigstore into Homebrew, PyPI, Maven Central and the Sigstore roadmap priorities and where the project is heading in the future. 📺 Watch here: https://lnkd.in/euKanfNi #CNSCon
Sigstore: Past, Present and Future Directions - Luke Hinds, Stacklok & Bob Callaway, Google (youtube.com)
-
Want to know what Tacos de Canasta and Software Supply Chain Security have in common? Join Adolfo García Veytia, Luke Hinds & Stacey Potter as they dive into both during our first Securi-Taco Tuesday episode (available on-demand). https://lnkd.in/eE8PytGk
Stacklok User Group: Securi-Taco Tuesdays with special guest Luke Hinds (youtube.com)
-
Even though pinning GitHub Actions to commit SHAs is the only way to use an action as an immutable release, only 2% of public GitHub repos have pinned actions (shout-out to Fabian Kammel for his research on this). One reason this practice isn't more common is the worry that you might not get updates for the actions if they're pinned. But if you're a Dependabot user, you can use our #oss Frizbee tool + Dependabot to automatically pin your GitHub Actions (and also pin your container images!), and use Dependabot to keep them updated. Stackers Juan Antonio "Ozz" Osorio and Jakub Hrozek demo how this works in this Cloud Native Computing Foundation (CNCF) livestream with CNCF Ambassador Taylor Thomas: https://lnkd.in/gqYvM7Fj Thanks Taylor for chatting with us!
CNL: How to automate pinning container images by their digests (youtube.com)
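As an added example of the check the post is about (this is not Frizbee or Dependabot code): a Node.js script that reads a workflow file and reports which `uses:` references are pinned to a full 40-hex commit SHA, as opposed to a tag or branch that the action's owner (or an attacker with access to the repository) can re-point. The workflow text and the SHA in it are constructed placeholders for this example, not a real commit.

```javascript
// Added example, not Frizbee or Dependabot code: report which `uses:` references
// in a GitHub Actions workflow are pinned to a full commit SHA.

const FULL_SHA = /^[0-9a-f]{40}$/;
// Matches `uses: owner/repo@ref` and `- uses: ...`, quoted or not, and stops at a
// trailing `# vX.Y.Z` comment (the convention that keeps SHA pins human-readable).
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^\s'"#]+)/;

// Classify one reference. Local actions have no ref to pin; docker:// references
// are pinned by image digest rather than commit SHA.
function classifyUses(ref) {
  if (ref.startsWith('./')) return { ref, kind: 'local', pinned: null };
  if (ref.startsWith('docker://')) return { ref, kind: 'docker', pinned: ref.includes('@sha256:') };
  const at = ref.lastIndexOf('@');
  if (at === -1) return { ref, kind: 'remote', version: null, pinned: false };
  const version = ref.slice(at + 1);
  return { ref, kind: 'remote', action: ref.slice(0, at), version, pinned: FULL_SHA.test(version) };
}

// Scan workflow text line by line; `uses:` lines are simple enough not to need a YAML parser.
function auditWorkflow(yamlText) {
  const out = [];
  for (const line of yamlText.split('\n')) {
    const m = USES_LINE.exec(line);
    if (m) out.push(classifyUses(m[1]));
  }
  return out;
}

// Remote actions referenced by a tag or branch, i.e. a mutable pointer.
function unpinnedRemote(results) {
  return results.filter(r => r.kind === 'remote' && !r.pinned).map(r => r.ref);
}

// Constructed workflow; the 40-hex SHA below is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-step
      - name: lint in a container
        uses: docker://alpine:3.19
`;

console.log('unpinned remote actions:', unpinnedRemote(auditWorkflow(SAMPLE_WORKFLOW)));
```

Point it at `.github/workflows/*.yml` and fail the CI job when `unpinnedRemote` is non-empty; the `# vX.Y.Z` comment next to a SHA is what lets a reviewer (and an updater such as Dependabot) see which release the pin corresponds to.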
-
We welcomed three amazing new Stackers this week! Doug Wright is our new VP of Engineering, who joins us from the cybersecurity firm Arctic Wolf. Doug has 18+ years of experience in managing development teams and extensive experience building SaaS products. We're thrilled to have him lead our global engineering organization and product development process. Doug is based in sunny Southern California 😎 Gokul Raju joins us as a Staff Product Manager, focused on building out the product roadmap and capabilities of trustypkg.dev to help developers understand whether the OSS packages they're using are malicious, deprecated, or pose a supply chain risk. Gokul joins us from Harness, where he drove Harness' product-led growth strategy and built capabilities for Harness' CD product. He works in our Shoreditch, London office. 🇬🇧 👨🏻💻 A. is the newest member of our fantastic frontend engineering team, joining us from Fuse Financial Technologies. He'll also be working out of our office in Shoreditch, London. ☕ Welcome to the team, Doug, Gokul, and Alex! We're beyond thrilled to have you here!
-
Looking for an easy way to detect malicious, deprecated, or unsafe #oss dependencies in your code? We just released a new GitHub Action that can automatically check your PRs for unsafe open source dependencies, and provide a list of safer alternatives. Using the Trusty Dependency Risk Action can help you avoid taking a dependency on OSS software that is: - Malicious, deprecated, or archived (as reported by OSV.dev, GitHub, or package managers) - Not being actively maintained - From an unverified source - Likely to be a typosquat / supply chain attack Try it out and let us know what you think! 👀 Blog post with more background: https://lnkd.in/gRG2PnjY ✅ Direct link to install the Trusty Dependency Risk Action: https://lnkd.in/g7RJTAVa