Manifest

Computer and Network Security

Trust the software and AI you build and buy.

About us

Manifest is a leader in AI and software supply chain security, empowering federal agencies, regulators, and Fortune 500 leaders across healthcare, automotive, and defense. Our platform uncovers hidden software supply chain risks, enabling customers to confidently detect and manage threats at scale. From national security to public health, we enable trusted operations where the stakes are highest.

Website: http://www.manifestcyber.com
Industry: Computer and Network Security
Company size: 11-50 employees
Headquarters: Remote
Type: Privately Held
Founded: 2022

Updates

  • We're proud to sponsor the OWASP AIBOM project!

    OWASP AIBOM

    We are thrilled to welcome Manifest as an official sponsor of the OWASP AIBOM project! As the industry moves toward more transparent AI systems, the collaboration between open-source communities and industry leaders is more critical than ever. Manifest joins us as a pioneer in the AI Bill of Materials space, bringing invaluable real-world experience to our mission.

    At OWASP, we know that transparency is the foundation of trust. Manifest’s approach aligns perfectly with our goals by focusing on:

    • Operationalizing AIBOMs: Moving beyond static documents to create living, actionable artifacts.
    • Full-Stack Visibility: Extending security to cover datasets, models, and AI-specific risks that traditional SBOMs can't reach.
    • Continuous Integration: Helping organizations across defense, healthcare, and automotive industries manage AI assets including “Shadow AI” at scale.

    Thank you to the Manifest team for supporting practical, open collaboration and helping us shape the future of AI governance. Together, we’re making AI transparency implementable, scalable, and impactful.

    “The future of AI governance depends on globally aligned frameworks that are grounded in operational reality. The OWASP AIBOM community is doing the critical work of shaping policy and guidance for AI transparency. At Manifest, we bring real-world insight from helping large enterprises and government agencies operationalize AIBOMs in production environments. We’re proud to sponsor this community and contribute practical experience that helps ensure emerging standards are implementable, scalable, and impactful.” — Daniel Bardenstein, CEO & Co-founder, Manifest

    Aruneesh Salhotra Jatinder Singh Yuvaraj Govindarajulu Anmol Kumar Bakul Singhal Candy Alexander, CISSP CISM Lovely-Frances D. Dharmesh Vaya Akshaya Jayaram Denzil Tarakan Derek Leist Venkata Pydipalli Abhinavdutt Singh Nikhil Verma Karen B. Alexa Rzasa Daniel Bardenstein

    #OWASP #AIBOM #AISecurity #SupplyChainSecurity #OpenSource #CyberSecurity #AI

  • We’re excited to welcome Greg Armor to Manifest as our new Chief Revenue Officer. Greg brings more than 25 years of go-to-market leadership across cybersecurity and enterprise software. He will lead our global sales, revenue operations, and partnership strategy as we scale to meet growing demand across commercial and public sector markets. Organizations today need to trust the software and AI they build and buy. Manifest is helping product security, AI risk, and third-party risk teams gain visibility and control across the software supply chain, from source code to deployment. Greg’s deep experience building and scaling high-performance revenue organizations will help accelerate that mission. As adoption continues to grow across industries including defense, healthcare, financial services, and automotive, we’re investing in leadership that can match the opportunity ahead. Welcome to the team, Greg. Read the full announcement: https://lnkd.in/gzC3YgCh

  • As AI agents get access to tools like files, terminals, and APIs, they start to look less like chatbots and more like operational software. In this post, we share a pragmatic way to think about agent security: treat them like privileged operators and apply familiar controls like least privilege, isolation, and auditability.

    What we cover:
    - where agent risk differs (tool use + untrusted inputs)
    - the kinds of issues showing up in the ecosystem
    - practical guardrails for local agents (isolation + scoped permissions)
    - what to add for enterprise use (policy, logging, provenance)

    Read here: https://lnkd.in/gEh9wKmN #AIsecurity #AppSec #AgenticAI #DevSecOps

  • Open-weight AI is moving faster than enterprise governance. Open models and datasets are accelerating innovation across critical industries, from automotive to defense to healthcare. They also introduce risks that most organizations are not structurally prepared to evaluate, let alone manage. Licensing ambiguity. Opaque provenance. Embedded software vulnerabilities. Geopolitical and regulatory exposure. This whitepaper lays out a practical policy framework for safely adopting open-weight AI models and datasets in mission-critical environments. Not theory. Not hype. Actual policies already being used by teams that operate under real regulatory pressure. The goal is simple: Make AI adoption defensible, auditable, and resilient. If your organization is experimenting with open-weight AI without a clear policy foundation, read our whitepaper today. https://hubs.la/Q042VZ0m0

  • AI is making it easier to build software in-house. That doesn’t mean SaaS is headed for extinction. In IT Brew, Daniel Bardenstein pushes back on the latest “SaaS is dead” narrative, calling it another round of overhyped doomsday predictions, more self-driving car hype than industry reset. Yes, AI expands what teams can build themselves. But mature software platforms weren’t built overnight, and they won’t be replaced overnight either. Trust, domain expertise, and operational rigor still matter. AI doesn’t eliminate the build-vs-buy decision. It just makes the tradeoffs more interesting. https://lnkd.in/gz-EStfj

  • Cars aren’t mechanical machines with a little software sprinkled on top anymore. They’re software platforms that happen to go 70 mph. That flips the security equation. Modern vehicles run on open-source, third-party code, and a web of dependencies most teams can’t fully map. But many automotive security assumptions were made back when “software-defined” wasn’t the default. When those assumptions fail, the consequences are not abstract. They impact safety in the real world. This piece explains why securing vehicles is no longer optional and why knowing what’s inside your software stack is becoming as critical as any physical safety feature. Read the perspective: https://hubs.ly/Q041rN0D0 Because you can’t protect what you can’t see.

  • Are your employees downloading Moltbot (Clawdbot) to automate things at work? It’s gone viral fast, but that popularity can turn into a software supply chain problem overnight. We analyzed the public moltbot/moltbot GitHub repo in Manifest, and the inherited risk is hard to ignore:

    - Overall risk rating: High
    - 18 total vulnerabilities, including Critical and High severity CVEs
    - 7 “forbidden” license categories flagged (GPL/LGPL variants + MPL-2.0)

    This is in addition to the thousands of internet-facing Moltbot interfaces observed in public reporting. The bigger point: when a tool can read messages, store context, call APIs, and execute workflows, any weakness in its dependency graph or configuration can create an outsized blast radius.

    Full breakdown: https://lnkd.in/eiPKE-qR #SoftwareSupplyChainSecurity #AppSec #SBOM #OpenSourceSecurity #AISecurity

  • Paperwork won’t fix supply-chain risk. Operational evidence will. In this SC Media perspective, Daniel Bardenstein explains why “secure software” self-attestations became compliance theater. The good news is OMB is moving in the right direction with M-26-05, pushing toward risk-based, outcomes-driven security. Bottom line: SBOMs (and where relevant HBOMs) are not a silver bullet, but they make exposure and patch priority actionable when the next vulnerability hits. Read the perspective: https://lnkd.in/eUyAmvjf #SoftwareSupplyChainSecurity #SBOM #AppSec #SecureByDesign

Funding

Manifest: 2 total rounds
Last round: Series A, US$ 15.0M