Software Supply Chain Security Startup Kusari Raises $8 Million

January 18, 2024 at 10:00AM Kusari, a software supply chain security startup, has secured $8 million in pre-seed and seed funding led by J2 Ventures and Glasswing Ventures, with support from Unusual Ventures. Founded by members of OpenSSF and CNCF, Kusari aims to provide transparency in the software supply chain with its GUAC tool, reducing …

Zoom Unveils Open Source Vulnerability Impact Scoring System

December 15, 2023 at 08:36AM Zoom unveiled an open source Vulnerability Impact Scoring System (VISS) to help organizations assess and prioritize vulnerabilities based on actual exploitation. The system, designed to complement the Common Vulnerability Scoring System, led to increased reports of critical vulnerabilities during testing and analyzes vulnerabilities based on 13 impact aspects. It remains …

Two years on, 1 in 4 apps still vulnerable to Log4Shell

December 11, 2023 at 10:06AM Two years after the Log4Shell vulnerability disclosure, around 1 in 4 applications still rely on outdated Log4j libraries, making them susceptible to exploitation. While some developers promptly updated the libraries, a significant proportion remain vulnerable. Urgent action was effective, but there’s still a need for more rigorous open source security …

VictoriaMetrics takes organic growth over investor pressure

December 11, 2023 at 05:20AM VictoriaMetrics, an unusual monitoring company, has yet to accept external investment and is committed to growing organically. Co-founder Roman Khavronenko emphasizes the negative impact of investor pressure on startups. The company prioritizes open source offerings, embracing the Apache 2 license and providing enterprise tools under a free trial. Khavronenko also …

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

November 28, 2023 at 05:08PM Researchers have discovered three unpatched vulnerabilities in Ray, an open source framework used for scaling AI and machine learning workloads. These vulnerabilities could allow attackers to gain operating system access, execute remote code, and escalate privileges. Anyscale, the company that sells a managed version of Ray, has not yet addressed …

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

November 3, 2023 at 09:42AM 48 malicious npm packages containing obfuscated JavaScript have been discovered in the npm repository. These packages, uploaded by an npm user named hktalent, can deploy a reverse shell on compromised systems. The attack is triggered post-installation, establishing a reverse shell to rsh.51pwn[.]com. This highlights the increasing interest of threat actors …

Decentralized Matrix messaging network says it has 115M users

October 24, 2023 at 12:47PM The Matrix open standard and communication protocol has released its second major version, which brings group VoIP with end-to-end encryption, faster loading times, and more. The protocol has experienced significant growth, with over 115 million unique matrix IDs on the public network. Matrix 2.0 also introduces features like Sliding Sync …

Open-Source Security Agents Promise Greater Simplicity, Flexibility

October 19, 2023 at 08:13AM Some security startups are building ecosystems around the open-source security agent osquery to reduce reliance on proprietary software and customize IT monitoring and security. Companies like Fleet, Wazuh, Kolide, Zentral, and Uptycs use or integrate with osquery to provide universal endpoint monitoring. The recent update by Fleet allows the agents …

Can open source be saved from the EU’s Cyber Resilience Act?

October 13, 2023 at 10:49AM The European Union’s Cyber Resilience Act (CRA) is causing concern among the open source community. The Act, aimed at addressing cybersecurity issues, imposes strict regulations on software publishers, potentially hindering open source development. The open source community is advocating for more flexibility in the regulations and better understanding of how …

Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

October 13, 2023 at 06:18AM Dozens of vulnerabilities in the Squid caching and forwarding web proxy, discovered in 2021 by researcher Joshua Rogers, remain unpatched. Only a few flaws have been addressed, while 35 vulnerabilities still exist. The Squid Team lacks resources to address the issues, and the researcher suggests reassessing the use of Squid …