Toyota has fixed a vulnerability in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal that allowed a security researcher to gain access to corporate and partner accounts, and other sensitive data. GSPIMS is used by Toyota employees and suppliers to coordinate supply chain tasks. The researcher notified Toyota about the backdoor login …
Supply Chain
QUESTION The Information Technology industry is a rapidly evolving space, and it is essential for professionals to stay up to date with the latest trends in order to remain competitive. The Information Technology industry is ever-evolving, and so are the skills and technologies that are in high demand. In the current Information Technology (IT) industry, …
Security researcher Dawid Potocki discovered that more than 300 motherboard models from MSI do not implement the Secure Boot feature by default, which means that they will allow any bootloader, signed or unsigned, to run. According to an MSI Reddit post, the company says they “preemptively set Secure Boot as Enabled and ‘Always Execute’ as …
Updated on 2023-01-02: PyTorch-nightly Dependency Chain Compromised Machine learning framework PyTorch has disclosed that the PyTorch-nightly dependency chain was compromised in late December. Users who installed PyTorch-nightly Linux packages with pip between December 25 and 30 should uninstall those nightly builds and use the most recent nightly binaries. The dependency in question, torchtriton, was compromised …
Updated on 2022-12-13: New tool—OSV-Scanner Google has open-sourced a new tool called OSV-Scanner that can find known vulnerabilities affecting a project’s dependencies. OSV-Scanner is a free tool that helps developers understand whether projects include dependencies that contain vulnerabilities. The scanner uses the OSV database to scan for vulnerabilities across various programming environments and dependency systems. …
Updated on 2022-11-07: SolarWinds settlement SolarWinds said it reached a settlement with its shareholders in a class-action lawsuit filed in 2021 in which the company was accused of misleading its investors about the 2020 hack and subsequent supply chain attack. According to documents filed with the SEC, the settlement is worth $26 million but still …
Updated on 2022-10-30: GitHub fixes repo-hijack bug Researchers at Checkmarx found a vulnerability, now addressed by GitHub, which allowed attackers to take control of code repositories because of a naming issue. Per The Record, thousands of GitHub users, including those in control of popular repositories and packages, opt to change their usernames, “leaving …
Updated on 2022-10-04: Cyber adversaries hijacked the installer for commercial chat provider Comm100 to propagate a trojan malware via its Windows Desktop agent software. Read more: Report: Commercial chat provider hijacked to spread malware in supply chain attack. Updated on 2022-10-03: Comm100 supply chain attack CrowdStrike said on Friday that it detected that a suspected …
In a memorandum for the heads of executive departments and agencies, the US Office of Management and Budget (OMB) requires agencies to comply with US National Institute of Standards and Technology (NIST) guidance regarding software supply chain security. NIST developed best practices guidelines for the software supply chain, NIST Secure Software Development Framework (SSDF), SP …
Learn how to digitally sign software artifacts to ensure a safer chain of custody that can be traced back to the source. The article is for anyone new to Sigstore and its sub-projects. It starts by teaching you the basics such as: “What is Software Supply Chain Security?” and defines key terms and concepts like …
As the software components and delivery pipelines that comprise supply chains get more complex, so do the requirements for securing them. This checklist breaks down the components of supply chains to identify, prioritize, and address risks faster and proactively protect them from attacks. Software supply chains are core to building and delivering cloud-native applications. They …
NIST has put out a standard for supply chain risk management, which is a reasonable set of models to start thinking about supply chains. But most organisations struggle to articulate the difference in threat between several different scenarios. For example, would you describe all of these as “supply chain risks”?
For an SMB, a SolarWinds-style software supply-chain attack must be viewed as an existential threat to the business: it can violate contracts and gravely harm the company’s reputation, client confidence and public valuation. This article outlines 12 key questions to ask your software vendor, including: Do you have a multi-level process in place to analyze and review …
While 90% of international trade travels by sea, ocean freight still has a visibility problem. Supply chain, logistics, and procurement leaders struggle to build a more resilient and agile global supply chain. That requires gaining real-time insight into all modes of transportation, including sea freight. From manufacturers to retailers, obtaining better ocean visibility will play …
In 2021, shippers and logistics service providers (LSPs) are closer to 100% shipment visibility. So why have most carriers not yet deployed true end-to-end visibility solutions in their operations to boost customer satisfaction? This article unveils the Open Visibility Network: a collaboration of the world’s top providers of real-time visibility and predictive analytics that is …