Spies Among Us: Insider Threats in Open Source Environments

May 7, 2024, 10:51 AM
A critical vulnerability in XZ Utils raised comparisons to the SolarWinds hack and highlighted the power of the open source community in averting a disaster. However, it also raised questions about security and trust within the ecosystem. The incident suggests the need for stricter security measures and consideration of internal …

Uncle Sam’s had it up to here with ‘unforgivable’ SQL injection flaws

March 26, 2024, 12:52 PM
The FBI and CISA issued a warning to software vendors about the prevalence of SQL injection vulnerabilities. They emphasized the need for formal code reviews and secure-by-design programming practices to eradicate these vulnerabilities from the development process. They also urged vendors to use parameterized queries and be transparent in disclosing …

No Security Scrutiny for Half of Major Code Changes: AppSec Survey

February 15, 2024, 09:51 AM
A recent AppSec survey found that costly code reviews, limited security scrutiny, and manual cataloging of applications and APIs are common issues. Only 54% of major code changes undergo full security reviews, and organizations face challenges with the time and cost of the review process. The survey also highlights the …

After Critical Bug Disclosures, TETRA Emergency Comms Code Goes Public

November 15, 2023, 11:11 AM
The encryption algorithms used to secure emergency radio communications will be released to the public domain, after vulnerabilities were found in TETRA. The decision to go public is a complete turn from ETSI, which initially denied the vulnerabilities. The algorithms will be open to academic research for independent reviews. No date …

CI/CD Pipeline: How to Overcome Set-Up Challenges

October 19, 2023, 01:03 PM
Setting up a CI/CD pipeline comes with several challenges, but there are strategies to overcome them. These include implementing strong authentication practices, ensuring robust networking, conducting code reviews, selecting the right branching strategy, managing secrets securely, practicing effective change management, validating the pipeline through automation and monitoring, and effectively communicating …

Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

October 13, 2023, 06:18 AM
Dozens of vulnerabilities in the Squid caching and forwarding web proxy, discovered in 2021 by researcher Joshua Rogers, remain unpatched. Only a few flaws have been addressed, while 35 vulnerabilities still exist. The Squid Team lacks the resources to address the issues, and the researcher suggests reassessing the use of Squid …