In this introductory guide Juan Antonio "Ozz" Osorio dives into Writing Minder rule types using Open Policy Agent and Rego. https://lnkd.in/gt2tbfj8
Stacklok
Computer and Network Security
Seattle, Washington 1,524 followers
Build securely
About us
From the founders of projects such as sigstore and kubernetes, Stacklok is a community-centric software supply chain security startup.
- Website: https://stacklok.com
- Industry: Computer and Network Security
- Company size: 11-50 employees
- Headquarters: Seattle, Washington
- Type: Privately Held
- Founded: 2023
- Specialties: security, devsecops, supplychainsecurity, developer tooling, github repo management, dependency management, Secure GitHub Actions, supply chain security, and software supply chain security
Locations
- Primary: Seattle, Washington, US
Updates
-
The scary thing with malicious packages like this is that traditional SCA tools won't flag them during the few-hour attack 'window' (attackers publish, use and de-publish these very quickly). Installing one on a developer's desktop will cause all kinds of problems for your org. Put a tool like Trusty in your developer inner-loop process to help your teams avoid this kind of content in the first place. Nice work Trusty team!
On July 22nd, our Trusty team flagged a malicious npm package, next-react-notify, shortly after it was published. This package is a modified version of the popular call-bind with an added malicious script. Our detection system identified suspicious metadata signals, revealing a complex attack. Key indicator: a preinstall hook in the package.json file which silently executes and deletes the downloader script. Read Poppaea McDermott's analysis of this attack here: https://bit.ly/46mhGgg #cybersecurity #opensource
North Korean State Actors Exploit Open Source Supply Chain via Malicious npm Package
stacklok.com
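The post above points at the install-time hook as the key indicator: npm runs `preinstall`/`postinstall` scripts automatically during `npm install`, so a hook that the imitated upstream package never had is worth surfacing before the package reaches a developer machine. The check below is an added example written for this page, not Trusty's detection logic; both manifests are constructed samples with placeholder names and commands, not the real next-react-notify or call-bind files.

```python
import json

# npm lifecycle scripts that execute on `npm install` without the developer
# invoking them explicitly, which is why an unexpected one is a red flag.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(package_json_text):
    """Return {hook_name: command} for every install-time hook in a package.json."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def added_hooks(suspect_text, upstream_text):
    """Hooks declared by the suspect manifest that the upstream it imitates lacks."""
    suspect = find_install_hooks(suspect_text)
    upstream = find_install_hooks(upstream_text)
    return {name: cmd for name, cmd in suspect.items() if name not in upstream}


# Constructed sample manifests (placeholders, not real registry contents).
UPSTREAM = json.dumps({
    "name": "example-upstream",
    "version": "1.0.0",
    "scripts": {"test": "tape test/*.js"},
})
SUSPECT = json.dumps({
    "name": "example-lookalike",
    "version": "1.0.0",
    "scripts": {"test": "tape test/*.js", "preinstall": "node ./setup.js"},
})

if __name__ == "__main__":
    for hook, cmd in added_hooks(SUSPECT, UPSTREAM).items():
        print(f"install-time hook not present upstream: {hook} -> {cmd!r}")
```

In practice the upstream manifest would come from the registry entry of the package the lookalike claims to be a copy of; any hook reported here should block the install until a human has read the script.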
-
In this Cloud Native Computing Foundation (CNCF) #CloudNativeSecurityCon talk, Sigstore founders Luke Hinds and Bob Callaway discuss the origins of sigstore and their experience growing a large community. They also cover the ongoing work to integrate Sigstore into Homebrew, PyPI and Maven Central, the Sigstore roadmap priorities, and where the project is heading in the future. 📺 Watch here: https://lnkd.in/euKanfNi #CNSCon
Sigstore: Past, Present and Future Directions - Luke Hinds, Stacklok & Bob Callaway, Google
https://www.youtube.com/
-
Want to know what Tacos de Canasta and Software Supply Chain Security have in common? Join Adolfo García Veytia, Luke Hinds & Stacey Potter as they dive into both during our first Securi-Taco Tuesday episode (available on-demand). https://lnkd.in/eE8PytGk
Stacklok User Group: Securi-Taco Tuesdays with special guest Luke Hinds
https://www.youtube.com/
-
Even though pinning GitHub Actions to commit SHAs is the only way to use an action as an immutable release, only 2% of public GitHub repos have pinned actions (shout-out to Fabian Kammel for his research on this). One reason this practice isn't more common is the worry that you might not get updates for the actions if they're pinned. But if you're a Dependabot user, you can use our #oss Frizbee tool to automatically pin your GitHub Actions (and also pin your container images!), and use Dependabot to keep them updated. Stackers Juan Antonio "Ozz" Osorio and Jakub Hrozek demo how this works in this Cloud Native Computing Foundation (CNCF) livestream with CNCF Ambassador Taylor Thomas: https://lnkd.in/gqYvM7Fj Thanks Taylor for chatting with us!
CNL: How to automate pinning container images by their digests
https://www.youtube.com/
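A tag like `@v4` or a branch can be moved to point at new code, while a full 40-hex commit SHA (or a `sha256:` digest for a container image) cannot, which is the immutability the post above refers to. The scanner below is an added example for this page, not Frizbee's code: it walks the `uses:` lines of a workflow and reports every external action or `docker://` image that is not pinned that way. The workflow, the SHA and the digest are constructed placeholders, not real commits or images.

```python
import re

# `uses:` step reference, e.g. `- uses: actions/checkout@v4  # comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit id
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # OCI image digest


def parse_uses(ref):
    """Split 'owner/repo[/path]@ref' into (target, ref); ref is None if absent."""
    target, _, version = ref.partition("@")
    return target, (version or None)


def is_pinned(ref):
    """True when the reference cannot be silently moved to different code."""
    if ref.startswith("./"):
        return True  # action lives inside this repo; nothing external to pin
    _, version = parse_uses(ref)
    if ref.startswith("docker://"):
        return version is not None and DIGEST_RE.match(version) is not None
    return version is not None and SHA_RE.match(version) is not None


def unpinned_actions(workflow_text):
    """Return [(line_no, ref)] for every `uses:` not pinned to a SHA/digest."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and not is_pinned(match.group(1)):
            findings.append((line_no, match.group(1)))
    return findings


# Constructed workflow; the SHA and digest below are placeholders, not real.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:abababababababababababababababababababababababababababababababab
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_actions(WORKFLOW):
        print(f"line {line_no}: not pinned to an immutable ref: {ref}")
```

Keeping the version as a trailing comment next to the SHA (as on the `setup-go` line) is what lets Dependabot recognise and bump the pinned action later.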
-
We welcomed three amazing new Stackers this week! Doug Wright is our new VP of Engineering, who joins us from the cybersecurity firm Arctic Wolf. Doug has 18 years of experience in managing development teams and extensive experience building SaaS products. We're thrilled to have him lead our global engineering organization and product development process. Doug is based in sunny Southern California 😎 Gokul Raju joins us as a Staff Product Manager, focused on building out the product roadmap and capabilities of trustypkg.dev to help developers understand whether the OSS packages they're using are malicious, deprecated, or pose a supply chain risk. Gokul joins us from Harness, where he drove Harness' product-led growth strategy and built capabilities for Harness' CD product. He works in our Shoreditch, London office. 🇬🇧 👨🏻💻 A. is the newest member of our fantastic frontend engineering team, joining us from Fuse Financial Technologies. He'll also be working out of our office in Shoreditch, London. ☕ Welcome to the team, Doug, Gokul, and Alex! We're beyond thrilled to have you here!
-
Looking for an easy way to detect malicious, deprecated, or unsafe #oss dependencies in your code? We just released a new GitHub Action that can automatically check your PRs for unsafe open source dependencies, and provide a list of safer alternatives. Using the Trusty Dependency Risk Action can help you avoid taking a dependency on OSS software that is:
- Malicious, deprecated, or archived (as reported by OSV.dev, GitHub, or package managers)
- Not being actively maintained
- From an unverified source
- Likely to be a typosquat / supply chain attack
Try it out and let us know what you think! 👀 Blog post with more background: https://lnkd.in/gRG2PnjY ✅ Direct link to install the Trusty Dependency Risk Action: https://lnkd.in/g7RJTAVa
-
TODAY! Tune in to this Cloud Native Computing Foundation (CNCF) #Livestream as Stackers Juan Antonio "Ozz" Osorio and Jakub Hrozek dive into automating pinning GitHub Actions & container images to digests. 9am PT | 12pm ET | 16:00 UTC | 17:00 BST 📺 https://lnkd.in/gZcR4JEX
-
Thanks Pete Soderling for hosting our CEO, Craig McLuckie, on the Zero Prime Ventures podcast! Check out this episode if you're interested in the origins of the #Kubernetes project, and for founder advice on leading startups.
Building the technology is only half the problem and maybe not even the hardest half of the problem. This hard truth from Stacklok CEO and Kubernetes co-creator Craig McLuckie is one engineer-founders need to hear. It's certainly a lesson I've had to learn in my own entrepreneurial journey. Our Zero Prime Ventures podcast conversation covers Craig's thoughts on go-to-market challenges for infra startups, Kubernetes' origins, competition in the Infrastructure-as-a-Service landscape, advice for commercializing OSS projects and optimal team structures in seed-stage companies. Give it a listen at the link in comments.