Operations | Monitoring | ITSM | DevOps | Cloud

Understanding Zero-Day Vulnerabilities in Software Supply Chain

A Node.js module with nearly two million downloads a week was compromised after the library was injected with malicious code programmed to steal bitcoins in wallet apps. Join us as we delve into a real-world zero-day supply chain attack. Understand the response that followed, and how attacks like this can be mitigated. Learn from David Gonzalez, Principal Engineer at Cloudsmith and Member of the Node.js security working group, as he walks us through the incident.

Mastering Open Source Security: Your Guide to S2C2F

Welcome to our 2nd blog in our series on how to securely consume Open Source Software (OSS). Attacks targeting OSS are on the rise, making the security of your software supply chain a top priority. The 1st blog gave an overview of some of the most common types of attacks. Today we’ll explore the Secure Supply Chain Consumption Framework (S2C2F) that can help you mitigate against these attacks.

The Dangers Lurking in Open Source Software

Our 1st blog in our series on securely consuming OSS. Today, I'll give an overview of some of the most common types of attacks from consuming OSS. Open-source software (OSS) fuels innovation. Over 96% of commercial applications rely on at least one OSS component (Synopsys, 2023). At Cloudsmith, we champion OSS and understand its indispensable role in today's software landscape. However, the escalating threat of supply chain attacks targeting OSS demands a robust defence.

Securely Connect Cloudsmith to your CI/CD using OIDC Authentication

Are your CI/CD pipelines at risk? They might be if you use long-lived, static credentials and tokens. Long-lived, static credentials and tokens are one of the most common causes of data breaches in cloud environments. CI/CD tools need access to cloud services to publish artifacts, deploy software, and access resources on their cloud provider. So, they need credentials. It's tempting to hard-code them. But that's a bad idea.

Re-Imagining Cloudsmith.io

When a headhunter reached out to me about the CEO role at Cloudsmith (where I started in August!), one of the first things I did was sign up for a trial account. The product's depth and sophistication really impressed me, and contributed to my decision to go ahead with the interviews. (Glad I did.) They were right; our web interface is still largely a Django web app, tightly coupled to the back end, and you can see the Bootstrap showing everywhere.

Introducing Cloudsmith Navigator: Your Trusted Guide to OSS Package Quality

Discover Cloudsmith Navigator: a revolutionary tool designed to guide software engineering teams in selecting top-quality open source packages. By analyzing and scoring thousands of packages based on security, maintenance, and documentation, Navigator simplifies the package selection process. Choosing the right software package for your project can sometimes feel like finding a needle in a haystack.

Welcoming new leadership at Cloudsmith - a note from Alan Carson

Alan Carson writes about his experience and journey with Cloudsmith, as new CEO Glenn Weinstein steps in as leadership. I heard something recently, that resonated, about success. In a simple (but not easy) three-step plan; success happens when the following three things align: A great example is, of course, Steve Jobs and Apple. The contrarian idea was that every single human would need a personal computer. He was proven right. And he executed expertly (with a few ups and downs obviously!)