Deborah Mullan’s Post

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction

1mo

Katie Norton of IDC recently posted a great piece on the real risk of the open source software ecosystem following the discovery of XZ Utils Backdoor vulnerability. In her words, "The widespread use of OSS by large organizations maintained by volunteers is a poorly kept secret." In a recent blog post about the incident, security researcher Bruce Schneier put the problem bluntly: "We simply have to stop building our critical national infrastructure on top of random software libraries managed by lone unpaid distracted — or worse — individuals." More than 80% of companies use a majority of OSS in their software development. That's not likely to change. What's needed is for developers and security leaders alike to ensure their entire software supply chain is secure from development to device. Headed to #RSA? Stop by JFrog's booth 455 in the South Hall. We'd love to have a chat. Read the blog on the XZ Utils Backdoor https://lnkd.in/eHcqc3Nc IDC (subscription required): The xz Utils Backdoor and Securing the Open Source Software Supply Chain #JFrogSecurity

XZ Utils Backdoor

http://www.schneier.com

5 Comments

Richard Duong

The social engineering aspect related to the XZ backdoor vulnerability combined with the use of data obfuscation techniques to embed the key is the extremely concerning part. These techniques are not new but the relentless frequency of attacks have been intensifying to disrupt software supply chains and erode trust. Someone or some group spent years setting up the situation and waited to create a coordinated attack. Even the back and forth chats between the replacement committer and an open-source user reporting a bug and goading the maintainer to relinquish ownership of the repository and update the code faster is suspect. Unfortunately the whole situation is a major blow to the open-source community, however, software today is so complex that most organizations and individuals don't completely understand how the code they are using works, and use it blindly to provide integrated solutions at a lower cost and faster speed to meet upstream demands. It's the responsibility of larger enterprise companies to fork open-source code, inspect it thoroughly before use in commercial products, and own/support any issues that are related related to derivative products, however, few actually do.

Katie Norton

Industry Analyst at IDC - DevSecOps and Software Supply Chain Security

1mo

Thank you so much for your kind words and for sharing, Deborah! Shout out to Michele Rosen who I collaborated with on this document. She is covering the open source ecosystem at IDC and we will be collaborating a lot around open source security!

2 Reactions

Patricia Pouncey

1mo

Interesting and insightful article Deborah!

1 Reaction

See more comments

To view or add a comment, sign in

More Relevant Posts

Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
1w
Report this post
I had the chance to attend the unveiling of the Formula Buckeyes 2024 Competition Car this weekend. Talk about #Leadership, #Culture, #Teamwork. This team is truly impressive! Best of luck to the entire team as they head off to Michigan this week to secure the hardware. Shout out to OHD Studios on the production rollout. You gotta see this!

Formula Buckeyes

344 followers
1w

INTRODUCING FB-24: Our 2024 Competition Car 🏎️🏁 We would like to extend a huge thank you to all of our Sponsors, Alumni, and the University who supported us through the creation of our final Internal Combustion Vehicle. As well, a special thanks goes to OHD Studios for the incredible opportunity to shoot FB-24 in their facilities alongside the help of their amazing production crew! David Jeffries and Patrick Phillips were instrumental in creating unique shots never seen before in FSAE.

1 Comment
Like Comment
To view or add a comment, sign in
Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
2w
Report this post
Come join a truly amazing team here at JFrog!

Sean Pratt

Product Marketing at JFrog
4w

I'm looking for a #productmarketing pro to join my team and help bring JFrog's DevOps solutions to market! Come work with a product that sits at the center of modern software delivery (including AI/ML!!) and is used by the majority of Fortune 100 companies. Got referrals? Send them my way :) https://lnkd.in/gx6cdaqF

Product Marketing Manager - JFrog Career Site

join.jfrog.com
Like Comment
To view or add a comment, sign in
Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
2w
Report this post
Our JFrog research team discovered coordinated attacks on Docker Hub that planted millions of malicious repositories. Read more in today's blog.
JFrog

58,142 followers
2w

🚨 Nearly 20% of Docker Hub repositories are used to spread #malware & #phishing scams. Our #Security Research team reveals 3 large-scale malware campaigns targeting #Docker Hub, including planting millions of “imageless” repos with malicious metadata. Learn more: https://jfrog.co/3weARe3
Like Comment
To view or add a comment, sign in
Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
1mo
Report this post
A don't miss read today!
Katie Norton

Industry Analyst at IDC - DevSecOps and Software Supply Chain Security
1mo

I've been a busy bee 🐝 - more new research published today! This IDC Market Note discusses the software supply chain security–related actions taken by the U.S. federal government in February and March 2024. Recent directives and initiatives by U.S. federal agencies like National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency highlight a strong emphasis on securing the software supply chain. This includes integrating security into CI/CD pipelines, securing open source software, and ensuring software developed for government use meets stringent security standards. Subscribers to the DevSecOps practice can access the full research here: https://lnkd.in/d22TNTK8
Like Comment
To view or add a comment, sign in
Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
1mo
Report this post
Absolutely brilliant! Check out this interview with Colin Mullan by Kellum Dean and his Dad at The Ohio State University on racing, engineering and leadership. Shout out to the Formula Buckeyes - teamwork at its best.

Colin Mullan

Professional Racing Driver / Instructor, OSU Mechanical Engineering Student
1mo

Earlier this year I sat down with Kellum Dean and his dad as they are traveling and filming a series on careers in motorsport. Always happy to chat about my career in racing, and on the STEM side, diving into FSAE with the Formula Buckeyes at Ohio State too. Check it out below and help support the future of the sport! https://lnkd.in/gAPj5Y93

Colin Mullan - Formula SAE

https://www.youtube.com/

3 Comments
Like Comment
To view or add a comment, sign in
Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
2mo
Report this post
I’m happy to share that I’m starting a new position as Director, Analyst Relations at JFrog!

This content isn’t available here

Access this content and more in the LinkedIn app

55 Comments
Like Comment
To view or add a comment, sign in
Deborah Mullan

Building Trusted, Valued Analyst Relations | Thought Leadership | Market Traction
2mo
Report this post
I'm very excited to take the leap and be joining such an amazing and talented team of frogs!
Jens Eckels

VP, Product Marketing - I'm hiring!
2mo

Some analyst relations pros are glorified schedulers. Not Deborah. I'm proud that she is taking the leap forward with us, and look forward to many years of driving JFrog's business forward with the utmost of care for our analyst community. Welcome to the swamp Deborah Mullan!
7 Comments
Like Comment
To view or add a comment, sign in

743 followers

210 Posts

View Profile Follow

Deborah Mullan’s Post

More Relevant Posts

Colin Mullan - Formula SAE

https://www.youtube.com/

Explore topics