- GitHub Actions is the weakest link
  Andrew Nesbitt outlines the multitude of ways that GitHub Actions is insecure by default and gives examples of the software supply chain compromises this has resulted in.
- Password managers' promise that they can't see your vaults isn't always true
  New research shows that these claims aren't true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups.
- GitHub Actions has a package manager, and it might be the worst
  "Package managers are a critical part of software supply chain security. The industry has spent years hardening them after incidents like left-pad, event-stream, and countless others. Lockfiles, integrity hashes, and dependency visibility aren't optional extras. They're the baseline. GitHub Actions ignores all of it." — Andrew Nesbitt
- What is an engineering audit like?
  Anna J McDougall shares her experience in an ISO 13485 Medical Device Engineering QMS case study.
- A sneaky phish just grabbed my Mailchimp mailing list
  Troy Hunt's welcome reminder that no one is immune to being caught out by phishing, as he shares his own experience.
- On the matter of the British Library cyber incident
  Ciaran Martin on what can be learned from this ransomware incident.
- 10 fundamental (but really hard) security metrics
  Phil Venables highlights a number of areas to think about when it comes to measuring your security.
Suppliers
Suppliers of security and compliance services
- Cure53
  Recommended for penetration testing
- Detectify
  External attack surface management service
- Halo I.S.
  Recommended for penetration testing
- Intruder
  Automated vulnerability scanning that comes highly recommended
- KnowBe4
  Security Awareness Training that includes simulated phishing attacks to drive awareness and change user behaviour
- Samurai Security
  Recommended for penetration testing
- VaaData
  Recommended for penetration testing