October 2023 Summaries
3 posts from Cloudsmith
Filter
Month:
Year:
Post Summaries
Back to Blog
The threat of supply chain attacks targeting open-source software (OSS) is escalating and requires a robust defense. Common types of attacks include typosquatting, where malicious packages are published with similar names to popular ones, and dependency confusion, where attackers find or guess package names in private repositories and pull in public packages instead. Maintainer-based threats also exist, such as hijacked credentials and good maintainers going rogue. Abandoned OSS projects pose a security risk due to unpatched vulnerabilities, which can range from low-severity issues to critical ones enabling Remote Code Execution. The infamous Log4Shell vulnerability highlights the threat of OSS vulnerabilities, with attacks often being easy to exploit and hard to detect. The Open Source Security Foundation's Secure Supply Chain Consumption Framework provides essential guidelines and best practices to mitigate these risks when consuming OSS.
Oct 25, 2023
1,617 words in the original blog post.
Cloudsmith's CI/CD pipelines are at risk due to the use of long-lived, static credentials and tokens. This can lead to data breaches in cloud environments. A better approach is to use OpenID Connect (OIDC) authentication, which provides a more secure way to handle authentication than hard-coded credentials or long-lived API tokens. Cloudsmith now supports OIDC natively, allowing users to authenticate against their API, CLI, and users with format-specific endpoints like Ruby, NuGet, Terraform, or Docker. By using OIDC, users can securely authenticate into Cloudsmith without storing long-lived secrets in their CI/CD platform, have more granular control over how workflows use credentials, and avoid the need to rotate API tokens. Cloudsmith's updated workflow with GitHub Actions using OIDC provides a secure and convenient way for software engineers to manage their workflows.
Oct 16, 2023
924 words in the original blog post.
Cloudsmith is re-examining its web product to prioritize customer experience and developer productivity. The current UI is considered too cluttered and not guiding users through a coherent experience. Cloudsmith aims to create a more streamlined interface that nurtures new trial users and makes it easier for experienced customers to get the most out of their tools. A project has been launched to rewrite the web product, with initial prototypes showing promise. The company invites customers and supporters to provide feedback on the new version before its launch.
Oct 09, 2023
443 words in the original blog post.