
Cloudsmith

Mastering Open Source Security: Your Guide to S2C2F

Welcome to the second post in our series on how to securely consume open source software (OSS). Attacks targeting OSS are on the rise, making the security of your software supply chain a top priority. The first post gave an overview of some of the most common types of attacks. Today we'll explore the Secure Supply Chain Consumption Framework (S2C2F), which can help you mitigate these attacks.

The Dangers Lurking in Open Source Software

This is the first post in our series on securely consuming OSS. Today, I'll give an overview of some of the most common types of attacks that arise from consuming OSS. Open-source software (OSS) fuels innovation. Over 96% of commercial applications rely on at least one OSS component (Synopsys, 2023). At Cloudsmith, we champion OSS and understand its indispensable role in today's software landscape. However, the escalating threat of supply chain attacks targeting OSS demands a robust defence.

Securely Connect Cloudsmith to your CI/CD using OIDC Authentication

Are your CI/CD pipelines at risk? They might be if you use long-lived, static credentials and tokens, which are one of the most common causes of data breaches in cloud environments. CI/CD tools need access to cloud services to publish artifacts, deploy software, and access resources on their cloud provider, so they need credentials. It's tempting to hard-code them, but that's a bad idea.

Re-Imagining Cloudsmith.io

When a headhunter reached out to me about the CEO role at Cloudsmith (where I started in August!), one of the first things I did was sign up for a trial account. The product's depth and sophistication really impressed me, and contributed to my decision to go ahead with the interviews. (Glad I did.) They were right; our web interface is still largely a Django web app, tightly coupled to the back end, and you can see the Bootstrap showing everywhere.

Introducing Cloudsmith Navigator: Your Trusted Guide to OSS Package Quality

Discover Cloudsmith Navigator: a revolutionary tool designed to guide software engineering teams in selecting top-quality open source packages. By analyzing and scoring thousands of packages based on security, maintenance, and documentation, Navigator simplifies the package selection process. Choosing the right software package for your project can sometimes feel like finding a needle in a haystack.

Welcoming new leadership at Cloudsmith - a note from Alan Carson

Alan Carson writes about his experience and journey with Cloudsmith as new CEO Glenn Weinstein steps in to lead. I heard something recently, that resonated, about success: a simple (but not easy) three-step plan in which success happens when the following three things align: A great example is, of course, Steve Jobs and Apple. The contrarian idea was that every single human would need a personal computer. He was proven right. And he executed expertly (with a few ups and downs, obviously!)

Why you need an artifact management platform for best-in-class software delivery

Discover the pivotal role of artifact management platforms in software delivery. Learn how Cloudsmith streamlines storage, boosts security, scales effortlessly, and more. Elevate your software delivery with indispensable tools and insights. The tools and strategies you employ in software delivery can make all the difference when distributing and managing software. As software projects grow more complex, the need for streamlined, secure, and adaptable solutions becomes undeniable.

Managing Users and User Groups: A Guide to OKTA and Cloudsmith Integration

Explore Cloudsmith's powerful Okta integration for user and user group management. Dive into the benefits, security considerations, and best practices to optimize user access, streamline workflows, and bolster security in your software operations. User management is the backbone of secure and efficient software operations. As businesses grow and evolve, the tools they use must keep pace. Enter Okta and Cloudsmith.

What Is Universal Artifact Management, and Why Is It Beneficial?

Dive into the world of universal artifact management with our comprehensive guide. Discover the role of Cloudsmith in streamlining software artifact management, the advantages of a cloud-native approach, and the tangible benefits of a dedicated platform for software distribution. Navigating the software development world can sometimes feel like deciphering a new language.