2 Posts, 384 Following, 320 Followers · Maker, breaker and fixer of software. Adventures in #appsec and #agile: beny23.github.io he/him| Infosec Exchange
With the first half of 2023 over, I figured I would take some time and review the data and highlight some of the most interesting data points so far this year. This GitHub repo contains the code for all the data and graphs this blog uses.| JerryGamblin.com
The question of automatic dependency updates came up in our Slack channel the other day. There was a lot of nodding on how it is a good thing. Tools like Dependabot and Renovate were mentioned. Yet I was a dissenting voice. Why? The case for automatic dependency updates is simple and seductive: A bot would automatically scan your dependencies in your source code and create pull requests to update your libraries to the latest versions, sometimes even automatically merging it in.| beny23.github.io
In this post, I am going to look at an increasingly important part of securing applications: Your supply chain. This includes every library, tool or service that you are using to build, run and monitor your service. When the log4shell vulnerability hit, it wasn’t just a matter of looking at the dependencies that your source code pulls in, but also at the infrastructure you’re using and the build pipeline. Have you had a look at the vulnerability reports of your dependencies lately?| beny23.github.io
