VALENCIA, Spain — It was a busy KubeCon Europe for improving software supply chain security. That’s a darn good thing because Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021. To which I can only say: Optimists! Fortunately, security companies such as Codenotary are taking steps to protect the supply chain.
In its latest move, Codenotary has added a free background vulnerability scanning service to its free and open source Community Attestation Service (CAS), a code signing and attestation service, to further secure open source supply chains. The new service identifies known vulnerable packages by their hashes. If a scan finds any, it alerts you to the untrustworthy packages, and CAS can then be used to “untrust” the problematic artifacts. The scanning service is also continuously self-updating, so it can help you stay ahead of would-be attackers.
In other words, Dennis Zimmer, Codenotary co-founder and CTO, said, “Users of open source software — and that is pretty much everyone — have a free and easy way to ensure the security of their software supply chain which addresses a big and growing problem.”
All this rests on the foundation of the open source immutable database immudb. This is a ledger database built on an append-only data model. Like a blockchain, it carries built-in cryptographic proof and verification for every entry, but it doesn’t organize them as chains. And, like a time-series database, it tracks changes in data by time-stamping all entries. It can operate as a key-value store, as a relational database, or both. Because it provides cryptographic verification of each entry, it’s well suited to verifying the origin of software code.
With this, developers can also attach a Software Bill of Materials (SBOM) for development artifacts. This can include source code, builds, repositories, and more, plus Docker and Kubernetes container images for their software.
What that means for you is that the scanning service’s vulnerability data is itself nigh unto impossible to hack. Immudb is also as quick as a flash. Moshe Bar, co-founder and CEO, claims that it can handle up to 10 million transactions per second. Now, with the release of immudb 1.3, Bar says it delivers 40% higher performance. In short, no matter how many projects and bugs you must track, the scanning service can keep up with your workflow.
With 1.3 you can also query individual revisions of a key’s value at the key-value level. So, for example, if you use it to store data about your project, it’s easy to retrieve historical values for a key, such as the first version (revision 1) or some other previous value (e.g. revision 4).
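As an added illustration (not immudb’s or Codenotary’s code), here is a minimal Python sketch of the two properties the article leans on: per-key revision history and cryptographic verification of an append-only ledger, plus a hash-based scan that marks a known-vulnerable artifact “untrusted” while its earlier “trusted” revision stays readable. The Merkle-tree commitment, the `scan` helper, and the sample digests and advisory id are assumptions constructed for the example; immudb’s real proof structure differs.

```python
import hashlib
import json

def leaf_hash(key, revision, value):
    # Commitment to one entry: domain-separated hash over key, revision and canonical JSON value
    payload = json.dumps([key, revision, value], sort_keys=True).encode()
    return hashlib.sha256(b"\x00" + payload).hexdigest()

def merkle_root(leaves):
    # Binary Merkle tree over the entry commitments; an unpaired node is promoted unchanged
    level = list(leaves) or [hashlib.sha256(b"empty").hexdigest()]
    while len(level) > 1:
        level = [hashlib.sha256(b"\x01" + "".join(level[i:i + 2]).encode()).hexdigest()
                 if i + 1 < len(level) else level[i] for i in range(0, len(level), 2)]
    return level[0]

class AttestationLedger:
    """Append-only key/value ledger: each key (an artifact digest) accumulates numbered
    revisions, and the Merkle root over all entries exposes any rewrite of history."""
    def __init__(self):
        self.entries = []    # (key, revision, value, leaf) in insertion order, never mutated
        self.revisions = {}  # key -> indexes into self.entries, one per revision

    def set(self, key, value):
        rev = len(self.revisions.get(key, [])) + 1
        self.entries.append((key, rev, value, leaf_hash(key, rev, value)))
        self.revisions.setdefault(key, []).append(len(self.entries) - 1)
        return rev

    def get(self, key, revision=None):
        # revision=None gives the latest value, revision=1 the first value ever stored
        idxs = self.revisions[key]
        return self.entries[idxs[-1] if revision is None else idxs[revision - 1]][2]

    def root(self):
        return merkle_root([e[3] for e in self.entries])

    def verify(self, expected_root):
        # Recompute every leaf from stored data so a changed value or revision moves the root
        return merkle_root([leaf_hash(k, r, v) for k, r, v, _ in self.entries]) == expected_root

def scan(ledger, digest, known_vulnerable):
    # Background scan (constructed helper): a digest on the vulnerability list gets an
    # 'untrusted' revision appended; the earlier 'trusted' revision stays readable as history
    if digest in known_vulnerable:
        ledger.set(digest, {"status": "untrusted", "reason": known_vulnerable[digest]})
    return ledger.get(digest)["status"]

IMG, LIB = "sha256:" + "ab" * 32, "sha256:" + "cd" * 32  # constructed digests, not real artifacts
VULN_DB = {LIB: "CONSTRUCTED-ADVISORY-0001"}             # constructed advisory id
```

After `scan` marks `LIB` untrusted, `get(LIB, 1)` still returns the original trusted record, and a root captured before the scan no longer verifies, which is what makes the history auditable.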
If this database itself sounds like something you can use for your own projects, for the first time Codenotary is offering support plans. These are:
So whether you simply want to add this new, fast, tamper-proof scanner to your development pipeline or use its underlying database for other projects, Codenotary’s services and open source projects both demand your attention.