Welcome to our blog

Get the latest insights from our team & community.

  • supply chain security

Your Developer Workforce is Larger Than You Think

By using open source software, you expose yourself to the influence of thousands of developers you do not know and should not necessarily trust. Analyzing author behavior is critical to securing your software supply chain.

Aaron Bray - May 18, 2021
  • supply chain security

Build System and Version Control Compromises - the New Normal

While SolarWinds made headlines within the last few months for the sheer scope of its impact, a sharp uptick in build and version control system compromises has followed in the intervening months, targeting third-party tools and open source applications.

Aaron Bray - April 25, 2021
  • supply chain security

What the History of Software Supply Chain Attacks Says About Today’s Risk

Despite attracting major media attention in the wake of the recent SolarWinds breach, software supply chain attacks are not a new concept. In this post, we take a look at the last forty years and examine how software supply chain attacks became such a big issue.

Aaron Bray - April 21, 2021
  • supply chain security

Internally Hosted Dependencies: A Losing Battle

Dependency confusion lets attackers impersonate internal software packages on public registries to gain access to developer workstations and critical build infrastructure. Understand this new supply chain issue and how to defend against it.

Aaron Bray - March 23, 2021
  • supply chain security

Repo Jacking: Hidden Danger in Broken Links

Repo jacking is an insidious software supply chain issue: attackers can take over upstream packages if the original owner renames or deletes their username.

Aaron Bray - March 17, 2021
  • supply chain security

How to Understand and Defend Against SolarWinds-Type Attacks

In late 2020, one of the most devastating cyber attacks of the last decade was discovered: the SolarWinds breach.

Aaron Bray - January 09, 2021
  • technical

The Anatomy of a Malicious Package (Part 2)

Picking up where we left off in the last article, it's time to start thinking about improving our situation.

Aaron Bray - August 28, 2020
  • technical

The Anatomy of a Malicious Package

What does a malicious package actually look like in practice? We'll walk through some hypothetical exercises to see how malware generally works and what sort of functionality to expect, from relatively simple, short-lived payloads to complex ones.

Aaron Bray - August 21, 2020
  • supply chain security

The State of the NPM Ecosystem

What does the upstream for major packages really look like? Over the past few years, the shape of the open source ecosystem has shifted dramatically, exploding both in the volume of published code and in the number of dependencies that sit upstream of a given library.

Aaron Bray - August 10, 2020
  • supply chain security

Typosquatting and Other Attacks Against Open Source Dependencies

In November 2018 a malicious JavaScript package was identified and subsequently removed from the NPM ecosystem. Attacks of this nature are only increasing.

Louis Lang - July 27, 2020