Blog

From the Kusari team.

Research, product launches, and field notes on software supply-chain security from the Kusari team.

Kusari Platform now tells you which vulnerabilities can actually be exploited — and writes the VEX

Most CVEs can't actually be reached by your code. Kusari's new AI Analysis Agent reads your codebase and traces each vulnerability so you can fix what matters and prove what doesn't.

kusari-cli gives you Kusari’s power wherever you go

The kusari-cli 1.0 release means you can connect to Kusari Inspector and Kusari Platform no matter what platform you use.

From Provenance to Enforcement: SLSA, in-toto, and Kubernetes Admission Control

If provenance is not evaluated, it is merely metadata. Enforcement is what transforms integrity into control.

Identity, Signing, and Transparency: The Foundation of Verifiable Builds

Signing artifacts is not new. Making that signing keyless, auditable, and transparently verifiable is.

Software Is a Supply Chain — Start Treating It Like One

Modern software delivery now resembles global manufacturing. If we demand traceability for physical components, we must demand the same for code.

Facts and Mythos: understanding the future of AI security analysis

Mythos undoubtedly represents an advancement in the capability of frontier models. It’s also not the apocalypse.

Why 72% of Organizations Can't See Their Real Attack Surface: Solving the Transitive Dependency Visibility Gap

Most security leaders think they have a handle on their attack surface, using SCA, SBOMs, tracking libraries. But there's a problem with that confidence.

How Kusari Protects Against Recent Supply Chain Attacks

Recent attacks against projects like Trivy, LiteLLM, and Axios show the need for automated supply chain checks.

Vibe Coding & Vulnerabilities: A Security Team's Guide to AI-Generated Code Risks

Kusari Partners with OpenSSF to Strengthen Open Source Software Supply Chain Security

Open source software powers the modern world; securing it remains a shared responsibility.

Kusari and CNCF: Advancing Software Supply Chain Security for Cloud Native Projects

AI Coding Assistants in 2026: 4× Faster, 10× Riskier and The Hidden Security Cost

AI coding assistants (LLMs) dramatically increase developer velocity, but introduce critical new AppSec risks. AI-generated code is consistently less secure.

The 95% Problem: Why Transitive Dependencies Are Your Biggest Software Supply Chain Blind Spot in 2026

Your security team just finished a vulnerability scan. The dashboard looks clean, but there's a catch: that scan only covered about 5% of your actual risk surface.

Why the EU Cyber Resilience Act Will Catch US Software Companies Off Guard

Most US software regulations are built around intent. The EU Cyber Resilience Act (CRA) is built around outcomes. That difference is why 2026 will feel like a shock for many US companies selling softw

The Hidden Cost of Reactive AppSec

Security leaders often talk about risk reduction. Developers talk about velocity. The tension between the two has defined AppSec for over a decade.

Compliance Is Getting Real

Why software integrity is becoming the defining security challenge of the next decade

2026 Predictions: Open Source Accountability, AI Security, and Standardization Will Define the Next Era of Software

For years, software security has lived in the realm of best practices. In 2026, software security stops being theoretical and moves firmly into the realm of requirements.

Integrating GitLab and Kusari

Use Kusari’s tools directly in GitLab workflows to improve your supply chain security.

Breaking the "Department of No" - Ship Fast, but also Secure

Security shouldn’t slow you down. Kusari and Cloudsmith enable faster, safer releases by turning noisy CVE scans into actionable insight and enforcing policy from build to deploy. Go fast and secure.

The Top 10 To-Dos for CRA Compliance Right Now

A strategic guide for CISOs and software security leaders

It Takes More Than AI to Deliver Code Faster

Large language models write code quickly, but to get value to your customers, you need better security processes.

Updating Legacy Medical Applications for Modern Security Requirements

You can prepare yourself for future updates by bringing your post-market applications into a modern security paradigm.

Best SBOM Tools 2025: How to Choose the Right SBOM Generation Tool

Compare the best SBOM tools for 2025. Expert analysis of cdxgen, Syft, npm-sbom & more. Choose the right SBOM generator for your needs.

Securing Yesterday’s Medical Devices against Cyber Threats: Addressing Legacy MedTech

Medical devices often far outlast their support period. How can these reliable devices avoid becoming a security liability?

Understanding the Proposed CISA 2025 SBOM Minimum Elements

CISA has proposed updates to the SBOM Minimum Elements. What does this mean for business leaders and engineers?

Securing Medical Devices: Cyber Threats, SBOMs, and FDA Premarket Readiness

How Medical Devices Can Comply with Section 524B to Meet FDA Cybersecurity Requirements

Using Kusari to Manage your Open Source Dependencies

Companies need to pay attention to the security of their open source dependencies. Kusari Platform can help.

Celebrating OpenSSF’s Anniversary

Kusari celebrates the past, present, and future of the Open Source Security Foundation.

What Security Leaders Need to Know about America’s AI Action Plan

Here’s what the new report from the White House means for software supply chain leaders, and how you can get ahead.

Addressing the Challenges of Cloud-Native Application Security

Kusari’s software supply chain expertise gives you the ability to overcome the challenges in securing your cloud-native applications.

Supply Chain Security for GitOps

Software supply chain security doesn’t stop at the application layer. Kusari Inspector can help secure your infrastructure-as-code, too.

Using Pull Requests on a Single-Developer Project

The pull request workflow might seem unnecessary for projects with one developer, but it offers security, testing, and feedback benefits.

GitHub Code Review Best Practices for Security-Critical Projects

Explore essential GitHub code security review strategies, specifically designed for projects where security cannot be compromised.

Going Beyond Vibes with Kusari Inspector

Your security reviews need to be based on facts, not vibes.

Stop Merging Risky Code: Secure Pull Requests with Automated Security Checks

Implementing secure pull requests has become essential to prevent security vulnerabilities from making their way into the codebase.

Top 5 Pull Request Security Risks Every Maintainer Should Know

For maintainers responsible for project integrity, understanding these risks isn't optional. It's essential for protecting your software supply chain.

Kusari Inspector: Security Insights Where You Need Them

Kusari Inspector is now generally available to provide immediate supply chain security insights in pull requests.

AI and the Secure Software Factory

Artificial intelligence can help secure the software supply chain, but it also brings additional considerations.

Securing the Maintenance Phase

Securing the software supply chain doesn't end when a release ships. Maintaining released software is an important part of security.

Choosing an SBOM Generation Tool

There are so many tools to build SBOMs for your application. How do you know which one to pick?

Code is More Important than Identity for Security

Asking open source contributors to prove their legal identity doesn’t make software more secure.

Open Source Accelerates Secure Software

The US DoD’s Software Fast-Track Initiative looks to improve software procurement and security. Open source software must be a key part of this.

OpenSSF Tech Talk Recap: Using the OSPS Baseline to Navigate Standards and Regulations

Open source projects are in the spotlight as regulated industries, governments, and those that sell to them ramp up cybersecurity expectations. Enter the Open Source Project Security (OSPS) Baseline!

Endpoint Security is Supply Chain Security

Endpoint security is a key part of many IT security efforts, but it’s not always thought about in the specific context of software supply chain security.

Identifying Threats in the Implementation Phase

Many threats present themselves while implementing software. Here's how to find and address them.

The Future of CVEs

Recent funding concerns have highlighted the need for a more resilient system of vulnerability identification.

VulnCon 2025 Recap

Kusari CTO Mike Lieberman shares his thoughts after attending the second-annual VulnCon conference.

The Hidden Risk in Your Software: Managing Transitive Dependencies

Beyond knowing why transitive dependencies are important, you have to know how to manage them.

Codifying the SDLC with in-toto

in-toto helps ensure product integrity by making transparent what steps were performed, by whom, and in what order.

The Hidden Risk in Your Software: Understanding Transitive Dependencies

Transitive dependencies are the invisible majority of your applications. Failure to properly understand them increases your risk.

Providing Secure Updates with TUF

A secure and resilient method for distributing software updates is a key part of keeping your supply chain trustworthy.

Securing the Software Supply Chain book now available!

This new book from Michael Lieberman and Brandon Lum guides you from the basics of supply chain security through to being a security expert.

GUAC Now Supports Runtime Kubernetes SBOMs using Kubescape

GUAC v0.14.0 includes a Kubescape collector that can be run inside your Kubernetes cluster to watch for new scan results from Kubescape and ingest those results into GUAC

Securing Your AI Models

The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

The Last Step on the Security Journey: Kusari Platform

When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.

Another Step on the Security Journey: A Constellation of SBOMs

Comparing two SBOMs is useful, but as your portfolio grows, you need to take a holistic approach.

The Next Step in the Security Journey: Comparing SBOMs

Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?

Starting the Security Journey: Producing an SBOM

A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.

Unpacking Kusari Platform Views

Kusari Platform gives you the information you need to secure your software supply chain.

Raising the Bar for Open Source Security: Introducing the OSPS Baseline

Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.

Addressing Third-Party Risk in Open Source Software

Once you've discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?

Analyzing Third-Party Risk in Open Source Software

Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?

Building a Foundation of Trust for a Stronger Software Supply Chain

Creating a secure foundation of trust enables organizations to safely delegate specific actions in the software development life cycle.

Unpacking the Kusari “Effort to Fix” Capability

Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.

Unpacking the Kusari Score

Cut through the noise to prioritize which vulnerability gets fixed next

Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices

Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.

Stick a Pin in It: Managing Dependencies for Supply Chain Security

Managing software dependencies is an important part of software supply chain security. Here are three approaches you can take to pin your dependencies to known-good versions.

Software Supply Chain Security Predictions for 2025

This year, we focus on the evolving role of AI, pressing software security concerns, and emerging regulations.

AI Alone Won’t Fix Your Supply Chain

Properly integrating AI into your processes can help identify risks and offer proactive insights, but the final decisions must always remain in human hands.

Software Supply Chain Security Predictions: Hits & Misses from 2024

As 2025 approaches, it’s time to revisit our 2024 software supply chain security predictions to see how they held up.

Solving the “Bottom Turtle” Problem in Supply Chain Security

Software supply chain security is like a stack of turtles—each layer depends on the integrity of the one below it. Continuous vigilance is key to maintaining security all the way down.

Threat Modeling in the Software Development Life Cycle

What are you defending against? From upstream dependencies to code repositories, threat modeling ensures you're prepared to mitigate risks, reduce vulnerabilities, and avoid costly compromises.

Rust Won’t Fix Everything: Moving Toward a Memory-Safe Future

Rust is promising for addressing memory safety issues. Improving existing C/C++ toolchains will take time, but these steps help set a realistic path forward.

The Best Way to Secure Your Open Source Supply Chain is to Participate

Open source software powers 96% of modern applications, but it comes with challenges. Companies can secure their supply chains by actively participating in the open source projects they rely on.

Is the Internet on Fire? The State of Open Source Security

Amid the flurry of innovation and collaboration at last week's KubeCon North America, a critical theme emerged: the precarious state of open source security.

The Path to Zero CVEs: Vanquishing Cyber Threats

Addressing Common Vulnerabilities and Exposures (CVEs) is no longer optional—aiming to eliminate them is a critical priority for securing modern systems.

Is Your Supply Chain Haunted by CVEs?

Secure development starts with developers: bring forth the code masters

Introducing the Kusari Platform—know your software

Navigating modern software development is a complex challenge. Kusari’s aim is to make it easier.

You Can’t Fix Issues if You Can’t Find Them

Organizations often struggle to identify vulnerabilities and risks hidden within the layers of dependencies. Address it by using a holistic approach to software security.

Understanding Prevalence is the First Step

The White House commits $11 million to enhance our collective understanding of the challenges surrounding open source software.

GUAC Boosts License Transparency

v0.8.0 features new integration with ClearlyDefined

Hack-Proof Artificial Intelligence Supply Chains Using Open Source Security

Practical ways to protect against AI software attacks

Why Software Cannot Be Secured by SBOMs Alone

Actionable insights come from SBOMs plus additional information

Announcing GUAC v0.8.0 Enhancements

GUAC v0.8.0 brings support for license information, running vuln scans upon SBOM ingestion, node deletion, and many other improvements.

Achieving Wisdom with GUAC Visualizer

It's not enough to just have the data, you need to be able to see it.

Meeting Federal Software Supply Chain Mandates

Only two months left until the Secure Software Development Attestation Form deadline

To Fork or Not to Fork

How you handle your dependencies will change how you secure your software supply chain

Kusari Signs the Secure by Design Pledge

The Secure By Design Pledge is a great starting point, but it can’t be the end.

Counting CVEs Was Never Enough

CVE IDs don't tell you much, but somehow we started using them as a proxy for security

Another Turn of the Page: GUAC v0.7.0 Released

Improving performance with pagination and more

Graph for Understanding Artifact Composition (GUAC) adds persistent storage in v0.6.0 release

Open source supply chain observability tool standardizes on PostgreSQL

Proactive Security in the Post-Log4j Era

Gone are the days when signing containers and running vulnerability scans through CI processes provided a sense of security.

XZ Backdoor: Software Security Lessons

The recent incident involving the XZ backdoor brings to light the critical importance of vigilance and proactive security measures, while not losing sight of the human element.

Unveiling GUAC as an OpenSSF Incubating Project for Software Dependency Management

Today, we find ourselves in a moment akin to proud parents, as we witness a significant milestone in the journey of Graph for Understanding Artifact Composition (GUAC).

Graph for Understanding Artifact Composition (GUAC) Joins OpenSSF as Incubating Project

The GUAC maintainers are pleased to announce the project has joined the Open Source Security Foundation (OpenSSF) as an Incubating Project.

From Open Source Community to Joining a Start-up – while in High School

Nathan Naveen, a 17-year-old high schooler, shares his journey to becoming an intern at Kusari

Kusari Soaks up Community at FOSDEM and Beyond

Kusari speaking at FOSDEM and other EU community venues

Our $8M Funding Round Fuels our Mission to Make the Software Supply Chain Transparent and Secure

Kusari raises seed funding

Contributor to Leader: Securing Open Source Software at OpenSSF

Kusari elected to OpenSSF leadership roles

What the NSA Missed in its SBOM Management Recommendations

The missing first step that most organizations are still struggling with

Spooky Enhancements: Unveiling GUAC's OpenVEX Feature

GUAC's OpenVEX Integration

Terror of cURL - Preparation is Half the Battle

CVE-2023-38545 - HIGH Severity Vulnerability

Announcing the Kusari YouTube Channel and GUACademy

Kusari has just launched a YouTube channel!

Case Study: A discussion with Guidewire on GUAC

A look into Guidewire's software supply chain security use case and why they are using GUAC

Announcing Helm Chart for GUAC

Helm Chart for GUAC

daBOM Podcast with Tim & DJ

Tim appeared as a guest on the daBOM podcast.

Quest to determine the 'G' in GUAC

Working towards determining a persistent database for GUAC

GUAC v0.1 Beta Release

Kusari is excited to announce the v0.1 beta release of GUAC — Graph for Understanding Artifact Composition.

Kusari Open-Sources Spector

We’re excited to announce the open-sourcing of Spector.

Figure Out Who's Lurking in Your Supply Chain With Signatures and Attestations

A Story of Software and Cats

Applying Zero Trust to the Software Supply Chain

Understanding Zero Trust and Its Benefits

Kusari's Software Supply Chain Security Overview

What is Software Supply Chain security, and why should I care?

The Next Heartbleed?

Heartbleed (CVE-2014-0160) in 2014 left the industry in a scramble...

Kusari presenting at KubeCon and Cloud Native SecurityCon NA 2022

KubeCon + CloudNativeCon is right around the corner and we are excited to be attending in person!

A High Fidelity View of Software Supply Chain

Understanding and maintaining your software supply chain can be a task that needs 24/7 vigilance.

Government Memo for Enhancing the Security of the Software Supply Chain

Executive Order (EO) 14028, Improving the Nation’s Cybersecurity was released last year in May.

Not Just Third Party Risk

There’s a misconception in Cybersecurity among some that Software Supply Chain Security is just Third Party Risk Mana...

SPIFFE/SPIRE CSI Driver

Overview of the SPIFFE/SPIRE CSI Driver

Open Source Summit 2022

Takeaways & Learnings