How a Security Team Uses Policy as Code for Open Source Security
SBOMs are being mandated in certain regulated industries, especially for tracking open source dependencies. However, an SBOM is basically an inventory; its usefulness lies in the tooling and use cases around it. Conventional SCA tools are notorious for false positives and noise. The ability to proactively prevent insecure or risky open source components is required to maintain a healthy and trustworthy open source software supply chain. In this talk, we look at how to use vet to establish security guardrails against risky OSS components. We also look at a case study of how a security team leverages vet's policy as code feature to enforce opinionated security policies.
- vet
- sbom
- sql
- cloud
Author
SafeDep Team
safedep.io