Post ALFVpw7HSDkh9jeuvY by kentoseth@fosstodon.org
Post #ALECoIL9lNClDQh2Ei by AIaYYAle4i1uKmKpqy.gme@bofh.social
2022-07-06T22:06:21.090810Z
0 likes, 0 repeats
The one thing that concerns me about all these repos leaving #GitHub is this now significantly increases the risk and likelihood for an adversary to commit (pun intended) a supply-chain attack against free/popular open source projects. Say what you want about GitHub, and #Microsoft, but the one thing all those projects benefitted from was the juggernaut that is Microsoft Information and Network #security policies, standards, guidelines, and practices. As someone who works in information security and whose job is to regularly review current and emerging supply chain tactics used by adversaries, this scares the fuck out of me.
Post #ALFVpw7HSDkh9jeuvY by kentoseth@fosstodon.org
2022-07-07T12:26:37Z
0 likes, 0 repeats
@gme > policies, standards, guidelines, and practices.

How many of these are just box-ticking? The only risks I can think of are attacks during migration, squatting & attacking the CI/CD pipeline (which already happens regardless).
Post #ALFVpwdXWHYYlmkgD2 by AIaYYAle4i1uKmKpqy.gme@bofh.social
2022-07-07T13:14:14.893741Z
0 likes, 0 repeats
If you think Governance and Compliance is just "box ticking" then you, sir, are part of the problem. Security needs to be baked-in. From the beginning. At every level. From design, development, and deployment. It has to be the mindset of the organization. Of the developers. Of the Supply Chain. It has to be demanded from employees. And from vendors. (GitHub is a vendor by the way. So is Codeberg.) Microsoft has one of the best security research teams on the planet. They have an in-house Red Team that is constantly probing and checking their infrastructure (which GitHub is part of) for weaknesses. They offer above standard bug bounties for white & gray hat researchers to report findings to them discreetly. And they are constantly auditing their entire CI/CD pipeline for bugs and vulnerabilities. Are they perfect? No. No Company is. No software is. But Microsoft knows what's at stake, and they have very deep pockets in the event someone wants to sue them. Simply put, they have a vested interest in ensuring their products and services are as secure as they possibly can be. Does the company running Codeberg even have an information security group? What about Gitlab? How are Codeberg and Gitlab protecting the projects and code that they host? These are legitimate questions that if people aren't asking (and getting serious answers) before just blindly throwing their code across the fence and hoping and praying for the best.
Post #ALFW2jx7zRPbCB11Ky by AIaYYAle4i1uKmKpqy.gme@bofh.social
2022-07-07T13:16:34.486647Z
0 likes, 0 repeats
If you think Governance and Compliance is just "box ticking" then you, sir, are part of the problem. Security needs to be baked-in. From the beginning. At every level. From design, development, and deployment. It has to be the mindset of the organization. Of the developers. Of the Supply Chain. It has to be demanded from employees. And from vendors. (GitHub is a vendor by the way. So is Codeberg.) Microsoft has one of the best security research teams on the planet. They have an in-house Red Team that is constantly probing and checking their infrastructure (which GitHub is part of) for weaknesses. They offer above standard bug bounties for white & gray hat researchers to report findings to them discreetly. And they are constantly auditing their entire CI/CD pipeline for bugs and vulnerabilities. Are they perfect? No. No Company is. No software is. But Microsoft knows what's at stake, and they have very deep pockets in the event someone wants to sue them. Simply put, they have a vested interest in ensuring their products and services are as secure as they possibly can be. Does the company running Codeberg even have an information security group? What about Gitlab? How are Codeberg and Gitlab protecting the projects and code that they host? These are legitimate questions, and if people aren't asking them (and getting serious answers) before just blindly throwing their code across the fence and hoping and praying for the best, then the developers are doing a disservice to themselves and the Community.