
GitHub Strengthens Software Supply Chain Security

Good Morning! GitHub has taken measures to strengthen software supply chain security, introducing Artifact Attestations for GitHub Actions and integrating Dependabot with GitHub Actions workflows. The National Institute of Standards and Technology (NIST) has launched a program to test and evaluate generative AI systems for text and image generation/detection. Additionally, the investment firm EQT Private Capital Asia has acquired the open-source software company WSO2, a provider of API, integration, and identity/access management solutions, for over $600 million.

GitHub Strengthens Software Supply Chain Security

GitHub has taken pretty big steps to strengthen the security and integrity of the software supply chain. As organizations increase their reliance on open-source components and third-party dependencies, vulnerabilities or malicious code injected at any point during development and distribution can have severe consequences.

One of GitHub's key updates is the public beta of Artifact Attestations for GitHub Actions. This basically allows open-source maintainers to create a verifiable trail linking their software artifacts directly to the original source code and build instructions used to create them. Powered by Sigstore, the attestations include details like:

  • The associated workflow

  • The repository

  • The commit hash

  • The event that triggered the build

Devs can generate these attestation documents, which users can then download and verify, promoting much-needed transparency in the supply chain.
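The workflow below is an added example of the generate-then-verify flow described above; it is not taken from the page or from GitHub's documentation. It uses the real `actions/attest-build-provenance` action and the `gh attestation verify` command, while the repository name, the `src/` directory, the archive name and the workflow file name are placeholders chosen for the example.

```yaml
# .github/workflows/release.yml (constructed example; names are placeholders)
name: build-and-attest

on:
  push:
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # lets the job obtain a Sigstore signing identity
      attestations: write  # lets the job store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build the release archive
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz src   # assumes sources live under src/

      # Records which workflow, repository, commit and triggering event
      # produced dist/app.tar.gz; the statement is signed through Sigstore.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

  verify:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app

      # The same check a consumer runs locally with the GitHub CLI: it
      # fetches the attestation for this file's digest, checks the Sigstore
      # signature, and confirms it was issued for this repository.
      - name: Verify the attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh attestation verify app.tar.gz --repo "${{ github.repository }}"
```

A downstream user repeats the last step on their own machine with `gh attestation verify app.tar.gz --repo example-org/example-app`. The check fails if the archive was rebuilt or modified outside that workflow, because either the file digest no longer matches any attested subject or the signing identity is not the expected repository's workflow; that is the verifiable trail from artifact back to source and build the text refers to.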

GitHub's second big update is the integration of Dependabot, their dependency monitoring solution, with GitHub Actions workflows. Previously, Dependabot could only use GitHub's hosted infrastructure, limiting access to on-prem resources and scattering logs across multiple locations.

By running Dependabot as a GitHub Actions workflow, teams gain several key benefits:

  • Use of both hosted and self-hosted runners for compatibility

  • Centralized logs in one place for better visibility and troubleshooting

  • Tighter integration with CI/CD pipelines down the road


NIST Kicks Off Program to Test Generative AI

The rise of generative AI has raised concerns about whether it is still possible to tell human-made content from AI-generated content. The U.S. government wants to develop guidelines that keep this AI technology trustworthy and responsibly used.

That's why the National Institute of Standards and Technology (NIST) has kicked off this new NIST GenAI program. The basic idea is to evaluate and test out different generative AI systems that can generate synthetic:

  • Text

  • Images

  • Audio

  • Video

A major focus is finding reliable ways to detect AI-generated content. NIST is inviting teams to participate by submitting either:

  • "Generators" - AI systems trained to generate human-like content that's indistinguishable from the real thing

  • "Discriminators" - Systems designed to identify AI-generated output

For their first pilot study, they're concentrating specifically on text and image generation/detection using:

  • Text-to-text AI (like ChatGPT)

  • Text-to-image AI (like DALL-E)

The challenges for teams will be:

  • Producing 250-word summaries, both human-written and AI-generated

  • Building systems to accurately spot which summaries were AI-generated

Registration for teams opens in May 2024, and the initial round of evaluations wraps up by August 2024.

The end goal is to develop new technologies to verify content sources and guidelines for responsible AI development. The results will also inform other initiatives like NIST's AI Safety Institute.

This whole program is part of NIST's response to the 2022 U.S. Executive Order that called for promoting trustworthy AI systems across the board.


EQT snaps up API and identity management software company WSO2 for more than $600M

WSO2, a leading provider of open source software for managing APIs, integrating different systems, and handling identity/access management (IAM), has been acquired by the investment firm EQT Private Capital Asia.

Many major organizations rely heavily on WSO2's cloud software, including corporations, universities, and governments. Their software runs a staggering 60 trillion transactions and manages over 1 billion user identities every year.

This acquisition is expected to be a major boost for WSO2's innovation efforts. With EQT's backing, they can:

  • Boost R&D on new cutting-edge products

  • Expand to more countries globally

  • Better help enterprises transform into digital-first businesses

EQT has serious expertise in growing software companies, so they know how to guide WSO2's future growth. A few key areas they'll likely focus on:

  • Taking advantage of the multi-cloud trend as businesses use more cloud platforms

  • Handling rising API traffic volumes as apps talk to each other more

  • Integrating generative AI like ChatGPT into their products

  • Bolstering cybersecurity against sophisticated hacking threats

WSO2's robust integration, API management, and IAM solutions are perfectly positioned for tackling challenges like these head-on.

With EQT's proven track record and deep pockets, WSO2 is primed to accelerate innovation, scale globally, and cement their position as a digital transformation powerhouse for enterprises worldwide.


🔥 More Notes

YouTube Spotlight

So, you want to be a programmer?
