Posts

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

 SecObserve is an open-source tool for managing vulnerabilities and licenses in software development and cloud environments. It integrates various vulnerability scanners into CI/CD pipelines using GitLab CI templates and GitHub Actions for streamlined setup. It offers a centralized dashboard for assessing and reporting vulnerabilities, with tools for filtering, sorting, and evaluating results. SecObserve supports automation and manual assessments to focus on resolving critical issues.  https://github.com/MaibornWolff/SecObserve/tree/dev

UK Government's Generative AI Framework: Principles for Ethical and Effective Use

 The UK Government's *Generative AI Framework for HMG* provides essential principles and guidance for integrating generative AI tools within government functions. Key principles include ensuring meaningful human control over AI outputs, managing the full lifecycle of generative AI projects, selecting the right tools for the job, and engaging in cross-government collaboration. It emphasizes transparency in AI deployment, ethical use, and the need for skills development. The framework stresses aligning AI applications with existing policies and governance, while fostering collaboration between departments and external stakeholders.  https://www.gov.uk/government/publications/generative-ai-framework-for-hmg/generative-ai-framework-for-hmg-html

The Role of OSPOs in Securing Open-Source Software Supply Chains

 The Open Source Program Office (OSPO) plays a critical role in secure open-source software (OSS) supply chain governance. OSPOs help organizations manage the growing risks associated with OSS use, such as vulnerabilities in outdated components. By establishing secure practices, including internal OSS repositories and integrating security tools into CI/CD pipelines, OSPOs promote safe, efficient use of OSS. This strategic role includes advocating for OSS security policies, fostering developer collaboration, and ensuring compliance with frameworks like NIST’s Secure Software Development Framework (SSDF). OSPOs are essential in mitigating risks and enhancing software supply chain security. https://www.csoonline.com/article/573975/the-ospo-the-front-line-for-secure-open-source-software-supply-chain-governance.html

NSA Guidance on Securing Software Supply Chains: Key Insights and Recommendations

 **Software Supply Chain Security: NSA Guidance and Key Takeaways** Software supply chain security remains a critical issue, especially with increased cyberattacks targeting both major software vendors and the open-source ecosystem. In response, new startups have emerged focusing on various attack surfaces, while organizations continue to provide valuable guidance for risk mitigation. The latest advice from the NSA emphasizes the importance of open-source software (OSS) and Software Bills of Materials (SBOMs). This guidance aligns with prior directives from the White House and NIST, as well as new federal requirements, such as OMB memos 22-18 and 23-16, which require federal software suppliers to adhere to secure development frameworks like SSDF and provide SBOM artifacts. The NSA’s recommendations offer practical steps for organizations involved in OSS and software supply chains, focusing on securing the flow of software and enhancing transparency through SBOMs. These practices aim to

NPM Provenance: Enhancing Security for JavaScript Libraries

 The blog discusses the importance of NPM provenance, a security feature that connects packages to their source code repositories, providing cryptographic proof of authenticity. Despite its availability, most popular JavaScript packages do not use this feature, leaving them vulnerable to supply chain attacks. The article outlines gaps in NPM's security model, such as missing enforcement for provenance and client-side verification. It emphasizes the need for package maintainers and users to adopt provenance, while calling for better enforcement mechanisms at the registry and client levels.  https://exaforce.com/blog/npm-provenance-the-missing-security-layer-in-popular-javascript-libraries

Twyn: Tool for Dependency Typosquatting Protection

 Twyn is a security tool designed to prevent typosquatting attacks by comparing dependency names against a set of well-known package names. It detects potentially suspicious package names that resemble popular ones and raises an alert. Twyn supports configuration through a command-line interface or a configuration file and offers various operational modes to customize checks. It is available for installation via PyPI, and it can be run to check dependency files like `requirements.txt` and `poetry.lock`.  https://github.com/elementsinteractive/twyn

Chime's Monocle: Automating Security at Scale

 David Trejo's BSides SF presentation introduced Monocle, an internal Rails application developed at Chime to address security scaling challenges as their engineering team expanded. Monocle assigns letter grades to code repositories based on factors including approved base images, branch protection, vulnerability resolution, and test coverage, displaying these grades via badges directly in repositories. The system performs nightly security score recalculations, monitors pull requests for security rule compliance, and automatically creates JIRA tickets for violations, saving approximately 2,000 engineering hours annually on audits. It communicates through monthly security scorecards sent to team Slack channels and provides dashboards showing security posture across services, meeting engineers where they work - in GitHub, Slack, and their editors. The system's key benefits include gamifying security best practices, reducing engineer stress around compliance, providing clear visib