How to Check for CISA Catalog of Exploited Vulnerabilities

Last week the United States Cybersecurity and Infrastructure Security Agency (CISA) published a binding operational directive describing a list of security vulnerabilities that all federal agencies are required to fix. Read the directive here: https://cyber.dhs.gov/bod/22-01/ The directive establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to federal agencies. The list can …


Enabling Cloud-Native DevSecOps: 3 Key Takeaways from the Gartner Research

Today’s DevSecOps teams face two major challenges — securing development cycles from the ever-increasing rate and complexity of software supply chain attacks and bridging the internal gaps within their organizations that have traditionally separated security and development efforts. The Gartner report, Survey Analysis: Enabling Cloud-Native DevSecOps, provides key data insights that reveal the emergence of …



Creating a FedRAMP Compliance Checklist

Creating a FedRAMP compliance checklist can be vital to approaching compliance methodically. While government contracting is full of stories of FedRAMP challenges, the move to cloud-native development grants us new tools, technologies, and methodologies to better set your projects up for FedRAMP compliance success. It’s up to you to capture these best practices in a checklist …


7 Tips to Create a DevSecOps Open Source Strategy

DevSecOps open source convergence isn’t always apparent to business stakeholders. Here at Anchore, we’re believers in the open sourcing of DevSecOps because open source software (OSS) is foundational to cloud-native software development. The Relationship between DevSecOps and Open Source: Open source technologies play a decisive role in how businesses and government agencies build their DevOps …


GitHub Action for Syft: SBOM-action

SBOM Tools: Drop an SBOM GitHub Action into your Workflow

As we expand our portfolio of open source SBOM tools, we are excited to announce the release of sbom-action, a GitHub Action for creating a software bill of materials (SBOM) using Syft. What Is It? The sbom-action is a simple way to generate a software bill of materials (SBOM) in your GitHub-based workflows and releases. …


Anchore Enterprise 3.2 Provides Increased Visibility to Identify More Risks in the Software Supply Chain

Modern cloud-native software applications include software components and code from both internal developers and external sources such as open source communities or commercial software providers. Visibility into these components to identify vulnerabilities, security risks, misconfigurations, and bad practices is an integral part of securing the software supply chain. Anchore Enterprise 3.2 provides richer visibility into …


Expanding Container Security: Announcing Anchore Engine 1.0 and the Role of Syft and Grype

It’s been an amazing five years working with you, our users, with more than 74,000 deployments across more than 40 releases since we initially shipped Anchore Engine. Today, we are pleased to announce that the project has now reached its 1.0 milestone. Much has changed in the world of container security since our first release, …


Getting Started with the STIG Process for Containers

The Security Technical Implementation Guide (STIG) is a Department of Defense (DoD) technical guidance standard that captures the cybersecurity requirements for a specific product, such as a cloud application going into production to support the warfighter. System integrators (SIs), government contractors, and independent software vendors know the STIG process as a well-governed process that all …


The 3 Shades of SecDevOps

We live and work in a time of Peak Ops. DevOps. DevSecOps. GitOps. And SecDevOps, to name a few. It can be confusing to discern the reality through the marketing spin. However, SecDevOps is one new form of Ops that’s worth keeping in mind as you face new and emerging security and compliance challenges as …
