Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process

June 6, 2024 at 08:18AM Kiuwan, a code security firm owned by US-based Idera, took almost two years to patch critical vulnerabilities in its SAST and Local Analyzer products. Discovered by SEC Consult, the flaws included XSS, XXE injection, privilege escalation, and IDOR issues, posing significant security risks to users. Despite extensive coordination, Kiuwan’s response … Read more

Cybercriminals pose as “helpful” Stack Overflow users to push malware

May 29, 2024 at 07:25PM Cybercriminals have been using Stack Overflow to spread malware, posing as helpful contributors answering users’ questions about a PyPI package named ‘pytoileur’ which actually installs Windows information-stealing malware. This malicious package is part of the ‘Cool package’ campaign and was promoted through typo-squatting and Stack Overflow answers. Developers are urged … Read more

Wiz Raises $1 Billion at $12 Billion Valuation

May 7, 2024 at 11:00AM Cloud security company Wiz raised $1 billion at a $12 billion valuation in a funding round led by Andreessen Horowitz, Lightspeed Venture Partners, and Thrive Capital. The company’s platform offers various security capabilities, with a focus on cloud security posture management and infrastructure entitlement management. Wiz aims to continue innovating … Read more

Beware: GitHub’s Fake Popularity Scam Tricking Developers into Downloading Malware

April 10, 2024 at 09:15AM Threat actors are leveraging GitHub’s search feature to dupe users into downloading malicious code by creating fake repositories with popular names. The attackers manipulate search rankings and use fake stars to deceive users. Researchers warn of the ongoing threat to the open-source ecosystem and emphasize the need for caution when … Read more

What can be done to protect open source devs from next xz backdoor drama?

April 6, 2024 at 12:18PM A recently discovered sophisticated backdoor in the xz software library raised concerns about the security of open-source code. The backdoor could allow remote control over infected systems, highlighting the risks of widely used code. Experts debate whether large corporations should contribute to securing such code. Join the Kettle series for … Read more

Millions of Malicious Repositories Flood GitHub

March 4, 2024 at 08:31AM Cyberattackers have created over 100,000 malicious repositories on GitHub, with some estimates reaching over a million. They use automation to copy, infect, and reupload existing repositories, tricking developers into downloading malware. GitHub’s security mechanisms remove most fakes, but some still slip through. Organizations need policies to protect against these attacks. … Read more

Google Open Sources AI-Boosted Fuzzing Framework

February 6, 2024 at 08:35AM The fuzzing framework utilizes AI to enhance code coverage and accelerate vulnerability detection. Full Article

Tor Code Audit Finds 17 Vulnerabilities

January 31, 2024 at 12:36PM A recent code security audit of the Tor network by Radically Open Security revealed 17 vulnerabilities, including a high-risk CSRF bug in the Onion Bandwidth Scanner. The issues can lead to DoS attacks, security bypass, and unauthorized access. This audit followed another by Cure53 that focused on user interface changes … Read more

GitHub warns users to enable 2FA before upcoming deadline

December 26, 2023 at 04:09PM GitHub is requiring users to enable two-factor authentication (2FA) by January 19th, 2024, for contributing code on GitHub.com. This measure aims to safeguard accounts and prevent code alteration. Failure to comply will result in limited access to the site. Various 2FA methods are available, and users are encouraged to set … Read more

Code Scanner by Piiano Helps Enterprises Prevent Data Leaks Proactively

November 29, 2023 at 06:26PM Piiano, a data protection firm, launched Piiano Flows, the first privacy-centric static code analyzer, offering free scans until year-end. Post the Duolingo leak, this tool helps security teams identify potential data leaks in source code, protecting sensitive information early in the development cycle. … Read more