Your software is only as trustworthy as the dependencies you quietly inherit, and attackers know it. Today I break down the NCSC warning on software supply chain security and why open source package ecosystems have become a high-value target for real-world compromises that spread fast through CI/CD pipelines. I walk through the attack patterns that keep showing up in incidents: maintainer account compromise, expired domain takeover, typosquatting, and credential chaining. We connect each technique to the CISSP mindset so you can spot it in scenario questions and, more importantly, recognise it in your own environment. Along the way, I explain why Node.js, Python, and Rust projects are especially exposed, how automation can turn “latest version” convenience into an enterprise incident, and why developer environments often become an overlooked attack surface. Then we get practical with controls you can actually implement: pausing automatic dependency updates when compromise is suspected, adding human approval for critical packages, rotating credentials immediately, enforcing MFA on developer and registry accounts, and using private or trusted registries to mirror and vet dependencies. I also zoom out to show how to build supply chain security into the secure SDLC with software composition analysis (SCA), code signing, checksum verification, audit logging, continuous monitoring, and an SBOM so you can respond fast when a package turns toxic. If this helps you tighten your dependency management and level up your CISSP prep, subscribe, share this with a teammate, and leave a quick review so more security pros can find the show. Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
In the security news this week: FCC router bans and the hidden firmware update problem; Why extending support timelines actually improves security; GitHub supply chain concerns and the evolving SBOM ecosystem; CRA and NIS2 compliance deadlines are getting very real; The EU Cyber Resilience Act's 24-hour vulnerability disclosure requirement; Security regulation: vertical vs horizontal compliance models; Vehicle-to-load EV systems powering homes during outages; Solar, batteries, AI farms, and the future economics of electricity; Data centers consuming regional power grids; BitLocker “Yellow Key” fallout and large-scale remediation challenges; AI-generated PowerShell fixes and the rise of vibe scripting; Linux kernel exploits, module jail, and default deny strategies; Medical biometric data theft and why fingerprints are terrible passwords; Interpol cybercrime operations across the MENA region; OT security, connected vehicles, and accepting real-world risk. The crew also discusses threat intelligence obligations under the CRA, the operational realities of patching at enterprise scale, the economics of secure-by-default systems, and why making security cheaper than insecurity might finally move the industry forward. Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-927
G7 countries release AI SBOM guidance. Dell confirms its SupportAssist software causes Windows BSOD crashes. Dirty Frag sequel arrives as Fragnesia. Get the show notes here: https://cisoseries.com/cybersecurity-news-g7-releases-ai-sbom-dell-supportassist-bsod-dirty-frag-sequel/ Huge thanks to our episode sponsor, Doppel. Social engineering attacks look trustworthy — a routine request, an internal email, a familiar face on a call. But Doppel sees through the disguise. Our AI-native platform detects and disrupts attacks across every channel, while training employees to recognize deepfakes and deception. We fight relentlessly to protect your business, brand, and people. Doppel. Outpacing what's next in social engineering. Learn more at doppel.com.
Patch Tuesday. Global agencies update SBOM guidance. Iran-linked espionage group Seedworm breached a major South Korean electronics manufacturer. A telehealth platform breach affects 716,000. Foxconn confirms a cyberattack. Maria Varmazis has an update on orbital data centers. A lawmaker questions surveillance pricing. Brandon Karpf, friend of the show, is talking with Dave about "Japan's space systems face growing cybersecurity threats." Robotic lawnmowers on the cutting edge. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest: Today Brandon Karpf, friend of the show, is talking with Dave about "Japan's space systems face growing cybersecurity threats." Selected Reading: Microsoft Fixes 17 Critical Flaws in May Patch Tuesday (Infosecurity Magazine); Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises (SecurityWeek); Adobe Patches 52 Vulnerabilities in 10 Products (SecurityWeek); Fortinet, Ivanti Patch Critical Vulnerabilities (SecurityWeek); Chipmaker Patch Tuesday: Intel and AMD 70 Vulnerabilities (SecurityWeek); ICS Patch Tuesday: New Security Advisories From Siemens, Schneider, CISA (SecurityWeek); Global Cyber Agencies Issue New SBOMs for AI Guidance to Tackle AI Supply Chain Risks (Infosecurity Magazine); Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign (SECURITY.COM); 716,000 Impacted by OpenLoop Health Data Breach (SecurityWeek); Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files (The Register); Congressman launches inquiry into how food retailers use surveillance pricing (The Record); Orbital Inference Data Center Bets On Space GPUs (IEEE Spectrum); Cowboy Space raises $275 million to launch AI data centers on brand-new rocket (Space.com); Yarbo responds to robot flaws that could mow down their owners (Malwarebytes). Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Is your Java application actually secure, or does it just look that way? In this episode of the Foojay Podcast, Frank is joined by Steve Poole and David Welch, both from HeroDevs, to dig deep into the state of Java security in 2025 and beyond. Steve introduces the concept of zombie dependencies: end-of-life libraries that appear safely dormant but are quietly accumulating vulnerabilities waiting to bite you. David, a co-chair of the CVE Automation Working Group, explains what a CVE actually is, how the identification and disclosure process works in practice, and why AI tools like Mythos are dramatically accelerating the pace at which new vulnerabilities are found — on both sides of the wall. Together they cover how CVEs in the Java runtime are handled through coordinated disclosure, why Maven Central is safer than most ecosystems but not a silver bullet, and what insurance companies are starting to demand from organizations that haven't cleaned up their dependency trees. They also discuss practical steps any Java developer can take today, from generating an SBOM and running Snyk or Trivy, to adopting OpenRewrite and Renovate in your pipelines, and why vibe coding with AI tools may be quietly making your security posture worse if you are not reviewing the dependency choices being made for you. A candid, occasionally alarming, and ultimately optimistic conversation about a problem the Java community is well-positioned to lead on.
Steve Poole: LinkedIn; Foojay Author profile; Crossing the River Styx: Spring Boot 3.5 and the Zombie Dependency Problem; Why Java Developers Over-Trust AI Suggestions. David Welch: LinkedIn.
Content: 00:00 Introduction of topics and guests; 04:00 What are Zombie dependencies?; 05:36 What are CVEs?; 11:39 How Mythos and other AI tools are influencing the CVE reporting process; 16:53 How CVEs in the Java runtime are handled; 21:30 How the industry is looking at the increased security threats; 30:17 Developers need to make better decisions "the first time" and use the right tools; 31:42 Keep your OS, JVM, and dependencies up-to-date! Insurance companies will force you...; 44:48 How "safe" is Maven Central compared to other repository systems; 50:48 What you can do as a Java developer to make your apps safer; 59:01 Should we be scared for the following years and be careful with vibe coding?; 01:04:27 Conclusion
In the Elixir Wizards season 15 premiere, host Charles Suggs is joined by Holden Oullette, Senior Security Software Engineer at Netflix and maintainer of Sobelow, to talk about how security is evolving in the Elixir ecosystem. We discuss how certain features of the Elixir programming language (like functional patterns and server-side rendering) provide natural immunity against some common vulnerabilities, and what that means as the language continues to grow. Holden shares how tools like Sobelow are adapting and how new technologies like LLMs and Elixir's type system may help to strengthen security practices. We cover supply chain risks, ecosystem-level responsibility and reputation management, and how initiatives like AEGIS are prepping the community for more widespread adoption. We wrap with practical tips for teams to be more security-minded throughout the software development lifecycle without slowing everything down. Key topics discussed in this episode: How Elixir's design influences secure-by-default development; Security tradeoffs between server-side and client-heavy architecture; Supply chain risks and what the ecosystem is doing to prepare; Static analysis with tools like Sobelow and AST-based pattern matching; Where LLMs fit into modern security workflows; The role of Elixir's upcoming type system in improving tooling; Securing CI/CD pipelines and production environments; Balancing development speed with security requirements; Dependency management and vulnerability monitoring; The AEGIS Initiative and ecosystem-wide security efforts. Links mentioned: Holden's GitHub https://github.com/houllette Elixir Programming Language https://elixir-lang.org/ Security-focused static analysis for the Phoenix Framework https://github.com/nccgroup/sobelow Code Security for Builders https://semgrep.dev/ Erlang Ecosystems Foundation https://erlef.org/ Phoenix Framework https://www.phoenixframework.org/ WebSockets https://hexdocs.pm/phoenix_live_view/Phoenix.LiveView.Socket.html
https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API Open Worldwide Application Security Project https://owasp.org/ https://github.com/elixir-ecto/ecto Log4j Vulnerability https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know React2Shell Vulnerability https://www.finra.org/guidance/guidance/cybersecurity-advisory-react2shell The Heartbleed Bug https://www.heartbleed.com/ Elixir Type System https://hexdocs.pm/elixir/main/gradual-set-theoretic-types.html Holden Oullette “Securing the Future: A Roadmap to Making Elixir the Safest Language” ElixirConf 2024 https://youtu.be/gpvKxS6sY8Y Aegis Initiative: Supply Chain Security & Compliance Initiative https://security.erlef.org/aegis/ OIDC Tokens https://openid.net/ Anthropic's Claude Mythos & Cybersecurity https://red.anthropic.com/2026/mythos-preview/ Igniter Code Generation Framework https://github.com/ash-project/igniter https://smartlogic.io/podcast/elixir-wizards/s13-e01-igniter-code-generation-zach-daniel/ Secure-by-default open source software https://www.chainguard.dev/ https://www.docker.com/ https://github.com/dependabot https://docs.aws.amazon.com/apigatewayv2/latest/api-reference/apis-apiid-models.html https://nixos.org/ https://smartlogic.io/podcast/elixir-wizards/s14-e08-nix-for-elixir-apps/ https://fedoraproject.org/ https://kubernetes.io/ https://netflix.github.io/chaosmonkey/ https://netflixtechblog.com/all?topic=chaos-monkey Special Guest: Holden Oullette.
The SBOM, the tool for tracking software during development (and making updates easier). Once upon a time there was complexity. And there still is. But now we are trying to manage it more and more. We can do it; perhaps not all the data is there yet, but we have started listing everything that is inside, going beyond what git offers. Happy listening.
Viktor Peterson, part of the CISA task force working on SBOM blueprints and co-founder of sbomify, explores the shifting landscape of software supply chain security as the EU's Cyber Resilience Act (CRA) comes into force, a "GDPR moment" for the industry. Beyond mere compliance, Peterson argues that SBOMs provide significant operational value as tools for automated security audits and license management, provided they are generated using ecosystem-specific tools rather than generic scanners. He also offers critical security insights into the risks of weaponised code, citing recent incidents where security tools themselves became attack vectors, and emphasises the need for vendor-neutral discovery mechanisms like the Transparency Exchange API (TEA) to secure the software lifecycle. Read a transcript of this interview: https://bit.ly/41eFG34 Subscribe to the Software Architects' Newsletter for your monthly guide to the essential news and experience from industry peers on emerging patterns and technologies: https://www.infoq.com/software-architects-newsletter Upcoming Events: QCon AI Boston 2026 (June 1-2, 2026) Learn how real teams are accelerating the entire software lifecycle with AI. https://boston.qcon.ai QCon San Francisco 2026 (November 16-20, 2026) https://qconsf.com/ The InfoQ Podcasts: Weekly inspiration to drive innovation and build great teams from senior software leaders.
An airhacks.fm conversation with Holly Cummins (@holly_cummins) about: discussion about Quarkus energy efficiency and performance benchmarks, comparing Quarkus throughput and energy consumption to Spring Boot, the Quarkus Benchmarks repository and Spring-Quarkus performance comparison repository on GitHub, three times throughput and half the energy consumption with Quarkus, Quarkus build-time optimization and tree shaking, monomorphic vs megamorphic dispatching in the JVM, removing reflection at build time, the reactive core built on Vert.x enabling blocking APIs with reactive scalability, Quarkus dev experience and fast reload, build duration comparison between Quarkus and Spring Boot, the Writing Greener Java Applications white paper, the Energy Efficiency across Programming Languages study, Java ranking among the most energy-efficient languages, carbon-aware dispatching and Electricity Maps, zombie deployments and kubernetes cluster waste, serverless architecture with Quarkus on AWS Lambda, SnapStart for sub-second cold starts, Provisioned Concurrency cost savings, GraalVM native binaries vs JVM mode in serverless environments, CycloneDX SBOM generation in Quarkus, build-time vs runtime configuration for ISO 27001 security certification, Kruize Autotune for JVM hyperparameter optimization, JVM tuning folk wisdom and the copy-paste typo anecdote, Francesco Nigro's performance optimization work across the stack from assembly to JVM, Jeff Mesnil leading JBoss energy efficiency efforts, cheese fondue recipe, UK chocolate and Cadbury Roses Holly Cummins on twitter: @holly_cummins
Guest: Dan Lorenc, Founder / CEO, Chainguard. Topics: We just saw a security tool (Trivy) get used to pop an AI infrastructure tool (LiteLLM) to eventually pop end users. Have we reached the point where our security tooling is actually our largest unmanaged attack surface? Why now? Software supply chain security had the perennial vibe of "not top concern" for most organizations, right? TeamPCP pushed malicious code to existing GitHub tags. We've been screaming about pinning versions to SHAs for years, but clearly, nobody is listening. Is it time to admit that 'convenience' is the primary enemy of supply chain security? The Axios incident showed a victim compromised in under two minutes. In a world of auto-updating dependencies, is the concept of a human-in-the-loop for software updates officially dead, or do we need to look very hard at version pinning and such? With the XZ Utils case, we saw a long-game social engineering attack. Beyond just 'watching npm closely,' what are the realistic architectural safeguards for an org that knows they can't audit every line of an update? We've spent the last three years talking about SBOMs (Software Bill of Materials) like they were a pill for supply chain health. But if the scanner producing the SBOM is the one that's compromised, isn't the SBOM just a signed receipt for your own house being on fire? What is the one practical thing they can do to ensure their CI/CD isn't a credential-exfiltration-as-a-service platform? Resources: Video version; North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack; EP100 2022 Accelerate State of DevOps Report and Software Supply Chain Security; EP116 SBOMs: A Step Towards a More Secure Software Supply Chain; EP226 AI Supply Chain Security: Old Lessons, New Poisons, and Agentic Dreams; EP24 Linking Up The Pieces: Software Supply Chain Security at Google and Beyond; Matt Levine blog
Because… it's episode 0x737!
Shameless plug: April 14 to 17, 2026 - Botconf 2026; April 20 to 22, 2026 - ITSec, 15% discount code: Seqcure15; April 28 and 29, 2026 - Cybereco Cyberconférence 2026; May 9 to 17, 2026 - NorthSec 2026; June 3 to 5, 2026 - SSTIC 2026; September 19, 2026 - Bsides Montréal; December 1 to 3, 2026 - Forum INCYBER - Canada 2026; February 24 and 25, 2027 - SéQCure 2027.
Description
Context and recap of the previous episode: In this technical episode, the host once again welcomes François Proulx to take stock of a major cyberattack whose developments have exploded since their last conversation. The previous episode covered a first attack against Trivy, an open source security scanning tool developed by the Israeli company Aqua Security. Trivy is used heavily by large companies to inventory a project's open source components (SBOM) and identify the associated vulnerabilities (CVE). It is precisely this popularity that made it a prime target.
The second wave: an incomplete incident response: Barely 20 days after the initial attack at the end of February, Trivy was compromised a second time. The reason: Aqua Security had not revoked all of its access tokens during its incident response. The company waited several days before calling in an outside firm (Mend), which drew criticism. In their statement, they admitted having forgotten to revoke one token, and not just any token: it was one even more privileged than the one used in the first attack, giving access to internal private repositories potentially containing sensitive intellectual property. This second attack was even more devastating: not only was Trivy poisoned again, but the associated GitHub Actions, components used to integrate Trivy into CI/CD pipelines, were also corrupted, including earlier versions. As a result, organizations that believed they were using a safe, older version found themselves exposed without knowing it.
A cascading spread: The initial vector was a vulnerability in a GitHub Actions workflow in the Trivy repository, simple to exploit but little known. The attackers obtained a token allowing them to build and distribute a malicious version of Trivy on the official registries without modifying the visible source code, which made detection harder. When Trivy ran in a victim company's CI/CD pipeline, it acted as an info stealer: it exfiltrated the secrets and tokens present in the execution environment. These stolen tokens were then used to compromise other projects, creating a multi-level chain of contamination. First order: Trivy itself, compromised at Aqua Security. Second order: companies using Trivy in their pipelines, including Checkmarx, another application security tool. Third order: very popular open source projects such as LiteLLM, a library for interfacing with large language model (LLM) APIs, whose maintainer appears to have been compromised directly through their workstation. About 72 hours after the attack, companies began publicly reporting that their tokens had been exfiltrated and reused against them.
The attackers reveal themselves: During the weekend of March 20, the group responsible revealed itself on Twitter under the name Team PCP, defacing GitHub repositories to prove its access. They then formed partnerships with groups specializing in ransomware to monetize the access obtained, a logical evolution for actors in possession of terabytes of stolen secrets. The FBI officially named this group and asked all victimized American companies to file a complaint. According to François Proulx, the attackers' behavioural profile (childish messages, communication over Telegram, a habit of bragging publicly) strongly suggests that they are teenagers, probably located outside US territory, which complicates prosecution. To hinder incident response teams, the attackers used hundreds of legitimate GitHub accounts bought on the black market (probably sourced from info stealer logs) to flood incident discussion threads with automated generic comments, making any coordination difficult.
The structural problem of transitive dependencies: François Proulx raises a critical issue tied to the npm ecosystem: the way version constraints are defined in package.json files. When a dependency is declared loosely (e.g. axios: ^1.x), a routine update can automatically pull in a compromised version without the developer noticing. The extremely popular Axios library was notably affected in this attack. Even with a lock file, the risk is not zero: a hash mismatch warning could be ignored or, worse, lead a developer to regenerate the lock file, thereby freezing the malicious version in place.
What developers can do: François Proulx recommends two concrete measures. Use real-time verification tools that intercept downloads of npm or PyPI components and compare them against lists of malicious components updated several times an hour. Adopt a cool-off period before using a new version of a dependency, to give the community time to detect any problems. He also mentions Bagle, their own open source local analysis tool, which detects poorly stored secrets on a workstation (environment variables, temporary files, etc.) without sending anything outside.
Conclusion: At the time of recording, April 2, the attack was still under way. A large share of the victims do not even know yet that they have been compromised. The coming weeks are likely to reveal the true extent of the damage, notably through transitive dependencies. This episode illustrates how much software supply chain security remains largely underestimated, and that this collective wake-up call, although painful, was perhaps necessary.
Notes: Teknik - Hackerbot-claw. Contributors: Nicolas-Loïc Fortin, François Proulx. Credits: Editing by Intrasecure inc. Virtual premises by Riverside.fm
Daniel Bardenstein, CEO and co-founder of Manifest Cyber, opens with a candid assessment: the fundamental problem hasn't changed since Log4Shell. Organizations still don't understand what's inside the software and AI they build and buy. A recent Manifest Cyber study found a 40-50% gap between how well CISOs believed their security posture was managed and how their own AppSec teams rated the reality. Traditional SCA tools bury analysts in alerts without enabling response. Third-party tools hand out letter grades without reflecting actual empirical risk. The result is what Bardenstein calls the illusion of transparency -- confidence in visibility that doesn't actually exist. The hidden sources of risk go deeper than most teams realize. C/C++ code underpins critical infrastructure across medical devices, automotive, defense, and financial services -- yet most scanning tools can't effectively analyze it. Third-party binaries carry serious risk that vendors rarely disclose. Open source libraries that haven't been updated in years represent quiet exposure. And AI adoption is adding a new layer of opacity: datasets of unknown provenance, open-weight models with untested risk profiles, and AI-embedded applications where organizations have no visibility into what models or agents are operating underneath. Bardenstein frames the path forward in three dimensions: rapid response when a new issue emerges, proactive inventory and monitoring of critical dependencies, and supply chain risk stopped at the procurement gate before it enters the enterprise. When customers demand SBOMs as a condition of doing business, vendors improve -- and those improvements flow to all their other customers as well. Manifest Cyber sees this market dynamic as one of the most powerful forces for making the software ecosystem more secure. The conversation also takes on accountability. 
Drawing on his time leading technology strategy at CISA, Bardenstein argues that the burden of transparency must fall on the people who write software, not those who buy and use it. The "transparency tax" -- the hidden cost of cheap or opaque technology -- only surfaces after something goes wrong, in the form of incident response, people-hours, and exposure. Compliance drivers like the EU Cyber Resilience Act are reinforcing this shift, but market pressure from major banks, pharmaceutical companies, and government is already moving faster than regulation. Manifest Cyber automates the hard work: generating SBOMs, analyzing binaries, surfacing risk in C/C++ and third-party dependencies, and enabling fast, owner-assigned remediation. One customer went from zero to generating SBOMs across their entire fleet in 90 seconds -- without touching a command line. The platform is built to keep engineer velocity high, surface risk in plain language for procurement and risk teams, and make supply chain security accessible to the entire organization, not just the AppSec team. This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight GUEST Daniel Bardenstein, CEO and Co-Founder, Manifest Cyber LinkedIn: https://www.linkedin.com/in/bardenstein/ RESOURCES Manifest Cyber: https://www.manifestcyber.com
This interview was recorded for GOTO State of the Art in November 2025. https://gotopia.tech
Read the full transcription of this interview here: https://gotopia.tech/articles/425
Adrian Mouat - Developer Relations at Chainguard & Author of 'Using Docker'
Charles Humble - Freelance Techie, Podcaster, Editor, Author & Consultant
RESOURCES
Adrian
https://bsky.app/profile/adrianmouat.com
https://twitter.com/adrianmouat
https://github.com/amouat
https://linkedin.com/in/adrianmouat
http://www.adrianmouat.com
Charles
https://bsky.app/profile/charleshumble.bsky.social
https://linkedin.com/in/charleshumble
https://mastodon.social/@charleshumble
https://conissaunce.com
Links
https://images.chainguard.dev
https://www.cisa.gov/sbom
https://www.chainguard.dev/supply-chain-security-101/the-npm-registry-cant-protect-you-the-new-javascript-supply-chain-attacks
https://oxide-and-friends.transistor.fm/episodes/discovering-the-xz-backdoor-with-andres-freund
https://edu.chainguard.dev
DESCRIPTION
In this State of the Art episode, Charles Humble speaks with Adrian Mouat, Developer Relations at Chainguard and author of "Using Docker", about the evolution of container security and the persistent challenge of outdated packages. Adrian explains how traditional Linux distributions weren't designed for the immutable, frequently-replaced nature of containers, leading to security vulnerabilities that scanners detect but teams struggle to address.
He discusses how Chainguard tackles this problem by building everything from source using Wolfi, creating minimal "distroless" images with near-zero CVEs, and how concepts like SBOMs, attestations, and defense in depth are reshaping security practices. The conversation also covers major security incidents including the XZ Utils backdoor and Shai-hulud attacks, emphasizing the importance of building from source, using short-lived credentials, and replacing rather than updating containers – practices pioneered by companies like Google that are gradually spreading across the industry.
RECOMMENDED BOOKS
Adrian Mouat • Using Docker • https://amzn.to/3PEYIJL
Liz Rice • Container Security • https://amzn.to/3oU4iJe
Liz Rice • Kubernetes Security • https://www.oreilly.com/library/view/kubernetes-security/9781492039075
As RSAC 2026 approaches, Daniel Bardenstein, CEO and Co-Founder of Manifest, joins hosts Sean Martin and Marco Ciappelli to unpack the growing disconnect between how security leaders perceive their AI and software supply chain posture and what practitioners on the ground actually experience. Drawing from Manifest's new research report — Beyond the Black Box — Bardenstein connects the dots between shadow AI, SBOM adoption gaps, and a dangerous pattern: history is repeating itself as organizations rush to adopt AI with the same disregard for security that characterized the early cloud era. In a wide-ranging pre-event conversation ahead of RSAC 2026, Daniel Bardenstein, CEO and Co-Founder of Manifest, explores what it means to truly secure the software and AI supply chain — not just check the compliance box. Manifest's new research report, Beyond the Black Box, surveyed more than 300 security and AI leaders globally to understand the reality of AI adoption and software supply chain risk. One of the most striking findings was not a statistic, but a structural problem: a significant perception gap exists between how confident executive security leadership feels about their AI security posture and how unprepared frontline practitioners actually are. Where there is misalignment, Bardenstein notes, there is risk. The conversation draws a vivid parallel to the cloud adoption wave of a decade ago, when organizations rushed to SaaS and cloud infrastructure without thinking through security implications — and gave birth to entire new industries to clean up the mess. Today, the same dynamic is playing out with AI. Nearly two-thirds of the survey respondents reported encountering shadow AI within their organizations, as employees freely use tools like ChatGPT, DeepSeek, or locally downloaded models without centralized governance. When that AI eventually gets embedded into software that organizations build, deploy, and sell, the blind spots compound. 
SBOMs — software bills of materials — represent a promising step toward supply chain transparency, and Bardenstein credits the US government's regulatory nudging for driving adoption. Manifest's research shows that roughly 60% of organizations are now generating SBOMs, a meaningful milestone. But generation is not governance. Too many organizations treat an SBOM as a compliance artifact — a JSON file on a hard drive — rather than an operational tool that could dramatically accelerate vulnerability response, regulatory compliance, and incident management. The prescription has been filled; it's just not being taken. To reframe the urgency, Bardenstein introduces the concept of the "transparency tax" — the hidden cost organizations pay in time, money, and risk when they build or buy opaque technology. Just as consumers demand ingredient labels on food, Carfax reports on used cars, and active ingredient disclosures on prescriptions, the technology sector needs to normalize the same transparency for software and AI. For organizations willing to do the math, the case for investing in supply chain visibility becomes not just a security argument, but a business one. Heading into RSAC 2026, Manifest will not have a booth but will be active across the conference floor, meeting with customers, partners, and prospects. Bardenstein will appear on an invite-only panel alongside leadership from Corridor Dev, 1Password, and Google to discuss secure software and secure AI. The team is also planning to announce new platform capabilities designed to close the governance gaps their research surfaced — helping organizations move fast without creating the kind of blind spots that make AI adoption a liability rather than an advantage. Tune in for this sharp, candid pre-event conversation — and look for the full on-location Brand Spotlight recorded live at RSAC 2026 in San Francisco.
This week, Dave talks with Jean-Paul Bergeaux, CTO for Federal for GuidePoint Security, about OMB rescinding two Biden era orders, which had mandated that agencies require a software bill of materials (SBOM) from software vendors. Ben shares a follow-up story on the Anthropic/Pentagon dustup. Dave has the latest on the new National Cyber Strategy from the White House. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Links to today's stories: Anthropic sues the Trump administration after it was designated a supply chain risk Trump Admin Cyber Strategy Centers Private Sector in Offensive Cyber Operations Get the weekly Caveat Briefing delivered to your inbox. Like what you heard? Be sure to check out and subscribe to our Caveat Briefing, a weekly newsletter available exclusively to N2K Pro members on N2K CyberWire's website. N2K Pro members receive our Thursday wrap-up covering the latest in privacy, policy, and research news, including incidents, techniques, compliance, trends, and more. This week's Caveat Briefing covers kids' online safety proposals and Anthropic's suit against the Pentagon. Curious about the details? Head over to the Caveat Briefing for the full scoop and additional compelling stories. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Stop guessing which software to trust. We break down a clear, repeatable path to evaluate commercial off-the-shelf tools, open source projects, custom third‑party builds, and cloud services so you can pass CISSP Domain 8.4 with confidence and protect your environment in the real world. We start with exam-winning tactics—how to slow down, read for intent, and think like a manager—then move into concrete practices that tame software risk without stalling delivery.
You'll hear how to interrogate vendor claims, separate real certifications from marketing fluff, and judge patch cadences and incident response maturity. We dig into open source realities: vetting contributors, scanning dependencies against the NVD, building and maintaining an SBOM, and avoiding abandoned projects that explode under pressure. For third-party development, we outline what strong contracts look like—SLAs with teeth, security clauses, indemnity—and the proof you should see: code audits, SAST/DAST, penetration tests, and meaningful logging around integrations.
Cloud isn't a shortcut; it's a shift in responsibility. We map the questions that matter for SaaS, IaaS, and PaaS: data protection, tenant isolation, hypervisor hardening, API security, and event visibility into your SIEM. Then we stitch it all into an evaluation workflow you can run every time: functional fit, vendor validation, layered security assessment, compliance and licensing review, sandbox integration testing, and a deployment plan that defines fix‑forward and rollback before anything hits production. Wrap it with monitoring, periodic reassessment, and documentation that procurement, IT, and security can actually use, and you've built a trustworthy software supply chain.
If this helped you think sharper about software risk and the CISSP exam, subscribe, share it with a teammate, and leave a quick review telling us your top vendor vetting question.
Your feedback shapes future episodes.
There is a question that sounds almost embarrassingly simple. After a vulnerability is discovered in a piece of widely used software — something like Log4Shell, which shook the security world and left hundreds of thousands of organizations exposed overnight — the question organizations scrambled to answer was this: where is this code, and what does it touch? Most couldn't answer it. Not the Fortune 500 companies. Not the government agencies. Not the critical infrastructure operators. Not the hospitals or the banks or the utilities. They had built and bought mountains of software over years and decades, and when the moment came to understand what was actually inside it, they were effectively blind. That gap is exactly what Daniel Bardenstein set out to close when he co-founded Manifest Cyber in 2023. And in a conversation on ITSPmagazine's Brand Highlight series, he made a case for technology transparency that is hard to argue with — not because it's technically complex, but because the analogy he draws is so strikingly obvious once you hear it. "If you want to buy a house, you get to go inside the house, do the home inspection," he said. "You want to buy food from the grocery store — you can look at the ingredients. Even our clothes tell you what they're made of, how to care for them, and where they're from." But software? The technology running hospital MRI machines, weapon systems, financial infrastructure, water delivery? No transparency required. No ingredient label. No inspection rights. Just trust. That trust, as Log4Shell demonstrated, is a vulnerability in itself. Bardenstein came to this problem with credentials that few founders in the space can claim. Before starting Manifest, he spent four and a half years in the US government leading large-scale cyber programs and serving as technology strategy lead at CISA — the Cybersecurity and Infrastructure Security Agency. 
He saw firsthand how defenders are perpetually at a disadvantage, operating without the basic visibility they need to do their jobs. His mission became building the tools to change that. The problem, he's quick to point out, has not improved in the years since Log4Shell. Software supply chain attacks have multiplied — XZ Utils, NPM Polyfill, and others following the same pattern: trusted software becomes the attack vector, and it spreads fast. Meanwhile, most security teams are still operating with SCA tools that generate noisy, overwhelming alerts and vendor risk programs built on Excel spreadsheets and questionnaires rather than actual empirical data about the security of what they're buying. "Security teams have a false sense of security," Bardenstein said. The gap between what organizations think they know and what they actually know about their software supply chains remains dangerously wide. Manifest Cyber addresses this across the full lifecycle. For organizations that build software, the platform maps every open source dependency, assesses it for risk, and ensures developers can write more secure code without losing velocity. For organizations that buy software — which is everyone — it finds risks before procurement, then continuously monitors every third party component so that when something breaks, they know the blast radius in seconds, not weeks. The timing matters. Regulation is catching up to the problem. The EU AI Act, the Cyber Resilience Act, and a growing body of global policy are beginning to demand exactly the kind of software supply chain transparency that Manifest is built to provide. Organizations that wait to build this capability will find themselves scrambling to comply — those that build it in now will have it as a competitive advantage. The ingredient label for software has always been missing. Manifest Cyber is writing it. 
Marco Ciappelli interviews Daniel Bardenstein, CEO & Co-Founder of Manifest Cyber, for ITSPmagazine's Brand Highlight series. HOST Marco Ciappelli — Co-Founder & CMO, ITSPmagazine | Journalist, Writer & Branding Advisor
Want a clear path from CISSP to top-tier pay without getting lost in buzzwords? We break down five high-income specialties that pair perfectly with CISSP leadership: modern GRC, cloud security as code, AI ethics and governance, advanced identity, and software supply chain security. Along the way, we unpack how AI reasoning tools like Claude Code Security are reshaping AppSec by cutting false positives and detecting logic flaws scanners miss, and we translate that shift into concrete workflows, better guardrails, and faster delivery.
We start with the career pivot many leaders are making—moving from generalist security management to “decision architect.” That means pairing risk fluency with hands-on understanding of Terraform, Kubernetes, and CI/CD gates, then proving value through resilient architectures and evidence-driven dashboards for boards. You'll hear why GRC is exploding under new enforcement trends, how to automate continuous evidence to beat audit fatigue, and where vCISO opportunities command premium rates when strategy meets measurable outcomes.
From there, we get practical. We walk through cloud guardrails that stop drift before it hits prod, share how to navigate shared responsibility with AWS and Azure, and outline identity-first zero trust that tames API key sprawl and enables passwordless access. On AI, we go deep on shadow AI containment, prompt-injection red teaming, model transparency, and data loss prevention tuned for embeddings—governance that accelerates, not blocks. Finally, we turn to software supply chain security: SBOM mandates, signed artifacts, dependency risk, and the DevSecOps policies that keep pipelines moving while raising assurance.
If you're mapping your next move, we also compare salary bands across roles and highlight bridge certifications—CISM for program leadership, AI governance credentials for compliance depth, and CISA for audit rigor—to level up fast.
Subscribe, share this with a teammate plotting their niche, and leave a quick review to tell us which specialty you're pursuing next.
OMB's new memo rescinds the Biden‑era requirements and shifts software and hardware security to an agency‑driven, risk‑based model. SBOMs and attestations move from “must” to “may.” That means CIOs and CISOs can tailor what they ask for from vendors, but they'll also carry the burden of proving those choices keep mission systems safe. We'll dig into what this change unlocks and where it could create blind spots with Jean‑Paul Bergeaux, Federal CTO at GuidePoint Security.
Today on the Federal Drive with Terry Gerton:
The White House has scrapped the one‑size‑fits‑all SBOM mandate and told agency leaders to own their cyber risk. Now flexibility meets accountability.
The government's first $1 million antitrust whistleblower award could reshape how companies think about risk... and about their own employees.
A new Executive Order aims to rethink how the nation tackles addiction, shifting from treatment alone to a broader, community‑anchored approach to recovery.
Federal Tech Podcast: Listen and learn how successful companies get federal contracts
Twenty years ago, the concept of Bring Your Own Device (BYOD) entered the federal IT landscape with the advent of network-connected devices like Blackberries, sometimes even within secure federal networks. This slow start has exploded into a federal information technology system with sensors on satellites, submarines, and everywhere in between. That "in between" can include on-prem networks, multiple clouds, and hybrid clouds. Today, we sit down with Ryan Lewis, the CEO of Rancher Government Solutions, to look at some of the challenges in managing this dispersed environment and how to address them. Lewis describes how Rancher connects hybrid environments using containers and Kubernetes for secure orchestration. Lewis emphasizes continuous compliance and DevSecOps via Rancher's Carbide stack, SBOM-level visibility, and rapid recovery in contested, denied/disconnected/intermittent/limited (DDIL) environments. Lewis notes that Rancher's declarative stack reduces maintenance and allows simple app redeployment. He also emphasizes portability, cost efficiency, and alignment with zero-trust principles, with upcoming hardened features. Connect to John Gilroy on LinkedIn https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com
RadioDotNet podcast, episode No. 130, February 2, 2026
In this episode you can hear a story about distributed event sourcing from the international software developer Altenar.
Podcast website: radio.dotnet.ru
Boosty (₽): boosty.to/RadioDotNet
Topics:
[00:02:30] — The State of WebAssembly – 2025 and 2026
platform.uno/blog/the-state-of-webassembly-2025-2026
[00:18:55] — Beyond ASP.NET and Lightweight Alternatives
dev.to/kaliumhexacyanoferrat/beyond-aspnet-li...
[00:33:25] — Creating a software bill of materials (SBOM)
andrewlock.net/creating-a-software-bill-of-materials-...
andrewlock.net/creating-sbom-attestations-in-github-a...
[00:51:05] — Retrieve method source file location at runtime using Portable PDBs
meziantou.net/retrieve-method-source-file-location-a...
[01:13:15] — Briefly, miscellaneous
t.me/epeshkblog/263
aws.amazon.com/blogs/compute/net-10-runtime-now-avail...
codingwithcalvin.net/introducing-the-visual-studio-toolbox
blog.peterritchie.com/posts/announcing-dotnetpscmds-powershe...
habr.com/ru/articles/989396
devblogs.microsoft.com/ifdef-windows/xaml-studio-is-now-open-...
Background music: Maxim Arshinov «Pensive yeti.0.1»
One of the biggest trends in software development over the past 10 years is the shift from writing code to "assembling" code from off-the-shelf components. During today's interview with Javed Hasan from Lineaje, we learned that 70% of that pre-assembled code is open source. In other words, an anonymous person in some country modified the software instructions. This casual approach may be fine for small businesses, but an organization like the federal government must be highly cautious. Hasan describes how his company was one of the first to work with the federal government to set standards for this existing code. These initial efforts began ten years ago and resulted in Executive Order #14028, which requires a Software Bill of Materials for any organization selling to the federal government. This initiative expanded in 2021-2022 when NIST published related guidelines. These efforts are a good start. However, federal leaders must evaluate SBOM technology from many perspectives: for example, how to incorporate this mandate into air-gapped networks, legacy COTS, or even a classified environment. System administrators also need to know if they are exposed. Further, every organization has a varying definition of what "deep software transparency" is. Hasan also discusses Lineaje's innovative approach to creating "Gold open source" software, ensuring it is free of malware and vulnerabilities. If you are interested in seeing a demonstration of how Lineaje can help with software forensics, there is an event at the Carahsoft office in Reston, Virginia, on January 30. Connect to John Gilroy on LinkedIn https://www.linkedin.com/in/john-gilroy/ Want to listen to other episodes? www.Federaltechpodcast.com
In this episode of Technology Tap: CompTIA Study Guide, we explore a groundbreaking shift in cybersecurity threats focused on operational availability instead of data theft. Using five headline patterns from 2025, including a case where hospital scheduling systems were compromised, we highlight critical lessons for IT skills development and tech exam prep. Learn how these attacks challenge traditional security thinking and why ensuring system availability is vital for technology education and anyone preparing for CompTIA exams.
From there, we dig into poisoned updates and the uneasy truth that digital signatures prove origin, not intent. By compromising a vendor's build pipeline, adversaries delivered “trusted” software that waited, watched, and embedded itself as infrastructure. Antivirus didn't catch it; analysts comparing subtle anomalies did. We unpack practical defenses: behavior monitoring for signed code, attestation, SBOM use, and staged rollouts that verify after trust, not just before.
Next, the social engineering target shifts to the help desk at 24/7 casinos, where urgency is the culture. With real names, roles, and believable pressure, attackers turned resets into keys. The logs showed everything as legitimate because the system allowed it. We share fixes that work under fire: just-in-time privilege, second-operator verification for high-risk requests, audited callback flows, and playbooks that slow down when stakes go up.
Then the cloud nightmare: a leaked admin token, logging disabled, and entire environments—plus backups—deleted. No exotic exploit, just excessive privilege and shared control planes. We break down guardrails that change outcomes: least privilege everywhere, break-glass elevation with time limits, immutable backups in isolated accounts, and monitoring that attackers can't silence.
All roads lead to the same insight: humans aren't the weakest link; they're the most overused control.
Real resilience comes from systems that assume trust will be abused and still contain damage—observed trust, independent logging, and workflows that don't require perfection from people under pressure. If you're building or defending, this is your blueprint for 2026: reduce blast radius, verify behavior, and never make a human your final barrier.
If this hit a nerve or sparked an idea, follow, share with a teammate, and leave a quick review. Tell us: where does your organization rely on trust without verification?
Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions
Juan Rodriguez can be reached at TikTok @ProfessorJrod, ProfessorJRod@gmail.com, @Prof_JRod, Instagram ProfessorJRod
While our team is out on winter break, please enjoy this episode of Data Security Decoded from our partners at Rubrik. In this episode of Data Security Decoded, host Caleb Tolin sits down with Hayden Smith, CEO of Hunted Labs, as he breaks down how software supply chain attacks really work, why open source dependencies create unseen exposure, and what modern threat actors are doing to exploit trust at scale. Caleb and Hayden dive deep into real-world attacks, emerging TTPs, AI-powered threat hunting, and what organizations must do today to keep pace. Listeners walk away with a clear picture of the problem—and a practical blueprint for reducing supply chain risk.
What You'll Learn
How modern attackers infiltrate open source ecosystems through fake accounts and counterfeit package contributions.
Why dependency chains dramatically amplify both exposure and attacker leverage.
How to use threat intelligence and threat hunting to proactively evaluate upstream packages before adoption.
Where AI-powered code analysis is changing the ability to discover hidden vulnerabilities and suspicious patterns.
Why dependency pinning, SBOM discipline, and continuous monitoring now define a strong supply chain posture.
Episode Highlights
00:00 — Welcome + Why Software Supply Chain Risk Matters
02:00 — Hayden's Non-Cyber Passion + Framing Today's Topic
03:00 — Why Open Source Powers Everything—and Why That Creates Exposure
06:00 — The Real Attack Vector: Contribution as Initial Access
08:00 — Inside the Indonesian “Fake Package” Campaign
10:30 — How to Evaluate Code + Contributor Identity Together
12:00 — Threat Hunting and AI-Enabled Code Interrogation
15:00 — The Challenge of Undisclosed Vulnerabilities in Widely Used Components
16:30 — How Recovery Works When Malware Is Already in Your Stack
19:00 — Continuous Monitoring as the Foundation of Modern Supply Chain Security
22:00 — Pinning, Maintainer Analysis, and Code Interrogation Best Practices
24:00 — Where to Learn More About Hunted Labs
Episode Resources
Hunted Labs — https://huntedlabs.com
Hunted Labs Entercept
Hunted Labs “Hunting Ground” research blog
Open Source Malware (Paul McCarty)
This episode tackles the complex challenge of applying the hardware-centric clauses of ISO 13485 to Software as a Medical Device (SaMD). Adnan Ashfaq, founder of Simply Medica, joins Etienne Nichols to dissect how traditional standards intended for physical manufacturing must be creatively interpreted for the virtual world of software development, where apps update weekly and cloud-based systems evolve in real-time. The conversation zeroes in on the often-muddy areas of production and service provision (Clause 7.5), emphasizing that these clauses are far from non-applicable, requiring a "virtual manufacturing space" mindset.
A significant focus is placed on the Software of Unknown Provenance (SOUP), treating these building blocks as purchased components that require robust supplier evaluation and validation, bridging Clause 7.5 (production) with Clause 7.4 (purchasing). The discussion extends to crucial concepts like the Software Bill of Materials (SBoM), the complexity of Agile vs. Waterfall approaches within the standard's framework, and the essential role of the new FDA Computer Software Assurance (CSA) guidance in risk assessment.
Beyond production, the experts explore the application of resource management (Clause 6), specifically addressing infrastructure, contamination control (malware/ransomware), and the critical need for a well-documented Design Transfer to Production (Clause 7.3.8) evidenced by a complete software release package, including all 62304 requirements.
The episode provides actionable insights for quality and compliance professionals struggling to maintain speed and innovation while strictly adhering to regulatory requirements.
Key Timestamps
01:45 - The changing landscape: Why traditional MedTech rules struggle with modern software updates.
03:50 - Historical context of ISO 13485 and its non-distinction between hardware/software.
05:05 - Starting Point: Clause 7.5 (Production and Service Provision) and the "Virtual Manufacturing Space" concept.
06:20 - Unpacking Software of Unknown Provenance (SOUP) and its link to Clause 7.4 (Purchasing).
08:35 - The necessity of validating the development environment (GitHub/GitLab) and building blocks.
11:10 - Applying Clause 4.1.6 (Software Validation) to SOUP items and master validation plans.
12:20 - Applicable vs. Non-Applicable Clauses: Sterilization/Cleanliness vs. Installation.
13:55 - Clause 4.2.3 (Medical Device File) for SaMD: E-labels, UDI, System Architecture, and SBoM.
16:30 - Cybersecurity controls and the manufacturer's responsibility for identifying state-of-the-art standards.
17:35 - Defining "Production" for continuously updating software and managing significant vs. non-significant changes.
20:15 - Clash of Standards: Agile development, ISO 13485, and the missing documentation for version control risk assessment.
21:30 - Clause 6.3 & 6.4 (Resource & Work Environment): Looking at data security, access controls, and contamination (malware/ransomware).
24:45 - Clause 7.3.8 (Design Transfer to Production): The need for a formal software release package and the importance of the Software Design Trace Matrix.
26:00 - The 16 essential documents needed to meet IEC 62304 requirements.
27:10 - Production controls when the user influences the outcome (customizable features,...
Nick Kartsioukas joined us to talk about security in embedded systems. Common Vulnerabilities and Exposures (CVE) is the primary database to check your software libraries, tools, and OSs: cve.org. Open Worldwide Application Security Project (OWASP, owasp.org) has information on how to improve security in all kinds of applications, including embedded application security. There are also cheat sheets; Nick particularly recommends Software Supply Chain Security - OWASP Cheat Sheet. Wait, what is supply chain security? Nick suggested a nice article on github.com: it is about your code and tools, including firmware update, a common weak point in embedded device security. Want to try out some security work? There are capture the flag (CTF) challenges, including the Microcorruption CTF (microcorruption.com), which is embedded security related. We also talked about the SANS Holiday Hack Challenge (also see Prior SANS Holiday Hack Challenges). This episode is brought to you by RunSafe Security. Working with C or C++ in your embedded projects? RunSafe Security helps you build safer, more resilient devices with build-time SBOM generation, vulnerability identification, and patented code hardening. Their Load-time Function Randomization stops the exploit of memory-based attacks, something we all know is much needed. Learn more at RunSafeSecurity.com/embeddedfm.
Some other sites that have good information embedded security: This World Of Ours by James Mickens is an easy read about threat modelling Cybersecurity and Infrastructure Security Agency (CISA) is at cisa.gov and, among other things, they describe SBOMs in great detail National Institute of Standards and Technology (NIST) also provides guidance: Internet of Things (IoT) | NIST NIST Cybersecurity for IoT Program NIST SP800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements There is a group of universities and organizations doing research into embedded security: National Science Foundation Center for Hardware and Embedded Systems Security and Trust (CHEST). Descriptive overview and the site is nsfchest.org European Telecommunications Standards Institute (ETSI) - Consumer IoT Security Camera Ubiquiti configuration issue (what not to do) Finally, Nick mentioned Stop The Bleed which provides training on how you can control bleeding, a leading cause of death. They even have a podcast (and we know you like those). Elecia followed up with Community Emergency Response Teams (CERT). Call your local fire department and ask about training near you! Transcript
Just what’s inside that commercial software you bought? Does it contain open-source components, NPM packages, or other third-party code? How could you find out? The answer is a Software Bill of Materials, or SBOM, a machine-readable inventory of a finished piece of software. Why should you care about SBOMs? Our guest, Natalie Somersall, is here... Read more »
Software bills of materials or SBOMs are critical to software security and supply chain risk management. Ideally, regardless of the SBOM tool, the output should be consistent for a given piece of software. But that is not always the case. The divergence of results can undermine confidence in software quality and security. In our latest podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Jessie Jamieson, a senior cyber risk engineer in the SEI's CERT Division, sits down with Matt technical director of Risk and Resilience in CERT, to talk about how to achieve more accuracy in SBOMs and present and future SEI research on this front.
If you think cloud security is just switching on a CSPM and living happily ever after, in this episode we show that the story is much hairier and more fun. We welcome Leandro Venâncio to break down everything from shared responsibility and Zero Trust to what really works day to day in Kubernetes clusters under crossfire. We talk about culture, automation, and the traps you only learn about after taking a few falls.

We start from the basics done well (identity, networking and encryption) and move on to governance with policies (Kyverno/Gatekeeper), a pipeline with SAST/DAST/SCA, a decent SBOM, and secrets managed in KMS/External Secrets. We tie it together with observability, incident response, and how to prioritize risk without becoming hostage to dashboards. Spoiler: cost, compliance and performance all go into the same mix, and you can't pretend they don't exist.

Among the topics, we highlight: how to apply Zero Trust to ephemeral workloads; why "shift left" without mature operations gets in the way more than it helps; and where CNAPP, CSPM and admission controllers meet. And of course, real cases, because theory is lovely, but production is the one in charge.

Important links:
- Leandro Venâncio - https://www.linkedin.com/in/leandro-venancio/
- LowOps cast with Rafael Ferreira - https://www.youtube.com/live/SC6a11HClX4
- João Brito - https://www.linkedin.com/in/juniorjbn/
- Watch the film TEArapia - https://youtu.be/M4QFmW_HZh0?si=HIXBDWZJ8yPbpflM

Kubicast is a production of Getup, a company specializing in Kubernetes and open source projects for Kubernetes. The podcast episodes are on the main digital audio platforms and on YouTube.com/@getupcloud.
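Is there copyright in code or music written by generative AI? We talked about the differences between open source licenses and laws, and about the boundary between AI and human creativity as seen through the AI band "Velvet Sundown" and the "non-existent reporter incident".

01:00 Copyright issues are debated for AI-generated video, images and music, but what about "code"?
02:34 Algorithms are not copyrightable, but written code itself is (although for code written by AI there is no copyright holder)
03:02 The open source GNU license stipulates that works produced using the code must also be released
05:52 The law differs between Japan and the United States. In Japan, moral rights of authors cannot be waived
06:46 Rights to code delivered under contract development belong to the client. Copy-pasting the same code into another project is not allowed
08:10 When a partner company wrote a plugin for our own product: an account of drawing up a contract on copyright ownership
09:50 We asked a lawyer how much of a "seal of approval" can be obtained to prevent infringing the rights of (other) copyrighted works in images and other material being produced
11:34 In software development, where open source is indispensable, make use of an SBOM (software bill of materials)
13:30 For embedded systems and things that are not managed (by a large company), you need to manage the components yourselves
18:08 The incident in which a non-existent reporter named Margaux Blanchard got false articles published (cleverly, using AI) in well-known media
25:09 "Velvet Sundown", a band that gained 1 million followers, has songs and members that are all AI-made
27:14 Sampling from existing songs and generation by AI: how are they different?
30:18 Creation that involves the human body, and what is born from inspiration gained from AI

Three people working in the tech industry discuss topics related to technology and creativity, exchanging viewpoints.
及川卓也 @takoratta An expert in product management and building product development organizations. Self-introduction episodes: ep1, ep2
関信浩 @NobuhiroSeki A jack-of-all-trades doing startup investing in New York, USA. Self-introduction episode: ep52
上野美香 @mikamika59 A freelancer working in marketing and product management. Self-introduction episode: ep53
Official X: @x_crossing_ https://x-crossing.com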
Welcome to The Weekly, produced by TAB Media Group, which publishes The Alabama Baptist and The Baptist Paper. Each episode features news headlines read by TAB Media Group staff and volunteers. New episodes are released weekly on Wednesday mornings. Articles featured in this episode: Giving to Lottie Moon, Annie Armstrong surpasses $278 million Creating a culture of generosity in your church Confluence 2025 brings together college students across Georgia Danny Akin announces retirement plans Tony Evans talks next chapter, upcoming book and undisclosed ‘sin' TN Baptist volunteers offer aid after explosion at plant Remaining Israeli hostages released following ceasefire Celebrating the Cooperative Program with children Teaching churches to count what matters most Florida missions team travels to Chicago ‘to see, to serve' Nigerian official disputes reports of anti-Christian violence Voice of the Martyrs VP shares stories from recent trip Alabama farmers praise guest-worker wage decrease SBOM names Spencer Bell as new associate in office of evangelism, church revitalization 30 ways to honor your pastor Young Alabamian launches campus speaking tour for ‘hard conversations' Check out the Kid's Edition of The Baptist Paper! Visit TAB Media HERE Subscribe on iTunes HERE
Welcome to another Kubicast! In this episode, we welcome Victor Carvalho to break down Talos Linux as a lean and secure base for running Kubernetes. We compare Talos's minimalist approach with general-purpose distros, and discuss why a "Kubernetes-first" OS reduces the attack surface and speeds up life for those who operate clusters day to day.

We talk about security in detail: a hardened kernel (KSP), SELinux truly working with Kubernetes, disk encryption with keys via TPM/KMS, and the API-driven model (no SSH) that changes how we operate nodes. We also discuss operations and upgrades, including the use of Talos Factory and Terraform to standardize images, as well as strategies for controlling endpoints and certificates.

We close with real experiences: provisioning time comparisons, minimum requirements, networking (Flannel vs Cilium), common pains (certificates/TLS, floating IP) and production best practices, that mix of technique and good humor that only our panel delivers.

Important links:
- Victor Cardoso - https://www.linkedin.com/in/victorbmcarvalho/
- João Brito - https://www.linkedin.com/in/juniorjbn/
- Talos Linux official site - https://talos.dev
- Watch the film TEArapia - https://youtu.be/M4QFmW_HZh0?si=HIXBDWZJ8yPbpflM

Hashtags
#Talos #TalosLinux #Kubernetes #DevOps #DevSecOps #Kubicast #Containers #Getup #K8s #SELinux #KSP #Terraform #Proxmox #Flannel #Cilium #ZeroTrust #Imutabilidade #Homelab #Observabilidade #SBOM

Kubicast is a production of Getup, a company specializing in Kubernetes and open source projects for Kubernetes. The podcast episodes are on the main digital audio platforms and on YouTube.com/@getupcloud.
SBOMs were supposed to be the ingredient label for software—bringing transparency, faster response, and stronger trust. But reality shows otherwise. Fewer than 1% of GitHub projects have policy-driven SBOMs. Only 15% of developer SBOM questions get answered. And while 86% of EU firms claim supply chain policies, just 47% actually fund them.

So why do SBOMs stall as compliance artifacts instead of risk-reduction tools? And what happens when they do work?

In this episode of AppSec Contradictions, Sean Martin examines:
Why SBOM adoption is lagging
The cost of static SBOMs for developers, AppSec teams, and business leaders
Real-world examples where SBOMs deliver measurable value
How AISBOMs are extending transparency into AI models and data

Catch the full companion article in the Future of Cybersecurity newsletter for deeper analysis and more research.
On September 8 the world saw the npm supply chain attack. Fortunately the community reacted in record time to avert a disaster. In today's episode we have Constanze Roedig, Key Researcher at SBA Research, who introduces us to the new buddy of SBoM (Software Bill of Materials): SBoB (Software Bill of Behaviors) and her thoughts on how that new approach to fingerprinting software can help cyber security teams. What's a BoB? It's a detailed runtime behavior profile of software. It expands on the static validation option through SBOMs as it allows security teams to validate the correct execution behavior of deployed software at deploy time or continuously in production. Thanks to eBPF, a malicious behavior such as opening unexpected ports or accessing unexpected files can therefore be detected.

Listen to Constanze, who shares the work she and Vadim Bauer, Owner of 8gear, have done on this topic. You will learn about how software vendors can create their own SBOBs and ship them with their container images, and how security teams can get alerted to detected malicious behavior or enforce against it. Make sure to check out their GitHub repo, star it if you like it and try their hands-on tutorial!

Links:
Constanze LinkedIn: https://www.linkedin.com/in/croedig/
Vadim LinkedIn: https://www.linkedin.com/in/vadim-bauer/
OBobCtl GitHub Repo: https://github.com/k8sstormcenter/bobctl
Cloud Native Summit Munich Talk: https://www.youtube.com/watch?v=XETuwndd_mw&index=11&pp=iAQB
npm supply chain attack: https://www.infosecurity-magazine.com/news/npm-supply-chain-attack-averted/
Thank you to the folks at Sustain (https://sustainoss.org/) for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 119

In this episode of CHAOSScast, we have a special episode from our friends at Sustain. Host Richard Littauer from Sustain is joined by guests Ben Nickolls and Andrew Nesbitt to discuss the ecosyste.ms project. They explore how ecosyste.ms collects and analyzes metadata from various open-source projects to create a comprehensive database that can help improve funding allocation. The discussion covers the importance of funding the most critical open-source projects, the existing gaps in funding, and the partnership between ecosyste.ms and Open Source Collective to create funding algorithms that support entire ecosystems. They also talk about the challenges of maintaining data, reaching out to project maintainers, and the broader implications for the open-source community. Hit the download button now!

[00:03:16] Andrew and Ben explain ecosyste.ms, what it does, and how it compares to Libraries.io.
[00:06:17] Ecosyste.ms tracks metadata, not the packages themselves, and enriches data via dependency graphs, committers, issues, SBOMs, and more.
[00:08:12] Andrew talks about finding 1,890 Git hosts and how many critical projects live outside GitHub.
[00:09:55] There's a conversation on metadata uses and SBOM parsing.
[00:14:07] Richard inquires about the ecosyste.ms funds on their website, which Andrew explains is a collaboration between Open Collective and ecosyste.ms that algorithmically distributes funds to the most used, not most popular, packages.
[00:17:03] Ben shares how this is different from previous projects, brings up a past project, “Back Your Stack”, and explains how ecosyste.ms is doing two things differently.
[00:20:17] Ben explains how it supports payouts to other platforms and encourages maintainers to adopt funding YAML files for automation. Andrew touches on efficient outreach, payout management, and API usage (GraphQL).
[00:26:54] Ben elaborates on how companies can fund ecosyste.ms (like Django) instead of curating their own lists and being inspired by Sentry's work with the Open Source Pledge.
[00:30:50] Andrew speaks about scaling and developer engagement and emphasizes their focus is on high-impact sustainability.
[00:34:06] Richard asks, “Why does it matter?” Ben explains that most current funding goes to popular, not most used, projects and that ecosyste.ms aims to fix the gap with data-backed funding, and he suggests use of open standards like 360Giving and Open Contracting Data.
[00:37:04] Andrew shares his thoughts on funding the right projects: by improving 1% of OSS, you uplift the quality of millions of dependent projects with healthier infrastructure, faster security updates, and more resilient software.
[00:39:53] Find out where you can follow ecosyste.ms and the blog on the web.

Quotes:
[00:12:36] “I call them interesting forks. If a fork is referenced by a package, it'll get indexed.”
[00:23:25] “We've built a service that now moves like $25 million a year between OSS maintainers on OSC.”
[00:34:41] “We don't have enough information to make collective decisions about which projects, communities, maintainers, should receive more funding.”
[00:35:41] “The NSF POSE Program has distributed hundreds of millions of dollars of funding to open source communities alone.”
[00:37:05] “If you have ten, twenty thousand really critical open source projects, that actually isn't unachievable to make those projects sustainable.”

Spotlight:
[00:40:53] Ben's spotlight is Jellyfin.
[00:41:38] Andrew's spotlight is zizmor.
[00:43:39] Richard's spotlight is The LaTeX Project.
Panelist: Richard Littauer Guests: Ben Nickolls Andrew Nesbitt Links: CHAOSS (https://chaoss.community/) CHAOSS Project Twitter (https://twitter.com/chaossproj?lang=en) CHAOSScast Podcast (https://podcast.chaoss.community/) podcast@chaoss.community (mailto:podcast@chaoss.community) Alice Sowerby LinkedIn (https://www.linkedin.com/in/alice-sowerby-ba692a13/?originalSubdomain=uk) SustainOSS (https://sustainoss.org/) podcast@sustainoss.org (mailto:podcast@sustainoss.org) richard@sustainoss.org (mailto:richard@sustainoss.org) SustainOSS Discourse (https://discourse.sustainoss.org/) SustainOSS Mastodon (https://mastodon.social/tags/sustainoss) SustainOSS Bluesky (https://bsky.app/profile/sustainoss.bsky.social) SustainOSS LinkedIn (https://www.linkedin.com/company/sustainoss/) Open Collective-SustainOSS (Contribute) (https://opencollective.com/sustainoss) Richard Littauer Socials (https://www.burntfen.com/2023-05-30/socials) Ben Nickolls LinkedIn (https://www.linkedin.com/in/benjamuk/) Andrew Nesbitt Website (https://nesbitt.io/) Andrew Nesbitt Mastodon (https://mastodon.social/@andrewnez) Octobox (https://github.com/octobox) ecosyste.ms (https://ecosyste.ms/) ecosyste.ms Blog (https://blog.ecosyste.ms/) Open Source Collective (https://oscollective.org/) Open Source Collective Updates (https://opencollective.com/opensource/updates) Open Source Collective Contributions (https://opencollective.com/opensource) Open Source Collective Contributors (https://opencollective.com/open-source) Open Collective (https://opencollective.com/) 24 Pull Requests (https://24pullrequests.com/) Libraries.io (https://libraries.io/) The penumbra of open source (EPJ Data Science) (https://epjdatascience.springeropen.com/articles/10.1140/epjds/s13688-022-00345-7) FOSDEM '25- Open source funding: you're doing it wrong (Andrew and Ben) (https://fosdem.org/2025/schedule/event/fosdem-2025-5576-open-source-funding-you-re-doing-it-wrong/) Vue.js (https://vuejs.org/) thanks.dev 
(https://thanks.dev/home) StackAid (https://www.stackaid.us/) Back Your Stack (https://backyourstack.com/) NSF POSE (https://www.nsf.gov/funding/initiatives/pathways-enable-open-source-ecosystems) Django (https://www.djangoproject.com/) GitHub Sponsors (https://github.com/sponsors) Sustain Podcast-Episode 80: Emma Irwin and the Foss Fund Program (https://podcast.sustainoss.org/80) Sustain Podcast- 3 Episodes featuring Chad Whitacre (https://podcast.sustainoss.org/guests/chad-whitacre) Sustain Podcast- Episode 218: Karthik Ram & James Howison on Research Software Visibility Infrastructure Priorities (https://podcast.sustainoss.org/218) Sustain Podcast-Episode 247: Chad Whitacre on the Open Source Pledge (https://podcast.sustainoss.org/247) Invest in Open Infrastructure (https://investinopen.org/) 360Giving (https://www.360giving.org/) Open Contracting Data Standard (https://standard.open-contracting.org/latest/en/) Jellyfin (https://opencollective.com/jellyfin) zizmor (https://github.com/zizmorcore/zizmor) The LaTeX Project (https://www.latex-project.org/) Special Guests: Andrew Nesbitt, Benjamin Nickolls, and Richard Littauer.
We break down Thoughtworks Technology Radar Vol.32: where Adopt/Trial/Hold fall and what is actually useful to DevOps teams in 2025. AI assistants (Cursor, QCLI, Claude), Observability (OpenTelemetry, Alloy/Loki), security (SBOM) and practical tools.

WHAT THE EPISODE IS ABOUT
• How to read the Tech Radar and why engineers/architects need it.
• AI coding assistants: experience with Copilot, Cursor, QCLI (Claude Sonnet), pricing and risks.
• Observability today: OpenTelemetry, Grafana Alloy, Loki v3, and why the business needs it.
• Security: why SBOM is in Adopt and how it helps on projects.
• Architectural decisions without bureaucracy: ADRs, team responsibility.
• Tools from "Tools": UV (Python), Renovate, Vite, D2/JSON Crack, and where they fit.

LINKS
Dennis and Lindsey talk through the continuing fallout of the Salesloft Drift incident (2:05) in light of the disclosure of several new companies that are involved, including Cloudflare, which published an excellent post-mortem on the intrusion. Then they discuss the new Shared Vision of SBOM for Cybersecurity published by CISA, NSA, and many foreign government cybersecurity agencies, and talk about why this is coming out now (17:54).
Farmers Insurance discloses a data breach affecting over a million people. Agentic AI tools fall for common scams. A new bill in Congress looks to revive letters of marque for the digital age. Cybercriminals target macOS users with the Shamos infostealer. New Android spyware masquerades as antivirus to target Russian business executives. CISA seeks public comments on SBOM updates. A major third party electronics manufacturer reports a ransomware attack. Salesforce patches multiple vulnerabilities in its Tableau products. Over 370,000 user Grok conversations were accidentally indexed by Google. Ben Yelin examines the UK's decision to drop digital backdoor requirements. WIRED gets duped by an AI author. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies joins to discuss the U.K. dropping ‘back door' demand for Apple user data. Read the article Ben discusses. If you enjoyed this conversation and want to hear more from Ben, check out our Caveat podcast here. 
Selected Reading Farmers Insurance Data Breach Impacts Over 1 Million People (SecurityWeek) "Scamlexity": When Agentic AI Browsers Get Scammed (Guardio) Bill would give hackers letters of marque against US enemies (The Register) Fake macOS help sites push Shamos infostealer via ClickFix technique (Help Net Security) New Android malware poses as antivirus from Russian intelligence agency (Bleeping Computer) CISA Requests Public Feedback on Updated SBOM Guidance (SecurityWeek) Electronics manufacturer Data I/O reports ransomware attack to SEC (The Record) Salesforce patches multiple flaws in Tableau Server, at least one critical (Beyond Machines) 370,000 Grok AI chats leaked after being indexed on Google (Cyber Daily) How WIRED Got Rolled by an AI Freelancer (WIRED) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
When security becomes more than a checkbox, the conversation shifts from “how much” to “how well.” At Black Hat USA 2025, Sean Martin, CISSP, Co-Founder of ITSPmagazine, and Viktor Petersson, Founder of an SBOM artifact platform, unpack how regulatory forces, cultural change, and AI innovation are reshaping how organizations think about security.

Viktor points to the growing role of Software Bill of Materials (SBOMs) as not just a best practice, but a likely requirement in future compliance frameworks. The shift, he notes, is driven largely by regulation—especially in Europe—where security is no longer a “nice to have” but a mandated operational function. Sean connects this to a market reality: companies increasingly see transparent security practices as a competitive differentiator, though the industry still struggles with the hollow claim of simply being “secure.”

AI naturally dominates discussions, but the focus is nuanced. Rather than chasing hype, both stress the need for strong guardrails before scaling AI-driven development. Viktor envisions engineers supervising fleets of specialized AI agents—handling tasks from UX to code auditing—while Sean sees AI as a way to rethink entire operational models. Yet both caution that without foundational security practices, AI only amplifies existing risks.

The conversation extends to IoT and supply chain security, where market failures allow insecure, end-of-life devices to persist in critical environments. The infamous “smart fish tank” hack in a Las Vegas casino serves as a reminder: the weakest link often isn't the target itself, but the entry point it provides.

DEFCON, Viktor notes, offers a playground for challenging assumptions—whether it's lock-picking to illustrate perceived versus actual security, or examining the human factor in breaches. For both hosts, events like Black Hat and DEFCON aren't just about the latest vulnerabilities or flashy demos—they're about the human exchange of ideas, the reframing of problems, and the collaboration that fuels more resilient security strategies.

___________
Guest:
Viktor Petersson, Founder, sbomify | On LinkedIn: https://www.linkedin.com/in/vpetersson/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
BlackCloak: https://itspm.ag/itspbcweb
Akamai: https://itspm.ag/akamailbwc
DropzoneAI: https://itspm.ag/dropzoneai-641
Stellar Cyber: https://itspm.ag/stellar-9dj3
___________
Resources
Learn more and catch more stories from our Black Hat USA 2025 coverage: https://www.itspmagazine.com/bhusa25
ITSPmagazine Webinar: What's Heating Up Before Black Hat 2025: Place Your Bet on the Top Trends Set to Shake Up this Year's Hacker Conference — An ITSPmagazine Thought Leadership Webinar | https://www.crowdcast.io/c/whats-heating-up-before-black-hat-2025-place-your-bet-on-the-top-trends-set-to-shake-up-this-years-hacker-conference
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
In this episode of RCA Radio, host Brandon Miller is joined by cybersecurity experts Jason Tugman of Regulatory Compliance Associates® and Mustanger Ali of BSI to unpack the evolving landscape of cybersecurity in medical devices. Together, they explore the latest FDA and EU guidance, the growing expectations for connected device security, and the top gaps companies face when bringing products to market. From threat modeling and SBOMs to legacy device challenges and global regulatory alignment, this episode offers practical insights for MedTech developers navigating today's complex cybersecurity requirements. Whether you're launching a new device or updating an existing one, this conversation is packed with actionable advice to help you stay secure and compliant.
In this episode, I sit down with Daniel Bardenstein, CTO & Co-Founder of Manifest Cyber.

We discussed AI supply chain security, including open source risks, AIBOMs, best practices for CISOs, and regulatory approaches in the U.S. and EU.

We dove into:
What is the same and different between the risks AI introduces across the enterprise compared to open source software, and where and how the two converge.
The rise of an “AIBOM” and why it is becoming a critical part of enterprise risk management in the AI Era.
The work Daniel and others are doing as part of a Tiger Team defining “SBOM-for-AI-Use Cases”.
Why is it so difficult for organizations to gain visibility into their AI models' internals, especially training data, model provenance, and pipeline dependencies?
Where CISOs and security teams can get started when it comes to understanding where and how AI is being used and avoiding some mistakes.
Gaps among the current waves of AI security startups and how they contrast with the approach Manifest is taking when managing AI supply chain risks.
Real-world insights and examples of how organizations operationalize SBOM for risk reduction.
Key differences between the U.S. and EU regarding regulatory approaches to AI and supply chain security risks.
News includes the major OTP 28 release with priority messages functionality, ElixirConf EU 2025 videos starting to appear including Chris McCord's keynote on his new phoenix.new service and James Arthur's introduction of Phoenix Sync for real-time database synchronization, the EEF board election results and their new role as a CVE Numbering Authority for the Hex ecosystem, upcoming co-located hooks and macro components in LiveView, updates to the Elixir Lua package and MDEx with its new Markdown sigil, a new convention for AI-friendly usage_rules.md files in hex packages, and more! Show Notes online - http://podcast.thinkingelixir.com/255 (http://podcast.thinkingelixir.com/255) Elixir Community News https://www.honeybadger.io/ (https://www.honeybadger.io/?utm_source=thinkingelixir&utm_medium=podcast) – Honeybadger.io is sponsoring today's show! Keep your apps healthy and your customers happy with Honeybadger! It's free to get started, and setup takes less than five minutes. https://www.erlang.org/news/180 (https://www.erlang.org/news/180?utm_source=thinkingelixir&utm_medium=shownotes) – OTP 28 release announcement with new priority messages functionality and SBOM support https://www.erlang.org/eeps/eep-0076 (https://www.erlang.org/eeps/eep-0076?utm_source=thinkingelixir&utm_medium=shownotes) – EEP 76 specification for priority messages in OTP 28 https://www.youtube.com/playlist?list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z (https://www.youtube.com/playlist?list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z?utm_source=thinkingelixir&utm_medium=shownotes) – ElixirConf EU 2025 YouTube playlist with conference videos https://www.youtube.com/watch?v=ojLVHc4gLk&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2oZ&index=3 (https://www.youtube.com/watch?v=ojL_VHc4gLk&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z&index=3?utm_source=thinkingelixir&utm_medium=shownotes) – Chris McCord's keynote "Code Generators are Dead. 
Long Live Code Generators"
https://x.com/chris_mccord/status/1923417060593356889 – Chris McCord's announcement about phoenix.new paid service
https://phoenix.new/ – Chris McCord's new phoenix.new paid service at Fly.io
https://www.youtube.com/watch?v=4IWShnVuRCg&list=PLvL2NEhYV4Zu421KzHuLICUqieJXI2o_Z&index=2 – James Arthur's keynote "Introducing Phoenix Sync" from ElixirConf EU
https://github.com/electric-sql/phoenix_sync/ – Phoenix Sync GitHub repository for real-time sync to Postgres-backed Phoenix apps
https://hexdocs.pm/phoenix_sync/readme.html – Phoenix Sync documentation on HexDocs
https://github.com/josevalim/sync – José Valim's sync project that inspired Phoenix Sync
https://erlef.org/blog/eef/election-2025-results – EEF board election results for Cohort C
https://x.com/TheErlef/status/1924531926008004633 – EEF Twitter announcement of election results
https://erlef.org/blog/eef/election-2025-candidates – Information about the EEF election candidates
https://erlef.org/blog/security/eef-cna-announcement – EEF becomes CVE Numbering Authority for Hex and BEAM ecosystem
https://github.com/erlef-cna – EEF CNA GitHub organization
https://cna.erlef.org/ – EEF CNA website
https://github.com/surface-ui/surface – Surface UI project for server-side rendering components
https://github.com/phoenixframework/phoenix_live_view/pull/3810 – Draft PR for co-located hooks and macro components in LiveView
https://github.com/tv-labs/lua – Elixir Lua package v0.2.x release by TvLabs
https://x.com/davydog187/status/1925186045156463034 – Dave's tweet about ElixirConf EU Luerl talk
https://www.youtube.com/watch?v=4YBBoXXH_98 – "Lua on the BEAM" talk by Dave Lucia & Robert Virding
https://discord.gg/6Ukp9vpj – Discord link for Lua community
https://x.com/germsvel/status/1922602086065148093 – German Velasco's video highlighting LiveDebugger tool
https://bsky.app/profile/germsvel.com/post/3lp4snnkpj225 – German Velasco's BlueSky post about LiveDebugger
https://podcast.thinkingelixir.com/249 – Thinking Elixir episode 249 featuring LiveDebugger discussion
https://hexdocs.pm/mdex/MDEx.Sigil.html – MDEx v0.7 documentation for new ~MD sigil
https://hexdocs.pm/autumn – Autumn syntax highlighter package that works with MDEx
https://github.com/leandrocp/mdex_mermaid – MDEx Mermaid plugin for adding mermaid support to Markdown
https://bsky.app/profile/zachdaniel.dev/post/3lpofyykwds2i – Zach Daniel's BlueSky post about usage_rules.md convention
https://hexdocs.pm/usage_rules – Usage rules package documentation
https://github.com/ash-project/usage_rules/ – Usage rules GitHub repository
https://blogs.windows.com/windowsdeveloper/2025/05/19/the-windows-subsystem-for-linux-is-now-open-source/ – Microsoft announcement about Windows Subsystem for Linux going open source
https://www.zdnet.com/article/believe-it-or-not-microsoft-just-announced-a-linux-distribution-service-heres-why/ – ZDNet article explaining Microsoft's Linux strategy and Azure statistics

Do you have some Elixir news to share? Tell us at @ThinkingElixir (https://twitter.com/ThinkingElixir) or email at show@thinkingelixir.com

Find us online
- Message the show - Bluesky (https://bsky.app/profile/thinkingelixir.com)
- Message the show - X (https://x.com/ThinkingElixir)
- Message the show on Fediverse - @ThinkingElixir@genserver.social (https://genserver.social/ThinkingElixir)
- Email the show - show@thinkingelixir.com
- Mark Ericksen on X - @brainlid (https://x.com/brainlid)
- Mark Ericksen on Bluesky - @brainlid.bsky.social (https://bsky.app/profile/brainlid.bsky.social)
- Mark Ericksen on Fediverse - @brainlid@genserver.social (https://genserver.social/brainlid)
- Dave Lucia - @davydog187 (https://x.com/davydog187)
The introduction of the Cyber Resilience Act (CRA) marks a major shift for the software industry: for the first time, manufacturers are being held accountable for the cybersecurity of their products. Olle E. Johansson, a long-time open source developer and contributor to the Asterisk PBX project, explains how this new regulation reshapes the role of software creators and introduces the need for transparency across the entire supply chain.

In this episode, Johansson breaks down the complexity of today's software supply ecosystems—where manufacturers rely heavily on open source components, and end users struggle to identify vulnerabilities buried deep in third-party dependencies. With the CRA in place, the burden now falls on manufacturers to not only track but also report on the components in their products. That includes actively communicating which vulnerabilities affect users—and which do not.

To make this manageable, Johansson introduces the Transparency Exchange API (TEA), a project rooted in the OWASP CycloneDX standard. What started as a simple Software Bill of Materials (SBOM) delivery mechanism has evolved into a broader platform for sharing vulnerability information, attestations, documentation, and even cryptographic data necessary for the post-quantum transition. Standardizing this API through Ecma International is a major step toward a scalable, automated supply chain security infrastructure.

The episode also highlights the importance of automation and shared data formats in enabling companies to react quickly to threats like Log4j. Johansson notes that, historically, security teams spent countless hours manually assessing whether they were affected by a specific vulnerability. The Transparency Exchange API aims to change that by automating the entire feedback loop from developer to manufacturer to end user.

Although still in beta, the project is gaining traction with organizations like the Apache Foundation integrating it into their release processes. Johansson emphasizes that community feedback is essential and invites listeners to engage through GitHub to help shape the project's future.

For Johansson, OWASP stands for global knowledge and collaboration in application security. As Europe's regulatory influence grows, initiatives like this are essential to build a stronger, more accountable software ecosystem.

GUEST: Olle E Johansson | Co-Founder, SBOM Europe | https://www.linkedin.com/in/ollejohansson/

HOST: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | https://www.seanmartin.com

SPONSORS
Manicode Security: https://itspm.ag/manicode-security-7q8i

RESOURCES
CycloneDX/transparency-exchange-api on GitHub: https://github.com/CycloneDX/transparency-exchange-api
VIDEO: The Cyber Resilience Act: How the EU is Reshaping Digital Product Security | With Sarah Fluchs: https://youtu.be/c30eG5kzqnY
Learn more and catch more stories from OWASP AppSec Global 2025 Barcelona coverage: https://www.itspmagazine.com/owasp-global-appsec-barcelona-2025-application-security-event-coverage-in-catalunya-spain
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Helen Oakley, Senior Director of Product Security at SAP, and Dmitry Raidman, Co-founder and CTO of Cybeats, joined us live at the RSAC Conference to bring clarity to one of the most urgent topics in cybersecurity: transparency in the software and AI supply chain. Their message is direct—organizations not only need to understand what's in their software, they need to understand the origin, integrity, and impact of those components, especially as artificial intelligence becomes more deeply integrated into business operations.

SBOMs Are Not Optional Anymore

Software Bills of Materials (SBOMs) have long been a recommended best practice, but they're now reaching a point of necessity. As Dmitry noted, organizations are increasingly requiring SBOMs before making purchase decisions—“If you're not going to give me an SBOM, I'm not going to buy your product.” With regulatory pressure mounting through frameworks like the EU Cyber Resilience Act (CRA), the demand for transparency is being driven not just by compliance, but by real operational value. Companies adopting SBOMs are seeing tangible returns—saving hundreds of hours on risk analysis and response, while also improving internal visibility.

Bringing AI into the SBOM Fold

But what happens when the software includes AI models, data pipelines, and autonomous agents? Helen and Dmitry are leading a community-driven initiative to create AI-specific SBOMs—referred to as AI SBOMs or AISBOMs—to capture critical metadata beyond just the code. This includes model architectures, training data, energy consumption, and more. These elements are vital for risk management, especially when organizations may be unknowingly deploying models with embedded vulnerabilities or opaque dependencies.

A Tool for the Community, Built by the Community

In an important milestone for the industry, Helen and Dmitry also introduced the first open source tool capable of generating CycloneDX-formatted AISBOMs for models hosted on Hugging Face. This practical step bridges the gap between standards and implementation—helping organizations move from theoretical compliance to actionable insight. The community's response has been overwhelmingly positive, signaling a clear demand for tools that turn complexity into clarity.

Why Security Leaders Should Pay Attention

The real value of an SBOM—whether for software or AI—is not just external compliance. It's about knowing what you have, recognizing your crown jewels, and understanding where your risks lie. As AI compounds existing vulnerabilities and introduces new ones, starting with transparency is no longer a suggestion—it's a strategic necessity.

Want to see how this all fits together? Hear it directly from Helen and Dmitry in this episode.
___________
Guests:
Helen Oakley, Senior Director of Product Security at SAP | https://www.linkedin.com/in/helen-oakley/
Dmitry Raidman, Co-founder and CTO of Cybeats | https://www.linkedin.com/in/draidman/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
Akamai: https://itspm.ag/akamailbwc
BlackCloak: https://itspm.ag/itspbcweb
SandboxAQ: https://itspm.ag/sandboxaq-j2en
Archer: https://itspm.ag/rsaarchweb
Dropzone AI: https://itspm.ag/dropzoneai-641
ISACA: https://itspm.ag/isaca-96808
ObjectFirst: https://itspm.ag/object-first-2gjl
Edera: https://itspm.ag/edera-434868
___________
Resources
LinkedIn Post with Links: https://www.linkedin.com/posts/helen-oakley_ai-sbom-aisbom-activity-7323123172852015106-TJea
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
______________________
KEYWORDS
helen oakley, dmitry raidman, sean martin, rsac 2025, sbom, aisbom, ai security, software supply chain, transparency, open source, event coverage, on location, conference
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Topics covered in this episode:
- How to Write a Git Commit Message
- Caddy Web Server
- Some new PEPs approved
- juv
- Extras
- Joke

Watch on YouTube

About the show
Sponsored by Posit Connect: pythonbytes.fm/connect

Connect with the hosts
- Michael: @mkennedy@fosstodon.org / @mkennedy.codes (bsky)
- Brian: @brianokken@fosstodon.org / @brianokken.bsky.social
- Show: @pythonbytes@fosstodon.org / @pythonbytes.fm (bsky)

Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.

Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form? Add your name and email to our friends of the show list, we'll never share it.

Brian #1: How to Write a Git Commit Message
- Chris Beams
- 7 rules of a great commit message
  - Separate subject from body with a blank line
  - Limit the subject line to 50 characters
  - Capitalize the subject line
  - Do not end the subject line with a period
  - Use the imperative mood in the subject line
  - Wrap the body at 72 characters
  - Use the body to explain what and why vs. how
- Article also includes
  - Why a good commit message matters
  - Discussion about each of the 7 rules
  - Cool hat tips to other articles on the subject
    - “Keep in mind: This has all been said before.” Each word is a different link.

Michael #2: Caddy Web Server
- via Fredrik Mellström
- Like a more modern NGINX
- Caddy automatically obtains and renews TLS certificates for all your sites.
- Caddy's native configuration is a JSON document.
- Even localhost and internal IPs are served with TLS using the intermediate of a fully-automated, self-managed CA that is automatically installed into most local trust stores.
- Configure multiple Caddy instances with the same storage, and they will automatically coordinate certificate management as a fleet.
- Production-grade static file server.

Brian #3: Some new PEPs approved
- PEP 770 – Improving measurability of Python packages with Software Bill-of-Materials
  - Accepted for packaging
  - Author: Seth Larson, Sponsor Brett Cannon
  - “This PEP proposes using SBOM documents included in Python packages as a means to improve automated software measurability for Python packages.”
- PEP 750 – Template Strings
  - Accepted for Python 3.14
  - Author: Jim Baker, Guido van Rossum, Paul Everitt, Koudai Aono, Lysandros Nikolaou, Dave Peck
  - “Templates provide developers with access to the string and its interpolated values before they are combined. This brings native flexible string processing to the Python language and enables safety checks, web templating, domain-specific languages, and more.”

Michael #4: juv
- A toolkit for reproducible Jupyter notebooks, powered by uv.
- Create, manage, and run Jupyter notebooks with their dependencies
- Pin dependencies with PEP 723 - inline script metadata
- Launch ephemeral sessions for multiple front ends (e.g., JupyterLab, Notebook, NbClassic)
- Powered by uv for fast dependency management
- Use uvx to run jupyterlab with ephemeral virtual environments and tracked dependencies.

Extras
Brian:
- Status of Python versions new-ish format
  - Use this all the time. Can't remember if we've covered the new format yet.
- See also Python endoflife.date
  - Same dates, very visible encouragement to move on to Python 3.13 if you haven't already.
Michael:
- Python 3.13.3 is out.
- .git-blame-ignore-revs follow up

Joke: BGPT (thanks Doug Farrell)