Security News

A group of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed two days after they were made available to the public. This group of packages grew from about 50 to at least 200 by March 21.

Researchers have found hundreds of malicious packages in the npm repository of open-source JavaScript code, designed to steal personally identifiable information in a large-scale typosquatting attack against Microsoft Azure cloud users. That's according to the JFrog Security Research team, which said that the set of packages appeared earlier this week and steadily grew since then, from about 50 packages to more than 200.

A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software. It constantly surprises non-computer people how much critical software is dependent on the whims of random programmers who inconsistently maintain software libraries.

Cequence Security released a report revealing that both developers and attackers have made the shift to APIs. After analyzing some of the most interesting bot attacks throughout 2021, it's clear that attackers have come to love APIs just as much as developers.

With so many security and developer teams doing post mortems on the Log4j security vulnerability fiasco that unfolded in late 2021, just 10 days before Christmas, the main question is: how do we avoid this type of pain in the future? The answer is it's complicated. On the upside the pain of that experience has triggered a major software supply-chain security rethink from developers and security teams.

Open banking APIs handle everything from account status to fund transfers to pin changes and account services. On top of open banking driving API utilization, APIs have become a de facto standard in modern application development, with organizations often deploying thousands of APIs for a wide variety of purposes.

GitLab on how DevSecOps can help developers provide security from end-to-end. TechRepublic's Karen Roby spoke with Jonathan Hunt, VP of security for GitLab, about the security challenges companies face today and how the concept and practice of DevSecOps can help developers build end-to-end security into their applications.

The interesting part about where IBM is actually headed is, security and what we actually do in security is about protecting the surface area. When you look at Snyk and Snyk's kind of whole ethos is to say, "Well, that's the core. That's the heart. You have to be developer-first." And the meaning of that, one of my favorite things to do is to talk to a chief security officer and say, "Yes, you're kind of here to sort of help secure the organization and you are the one likely to sign the check, but you're not the most important user of the product." Because the most important user of the product, the biggest risk we both face is the developers don't actually pick it up.

Interest in specific topics within cybersecurity grew significantly. Between last year's high-profile incidents involving ransomware, supply chain attacks, the exploitation of critical systems vulnerabilities and the new focus on cryptocurrency theft, it's likely that interest in cybersecurity topics will continue to climb in 2022 and beyond.

Understandably, security teams are recalibrating and sorting out where more security investments are needed in the new year. The software development community is responding to these developments and recognizes that approaching security as an afterthought encourages attacks and their resulting damages.