The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

July 16, 2024 at 06:05PM. Linux Foundation Research and the Open Source Security Foundation (OpenSSF) have released the “Secure Software Development Education 2024 Survey”, which stresses the urgent need for formalized industry education and training programs. The results point to a lack of security awareness among software developers; in response, OpenSSF has launched a new course on security architecture. For …

Malicious npm Packages Found Using Image Files to Hide Backdoor Code

July 16, 2024 at 06:19AM. Security researchers have discovered two malicious packages on the npm registry carrying backdoor code that executes commands received from a remote server. The packages posed as legitimate libraries and had been downloaded 190 and 48 times respectively before they were taken down. Their command-and-control functionality was disguised and concealed in image …

Well-Established Cybercriminal Ecosystem Blooming in Iraq

July 15, 2024 at 01:48PM. Checkmarx researchers have uncovered a well-established criminal network based in Iraq, centered on a Telegram bot with over 90,000 messages, mainly in Arabic. The bot sits at the heart of a larger cybercriminal ecosystem that offers a range of illicit services. The researchers also found malicious Python packages on PyPI that facilitate data theft, …

Critical Unpatched Flaws Disclosed in Popular Gogs Open-Source Git Service

July 8, 2024 at 04:37AM. Four critical security flaws have been identified in the Gogs open-source Git service that allow an attacker to execute arbitrary commands, steal source code, and plant backdoors. The vulnerabilities, disclosed by SonarSource researchers, require an authenticated account to exploit. The project maintainers have not yet shipped fixes, so users are advised to take precautions while …

Google now pays $250,000 for KVM zero-day vulnerabilities

July 2, 2024 at 02:11PM. Google has launched kvmCTF, a new vulnerability reward program (VRP) aimed at improving the security of the KVM hypervisor. The program pays $250,000 for a full VM escape exploit and targets zero-day vulnerabilities in a controlled lab environment: researchers use their exploits to capture flags, with rewards scaled to the severity of the attack. Rules …

US, Allies Warn of Memory Unsafety Risks in Open Source Software

June 27, 2024 at 10:04AM. Government agencies in the US, Australia, and Canada have drawn attention to memory safety issues in open source software (OSS). They stress that the majority of the OSS projects analyzed contain code written in a memory-unsafe language, exposing organizations and users to attack. The analysis also found vulnerabilities in projects written …

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

June 19, 2024 at 04:03AM. SonarSource has disclosed two security vulnerabilities in Mailcow affecting versions prior to 2024-04. CVE-2024-30270 is a path traversal that leads to arbitrary code execution, and CVE-2024-31204 is a cross-site scripting flaw. Chained together, the two could let an attacker hijack an administrator's session and execute arbitrary code. Mailcow users are urged to update to the latest version to mitigate these …

What is DevSecOps and Why is it Essential for Secure Software Delivery?

June 17, 2024 at 07:39AM. Traditional application security practices cannot keep pace with modern DevOps delivery, leading to costly vulnerabilities and compliance risk. DevSecOps integrates security across the entire software lifecycle, “shifting security left” so that vulnerabilities are caught early, when they are cheapest to fix. Successful adoption requires a culture of shared responsibility, collaboration between development, security and operations teams, and integration of security practices from the start. For more, …

North Korea’s Moonstone Sleet Widens Distribution of Malicious Code

June 13, 2024 at 03:33PM. Moonstone Sleet, a newly identified North Korean threat actor, is widening the distribution of its malicious npm packages to public registries, targeting the software supply chain and open source code repositories. It distinguishes itself through a range of techniques and poses a growing risk to the open source community. Organizations are urged to implement …

Developing a Plan to Respond to Critical CVEs in Open Source Software

June 7, 2024 at 10:09AM. The SolarWinds, Log4j and Kaseya VSA incidents of 2020 and 2021 were wake-up calls for the tech industry, underscoring the need to refine how organizations respond to critical vulnerabilities and supply chain attacks. Organizations large and small must prioritize comprehensive asset inventories and software bills of materials (SBOMs), since knowing which systems contain an affected component is the first step in responding effectively …
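The closing advice above, about asset inventories and SBOMs, is the part of a critical-CVE response plan that can be made mechanical: given an SBOM per deployed service and an advisory expressed as an affected version range, the question "which of our systems are hit, and what do we upgrade to?" becomes a lookup. The following Python is an added example, not code from the article or from any project it names. It triages CycloneDX-style SBOM documents against advisories written in the OSV "introduced"/"fixed" range style. Every SBOM, service name and advisory range in it is constructed inline for illustration; the ADV-* identifiers are hypothetical, and the version ranges are not an authoritative statement of any real CVE's affected versions.

```python
"""Triage CycloneDX-style SBOMs against a list of affected version ranges.

Added example, not code from the original article. The SBOM documents and
the advisory table are constructed inline for illustration; the version
ranges are not an authoritative statement of any real CVE's affected range.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    """One affected range in the OSV 'introduced'/'fixed' style: version v is
    affected when introduced <= v < fixed (fixed=None means no fix exists yet)."""
    advisory_id: str      # hypothetical identifier, not a real CVE
    purl_prefix: str      # package URL without the @version suffix
    introduced: str
    fixed: Optional[str]


def version_key(version: str):
    """Sortable key for dotted versions such as 2.14.1 or 2.0-beta9.
    Numeric segments compare numerically, missing segments count as 0
    (2.14 == 2.14.0), and a pre-release tag sorts below the bare release."""
    nums, tag = [], ""
    for part in re.split(r"[.\-+]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            tag = part          # first non-numeric segment is the pre-release tag
            break
    nums = (nums + [0] * 4)[:4]
    return (tuple(nums), 0 if not tag else -1, tag)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def triage(sbom_documents, advisories):
    """Return one finding per (service, component, advisory) match.
    The service name comes from metadata.component, which is what ties the
    SBOM back to the asset inventory."""
    findings = []
    for doc in sbom_documents:
        sbom = json.loads(doc)
        service = sbom.get("metadata", {}).get("component", {}).get("name", "<unknown>")
        for comp in sbom.get("components", []):
            purl = comp.get("purl", "")
            name_part, _, version = purl.partition("@")
            version = version.split("?")[0].split("#")[0]      # drop purl qualifiers/subpath
            version = version or comp.get("version", "")
            for adv in advisories:
                if name_part == adv.purl_prefix and version and \
                        is_affected(version, adv.introduced, adv.fixed):
                    findings.append({
                        "service": service,
                        "component": comp.get("name"),
                        "version": version,
                        "advisory": adv.advisory_id,
                        "upgrade_to": adv.fixed,
                    })
    return findings


LOG4J_CORE = "pkg:maven/org.apache.logging.log4j/log4j-core"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind"

# Constructed advisory table: ranges chosen for illustration only.
ADVISORIES = [
    Advisory("ADV-0001", LOG4J_CORE, introduced="2.0-beta9", fixed="2.17.1"),
    Advisory("ADV-0002", JACKSON, introduced="2.0.0", fixed="2.12.0"),
]


def _sbom(service, version, components):
    """Build a minimal CycloneDX 1.5-shaped document (constructed test data)."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": service, "version": version}},
        "components": [
            {"type": "library", "name": purl.rsplit("/", 1)[1], "version": ver, "purl": f"{purl}@{ver}"}
            for purl, ver in components
        ],
    })


# Two constructed services: only billing-api still ships the affected log4j-core.
SBOMS = [
    _sbom("billing-api", "3.2.0", [(LOG4J_CORE, "2.14.1"), (JACKSON, "2.15.2")]),
    _sbom("reporting-worker", "1.8.4", [(LOG4J_CORE, "2.17.1"), (JACKSON, "2.15.2")]),
]

if __name__ == "__main__":
    for f in triage(SBOMS, ADVISORIES):
        print(f"{f['service']}: {f['component']} {f['version']} matches "
              f"{f['advisory']}, upgrade to {f['upgrade_to']}")
```

The matching is keyed on the package URL rather than the bare component name, because the same name (log4j-core, for instance) can exist in several ecosystems and a name-only match produces false positives. In practice the SBOM documents come from your build pipeline or artifact store and the advisory ranges from a feed such as OSV or the vendor advisory; the inventory step the article calls for is what makes the list of SBOMs complete in the first place.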