When using open source software, YOU become the security supplier.
Discover how SCA scanning helps manage this responsibility and protect your applications from supply chain compromises like Log4Shell in Log4j and the XZ Utils backdoor: https://anchore.com/software-supply-chain-security/software-composition-analysis/
#SoftwareCompositionAnalysis #SCA #OpenSource
With up to 90% of applications built on open source code, SCA tools are no longer optional—they're essential.
Learn how Software Composition Analysis protects your organization from supply chain vulnerabilities: https://anchore.com/software-supply-chain-security/software-composition-analysis/
#SoftwareCompositionAnalysis #SCA

Everything You Need to Know About Software Composition Analysis (SCA)
Learn the ins and outs of software composition analysis along with expert tips for implementation from the cybersecurity experts at Anchore.
Anchore
DEF CON 32 - Your CI CD Pipeline Is Vulnerable, But It's Not Your Fault - Elad Pticha, Oreen Livni
YouTube
Manifest Confusion in PyPI
How some Python tools interpret dependencies differently.
stiankri's blog

⚠️ Beware of "alert fatigue" in your security processes!
Learn why integrating #SoftwareCompositionAnalysis in your CI/CD pipeline is crucial for safeguarding your software from vulnerabilities: https://bit.ly/3LnT6Ci
#InfoQ article by Lukáš Křečan
#Java #SCA #CI #CD #SecurityVulnerabilities

Dealing with Java CVEs: Discovery, Detection, Analysis, and Resolution
This article discusses the role of SCA in CI/CD pipelines, emphasizing human oversight for accurate vulnerability assessment and the importance of specialized security tools.
InfoQ

Log4Shell, a critical vulnerability discovered in December 2021 and officially tracked as CVE-2021-44228, has had a long-lasting impact, prompting enterprises to adopt software composition analysis and secure supply chain management practices. Despite patches and widespread attention, it remained a common cause of security breaches a year later.
https://www.csoonline.com/article/3684108/log4shell-remains-a-big-threat-and-a-common-cause-for-security-breaches.html#tk.rss_all #Log4Shell #CVE2021-44228
#SoftwareCompositionAnalysis #SecureSupplyChainManagement
Log4Shell remains a big threat and a common cause for security breaches
Log4Shell is likely to remain a favored vulnerability to exploit as organizations lack visibility into their software supply chains.
CSO Online
Invisible npm malware - evading security checks with crafted versions | JFrog
The npm CLI has a very convenient and well-known security feature: when installing an npm package, the CLI checks the package and all of its dependencies for known vulnerabilities. The check is triggered on package installation (when running npm install) but can also be triggered manually by running npm audit. This is an …
JFrog
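The audit loop the excerpt describes depends entirely on the version string each installed package reports about itself. The following is an added example, written for this page and not taken from the JFrog article or the npm CLI source: a simplified model of a version-based audit, with a naive matcher beside a hardened one. The package names, advisory identifiers, ranges and lockfile contents are constructed for illustration, and the prerelease handling follows the node-semver convention that a prerelease version only satisfies a range when a comparator carries a prerelease on the same major.minor.patch.

```javascript
// Added illustrative model of a version-based dependency audit. Not the npm
// CLI's code and not JFrog's findings; all names, ranges and versions are
// constructed for this example.

const SEMVER_RE = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Strict parser: null for anything that is not MAJOR.MINOR.PATCH[-pre][+build].
function parseSemver(str) {
  const m = SEMVER_RE.exec(String(str).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ? m[4].split('.') : [] };
}

// Prerelease ordering: no tag > any tag; numeric ids < alphanumeric ids; shorter < longer.
function comparePrerelease(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (i >= a.length) return -1;
    if (i >= b.length) return 1;
    const x = a[i], y = b[i], xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  return comparePrerelease(a.prerelease, b.prerelease);
}

// Range parser for space-separated comparators such as ">=2.0.0 <2.17.1".
function parseRange(range) {
  return range.trim().split(/\s+/).map((tok) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(tok);
    const v = parseSemver(m[2]);
    if (!v) throw new Error(`bad comparator: ${tok}`);
    return { op: m[1] || '=', version: v };
  });
}

const OPS = { '<': c => c < 0, '<=': c => c <= 0, '>': c => c > 0, '>=': c => c >= 0, '=': c => c === 0 };

function satisfies(version, range, { includePrerelease = false } = {}) {
  const comps = parseRange(range);
  if (!comps.every(c => OPS[c.op](compare(version, c.version)))) return false;
  if (version.prerelease.length === 0 || includePrerelease) return true;
  // node-semver convention: a prerelease only matches if a comparator on the
  // same major.minor.patch also has a prerelease tag.
  return comps.some(c => c.version.prerelease.length > 0 && c.version.major === version.major &&
    c.version.minor === version.minor && c.version.patch === version.patch);
}

// Naive audit: trusts the self-reported version, silently skips what it cannot parse.
function naiveAudit(installed, advisories) {
  const findings = [];
  for (const pkg of installed) {
    const v = parseSemver(pkg.version);
    if (!v) continue; // the gap: an unparseable version is never audited
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(v, adv.range)) findings.push({ name: pkg.name, version: pkg.version, id: adv.id });
    }
  }
  return findings;
}

// Hardened audit: an unparseable version is a finding, the self-reported version is
// cross-checked against what the lockfile resolved, and prerelease tags do not
// slip under an advisory range. (Illustrative hardening, not npm's behaviour.)
function hardenedAudit(installed, advisories, lockfile) {
  const findings = [];
  for (const pkg of installed) {
    const v = parseSemver(pkg.version);
    if (!v) { findings.push({ name: pkg.name, version: pkg.version, id: 'INVALID_VERSION' }); continue; }
    const locked = lockfile[pkg.name];
    if (locked !== undefined && locked !== pkg.version) {
      findings.push({ name: pkg.name, version: pkg.version, id: 'VERSION_MISMATCH', expected: locked });
    }
    for (const adv of advisories) {
      if (adv.name === pkg.name && satisfies(v, adv.range, { includePrerelease: true })) {
        findings.push({ name: pkg.name, version: pkg.version, id: adv.id });
      }
    }
  }
  return findings;
}

// Constructed advisory database, lockfile and installed tree (not real packages).
const ADVISORIES = [
  { id: 'ADV-0001', name: 'acme-logger', range: '>=2.0.0 <2.17.1' },
  { id: 'ADV-0002', name: 'acme-utils', range: '<1.4.2' },
];
const LOCKFILE = { 'acme-logger': '2.16.0', 'acme-utils': '1.4.1', 'acme-template': '3.0.0' };
const INSTALLED = [                                        // versions as each package.json reports them
  { name: 'acme-logger', version: '2.16.0' },            // honest, vulnerable
  { name: 'acme-utils', version: '1.4.1-0' },            // crafted prerelease tag on a vulnerable version
  { name: 'acme-template', version: '3.0.0.1' },         // crafted, not valid semver
];

console.log('naive:', JSON.stringify(naiveAudit(INSTALLED, ADVISORIES)));
console.log('hardened:', JSON.stringify(hardenedAudit(INSTALLED, ADVISORIES, LOCKFILE)));
```

The naive pass reports only acme-logger; the crafted prerelease and the unparseable version both disappear from its output. The hardened pass reports all three, and the lockfile cross-check is the generalisable lesson: never let a dependency be the sole source of the identity you audit it under.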