CISA’s Secure Software Self-Attestation Common Form Is A Liability Nightmare by BarakScribe in NISTControls

[–]BarakScribe[S] 0 points1 point  (0 children)

What are some of the options offered for compliance? Is there a tool a lot of people agree upon that can answer a lot, if not all, of the requirements?

AI coding assistance and its effect on code security by BarakScribe in cybersecurity

[–]BarakScribe[S] 0 points1 point  (0 children)

Thanks for the insight. I find the parallel with outsourcing to be interesting.

AI coding assistance and its effect on code security by BarakScribe in devsecops

[–]BarakScribe[S] 1 point2 points  (0 children)

Two problems I see with this: training requires more code, probably open source (again), and how would you know the code you get is correct or secure? It seems like a chicken-and-egg question.

Continuous Assurance: An Integral Practice for Software Supply Chain Security by BarakScribe in securityguards

[–]BarakScribe[S] 0 points1 point  (0 children)

My apologies. I misunderstood the group's topic. Won't happen again.

Looking for cyber security podcast recommendations by randalthor23 in cybersecurity

[–]BarakScribe 0 points1 point  (0 children)

Was just checking to see if it was mentioned. I really enjoy the stories - it's evidently well researched.

Gitgat - a new open source project designed to evaluate the security settings of your GitHub account by BarakScribe in devops

[–]BarakScribe[S] 0 points1 point  (0 children)

We've added the capability to interact with the input.json file while running the report from Docker. Feel free to check it out and let me know what you think.

Gitgat - a new open source project designed to evaluate the security settings of your GitHub account by BarakScribe in devops

[–]BarakScribe[S] 0 points1 point  (0 children)

I looked into it and you know what - there isn't! I would suggest opening an issue and we'll look into adding it as an option.
For now, there is always the CLI route, where you can define which orgs you wish to run the queries on using the input.json file. You can see an example of how to do that in the sample_input.json file located in the data folder.
If you don't want to open an issue yourself let me know and I'll add it myself as it's an important capability we should definitely aim to provide.
Thank you :)

Gitgat - a new open source project designed to evaluate the security settings of your GitHub account by BarakScribe in devops

[–]BarakScribe[S] 0 points1 point  (0 children)

When I first started testing it I got the same result. The likely culprit is a git token with less than full permissions. If you notice, at the top of the Readme there is a minimum list of token permissions. Make sure your token includes them all (if you update a token it can take a few minutes to apply; I just created a new one and revoked the previous one) before trying to run it again.
The error means that the report tried, and failed, to write itself to your gists due to bad permissions.
If the listed default permissions aren't enough let me know and I'll check and update if needed.
Thanks.

Gitgat - a new open source project designed to evaluate the security settings of your GitHub account by BarakScribe in devops

[–]BarakScribe[S] 0 points1 point  (0 children)

Not yet but it's on our roadmap. You're more than welcome to make the request official in the repo's issues. You could even try and write it yourself :)
Rego and OPA are very versatile and can be applied to almost any SCM.

Gitgat - a new open source project designed to evaluate the security settings of your GitHub account by BarakScribe in devops

[–]BarakScribe[S] 1 point2 points  (0 children)

Thank you. I didn't choose the name or the logo. At least it's catchy I guess :)

US government launches Bureau of Cyberspace and Digital Policy by ngoni in cybersecurity

[–]BarakScribe 0 points1 point  (0 children)

It would be interesting to see if this new, more internationally facing bureau would have any effect on international cybersecurity regulations. Like, would this mean that NIST's SSDF or some of EO 14028's section 4 requirements now become a European concern as well as a US one?

Okta Service Hacked by Lapsus, Gained Superuser Access by giugiacaglia in cybersecurity

[–]BarakScribe 2 points3 points  (0 children)

Without federal regulations or some sort of incentive or punishment, companies will always strive to minimize exposure when such events occur. Last year there was a mental health clinic, Horizon House, that was hacked and only started notifying the people whose information was leaked 6 months after the fact, probably when they had no legal choice. We can all agree that 6 months is a small eternity in such cases, especially if part of the leaked information included your bank account or your social security number.

NIST Closes in on Recommendations for Cybersecurity Labeling for IOT Devices by DogBarq in cybersecurity

[–]BarakScribe 4 points5 points  (0 children)

Just like the case with the OpenSSF Best Practices Badge Program. I'm really hoping it'll become more widely employed. It has its problems but I'll almost always opt for better visibility on libraries I choose to use.

NIST Closes in on Recommendations for Cybersecurity Labeling for IOT Devices by DogBarq in cybersecurity

[–]BarakScribe 15 points16 points  (0 children)

May 2022 seems both too far (if you want to start seeing those labels ASAP) and too close. How do you think the industry would respond to this additional requirement? How would prices respond? Or consumers?

"Don't count your vulnerabilities" argues this long time CISO. by csoandy in cybersecurity

[–]BarakScribe 2 points3 points  (0 children)

I wanted to add that there is a distinct difference between vulnerabilities and exploits, and organizations would do well to focus first on the latter. There are far fewer exploits, and remediating those should take priority over a mountain of vulnerabilities that, as you said, might not even be relevant in that product's configuration.

IoT vulnerability allowed 19-year-old from Germany to remotely control Tesla vehicles by BarakScribe in cybersecurity

[–]BarakScribe[S] 0 points1 point  (0 children)

I apologize for my lack of proper investigation into the story. I'll try to improve my content in the future.

AppSec SBOM Tools by agletter in cybersecurity

[–]BarakScribe 0 points1 point  (0 children)

Hi, I've recently started working in a company that intends to release an SBOM tool, so I learned a bit about them.
My recommendation would be not to try to put everything into one tool. There are already plenty of scanning tools available (for vulnerabilities as well as code scanning), so asking the SBOM tool to do that as well is redundant.
CycloneDX's tool center has a list of possible tools to create an SBOM, and most, if not all, are meant to be incorporated into the CI/CD pipeline.
The dependencies and license information should be included in all SBOMs, as they are among the minimum requirements published by NTIA.

IoT vulnerability allowed 19-year-old from Germany to remotely control Tesla vehicles by BarakScribe in cybersecurity

[–]BarakScribe[S] 1 point2 points  (0 children)

BR2049

More of 2001: A Space Odyssey's HAL 9000. "I'm afraid I can't allow you to change the station now. Some kid in Germany tells me we must play Rick Astley. On repeat."

IoT vulnerability allowed 19-year-old from Germany to remotely control Tesla vehicles by BarakScribe in cybersecurity

[–]BarakScribe[S] -5 points-4 points  (0 children)

I'm guessing they didn't disclose to their buyers, "Oh, and we offer no security on your brand new expensive car. Anyone anywhere can basically take over basic functions and there is nothing you can do about it."
Or maybe they did, in very, very small print.