Merge pull request #38 from shiftleftcyber/blog-posts

Blog posts

Author: j28smith

marketing/content/blog/2026-03-09-an-interesting-and-useful-visualization-for-security-teams.md

@@ -0,0 +1,19 @@
++++
+author = "Jason Smith"
+title = "An Interesting and Useful Visualization for Security Teams"
+date = "2026-03-09"
+linkedin = "https://www.linkedin.com/posts/j28smith_an-interesting-and-useful-visualization-for-activity-7435683818319134720-Icis/"
+image = "img/thirdparty/2026-03-09-an-interesting-and-useful-visualization-for-security-teams.png"
++++
+
+Zero Day Clock: [https://zerodayclock.com/](https://zerodayclock.com/)
+
+The Zero Day Clock tracks how quickly vulnerabilities move from disclosure to active exploitation across tens of
+thousands of CVEs. The trend is concerning: the time between discovery and weaponization continues to compress.
+
+Worth a look if you work in software security, vulnerability management, or supply chain risk.
+
+Thanks [Mihai (MM) Maruseac](https://www.linkedin.com/in/mihai-maruseac/) for sharing in the
+[OpenSSF](https://openssf.org/) Slack.
+
+Happy Friday!

marketing/content/blog/2026-03-16-convergence-in-sbom-signing.md

@@ -0,0 +1,74 @@
++++
+author = "Jason Smith"
+title = "🔀 Convergence in SBOM Signing"
+date = "2026-03-16"
+linkedin = "https://www.linkedin.com/posts/j28smith_cyclonedx-spdx-sbom-activity-7436868417690746881-Ywy6/"
+image = "img/thirdparty/2026-03-16-convergence-in-sbom-signing.png"
++++
+
+"Don't roll your own crypto." It's the first rule of security engineering, and it turns out it's also the best way to
+build a global standard. 🤝
+
+The last few weeks of work on SBOM Signing Best Practices have been a masterclass in the power of open-source
+community collaboration. What started as a technical draft has evolved into real-time alignment between
+[CycloneDX](https://cyclonedx.org/) and [SPDX](https://spdx.dev/).
+
+Here are the major updates and lessons learned:
+
+## 1️⃣ From JSF to JSS (The CycloneDX Evolution)
+
+While CycloneDX currently uses [JSF (JSON Signature Format)](https://cyberphone.github.io/doc/security/jsf.html), a
+conversation with [Steve Springett](https://www.linkedin.com/in/stevespringett/) led me to the authors of the specs,
+[Anders Rundgren](https://www.linkedin.com/in/andersrundgren/) and
+[Bret Jordan, MS, CISSP](https://www.linkedin.com/in/bretjordan/).
+
+I learned JSF evolved into [JSS (JSON Signature Scheme)](https://www.itu.int/rec/T-REC-X.590/en), which was formally
+standardized by the [ITU](https://www.itu.int/) as [X.590](https://www.itu.int/rec/T-REC-X.590/en). With CycloneDX
+moving toward JSON-only in v2 later this year, it was the perfect time to suggest a move to this formal standard. Steve
+agreed, and a PoC is already in the works to make JSS the signature standard for the next generation of CycloneDX. 🚀
+
+🔗 Track the Issue Here:
+[https://github.com/CycloneDX/specification/issues/851](https://github.com/CycloneDX/specification/issues/851)
+
+## 2️⃣ Bringing Consistency to SPDX
+
+Following a presentation to the [OpenSSF](https://openssf.org/) SBOM Everywhere SIG,
+[Kate Stewart](https://www.linkedin.com/in/katestewartaustin/) invited me to share these findings with the SPDX Tech
+Call. The feedback was fantastic and has led to new initiatives within the SPDX model:
+
+SPDX is considering using JCS for underlying data consistency.
+
+🔗 Track the Issue Here:
+[https://github.com/spdx/spdx-spec/issues/1362](https://github.com/spdx/spdx-spec/issues/1362)
+
+SPDX is exploring JSS (X.590) as an option for introducing cryptographic signatures to the SPDX 3.0 model.
+
+🔗 Track the Issue Here:
+[https://github.com/spdx/spdx-3-model/issues/1065](https://github.com/spdx/spdx-3-model/issues/1065#issuecomment-3953855076)
+
+## 3️⃣ The Road to Formal Standardization (ITU)
+
+A common concern with new specs is "Who owns this"? I'm excited to share that Bret Jordan is also leading an initiative
+to formally standardize JCS within the ITU.
+
+Moving JCS to a formal ITU standard provides the regulatory-grade foundation that global enterprises and governments
+require for long-term supply chain trust.
+
+## 🤔 Why This Matters: A Unified Path
+
+The technical stars are aligning. By leveraging JSS and JCS, we are building a unified path for the industry.
+
+**🎯 Core Support:** JCS is heavily used across many industries. It was recently added as a core function in Go with
+existing libraries available in many other languages, enabling dependency-light implementations.
+
+**🔁 Interoperability:** This drives consistency between SPDX and CycloneDX, offering a standardized approach that
+works across the entire software supply chain.
+
+**🙅‍♂️ No Custom Logic:** This approach leverages existing, supported international standards rather than
+"rolling our own".
+
+A huge thank you to the open source community on the collaboration and the sanity checks on this journey.
+
+The benchmark for SBOM integrity is being built right now. Are you ready for a standardized future?
+
+\#SBOM #SupplyChainSecurity \#Cryptography \#JCS \#JSS

marketing/package.json

@@ -9,12 +9,13 @@
   },
   "author": "wamo <ainznino@pm.me>",
   "license": "MIT",
-  "scripts": {
-    "start": "concurrently npm:watch:*",
-    "watch:tw": "tailwindcss -i ./themes/tella/assets/css/main.css -o ./themes/tella/assets/css/style.css --watch",
-    "watch:hugo": "hugo server",
-    "build": "tailwindcss -i ./themes/tella/assets/css/main.css -o ./themes/tella/assets/css/style.css && hugo --minify"
-  },
+  "scripts": {
+    "start": "concurrently npm:watch:*",
+    "watch:tw": "tailwindcss -i ./themes/tella/assets/css/main.css -o ./themes/tella/assets/css/style.css --watch",
+    "watch:hugo": "hugo server",
+    "build": "tailwindcss -i ./themes/tella/assets/css/main.css -o ./themes/tella/assets/css/style.css && hugo --minify",
+    "import:linkedin": "node ./scripts/import-linkedin-post.mjs"
+  },
   "devDependencies": {
     "@cyclonedx/cyclonedx-npm": "^4.1.2",
     "@tailwindcss/typography": "^0.5.12",

marketing/scripts/README.md

@@ -0,0 +1,16 @@
+# LinkedIn Post Importer
+
+Create a Hugo blog post from a LinkedIn post without relying on LinkedIn read API access.
+
+```sh
+npm run import:linkedin -- \
+  --url "https://www.linkedin.com/posts/..." \
+  --date 2026-04-29 \
+  --title "My Post Title" \
+  --text-file ./post.txt \
+  --image ./post.png
+```
+
+Use `--text "Post body"` instead of `--text-file` for short posts. The image argument is optional; when omitted, the post uses `img/default.jpg`.
+
+The importer writes Markdown to `content/blog/YYYY-MM-DD-title-slug.md`, copies images to `static/img/thirdparty/`, and rejects duplicates unless `--overwrite` is supplied.

marketing/scripts/import-linkedin-post.mjs

@@ -0,0 +1,264 @@
+#!/usr/bin/env node
+
+import { copyFile, mkdir, readFile, stat, writeFile } from "node:fs/promises";
+import path from "node:path";
+import process from "node:process";
+
+const CONTENT_DIR = path.resolve("content/blog");
+const IMAGE_DIR = path.resolve("static/img/thirdparty");
+const AUTHOR = "Jason Smith";
+const DEFAULT_IMAGE = "img/default.jpg";
+const IMAGE_EXTENSIONS = new Set([
+  ".gif",
+  ".jpeg",
+  ".jpg",
+  ".png",
+  ".svg",
+  ".webp",
+]);
+
+function usage() {
+  return `
+Usage:
+  npm run import:linkedin -- --url <linkedin-url> --date <YYYY-MM-DD> --title <title> (--text <post> | --text-file <path>) [--image <path>] [--overwrite]
+
+Examples:
+  npm run import:linkedin -- --url "https://www.linkedin.com/posts/..." --date 2026-04-29 --title "My Post" --text-file ./post.txt --image ./post.png
+  npm run import:linkedin -- --url "https://www.linkedin.com/posts/..." --date 2026-04-29 --title "My Post" --text "Post body"
+`;
+}
+
+function parseArgs(argv) {
+  const args = {};
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+
+    if (arg === "--help" || arg === "-h") {
+      args.help = true;
+      continue;
+    }
+
+    if (arg === "--overwrite") {
+      args.overwrite = true;
+      continue;
+    }
+
+    if (!arg.startsWith("--")) {
+      throw new Error(`Unexpected positional argument: ${arg}`);
+    }
+
+    const key = arg.slice(2);
+    const value = argv[index + 1];
+
+    if (!value || value.startsWith("--")) {
+      throw new Error(`Missing value for --${key}`);
+    }
+
+    args[toCamelCase(key)] = value;
+    index += 1;
+  }
+
+  return args;
+}
+
+function toCamelCase(value) {
+  return value.replace(/-([a-z])/g, (_, letter) => letter.toUpperCase());
+}
+
+function validateArgs(args) {
+  const missing = [];
+
+  for (const key of ["url", "date", "title"]) {
+    if (!args[key]) {
+      missing.push(`--${key}`);
+    }
+  }
+
+  if (!args.text && !args.textFile) {
+    missing.push("--text or --text-file");
+  }
+
+  if (args.text && args.textFile) {
+    throw new Error("Use either --text or --text-file, not both.");
+  }
+
+  if (missing.length > 0) {
+    throw new Error(`Missing required argument(s): ${missing.join(", ")}`);
+  }
+
+  if (!/^https:\/\/(www\.)?linkedin\.com\//.test(args.url)) {
+    throw new Error("--url must be a LinkedIn URL beginning with https://www.linkedin.com/");
+  }
+
+  if (!/^\d{4}-\d{2}-\d{2}$/.test(args.date)) {
+    throw new Error("--date must use YYYY-MM-DD format.");
+  }
+
+  const parsedDate = new Date(`${args.date}T00:00:00Z`);
+  if (Number.isNaN(parsedDate.getTime()) || parsedDate.toISOString().slice(0, 10) !== args.date) {
+    throw new Error("--date is not a valid calendar date.");
+  }
+}
+
+function slugify(title) {
+  const slug = title
+    .normalize("NFKD")
+    .replace(/[\u0300-\u036f]/g, "")
+    .toLowerCase()
+    .replace(/&/g, " and ")
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    .replace(/-{2,}/g, "-");
+
+  if (!slug) {
+    throw new Error("The title did not produce a usable slug.");
+  }
+
+  return slug;
+}
+
+function escapeTomlString(value) {
+  return value
+    .replace(/\\/g, "\\\\")
+    .replace(/"/g, '\\"')
+    .replace(/\r/g, "\\r")
+    .replace(/\n/g, "\\n");
+}
+
+function normalizeText(value) {
+  const normalized = value
+    .replace(/\r\n/g, "\n")
+    .replace(/\r/g, "\n")
+    .trim();
+
+  return normalized
+    .split("\n")
+    .map((line) => linkifyBareUrls(line.trimEnd()))
+    .join("\n")
+    .replace(/\n{3,}/g, "\n\n");
+}
+
+function linkifyBareUrls(line) {
+  return line.replace(/(^|[\s(])((https?:\/\/)[^\s<>()\]]+[^\s<>().,\];:'"!?”’])/g, (match, prefix, url) => {
+    const beforeUrl = line.slice(0, line.indexOf(match) + prefix.length);
+
+    if (beforeUrl.endsWith("](") || beforeUrl.endsWith('"') || beforeUrl.endsWith("'")) {
+      return match;
+    }
+
+    return `${prefix}[${url}](${url})`;
+  });
+}
+
+async function readPostText(args) {
+  if (args.textFile) {
+    return readFile(path.resolve(args.textFile), "utf8");
+  }
+
+  return args.text;
+}
+
+async function resolveImage(args, slug, overwrite) {
+  if (!args.image) {
+    return DEFAULT_IMAGE;
+  }
+
+  const sourcePath = path.resolve(args.image);
+  const sourceStats = await stat(sourcePath);
+
+  if (!sourceStats.isFile()) {
+    throw new Error(`Image path is not a file: ${args.image}`);
+  }
+
+  const extension = path.extname(sourcePath).toLowerCase();
+  if (!IMAGE_EXTENSIONS.has(extension)) {
+    throw new Error(`Unsupported image extension "${extension}". Supported: ${[...IMAGE_EXTENSIONS].join(", ")}`);
+  }
+
+  await mkdir(IMAGE_DIR, { recursive: true });
+
+  const imageFileName = `${slug}${extension}`;
+  const destinationPath = path.join(IMAGE_DIR, imageFileName);
+
+  if (!overwrite && await exists(destinationPath)) {
+    throw new Error(`Image already exists: ${path.relative(process.cwd(), destinationPath)}. Use --overwrite to replace it.`);
+  }
+
+  await copyFile(sourcePath, destinationPath);
+
+  return `img/thirdparty/${imageFileName}`;
+}
+
+async function exists(filePath) {
+  try {
+    await stat(filePath);
+    return true;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return false;
+    }
+
+    throw error;
+  }
+}
+
+function buildMarkdown({ title, date, url, image, body }) {
+  return `+++
+author = "${AUTHOR}"
+title = "${escapeTomlString(title)}"
+date = "${date}"
+linkedin = "${escapeTomlString(url)}"
+image = "${escapeTomlString(image)}"
++++
+
+${body}
+`;
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+
+  if (args.help) {
+    process.stdout.write(usage());
+    return;
+  }
+
+  validateArgs(args);
+
+  const slug = `${args.date}-${slugify(args.title)}`;
+  const postPath = path.join(CONTENT_DIR, `${slug}.md`);
+
+  if (!args.overwrite && await exists(postPath)) {
+    throw new Error(`Post already exists: ${path.relative(process.cwd(), postPath)}. Use --overwrite to replace it.`);
+  }
+
+  await mkdir(CONTENT_DIR, { recursive: true });
+
+  const rawText = await readPostText(args);
+  const body = normalizeText(rawText);
+
+  if (!body) {
+    throw new Error("Post body is empty after normalization.");
+  }
+
+  const image = await resolveImage(args, slug, Boolean(args.overwrite));
+  const markdown = buildMarkdown({
+    title: args.title,
+    date: args.date,
+    url: args.url,
+    image,
+    body,
+  });
+
+  await writeFile(postPath, markdown, "utf8");
+
+  process.stdout.write(`Created ${path.relative(process.cwd(), postPath)}\n`);
+  process.stdout.write(`Image: ${image}\n`);
+}
+
+main().catch((error) => {
+  process.stderr.write(`Error: ${error.message}\n`);
+  process.stderr.write(usage());
+  process.exitCode = 1;
+});