Episode 245
Episode #245: npm Typo-Squat Deploys RootKits; Software Supply Chain: What Matters to an Architect; Security During Software Creation; OpenSSF Scorecards for Open Source
🎙️ Free, ungated access to all 235+ episodes of “It’s 5:05!” on your favorite podcast platforms: https://bit.ly/505-updates. ♻️ You’re welcome to repost if your followers will find this of value.
The stories we're covering today.
Marcel Brown: October 6th, 1942. Chester Carlson is issued a patent on a process called electrophotography, now commonly known as photocopying. It was not until 1946 that a company had any interest in pursuing photocopying commercially.
Edwin Kwan: A malicious component in the npm package registry has been found to be deploying an open-source rootkit. This incident is a reminder that developers need to exercise caution when installing open-source components.
Trac Bannon: Sonatype has released the 9th Annual State of Supply Chain Report. One of the most important evolutions is the emphasis on security during software creation.
Olimpiu Pop: Sonatype published the 9th edition of their now-traditional State of the Software Supply Chain report. There is a strong need to continuously monitor the state of the libraries we are using in our projects. According to the report, 18.6% of open-source projects are no longer maintained.
Katy Craig: OpenSSF is to software, what a health inspector is to restaurants. And guess what? They’ve got scorecards. Good scores here don’t just get you bragging rights. They predict fewer vulnerabilities, so your software is not just rocking it, it’s also locking it down.