JavaScript is not available.

Chainguard Unveils Memory-Safe Linux Distribution

We asked what #VEX is & this pretty much sums it up: “Virtually Everyone is confused at this point & just want know what tool they have run in CI to produce some json file so they can just ship software again Xylophone.” We KNOW you have questions! 🤪

Big week coming up for

Great writeup on the memory safety work we're doing in Wolfi from

@mvizard

securityboulevard.com

Chainguard this week made available a memory-safe distribution of Linux, dubbed Wolfi, that promises to eliminate the root cause of the bulk of known

(Apko works hand in hand with a tool called melange) which produces an SBOM for images with all the packages listed inside, Apko is also used to build

Images with complete SBOMs at build time. Here's Make SBOMs, not GuessBOMs 🧐👇

Make SBOMs, not GuessBOMs: Why we need to shift left on SBOM generation

GuessBOMs, SBOMs generated by reverse-engineering software artifacts, have severe limitations. The optimal point for generating complete SBOMs is at build time. Everything you need to know about...

Jan 28

Are you attending #CloudNativeSecurityCon in Seattle? Come meet us and learn how to secure your software supply chains by default! Full line up here: 🎉

Come see us at CloudNativeSecurityCon in Seattle Feb 1-2!

We're in Seattle next week for CloudNativeSecurityCon NA 2023. Find us at Booth S12 February 1-2 for swag and demos of Chainguard Enforce and Chainguard Images. Everything you need to know about...

Jan 27

Thrilled to be in great company at

@RSAConference

! 👏 #RSAC 👏

@lorenc_dan

will be on a panel with

@CamilleEsq

@ONCD

& Jim Higgins, CISO of

GIF

Friends don't let friends make GuessBOMs! Some thoughts from me on how the industry can improve SBOMs

Make SBOMs, not GuessBOMs: Why we need to shift left on SBOM generation

GuessBOMs, SBOMs generated by reverse-engineering software artifacts, have severe limitations. The optimal point for generating complete SBOMs is at build time. Everything you need to know about...

Jan 26

Date yourself by naming a video game you played as a kid 🎮

162

60 to 70% of browser and kernel vulnerabilities—and security bugs found in C/C++ code bases—are due to memory unsafety. Wolfi by

(call it “undistro) gives developers the secure by default base they need to build software.

Building the first memory safe distro

Thanks to our ISRG partnership, we are enabling memory-safe TLS by introducing Rustls to Wolfi, which now sets the standard for memory safety in distributions. Everything you need to know about...

Is this

? /cc

twitter.com/fasc1nate/stat

This Tweet is unavailable.

Retweeted

erikaheidi@fosstodon.org

@erikaheidi

Jan 25

Here's a quick overview of how to build Wolfi images. I draw this while I waited for a build 😄

The process behind building a Wolfi Image:
1) First, you'll need to figure out which dependencies your image needs, and check which packages are already available on Wolfi.
2) Missing dependencies can be built as apks with melange. Consider submitting your package if it can be useful for other Wolfi users.
3) Use apko to build your Wolfi image and take advantage of built-in SBOMs and fully reproducible builds.

read image description

ALT

We're excited that

's Wolfi distro is enabling memory safe TLS via Rustls and memory safe HTTP via Hyper in curl. And anyone can do it with simple build time flags in curl. Easy peasy memory safety!

Building the first memory safe distro

Thanks to our ISRG partnership, we are enabling memory-safe TLS by introducing Rustls to Wolfi, which now sets the standard for memory safety in distributions. Everything you need to know about...

Nice blog by

and

explaining how we build the Wolfi distro with memory-safety in mind; from using rustls with curl to enabling various gcc flags.

Building the first memory safe distro

Thanks to our ISRG partnership, we are enabling memory-safe TLS by introducing Rustls to Wolfi, which now sets the standard for memory safety in distributions. Everything you need to know about...

@santoshdts

Jan 25

I’m going to

’s upcoming Space on #VEX. Will you join too?

Internet Security Research Group

Jan 25

🥳Wolfi, the world's most secure "undistro" is memory safe!! 🙌 😱 60-70% of browser, kernel vulnerabilities & bugs found in C/C++ code bases are due to memory unsafety. ✅ This class of vulns can be eliminated with the use of memory safe languages. chainguard.dev/unchained/buil

Join us next Tuesday (Jan 31) to talk about VEX and how it will help to make life easier when triaging vulnerabilities and #SBOM so much more useful.

Quote Tweet

twitter.com/i/spaces/1RDGl

Show this thread

Retweeted

Loved seeing

's research in

' Codebook today

Quote Tweet

Sam Sabin

@samsabin923

it's a busy, busy day — a great time for Codebook! today's edition:

cyber hiring demand remains high, despite tech layoffs

CISA releases K-12 report, recommendations

Apple launches new workshops about iPhone privacy settings axios.com/newsletters/ax

If you've been curious about

Enforce, we've just rolled out a massive update to the website! Check it out here: chainguard.dev/chainguard-enf There's way more information, videos/demos, case studies, and guides on how to configure Enforce for all your security needs!

How familiar are you with VEX? 🤝

Huh?
56.4%
Familiar but confused
33.3%
VEXpert
10.3%

39 votesFinal results

#CloudNativeSecurityCon Chainguardian Talks 2/2/23 ✅ 📝 3:50pm Not All That’s Signed Is Secure: Verify the Right Way w/ TUF &

@projectsigstore

, Zack Newman & Marina Moore 🗝️ 4:40pm "Keyless" Code Signing W/o Fulcio, Nathan Smith

#CloudNativeSecurityCon Chainguardian Talks 2/1/23 ✅ 💣 11:00am An Inner Look Into SBOMs

@puerco

🗣️ 1:55pm CNS Landscape panel ft.

@kimsterv

🔐 2:15pm Secure Your Source Repositories: 5 Tips to Get Started

@wflynch

🧠 3:50pm I Really Want to Know What's Behind OICD

👋Come say HI in Seattle @ #CloudNativeSecurityCon! 📍Booth S12 Stop by or come meet us: 🆒 2/1 Ask

@ariadneconill

anything about VEX 1-2pm 🔛 2/2 Meet our founders:

@AikasVille

@kimsterv

@mattomata

12:15-1:15pm Open tweet thread to catch Chainguardian talks! 🧵

GIF

read image description

ALT

Thank you

for defining VEX so well!! 🫰

👀

Quote Tweet

@KaylinTrychon

... once you've done that... stay tuned for something out of @chainguard_dev tomorrow

Show this thread

The lead #ciso practitioner that directs our #cybersecurity analysis explains the criteria and selections behind our recently unveiled Top 10 shortlist. The video highlights three of the 10 companies:

@Lookout

How 10 Companies Made the Shortlist of Cybersecurity Business Enablers

and

@snyksec

accelerationeconomy.com

Kieron Allen and Chris Hughes discuss how our cybersecurity analysts determined which companies made the new Top 10 list of Cybersecurity Business Enablers.

6⃣ We immediately added sbom-scorecard project into the

@wolfi_os

add sbom-scorecard by developer-guy · Pull Request #455 · wolfi-dev/os

🥳

github.com

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com /cc @puerco @dlorenc @tracymiranda @justinabrahms

Per

, "barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government." READ more via

@ryanaraine

@SecurityWeek

: securityweek.com/chainguard-tra

A while ago, there was a great talk recorded about measuring the #SBOM quality in

’s Software Supply Chain Security Leadership Series by the amazing folx

🧵

@KaylinTrychon

Jan 23

NEW:

@ImJasonH

details his journey finding, reporting & working with

@github

to resolve an information leak bug in GitHub's Container Registry (GHCR). Full details here:

GitHub Container Registry private repos sometimes… weren’t

GitHub Container Registry (GHCR) had an information leak bug, where names of private repos were exposed. Here's the background on how it was reported and fixed. Everything you need to know about...

John Speed Meyers and Hackers on the Hill

Jan 23

What does VEX stand for? *wrong answers only* 🧐

With our powers combined, we can solve your supply chain security problems!

Big week coming up for

We’re honored to have been a part of the 100+ hackers invited to brief 20 different congressional offices yesterday! Thank you,

@ncdinglis

for hosting us all. ✨✨

Another day, another new image! Here's our announcement for #Python in Wolfi and

images! ✅ Faster runtime! ✅ Fewer CVEs! ✅ Smaller size! ✅ glibc for compatility and fast package install! ✅ SBOMs! ✅ Signatures! ✅ Magic!

Chainguard Image Now Available for Python 3.11

Chainguard Images now contains Python 3.11.1, giving developers minimal, hardened base images that still contain everything needed to build and run Python apps. Everything you need to know about...

feat: add fluent-bit pkg by tuananh · Pull Request #456 · wolfi-dev/os

Jan 20

It's not self-promotion when it's true 🫰

Do you use

? It's coming to Wolfi!

github.com

WIP, i want to do a bit more testing as well as getting feedback from @patrick-stephens Fixes: #452

If you missed our session on SBOM Quality yesterday, the recording is available here!

crowdcast.io

Software Supply Chain Security Leadership Series: Measuring SBOM Quality

Register now for Software Supply Chain Security Leadership Series: Measuring SBOM Quality on crowdcast, scheduled to go live on January 18, 2023, 12:00 PM EST.

Retweeted

@KaylinTrychon

Jan 19

New research out today from