Security News

How often do developers push vulnerable code?
2022-04-06 04:30

A Tromzo report reveals developers remediate only 32% of vulnerabilities and regularly push vulnerable code. "These findings show that developers regularly ignore security issues, but can we really blame them?" said Tromzo CTO Harshit Chitalia.

Over 200 Malicious NPM Packages Caught Targeting Azure Developers
2022-03-24 23:27

A new large-scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages, with the goal of stealing personally identifiable information. The entire set of malicious packages was disclosed to the NPM maintainers roughly two days after they were published, leading to their quick removal, but not before each of the packages was downloaded around 50 times on average.

Microsoft Azure developers targeted by 200-plus data-stealing npm packages
2022-03-24 23:26

A group of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed two days after they were made available to the public. This group of packages grew from about 50 to at least 200 by March 21.

Microsoft Azure Developers Awash in PII-Stealing npm Packages
2022-03-24 20:21

Researchers have found hundreds of malicious packages in the npm repository of open-source JavaScript code, designed to steal personally identifiable information in a large-scale typosquatting attack against Microsoft Azure cloud users. That's according to the JFrog Security Research team, which said that the set of packages appeared earlier this week and steadily grew since then, from about 50 packages to more than 200.

Developer Sabotages Open-Source Software Package
2022-03-21 15:22

A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software. It constantly surprises non-computer people how much critical software is dependent on the whims of random programmers who inconsistently maintain software libraries.

Attackers have come to love APIs as much as developers
2022-03-17 05:30

Cequence Security released a report revealing that both developers and attackers have made the shift to APIs. After analyzing some of the most interesting bot attacks throughout 2021, it's clear that attackers have come to love APIs just as much as developers.

Log4j postmortem: Developers are taking a hard look at software supply-chain security gaps
2022-03-11 15:40

With so many security and developer teams doing post-mortems on the Log4j security vulnerability fiasco that unfolded in late 2021, just 10 days before Christmas, the main question is: how do we avoid this type of pain in the future? The answer is that it's complicated. On the upside, the pain of that experience has triggered a major software supply-chain security rethink among developers and security teams.

Open banking innovation: A race between developers and cybercriminals
2022-02-14 06:30

Open banking APIs handle everything from account status to fund transfers to PIN changes and account services. On top of open banking driving API utilization, APIs have become a de facto standard in modern application development, with organizations often deploying thousands of APIs for a wide variety of purposes.

GitLab on how DevSecOps can help developers provide security from end to end
2022-02-07 23:03

TechRepublic's Karen Roby spoke with Jonathan Hunt, VP of security for GitLab, about the security challenges companies face today and how the concept and practice of DevSecOps can help developers build end-to-end security into their applications.

IBM and Snyk: Developers must lead the charge on cybersecurity
2022-02-07 22:12

The interesting part about where IBM is actually headed is, security and what we actually do in security is about protecting the surface area. When you look at Snyk and Snyk's kind of whole ethos is to say, "Well, that's the core. That's the heart. You have to be developer-first." And the meaning of that, one of my favorite things to do is to talk to a chief security officer and say, "Yes, you're kind of here to sort of help secure the organization and you are the one likely to sign the check, but you're not the most important user of the product." Because the most important user of the product, the biggest risk we both face is the developers don't actually pick it up.