Unpacking the CNCF Software Supply Chain Security Best Practices Whitepaper
by Cole Kennedy, James Bohrman
| Tuesday, Aug 3, 2021
| Security, Supply Chain Security, CNCF
Introduction
The increasing frequency of software supply chain attacks over the past few years has seen a lot of attention directed at the open source software that secures the software build process. Although the number of successful exploits is relatively small, the ramifications of these successful exploits are often far-reaching and catastrophic, and they have the potential to entice further attacks.
Despite the increasing importance of addressing these vulnerabilities, there is still somewhat of a blind spot when it comes to processes and mitigation strategies for addressing supply chain vulnerabilities.
A New Chapter for BoxBoat
by Tim Hohman
| Thursday, Jul 29, 2021
Today, I am proud to announce that IBM has completed its acquisition of BoxBoat Technologies. We are excited to join the IBM family as part of the Global Business Services Hybrid Cloud team. For additional information on the acquisition, please visit the IBM Newsroom.
Ken, Will, Kristen, and I founded BoxBoat 5 years ago with the idea that we could help transform enterprise organizations with Docker container technology and DevOps practices.
What is an SBOM, and why should you Care?
by David Widen, Cole Kennedy
| Wednesday, May 12, 2021
Developing software is a challenging and often time-consuming task. One of the biggest reasons for this is that creating solutions for novel problems is difficult. In the real world, software engineers break down complex problems into simpler ones, which allows them to take an iterative approach. Software engineers accomplish this by using software libraries, and this leads to two major problems:
How can you be sure what libraries are used by the software, and
Supply Chain Security By Verification - Mitigating Supply Chain Attacks
by Cole Kennedy
| Tuesday, May 4, 2021
| Security, Kubernetes
At BoxBoat, we have been helping high-compliance and high-assurance industries adopt DevSecOps practices for the last five years. In-band compliance, security checks, and scans form the basis of a secure software delivery pipeline. However, recent supply chain attacks such as SUNBURST have highlighted the need for a new approach to supply chain security. At BoxBoat we have been working with the Cloud Native Computing Foundation sig-security on guidance for implementing an evidence-based trust system for secure software delivery that mitigates key and root credential loss.
What is Toil, and Why Are SREs Obsessed with It?
by Zachary Nickens
| Tuesday, May 4, 2021
| Site Reliability Engineering
Site Reliability Engineers (SREs) love to hate toil, but what exactly is toil? And why are SREs obsessed with removing toil? In a nutshell, Site Reliability Engineering is what happens when you treat IT operations like a software problem. But… how do you treat operations like a software problem?
SRE can feel opaque, but in practice, it is the essence of engineering. In general, this means that you remove inefficiencies in one component, so that other components may perform quantifiably better.