July 25, 2024 at 12:45PM Chainguard, a software supply chain security startup, raised $140 million in a new financing round, reaching a valuation in excess of $1 billion. The company, founded by ex-Google engineers, has raised a total of $256 million since its launch in late 2021. The funding will be used to expand into … Read more
July 23, 2024 at 10:07AM The SBOM, originally created by NTIA, has transitioned from niche to mandatory for federal agencies and security teams due to the rise in supply chain attacks. However, the current fragmented implementation is hindering its effectiveness. The need for a unified, comprehensive format is crucial to enhance software supply chain security … Read more
July 22, 2024 at 02:07AM The UN Open-Source Program Officers for Good 2024 conference discussed the benefits of open source software (OSS) in delivering affordable technology to underserved nations. Emphasizing the need for security in OSS, speakers highlighted the risk of under-resourced projects and ways to secure the open source ecosystem, including software bills of … Read more
July 10, 2024 at 09:06AM The NSA patched a CSRF vulnerability in its SkillTree platform, designed to modernize software practices within the agency and shared on GitHub in 2020. The fix addressed potential manipulation by hackers, and users were urged to apply the update. This incident highlights the inherent difficulty in identifying and addressing CSRF … Read more
July 1, 2024 at 05:02PM Google will reward security researchers who can perform a guest-to-host attack using a zero-day vulnerability in the KVM open source hypervisor. The meeting notes indicate that if security researchers are able to carry out a guest-to-host attack by exploiting a zero-day vulnerability in the KVM open source hypervisor, Google is … Read more
June 30, 2024 at 10:43AM The ‘ip’ open-source project’s GitHub repository was archived by its developer, Fedor Indutny, due to dubious or bogus CVE reports being filed against it. The ‘node-ip’ GitHub repository was also made read-only, limiting interactions. Indutny disputed the severity of the CVE and raised concerns about the influx of unverified vulnerability … Read more
June 30, 2024 at 10:35AM The widely used ‘ip’ open-source project had its GitHub repository made “read-only” after developer Fedor Indutny received a dubious CVE report and experienced increased scrutiny due to a vulnerability in the ‘node-ip’ project, affecting JavaScript developers. This pattern of inflated CVE reports is causing frustration for developers and clouding the … Read more
June 28, 2024 at 05:03PM The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has released a report detailing the prevalence of memory-unsafe languages in critical open source projects, highlighting the risks of memory safety vulnerabilities. The report emphasizes the need for organizations to prioritize memory safety and consider using memory-safe languages like Rust or … Read more
June 26, 2024 at 01:59PM The Cybersecurity and Infrastructure Security Agency (CISA) has released a report exploring memory flaws in 172 key open-source projects. It reveals that over half of these projects contain memory-unsafe code, emphasizing the importance of memory-safe languages like Rust, Java, and Go. CISA recommends safe coding practices and continuous testing to … Read more
June 24, 2024 at 10:24AM Cybersecurity researchers disclosed a security flaw, CVE-2024-37032, affecting the Ollama open-source AI platform, enabling remote code execution. The issue was fixed in version 0.1.34. Exploiting the vulnerability involves manipulating HTTP requests. In default Linux installations, the risk is lowered, but Docker deployments are at high risk. Wiz identified over 1,000 … Read more