CISA looked at C/C++ projects and found a lot of C/C++ code. Wanna redo any of it in Rust?

June 28, 2024 at 05:03PM The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has released a report detailing the prevalence of memory-unsafe languages in critical open source projects, highlighting the risks of memory safety vulnerabilities. The report emphasizes the need for organizations to prioritize memory safety and consider using memory-safe languages like Rust or …

CISA Flags Memory-Unsafe Code in Major Open Source Projects

June 28, 2024 at 01:28PM A new study reveals the widespread and concerning use of memory-unsafe code in major open source software projects, leading to common security issues. Despite this insight, immediate changes are unlikely due to the complexity and cost of rewriting code entirely in memory-safe languages. The report’s findings align with previous studies, …

Supply Chain Breaches Up 68% Year Over Year, According to DBIR

May 6, 2024 at 07:57PM Supply chain breaches rose steeply in 2023, with 15% involving third parties, up from 9% in 2022. Verizon’s DBIR considers not only vendor compromises but also vulnerabilities in third-party software. Exploited vulnerabilities, primarily in ransomware attacks, were the most common issue, prompting the suggestion to assess vendor choices and prioritize …

CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities

May 3, 2024 at 09:10AM CISA and the FBI issued a Secure by Design Alert about path traversal software vulnerabilities targeting critical infrastructure. These flaws enable unauthorized access to application files and directories, allowing threat actors to compromise systems. Urging organizations to eliminate these defects, the agencies emphasize a secure software development lifecycle and suggest …

Apache Cordova App Harness Targeted in Dependency Confusion Attack

April 23, 2024 at 11:28AM Researchers have found a vulnerability in the archived Apache project Cordova App Harness, leading to dependency confusion attacks. Over 49% of organizations are vulnerable. Despite npm’s efforts to fix the issue, the Cordova App Harness project remains at risk. The discovery emphasizes the importance of addressing vulnerabilities in third-party projects …

NightVision Raises $5.4 Million for Application Security Testing

April 15, 2024 at 11:06AM NightVision, a US-based startup founded in 2022, raised $5.4 million in seed funding from angel investors. The company focuses on application security testing, aiding in the identification and resolution of software security vulnerabilities early in the development lifecycle. Its technology simulates attacks, integrates with development workflows, and enables secure development …

Binarly Attracts $10.5M to Tackle Software Supply Chain Security

March 26, 2024 at 04:42PM Binarly, a Los Angeles startup, secured $10.5 million in venture capital funding led by Two Bear Capital. Its AI-powered solution, the Binarly Transparency Platform, automates the discovery of security vulnerabilities in firmware and the software supply chain. Founded by NVIDIA alum Alex Matrosov, the company aims to capitalize on global software supply …

US Government Urges Software Makers to Eliminate SQL Injection Vulnerabilities

March 26, 2024 at 07:18AM CISA and the FBI advise organizations to review and eliminate SQL injection vulnerabilities in their commercial software, as such flaws pose a significant security risk. They urge technology manufacturers to conduct a formal code review and embrace secure-by-design principles in software development to prevent malicious exploitation and enhance cybersecurity. From …

CISA urges software devs to weed out SQL injection vulnerabilities

March 25, 2024 at 02:28PM CISA and the FBI advised technology manufacturing executives to conduct formal software reviews and implement mitigations to eliminate SQL injection (SQLi) vulnerabilities. SQL injection attacks enable unauthorized access to sensitive data and can lead to data breaches and system takeover. They recommend using parameterized queries with prepared statements as a secure …

MITRE Rolls Out 4 Brand-New CWEs for Microprocessor Security Bugs

February 29, 2024 at 02:28PM The MITRE-led CWE program added four new microprocessor-related weaknesses, including exposure of sensitive information during transient execution and data leaks tied to microarchitectural structures and incorrect data forwarding. These new entries help address major issues like Meltdown and Spectre and contribute to a common language for discussing microprocessor weaknesses in …