One Article Review

Source: GoogleSec
Identifier: 8327500
Publication date: 2023-04-13 12:04:31 (viewed: 2023-04-13 17:07:23)
Title: Supply chain security for Go, Part 1: Vulnerability management
Text:
Posted by Julie Qiu, Go Security & Reliability, and Oliver Chang, Google Open Source Security Team

High-profile open source vulnerabilities have made it clear that securing the supply chains underpinning modern software is an urgent, yet enormous, undertaking. As supply chains get more complicated, enterprise developers need to manage the tidal wave of vulnerabilities that propagate up through dependency trees. Open source maintainers need streamlined ways to vet proposed dependencies and protect their projects. A rise in attacks, coupled with increasingly complex supply chains, means that supply chain security problems need solutions at the ecosystem level.

One way developers can manage this enormous risk is by choosing a more secure language. As part of Google's commitment to advancing cybersecurity and securing the software supply chain, Go maintainers are focused this year on hardening supply chain security, streamlining security information to our users, and making it easier than ever to make good security choices in Go.

This is the first in a series of blog posts about how developers and enterprises can secure their supply chains with Go. Today's post covers how Go helps teams with the tricky problem of managing vulnerabilities in their open source packages.

Extensive Package Insights

Before adopting a dependency, it's important to have high-quality information about the package. Seamless access to comprehensive information can be the difference between an informed choice and a future security incident caused by a vulnerability in your supply chain. Along with providing package documentation and version history, the Go package discovery site links to Open Source Insights. The Open Source Insights page includes vulnerability information, a dependency tree, and a security score provided by the OpenSSF Scorecard project. Scorecard evaluates projects on more than a dozen security metrics, each backed up with supporting information, and assigns the project an overall score out of ten so that users can quickly judge its security stance. The Go package discovery site puts all these resources at developers' fingertips when they need them most: before taking on a potentially risky dependency.

Curated Vulnerability Information

Large consumers of open source software must manage many packages and a high volume of vulnerabilities. For enterprise teams, separating noisy, low-quality advisories and false positives from critical vulnerabilities is often the most important task in vulnerability management. If it is difficult to tell which vulnerabilities matter, it is impossible to prioritize their remediation properly. With granular advisory details, the Go vulnerability database removes barriers to vulnerability prioritization and remediation. All vulnerability database entries are reviewed and curated by the Go security team. As a result, entries are accurate and include detailed metadata that improves the quality of vulnerability scans and makes vulnerability information more actionable. This metadata includes information on affected functions, operating systems, and architectures. With this information, vulnerability scanners can reduce the number of false po
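As an added example (not code from the post or from the Go team), the following Go program shows how the affected-function metadata described above turns into fewer false positives. It parses a constructed advisory in the OSV shape the Go vulnerability database publishes (the ID GO-0000-0000, the module example.com/widget and the symbols Decode and decodeHeader are placeholders, not a real entry), checks whether a pinned module version falls inside the advisory's introduced/fixed window, and then uses the advisory's symbol list to separate a finding where the vulnerable function is actually reached (CALLED) from one where the vulnerable module is merely imported (IMPORTED-ONLY). The call set is passed in by hand; a real tool such as govulncheck derives it from static call-graph analysis. Untagged struct fields rely on encoding/json's case-insensitive key matching.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed advisory in the OSV shape the Go vulnerability database serves (placeholder ID,
// module and symbols): the module under affected[].package, SEMVER introduced/fixed events,
// and the vulnerable packages and symbols under ecosystem_specific.imports.
const sampleOSV = `{"id": "GO-0000-0000", "affected": [{
  "package": {"name": "example.com/widget", "ecosystem": "Go"},
  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.2.4"}]}],
  "ecosystem_specific": {"imports": [{"path": "example.com/widget/codec", "symbols": ["Decode", "decodeHeader"]}]}}]}`

type (
	Event    struct{ Introduced, Fixed string }
	Range    struct{ Events []Event }
	Affected struct {
		Package           struct{ Name string }
		Ranges            []Range
		EcosystemSpecific struct{ Imports []struct{ Path string; Symbols []string } } `json:"ecosystem_specific"`
	}
	Entry struct{ ID string; Affected []Affected }
	// Finding.Level is CALLED when Symbols (vulnerable functions reached) is non-empty, else IMPORTED-ONLY.
	Finding struct{ ID, Module, Version, Level string; Symbols []string }
)

// LoadEntry parses one OSV document; the Go database serves one file per ID.
func LoadEntry(data string) (e Entry, err error) {
	err = json.Unmarshal([]byte(data), &e)
	return e, err
}

// VersionKey packs MAJOR.MINOR.PATCH into one orderable integer (components assumed below
// 2^20), tolerating a leading "v", missing components and a -prerelease or +build suffix.
func VersionKey(v string) (key int64, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // pseudo-versions such as v0.0.0-20230101000000-abcdef123456 compare by base
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, fmt.Errorf("bad version %q: %w", v, err)
		}
		key |= int64(n) << (20 * (2 - i))
	}
	return key, nil
}

// VersionAffected walks the sorted OSV events; the last introduced/fixed at or below version wins.
func VersionAffected(version string, ranges []Range) (bool, error) {
	key, err := VersionKey(version)
	ge := func(bound string) bool { k, _ := VersionKey(bound); return bound != "" && key >= k }
	affected := false
	for _, r := range ranges {
		for _, ev := range r.Events { // "introduced" opens a vulnerable window, "fixed" closes it
			affected = (affected || ge(ev.Introduced)) && !ge(ev.Fixed)
		}
	}
	return affected, err
}

// Scan matches a dependency snapshot (module -> version) and the set of symbols the program
// calls ("import/path.Symbol") against the advisories; a real scanner derives that set from a call graph.
func Scan(entries []Entry, deps map[string]string, calls map[string]bool) ([]Finding, error) {
	var out []Finding
	for _, e := range entries {
		for _, a := range e.Affected {
			ver, ok := deps[a.Package.Name]
			hit, err := VersionAffected(ver, a.Ranges)
			if ok && err != nil {
				return nil, err // a dependency we cannot parse is an error, not a silent miss
			} else if !ok || !hit {
				continue
			}
			f := Finding{ID: e.ID, Module: a.Package.Name, Version: ver, Level: "IMPORTED-ONLY"}
			for _, imp := range a.EcosystemSpecific.Imports {
				for _, s := range imp.Symbols {
					if full := imp.Path + "." + s; calls[full] {
						f.Symbols, f.Level = append(f.Symbols, full), "CALLED"
					}
				}
			}
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	e, _ := LoadEntry(sampleOSV)
	f, _ := Scan([]Entry{e}, map[string]string{"example.com/widget": "v1.2.3"}, map[string]bool{"example.com/widget/codec.Decode": true})
	fmt.Printf("%+v\n", f) // constructed snapshot reaching the vulnerable symbol: Level CALLED
}
```

The three outcomes worth checking are a module at a vulnerable version whose vulnerable symbols are on no call path (IMPORTED-ONLY, the case granular metadata lets a team demote), the same version with codec.Decode reached (CALLED), and a version at or past the fix, which produces no finding at all. A version string the scanner cannot parse is surfaced as an error rather than skipped, since quietly dropping an unparsable dependency is a false negative.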
Tags: Tool, Vulnerability
Rating: ★★


The article does not appear to have been picked up again after its publication.

The article does not appear to be a repeat of an earlier one.