TestifySec

Software Development

Huntsville, AL 1,107 followers

Everyone deserves SECURE software

About us

TestifySec unites developers and cybersecurity teams in defending against software supply chain threats by integrating zero trust principles into build pipelines. We create transparency and accountability with our open-source and commercial products that observe, manage, and act on metadata at each step of the software or AI model generation process. Everyone deserves secure software.

Industry: Software Development
Company size: 11-50 employees
Headquarters: Huntsville, AL
Type: Privately Held
Founded: 2021
Specialties: zero trust, automated governance, policy as code, devsecops, software supply chain security, software development, kubernetes, devops, DoD, and security clearance

Updates

  • TestifySec

    Are you heading to the Open Source Summit Europe in Vienna, Austria? Keep an eye out for our teammate Kairo Araujo, who will be around talking about our two open source projects, #Witness and #Archivista. Kairo also has two talks on Thursday at the SOSS Community Day, Sept 19; details below.

    🔹 Securing Content Distribution with RSTUF, an Incubating OpenSSF Project. Thursday September 19, 2024 14:40 - 15:00 CEST, Room 3.29-3.30. Kairo Araujo will be speaking with Martin Vrachev. The project offers solutions for package repositories like PyPI and RubyGems, as well as any repository (GitHub Releases, S3 buckets, JFrog, Nexus, etc., including traditional old-fashioned HTTP/FTP servers distributing artifacts 😅). Moreover, he will showcase the seamless integration of RSTUF with #intoto and #Archivista to enhance security in Attestations/Policy distribution, a project developed by #TestifySec and donated to CNCF.

    🔹 Thursday September 19 4:00pm - 5:15pm CEST, Room 3.16-3.17. Kairo will also be speaking as a panelist in the TTX Session on Thursday with Daniel Appelquist from Samsung, Georg Kunz from Ericsson and Katherine Druckman from Intel Corporation. TTX Session - Daniel Appelquist, Samsung; Kairo De Araujo, TestifySec; Georg Kunz, Ericsson; & Moderated by Katherine Druckman, Intel Corporation

    #OSSummitEurope #OSSummit The Linux Foundation

  • TestifySec

    To Attest or not to Attest? That is the question... Well, we always say ATTEST, and so do a lot of organizations lately, including the federal government in a recent change requiring all software sold to the government to be signed and attested. Wait, what is an #attestation exactly? This article we wrote in recent years, with a few updates, explains how attestations are verifiable proofs of events, like certifications, that ensure the quality and security of your software. With new regulations from NIST, CISA, and DHS, providing attestations is crucial for compliance and protecting your supply chain from threats. Learn how attestations can verify processes, materials, and environments in each CI step, and why they’re essential for modern software security. Discover more about how attestations can safeguard your software supply chain by reading the full article below. #Attestations #SoftwareSupplyChain #Cybersecurity #NIST #DevSecOps

    What is a Software Supply Chain Attestation - and why do I need it?

    TestifySec on LinkedIn

  • TestifySec

    🚨 Today is the Day! As of September 9, 2024, the NIST Secure Software Development Framework (SSDF) is now a requirement for all government software providers. This is a critical milestone in improving the security and integrity of the software supply chain across federal agencies.

    If you’re delivering software to the U.S. Government, ensuring compliance with SSDF is now non-negotiable. This framework is pivotal in protecting against vulnerabilities and supply chain attacks, while fostering transparency and trust in the development lifecycle.

    At TestifySec, we help organizations meet these new requirements through our Integrated Product Governance Platform and our #opensource tools like #Witness and #Archivista, which integrate security by design and provide real-time monitoring and trusted telemetry to maintain compliance. Whether you're working with #DevOps pipelines or air-gapped systems, our solutions ensure your software meets SSDF standards—keeping you compliant and ahead of security risks.

    Why SSDF Matters:
    🔹 Provenance: Ensure software components are trustworthy from development to deployment.
    🔹 Compliance: Stay aligned with federal regulations and frameworks like NIST 800-53, 800-204D, and more.
    🔹 Security: Automate vulnerability detection and secure supply chains before breaches happen.

    Is your pipeline ready for SSDF? Don’t wait—take action and message us today to secure your software and protect your government contracts! #SSDF #NIST #CyberSecurity #Compliance

  • TestifySec

    Being an open-source first software company means we have the privilege of working with amazing friends, colleagues, and even employees from all around the world. Today, we honor and celebrate our teammates from #Brazil on Dia da Independência, also known as Sete de Setembro, which translates to "Seven of September." Observed on September 7th, this day commemorates the moment in 1822 when Brazil declared independence from Portuguese colonial rule. A special shoutout to our talented teammate, and favorite Brazilian, Kairo Araujo – we’re grateful for your incredible skills and contributions to our team! #IndependenceDay #OpenSource #GlobalTeam

  • TestifySec

    When #governance is viewed as a strategic enabler, the conversation shifts from “how can we ensure compliance and security?” to “how can we deliver this product to market faster while still mitigating risk?” And that’s the sweet spot every business wants to hit: accelerating time to market without cutting corners or compromising on quality. If you want to live in that sweet spot, send us a message to chat today.

  • TestifySec

    🚀 Real Results from One of Our Users! We recently had a conversation with a user leveraging #Witness and #Archivista to accelerate their product governance programs, including #FedRAMP. The results speak for themselves:

    ✅ 50-75% of required data was gathered automatically by Witness, significantly reducing the need for manual input from developers.
    ✅ Automated security and compliance checks were integrated seamlessly into legacy infrastructure, allowing developers to continue their work without interruption.
    ✅ Centralized storage of #SBOMs and attestations in Archivista ensured that compliance data could be easily accessed and queried throughout the product lifecycle.

    We're proud to be empowering teams to streamline security and compliance efforts, giving them back time to focus on what matters most—building great products. Find out more at https://witness.dev

    Welcome to the Witness Project! | In-toto Witness

    witness.dev

  • TestifySec

    🎉 Huge congratulations to our friends at Project Blue, Defense Unicorns and Beast Code on this incredible achievement! Your success in securing rapid authorization for a cloud-native mission application using the Navy’s Continuous ATO (cATO) process is nothing short of revolutionary. 🚀🐙🦄

    We're thrilled to see the Navy's approach to cybersecurity transforming with RAISE 2.0, enabling faster delivery of mission-critical applications directly into production. The shift towards continuous cyber-readiness and real-time visibility is setting a new standard across the Fleet.

    We're especially proud to see our #opensource project Witness mentioned as a key tool in implementing continuous security controls compliance monitoring and ensuring pipeline integrity through attestations. #Witness is all about enabling continuous security correlation, action tracking, and reporting within the DevSecOps pipeline—exactly what's needed to keep pace with the rapid innovations you're driving forward.

    Kudos to the teams pushing boundaries and making rapid, secure software deployment a reality. The best is yet to come! 💫 #CyberSecurity #DevSecOps #ContinuousATO #innovation Naval Sea Systems Command (NAVSEA) NAVWAR

    Project Blue

    To everyone who put in the effort, questioned our sanity, shook their heads, or said a prayer for the cybersecurity wizards pushing eMASS to its limits these past few years—we can attest, software accreditation can happen FAST and continuously, even in IL5+!!☁️ 🐰 💨

    Project Blue in partnership with Defense Unicorns and Beast Code, secured rapid authorization for a cloud native mission application using the Department of the Navy’s Continuous ATO (cATO) process - delivering an update from farm to table - from development to Naval Sea Systems Command (NAVSEA)’s cloud in production in just two days!! 🐙🦄🐉 🚀

    The magical process we followed is defined in NAVSEA’s Afloat Software Authorization Playbook (ASAP), which directly implements NAVWAR’s RAISE 2.0 process. RAISE stands for **Rapid Assess and Incorporate Software Engineering**. It’s the Navy’s DevSecOps RMF process designed to rapidly assess and authorize software for fleet deployment 💻. By leveraging RMF and applying it specifically to containerized applications, RAISE automates the Implement, Assess, and Monitor phases, streamlining the entire process, resulting in the Certificate to Ship (CtS). When these apps are developed on a pre-approved DevSecOps platform (DSOP), they inherit the DSOP's ATO, slashing deployment times and cutting through the red tape 🚢✨.

    RAISE 2.0 is revolutionizing the Department of Navy’s approach to cybersecurity, enabling faster delivery of new application versions directly to the production environment! 📦🚛🎯 Shifting away from time-intensive compliance checklists 📝 to continuous cyber-readiness with real-time visibility 🌐. By adopting a "shift left" philosophy, security checks are embedded at every stage of the software development lifecycle, catching issues early when they're quicker and easier to fix 🔒⚙️.

    This isn’t just a win—it’s a strategic shift. By focusing on approving secure, resilient architectures with inheritance of controls, instead of full accreditation for each individual application, our Navy is paving the way for faster, more efficient software deployment across the Fleet. 🐎 🛥️

    Join the coalition of revolutionaries unleashing the continuous ATO and accelerating mission outcomes! The best is yet to come 💫 #CyberReady #ShiftLeft #DevSecOps #RAISE2point0 #Containerization #Kubernetes #OwnTheTechStack #Farm2Table #InnovateDeliverRepeat #SecurityFirst

Funding

TestifySec: 1 total round

Last round: Seed, US$ 6.4M