Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

July 8, 2024 at 04:37AM Four critical security flaws have been identified in the Gogs open-source Git service, allowing attackers to execute arbitrary commands, steal source code, and plant backdoors. The vulnerabilities, disclosed by SonarSource researchers, require authentication for exploitation. The project maintainers have not implemented fixes, and users are advised to take precautions while …

Google now pays $250,000 for KVM zero-day vulnerabilities

July 2, 2024 at 02:11PM Google has initiated the kvmCTF, a new VRP to enhance the security of the KVM hypervisor. Offering $250,000 for full VM escape exploits, the program targets zero-day vulnerabilities through a controlled lab environment. Researchers will use exploits to capture flags, earning rewards based on the severity of the attack. Rules …

US, Allies Warn of Memory Unsafety Risks in Open Source Software

June 27, 2024 at 10:04AM Government agencies in the US, Australia, and Canada have drawn attention to memory safety issues in open source software (OSS) code. They stress that the majority of OSS projects use code written in a memory-unsafe language, exposing organizations and users to attacks. The analysis also revealed vulnerabilities in projects written …

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

June 19, 2024 at 04:03AM Two security vulnerabilities in Mailcow, impacting versions prior to 2024-04, were disclosed by SonarSource. CVE-2024-30270 allows arbitrary code execution via path traversal, and CVE-2024-31204 enables cross-site scripting. Exploiting both could hijack admin sessions and execute arbitrary code. Mailcow users are urged to update to the latest version to mitigate these …

What is DevSecOps and Why is it Essential for Secure Software Delivery?

June 17, 2024 at 07:39AM Traditional application security practices are inadequate for modern DevOps, leading to costly vulnerabilities and compliance risks. DevSecOps integrates security into the entire software lifecycle, aiming to “shift security left” to catch vulnerabilities early. Successful implementation requires a culture of shared responsibility, collaboration, and early integration of security practices. For more, …

North Korea’s Moonstone Sleet Widens Distribution of Malicious Code

June 13, 2024 at 03:33PM A newly identified North Korean threat actor, Moonstone Sleet, is expanding its distribution of malicious npm packages to public registries, targeting the software supply chain and open source code repositories. It differentiates itself through various techniques, posing a growing risk to the open source community. Organizations are urged to implement …

Developing a Plan to Respond to Critical CVEs in Open Source Software

June 7, 2024 at 10:09AM The tech industry faced wake-up calls in 2020 and 2021 with incidents like SolarWinds, Log4j, and Kaseya’s VSA, emphasizing the critical need to refine response strategies to vulnerabilities and supply chain attacks. Both large and small organizations must prioritize comprehensive asset inventories and software bills of materials to effectively respond …

Streamlining IT Security Compliance Using the Wazuh FIM Capability

May 21, 2024 at 08:06AM File Integrity Monitoring (FIM) is crucial for IT security control, ensuring the integrity of files and system configurations. Compliance with cybersecurity standards is essential for businesses, and Wazuh offers an open source FIM capability, enabling real-time monitoring and detection of unauthorized file changes, aiding in meeting regulatory compliance and enhancing …

OpenSSF sings a Siren song to steer developers away from buggy FOSS

May 20, 2024 at 07:14PM The Open Source Security Foundation (OpenSSF) launches OpenSSF Siren, aiming to share threat intelligence and fill the gap between open-source and enterprise communities. It seeks to provide real-time security warnings and a community-driven knowledge base, and to encourage sign-ups from FOSS developers and security teams. The initiative focuses on sharing attack tactics and …

It might take a decade to address SSC security, says infosec exec

May 3, 2024 at 01:36PM Varun Badhwar, CEO at Endor Labs, predicts that software supply chain vulnerabilities will become a major cybersecurity threat, with a vast majority of enterprise code derived from untrusted sources. He emphasizes the need for proper documentation, automation, and a thorough reevaluation of open-source risks. Badhwar predicts a lengthy process in …