GitHub brings its suite of supply chain security features to Go

Go is receiving a boost from GitHub with the company bringing its supply chain security features to the Google-designed language.

According to GitHut, Go is currently the fourth most-popular language on GitHub. The Go community embraced GitHub and now the company is returning the favour by helping them to discover, report, and prevent security vulnerabilities.

Steve Francia, Product Lead of Go Language at Google, said:

“Go was created, in part, to address the...

Former NSA executive Jacob DePriest now heads GitHub’s security operations

GitHub has announced that former NSA (National Security Agency) senior executive Jacob DePriest is now heading its security operations.

Open source evangelist DePriest built the NSA’s Developer Experience from scratch and helped the agency’s developers contribute to the work of others. The NSA’s historically lengthy approval process was reduced from weeks to mere hours in some cases.

A 2019 post on the US Intelligence Careers website explains why DePriest has a...

2021 State of DevOps report highlights factors that lead to success

Puppet’s latest State of DevOps report arrives ten years after the first edition and highlights that successful DevOps is dependent on a number of factors.

The first State of DevOps report was released when DevOps was only discussed by some cutting-edge decision-makers. A decade on, 83 percent now report their organisations are implementing DevOps practices.

Michael Stahnke, VP of Platform at CircleCI, said:

“In ten years, we've gone from hype to practice...

Report: Sec and DevOps split on who is responsible for software security

Solar Eclipse

IT security and development teams are divided over who is and who should be responsible for securing software, a new report from cybersecurity company Venafi has shown.

When asked who is responsible for software security at their organisations, the sample of 1,000 DevOps and Sec professionals were equally split, with 48% saying development were and 48% saying IT security were.

Of far greater concern is the divide over who should be responsible for software security. Only...

Addressing software security for financial services in 2021

Companies operating in the financial services arena today must adhere to a whole host of complex regulatory standards, which makes perfect sense given both the assets and information managed by such firms are valuable and sensitive, and as a result, highly targeted by sophisticated cyber attackers daily.

Compounding these challenges is the large volume of personally identifiable information (PII) that such organisations handle too, which is subject to a plethora of industry...

Google’s latest framework aims to prevent SolarWinds-like supply chain attacks

Google has unveiled a new framework called Supply chain Levels for Software Artifacts, or SLSA (pronounced "salsa").

The intention of SLSA is to help prevent the growing number of devastating supply chain attacks in recent years—such as the SolarWinds and CodeCov hacks.

Google describes SLSA as "an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain."

The company says that SLSA is inspired by its own...

Sonatype Lift uses deep code analysis to suggest bug fixes

Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.

Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

Research from Veracode last year found that open-source libraries cause security flaws in around 70 percent of apps. However, open-source libraries are often critical to projects.

Using a deep code...

At DevSecCon24, find out how to build a Security Champions programme to scale your team

Next week, we’re looking forward to bringing together the amazing speakers, attendees and sponsors of DevSecCon24 to discuss, debate and understand how a Security Champions programme can work. As Snyk’s Field CTO, I’ll be leading a panel with stellar DevSecOps leaders from Twilio, Atlassian and Pearson to delve into how to get started, the challenges and the fine-tuning. Here’s a taster of where the discussion might lead.

The concept of a Security Champions...

Trend Micro partners with Snyk to fight open-source bugs

Cybersecurity leader Trend Micro is partnering up with application security platform Snyk to fight open-source bugs.

Research from Veracode last year found that open-source libraries cause security flaws in 70 percent of apps. Snyk itself has observed a 2.5x growth in open-source vulnerabilities over the past three years.

However, open-source is vital to the advancement of the software development industry. Snyk estimates that around 80 percent of application today is...

GitLab: 2020 was a ‘catalyst for DevOps maturation’

GitLab’s fifth annual DevSecOps survey reveals that last year was pivotal for the maturation of DevOps.

The only silver lining from the disaster of a year that was 2020 is that it helped to highlight inefficiencies with legacy processes and technologies. As the world looks to "build back better" from the pandemic, the work of DevOps teams should provide some inspiration.

Eric Johnson, CTO at GitLab, said:

“This year’s Global DevSecOps Survey shows that...