@stevespringett Yeah that seems like a broad interpretation that overlooks the reality that there’s no contractual relationship and most FOSS is provided as-is, and they owe the consumers nothing, including an SBOM.
“It’s important to influence designers of future computers and software so that security controls can be installed before the fact and as an integral part of the system”
The Elusive Built-in not Bolted-on
A look at CISA's "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default" publication via @ResilientCyber
PyPI package "keep" used a malicious version of "requests" as a dependency. It was used to steal passwords. These attacks keep coming.
https://t.co/5s4v5ArAQt
Excellent article discussing the value and shortfalls of SBOMs for software supply chain security and how coupling SBOM with SLSA helps fill some gaps.
It touches on:
- Responding to build tampering attacks such as SolarWinds an…https://t.co/pN8U5LxUDk https://t.co/AUsWoWHdww
Awesome article comparing Falco and GuardDuty for Amazon Web Services (AWS) EKS Threat Detection by two of my colleagues Dustin Whited and Dakota Riley
They discuss:
- Kubernetes adoption
- Shared Responsibility Model in the con…https://t.co/JJMzqR0Ood https://t.co/Aa3MlFyKIv
About a month ago I had the chance to join NDIA New England to speak on a panel titled "Zero Trusts Given" with Dave Lago, Patrick Perry and moderator Ryan Heidorn
The recording for our talk, which starts at the 1 hour 45 minute mark, along with the rest…https://t.co/E7sFHcPLjo
Yes, another Software Supply Chain Security post today, no I'm not sorry.
--
"The Office of Management and Budget is preparing to release new requirements around software supply chain and cybersecurity, according to a top federal…https://t.co/BUIMFSgPqb https://t.co/Pj83YH8cbq
I'm a big fan of excellent writing and articles and War on the Rocks puts out some great ones.
That's why I was excited to see them publish an article on the Open Source Software (OSS) and Software Supply Chain challenges, and it…https://t.co/lckwPZvMeW https://t.co/qpljPlYcie
National Institute of Standards and Technology (NIST) has just released the final version of 800-161 r1 "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations".
This guidance comes at a critical time, as the software supply c…https://t.co/4tjzKs3wZV