TestifySec

Software Development

Huntsville, AL 1,038 followers

Everyone deserves SECURE software

About us

TestifySec unites developers and cybersecurity teams in defending against software supply chain threats by integrating zero trust principles into build pipelines. We create transparency and accountability with our open-source and commercial products that observe, manage, and act on metadata at each step of the software or AI model generation process. Everyone deserves secure software.

Website
https://testifysec.com
Industry
Software Development
Company size
11-50 employees
Headquarters
Huntsville, AL
Type
Privately Held
Founded
2021
Specialties
zero trust, automated governance, policy as code, devsecops, software supply chain security, software development, kubernetes, devops, DoD, and security clearance

Updates

    The CrowdStrike software 'update' heard around the world - Cole Kennedy 🔐 🔗, CEO & co-founder of TestifySec.

    CrowdStrike just caused the largest IT outage in history. An update to the data their software uses to identify threats caused the Windows kernel to crash. While Microsoft may need to address some serious design issues, let's focus on CrowdStrike. The file that caused the incident was entirely full of null characters. I don't know what CrowdStrike's testing and validation process looks like, but I do know that most enterprises can make this mistake without proper verification. Let's take a look at some compliance documents to see what we are REQUIRED to do.

    NIST 800-53 SA-11

    According to NIST 800-53 SA-11, both moderate and high baselines require:
    ☑ Developing and implementing a plan for ongoing security and privacy assessments.
    ☑ Performing unit, integration, system, and regression testing/evaluation at an organization-defined frequency.
    ☑ Producing evidence of the execution of the assessment plan and the results of the testing.
    ☑ Implementing a verifiable flaw remediation process and correcting flaws identified during testing and evaluation.

    If compliant, CrowdStrike should have had a comprehensive testing and evaluation plan and evidence of its execution.

    Implementing Verification Processes

    Ensuring compliance and avoiding such catastrophic failures require stringent verification processes. Verification processes ensure that developers do not bypass testing protocols. This is where frameworks like in-toto and guidelines from NIST 800-204D come into play.

    in-toto Framework

    #intoto provides a mechanism to secure the software supply chain, ensuring that every step of the software development process is verified. This means that every step in the SDLC is tracked and verified, ensuring that no unauthorized changes are made.

    NIST 800-204D

    This publication outlines strategies for integrating software supply chain security into DevSecOps CI/CD pipelines. It emphasizes the importance of securing the entire software supply chain (SSC) by integrating security assurance measures into CI/CD pipelines. This framework provides actionable measures to enhance the security of cloud-native applications by addressing threats from both malicious actors and due diligence lapses.

    The CrowdStrike incident underscores the importance of rigorous testing and verification processes. By adhering to frameworks like NIST 800-53 and integrating security measures outlined in NIST 800-204D and the in-toto framework, companies can significantly reduce the risk of outages caused by shipping the wrong or improperly tested software.

    We are hosting a webinar on in-toto next week where we are going to be talking about this. You can register under our events on this company page. Read the full article with links to references here: https://lnkd.in/d5BdNSU5
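As an added illustration (not the author's code, and not in-toto's real API or link/layout format), here is a simplified in-toto-style check in Python for the two points the post makes: every required pipeline step must have signed evidence from its authorised key with artifact hashes flowing unbroken from build to test to release, and the file being shipped must be the exact bytes the test step exercised, with a final sanity check that rejects a content file made entirely of null bytes. Step names, keys and the file name are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed, simplified illustration of in-toto-style verification.
# This is NOT in-toto's real API or metadata format; keys and step names
# are made up for the example.

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_link(step: str, materials: dict, products: dict, key: bytes) -> dict:
    """A functionary records what its step consumed and produced, then signs it."""
    body = json.dumps({"step": step, "materials": materials, "products": products}, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), "sha256").hexdigest()}

# The layout: required steps in order, the key authorised to sign each, and
# which earlier step's products each step must consume unchanged.
LAYOUT = {
    "build":   {"key": b"build-key",   "consumes": None},
    "test":    {"key": b"test-key",    "consumes": "build"},
    "release": {"key": b"release-key", "consumes": "test"},
}

def verify_release(links: dict, artifact: bytes, name: str = "update.bin") -> list:
    """Return a list of findings; an empty list means the release passes."""
    findings, prev_products = [], None
    for step, rule in LAYOUT.items():
        link = links.get(step)
        if link is None:  # no evidence that the step was ever performed
            return findings + [f"{step}: no link metadata, step was not performed"]
        expected = hmac.new(rule["key"], link["body"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return findings + [f"{step}: signature invalid or signed by an unauthorised key"]
        body = json.loads(link["body"])
        if rule["consumes"] and body["materials"] != prev_products:
            findings.append(f"{step}: materials differ from the products of {rule['consumes']}")
        prev_products = body["products"]
    # The file being shipped must be the exact bytes the test step exercised.
    if prev_products != {name: sha256(artifact)}:
        findings.append("released artifact is not the one that passed the pipeline")
    # Content sanity check: a file made entirely of null bytes is never a valid release.
    if not artifact.strip(b"\x00"):
        findings.append("artifact consists entirely of null bytes")
    return findings
```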

    Great interview from our colleague, Justin Cappos: "You just need to actually check that the steps that they are supposed to do for testing their software were actually performed when that software was released." Justin is an associate professor of computer science and engineering at New York University and one of the creators of #intoto, alongside Santiago Torres Arias. As an #opensource project that is a part of the Cloud Native Computing Foundation (CNCF), in-toto is a framework that can help secure and verify all the steps of the software supply chain. We are hosting a webinar where you can learn more about in-toto and its capabilities on July 23 with #intoto steering committee member Santiago Torres Arias, contributor John Kjell and user Ian Dunbar-Hall. This video has been clipped from ABC News and the full video can be found on their website.

    #OpenSource community call in less than 4 hours... We know it's Friday and you deserve to enjoy your weekend... but before you do, join us TODAY for the #Witness and #Archivista Community call at 11:00 am Eastern. Come help us make these open-source projects better, and if you have never used them, maybe they are the right fit for you to simplify evidence collection and ensure your software stays secure. Details to join are below. The Linux Foundation, Cloud Native Computing Foundation (CNCF) #intoto

  • TestifySec reposted this

    Excited to join the in-toto community for a webinar on securing CI/CD pipelines with in-toto! Learn from Santiago Torres Arias (in-toto Steering Committee) and John Kjell (in-toto Maintainer) who have an immense amount of knowledge. I'll be speaking to the end user perspective. Make sure to attend it on July 23 to hear more! #DevOps #CyberSecurity #InToto #CNCF

    Enhance the security and integrity of your CI/CD pipelines with in-toto! Join our upcoming webinar to discover how in-toto can put #attestations in action to streamline regulatory compliance, prevent unauthorized changes, and ensure comprehensive auditing. Gain practical insights and strategies from experts: 🎤 Santiago Torres Arias, an Assistant Professor of Electrical and Computer Engineering at Purdue University and a member of the in-toto steering committee. 🎤 John Kjell, Director of Open Source at TestifySec and a maintainer on in-toto. 🎤 Ian Dunbar-Hall, Head of Open Source Program Office at Lockheed Martin and an in-toto user/integrator. Perfect for DevOps leaders, CISOs, ISSMs, and security professionals, you don't want to miss this opportunity to safeguard your software development process. Register now! #DevOps #CyberSecurity #InToto #OpenSource Cloud Native Computing Foundation (CNCF) The Linux Foundation

    Beware of the Wild Hacker! In this talk that John Kjell gave at #SecureChainCon, we dive into the world of cybersecurity and witness a wild hacker using a powerful typo squatting attack. But fear not, we have a solution! Go #Witness Go, a tool that wraps around the process and captures all the metadata, collecting the evidence and providing valuable insights into the build process. With Witness, you can easily detect compromised container images and take necessary actions to secure your systems. 💪🛡️ But that's not all! We also explore #Archivista, an evidence storage tool that allows you to store the created attestations. Once we have all the information, we can verify the container image and ensure it aligns with our policies. However, the journey doesn't end there. We need a reliable way to run these containers or workloads in production. Stay tuned later this week to learn about the next step with Archivista Data Provider, a gatekeeper external data provider that queries Archivista for you. Join us in this exciting adventure as we unravel the world of cybersecurity and learn how to protect ourselves from the wild hackers! Everyone Deserves Secure Software! #cybersecurity #intoto #opensource Ortelius Open Source

    DevSecOps: Moving from Implicit Trust to Explicit Proof The shift from #DevOps to #DevSecOps has addressed the deep problems of independent development and operations, enhancing site reliability and accelerating SaaS growth. There is a growing demand from governments and businesses that their suppliers attest to following a secure software development process. Organizations aren’t just looking for a verbal “trust us, we got this!” from suppliers when it comes to demonstrating secure software development practices. Instead, they are demanding their suppliers rapidly mature and rigorously define how their software is built to be resilient in the face of evolving cybersecurity threats. Discover how you can transition from implicit trust to explicit proof in your supply chain with TestifySec. Check out the article below to learn more and send us a message to chat. #SupplyChainSecurity #CyberSecurity #Witness #intoto

    John Kjell recently gave a talk at #CNSCON titled "Demystify Modern Signing: Keys, Certs, and Envelopes," which focused on practical aspects of cryptographic signing tools used in software supply chain security, specifically those from projects like Sigstore’s Cosign, Notation, The Update Framework (TUF), and #intoto. John didn't delve into complex mathematical concepts like elliptic curves, prime numbers in cryptography, or modular exponentiation. 😉 Instead, he covered:
    Key Algorithms: How the tools implement and utilize various cryptographic algorithms.
    Signing Envelopes: The format and structure used to wrap the signed data.
    Certificates: The role of certificates in the signing and verification process.
    Verification: How these tools verify signatures to ensure data integrity and authenticity.
    Additionally, he shared:
    🔸 Differentiate between signing and verification versus encryption and decryption.
    🔹 Explore the design decisions made by each tool (Cosign, Notation, TUF, and in-toto’s Witness project).
    🔸 Discuss the emerging trend of identity-based signing using short-lived keys and certificates.
    🔹 Demonstrate how to verify signatures using basic CLI commands like openssl and shasum.
    This practical approach aims to provide a deeper understanding of the operational aspects of these tools and their applications in securing software supply chains. Thank you to Cloud Native Security Con and The Linux Foundation for creating a great event and community to discuss the critical aspects of supply chain security and much more. #linuxfoundation #cybersecurity #devops

    Thank you FINOS for creating a great community for us to be a part of. We are excited to contribute to this vibrant ecosystem.

    Shared from FINOS:

    "We are thrilled to join the Fintech Open Source Foundation. At TestifySec, we believe in the power of collaboration and innovation in open source communities. Joining FINOS aligns perfectly with our mission to enhance AI and application security across the financial services industry. We look forward to contributing to and growing with this vibrant ecosystem, advancing secure and compliant software practices together," said Cole Kennedy 🔐 🔗, CEO and Co-Founder at TestifySec. 🔗 Read more here: 🌟 FINOS Welcomes Seven Financial Services and Technology Leaders, Accelerating AI, Cloud and Interoperability Strategic Initiatives https://hubs.ly/Q02FRgqf0 🌟 #fintech #financialservices #FINOS #opensource #ai #cloud

    FINOS Welcomes Seven Financial Services and Technology Leaders, Accelerating AI, Cloud and Interoperability Strategic Initiatives

    Ensuring software provenance and security in your CI/CD pipeline can be tough. We’re curious—what’s your biggest challenge in this area? Take our quick poll and let us know. Your input will help us understand the common pain points and work on better solutions. Vote now and share your thoughts in the comments! #Software #Provenance #SupplyChainSecurity #DevOps

Funding

TestifySec 1 total round

Last Round

Seed

US$ 6.4M