Over 30% of Log4j apps use a vulnerable version of the library

December 10, 2023 at 10:39AM
Around 38% of Apache Log4j applications are still vulnerable to security issues, including the critical Log4Shell flaw (CVE-2021-44228), which allows unauthenticated remote code execution. Despite patches having been available for over two years, many organizations continue to use insecure versions. It is recommended that companies scan their environment and develop an emergency upgrade plan …

CISA Debuts ‘Secure by Design’ Alert Series

November 30, 2023 at 06:06AM
The US cybersecurity agency CISA has launched Secure by Design (SbD) alerts, encouraging software manufacturers to build products with proactive security measures to mitigate vulnerabilities, particularly in web management interfaces. The new alerts focus on vendor practices that can reduce harm globally, emphasizing the need for default security features, customer security …

Consumer Software Security Assessment: Should We Follow NHTSA’s Lead?

November 28, 2023 at 04:14AM
The text discusses the need for a consumer software security organization similar to the US National Highway Traffic Safety Administration. It highlights the lack of safety standards for software and the need to protect consumers from digital crimes. The text suggests the creation of safety ratings for software and devices …

27 Malicious PyPI Packages with Thousands of Downloads Found Targeting IT Experts

November 17, 2023 at 06:00AM
An unidentified threat actor has been uploading malware-laden fake Python libraries to the PyPI repository for the past six months. Disguised as legitimate packages, these 27 libraries have attracted thousands of downloads from various countries. The attacker used steganography to hide malicious payloads within innocent-looking image files. The packages included …

Consumer Software Security Assessment: Should We Follow NHTSA’s Lead?

November 16, 2023 at 01:04PM
An organization similar to the US National Highway Traffic Safety Administration (NHTSA) should be created to ensure consumer software security. Software should meet basic security and safety standards that consumers can easily understand and act on. Safety features should be in place by default, but users need to actively use …

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

November 3, 2023 at 09:42AM
48 malicious npm packages containing obfuscated JavaScript have been discovered in the npm repository. These packages, uploaded by an npm user named hktalent, can deploy a reverse shell on compromised systems. The attack is triggered post-installation, establishing a reverse shell to rsh.51pwn[.]com. This highlights the increasing interest of threat actors …

New CVSS 4.0 vulnerability severity rating standard released

November 1, 2023 at 03:32PM
FIRST has released CVSS v4.0, the latest version of its Common Vulnerability Scoring System standard, after eight years. CVSS provides a framework for assessing the severity of software security vulnerabilities, helping organizations prioritize their responses to security threats. The new version offers finer granularity, removes scoring ambiguity, simplifies metrics, and adds supplemental …

Supply Chain Startup Chainguard Scores $61 Million Series B

November 1, 2023 at 11:46AM
Chainguard, a supply chain security startup founded by former Google engineers, has secured $61 million in Series B financing led by Spark Capital. This brings its total venture capital funding to $116 million. Its flagship product, Chainguard Images, has gained traction among Fortune 500 companies and technology providers. Chainguard aims …

Survey: AppSec Maturity Hindered by Staffing, Budgets, Vulnerabilities

October 31, 2023 at 01:01PM
A recent report from the Purple Book Community highlights the challenges companies face in achieving application security (AppSec) maturity. These challenges include a shortage of AppSec engineers, slow vulnerability remediation, and the increasing reliance on cloud infrastructure. Insufficient funding is also identified as a major obstacle. The report emphasizes …

Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

October 31, 2023 at 08:18AM
Malicious packages have been discovered on the NuGet package manager, deployed using a lesser-known method. The campaign, ongoing since August 2023, involves rogue packages delivering the SeroXen remote access trojan (RAT). The threat actors behind the campaign are persistent, continuously publishing new malicious packages. The packages imitate popular ones and …