OSV.dev, the community vulnerability database aggregation service for open source crosses the 100k mark (115,054 vulns), thanks to the OpenSSF OSV schema (github.com/ossf/osv-schema) standardization across 24 language and distro ecosystems!

Bloody oath can someone fix #NVD , say 50+ #infosec pros incl. Dan Lorenc (or words to that effect)

One source tells me a CNA punted NVD a bunch of borked CVE data/files and it's still cleaning up the mess because... legacy tech. Couldn't confirm

thestack.technology/nvd-crisis-vul…

#MisCONfigured is just around the corner...

Time to unveil our star-studded speaker line-up 📢

🎤 Corey Quinn from The Duckbill Group
🎤 Christopher Hughes
🎤 Tyler Waldo from Salesforce
🎤 Dan Lorenc from Chainguard ⛓️

Secure your spot below! 🔍
wiz.io/events/misconf…

Bogus CVE of the day, in which the only concession for the maintainer is a “** DISPUTED **” tag that doesn’t even show up on the imported record on the NVD website.

'free software is free as in free puppy. You can adopt it for free but then you need to take care of it'

Hey NYC friends! We're doing a Chainguard ⛓️ happy hour tomorrow at Magic Hour Rooftop from 4-6:30.

Join us then!

Hayden Blauzvern from Google's open source security team discusses how Sigstore is prioritizing package managers as the main avenue for Sigstore adoption.
Learn more about Sigstore: openssf.org/projects/sigst…
#SOSSCommunity

The U.S. government has a Microsoft problem.

Market dominance, inertia, and savvy PR have almost completely insulated the hack-plagued company from meaningful oversight, even as Biden officials preach corporate accountability.

My new WIRED story: wired.com/story/the-us-g…

Ok but only if we get to call it *WonK'

The end of GitHub PATs: You can’t leak what you don’t have chainguard.dev/unchained/the-… from Chainguard ⛓️ by Matt Moore ⛓🚀

We've been tuning bincapz to reduce false positives after scanning it across all the packages in Wolfi OS.

Give it a try, the results are getting really good: github.com/chainguard-dev…

📖 CloudSecList Issue 233 just got released, w/ content from Mitiga Stedi Palo Alto Networks @OrcaSec and more!

cloudseclist.com/issues/issue-2…

I clicked 'show more' on this and learned nothing new. I'm not sure what that says.

Every good blog post or document starts as like 9 bullets with random indentation.

'Those sources said the breach appears to have started when the attackers somehow gained access to the company’s Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud.' - Bearer…

Secure products, not security products!

A great read. Thanks for supporting the real open source message Steven J. Vaughan-Nichols.

When it was alleged that OpenTofu 'stole' HashiCorp's code, it was all over the IT news. Now that OpenTofu has proved that those allegations were false and self serving, I hope that the news is just as widespread.

Really impressed by how quickly the valkey community has come together and established a place to continue work.

Looking forward to their first release! github.com/valkey-io/valk…

'fauxpen source' is perfect.

The LF's work here often goes unseen, but they're a huge force protecting OSS, even when it's not popular.

theregister.com/2024/04/12/lin…