Under-Resourced Maintainers Pose Risk to Africa’s Open Source Push

July 22, 2024 at 02:07AM The UN Open-Source Program Officers for Good 2024 conference discussed the benefits of open source software (OSS) in delivering affordable technology to underserved nations. Emphasizing the need for security in OSS, speakers highlighted the risk of under-resourced projects and ways to secure the open source ecosystem, including software bills of …

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

July 16, 2024 at 06:05PM The Linux Foundation Research and Open Source Security Foundation released the “Secure Software Development Education 2024 Survey”, emphasizing the urgent need for formalized industry education and training programs. Survey results reveal a lack of security awareness among software developers, leading to a new course on security architecture by OpenSSF. For …

OpenSSF sings a Siren song to steer developers away from buggy FOSS

May 20, 2024 at 07:14PM The Open Source Security Foundation (OpenSSF) launches OpenSSF Siren, aiming to share threat intelligence and fill the gap between open-source and enterprise communities. It seeks to provide real-time security warnings and a community-driven knowledge base, and to encourage sign-ups from FOSS developers and security teams. The initiative focuses on sharing attack tactics and …

In Other News: OSS Backdooring Attempts, Botnet Operator Charged, Automotive Firm Attack

April 19, 2024 at 09:48AM SecurityWeek’s cybersecurity news roundup offers a curated selection of significant developments, including incidents of backdooring attempts, increased funding for cybersecurity startups, and vulnerabilities in the AI/ML supply chain. Additionally, it reports on legislative developments, cybercriminal activities targeting the automotive industry, and a Moldovan botnet operator’s indictment in the US. Based on …

Open sourcerers say suspected xz-style attacks continue to target maintainers

April 16, 2024 at 10:15AM Open source groups are cautioning about recent attacks targeting project maintainers, similar to the attempted backdoor incident in a core Linux library. The OpenJS Foundation and OpenSSF are observing suspicious emails aiming to manipulate project maintainers and have shared tactics to identify potential threats. They emphasize the need to support …

How to Ensure Open-Source Packages Are Not Landmines

March 8, 2024 at 11:49AM Open-source repositories are essential for modern applications, but can harbor security risks. A new framework from CISA and OpenSSF suggests controls like multi-factor authentication and security reporting to reduce malicious code exposure. However, the security of repositories varies, with potential for accidental inclusion of malicious packages. The risk of namesquatting …

How to Ensure Open-Source Packages Are Not Mines

March 8, 2024 at 07:23AM Open-source repositories are crucial for modern applications, but carelessness can introduce backdoors and vulnerabilities. A new security framework by CISA and OpenSSF recommends controls to enhance security. The guidelines aim to prevent incidents like namesquatting and unintentional inclusion of malicious software in repositories. This comes as IT departments are grappling …

CISA and OpenSSF Release Framework for Package Repository Security

February 12, 2024 at 06:27AM The U.S. CISA and OpenSSF are collaborating to establish the Principles for Package Repository Security, a framework aiming to enhance security in open-source software ecosystems. It outlines four security maturity levels and emphasizes the importance of continual security improvements. This development addresses growing security concerns related to open-source software in …

Organizations Respond to HTTP/2 Zero-Day Exploited for DDoS Attacks

October 11, 2023 at 08:24AM Tech companies including Cloudflare, AWS, and Google have responded to the HTTP/2 zero-day vulnerability that led to massive distributed denial-of-service attacks. The attacks exploited the HTTP/2 Rapid Reset feature, resulting in servers being taken down. Organizations like CISA, Microsoft, NGINX, F5, Netty, Apache, Swift, and Linux distributions have issued advisories …