OpenSSF Tech Talk Recap: Using the OSPS Baseline to Navigate Standards and Regulations

Takeaways & Learnings

Overview of the SPIFFE/SPIRE CSI Driver

There’s a misconception in Cybersecurity among some that Software Supply Chain Security is just Third Party Risk Mana...

Executive Order (EO) 14028, Improving the Nation’s Cybersecurity was released last year in May.

Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance.

KubeCon + CloudNativeCon is right around the corner and we are excited to be attending in person!

Heartbleed (CVE-2014-0160) in 2014 left the industry in a scramble...

What is Software Supply Chain security, and why should I care?

Understanding Zero Trust and Its Benefits

A Story of Software and Cats

We’re excited to announce the open-sourcing of Spector.

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition.

Working towards determining a persistent database for GUAC

Tim appeared as a guest on the daBOM podcast.

Helm Chart for GUAC

A look into Guidewire's software supply chain security use case and why they are using GUAC

Kusari have just launched a YouTube Channel!

CVE-2023-38545 - HIGH Severity Vulnerability

GUAC's OpenVEX Integration

The missing first step that most organizations are still struggling with

Kusari elected to OpenSSF leadership roles

Kusari raises seed funding

Kusari speaking at FOSDEM and other EU community venues

Nathan Naveen, a 17-year-old high schooler, shares his journey to becoming an intern at Kusari

Today, we find ourselves in a moment akin to proud parents, as we witness a significant milestone in the journey of Graph for Understanding Artifact Composition (GUAC).

The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.

The recent incident involving the XZ backdoor brings to light the critical importance of vigilance and proactive security measures, while not losing sight of the human element.

Gone are the days when signing containers and running vulnerability scans through CI processes provided a sense of security.

Open source supply chain observability tool standardizes on PostgreSQL

Improving performance with pagination and more

CVE IDs don't tell you much, but somehow we started using them as a proxy for security

The Secure By Design Pledge is a great starting point, but it can’t be the end.

How you handle your dependencies will change how you secure your software supply chain

Only two months left until the Secure Software Development Attestation Form deadline

It's not enough to just have the data, you need to be able to see it.

GUAC v0.8.0 brings support for license information, running vuln scans upon SBOM ingestion, node deletion, and many other improvements.

Actionable insights come from SBOMs plus additional information

Practical ways to protect against AI software attacks

v0.8.0 features new integration with ClearlyDefined

The White House commits $11 million to enhance our collective understanding of the challenges surrounding open source software.

Organizations often struggle to identify vulnerabilities and risks hidden within the layers of dependencies. Address it by using a holistic approach to software security.

Navigating modern software development is a complex challenge. Kusari’s aim is to make it easier.

Secure development starts with developers: bring forth the code masters

Addressing Common Vulnerabilities and Exposures (CVEs) is no longer optional—aiming to eliminate them is a critical priority for securing modern systems.

Amid the flurry of innovation and collaboration at last week's KubeCon North America, a critical theme emerged: the precarious state of open source security.

Open source software powers 96% of modern applications, but it comes with challenges. Companies can secure their supply chains by actively participating in the open source projects they rely on.

Rust is promising for addressing memory safety issues. Improving existing C/C++ toolchains will take time, but these steps help set a realistic path forward.

What are you defending against? From upstream dependencies to code repositories, threat modeling ensures you're prepared to mitigate risks, reduce vulnerabilities, and avoid costly compromises.

Software supply chain security is like a stack of turtles—each layer depends on the integrity of the one below it. Continuous vigilance is key to maintaining security all the way down.

As 2025 approaches, it’s time to revisit our 2024 software supply chain security predictions to see how they held up.

Properly integrating AI into your processes can help identify risks and offer proactive insights, but the final decisions must always remain in human hands.

This year, we focus on the evolving role of AI, pressing software security concerns, and emerging regulations.

Managing software dependencies is an important part of software supply chain security. Here are three approaches you can take to pin your dependencies to known-good versions.

Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.

Cut through the noise to prioritize which vulnerability gets fixed next

Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.

Creating a secure foundation of trust enables organizations to safely delegate specific actions in the software development life cycle.

Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?

Once you've discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?

Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.

Kusari Platform gives you the information you need to secure your software supply chain.

A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.

Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?

Comparing two SBOMs is useful, but as your portfolio grows, you need to take a holistic approach.

When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.

The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

GUAC v0.14.0 includes a Kubescape collector that can be run inside your Kubernetes cluster to watch for new scan results from Kubescape and ingest those results into GUAC

This new book from Michael Liberman and Brandon Lum guides you from the basics of supply chain security through to being a security expert.

A secure and resilient method for distributing software updates is a key part of keeping your supply chain trustworthy.

Transitive dependencies are the invisible majority of your applications. Failure to properly understand them increases your risk.

in-toto helps ensure product integrity by making transparent what steps were performed, by whom, and in what order.

Beyond knowing why transitive dependencies are important, you have to know how to manage them.

Kusari CTO Mike Lieberman shares his thoughts after attending the second-annual VulnCon conference.

Recent funding concerns have highlighted the need for a more resilient system of vulnerability identification.

Many threats present themselves while implementing software. Here's how to find and address them.

Endpoint security is a key part of many IT security efforts, but it’s not always thought about in the specific context of software supply chain security.

The US DoD’s Software Fast-Track Initiative looks to improve software procurement and security. Open source software must be a key part of this.

Asking open source contributors to prove their legal identity doesn’t make software more secure.