Security News

When transparency is also obscurity: The conundrum that is open-source security
2022-10-04 05:21

The pros and cons of OSS. The challenge of OSS security is that just because everyone can look at the source code does not mean anyone will. A recent report from the Linux Foundation found that the average number of outstanding critical vulnerabilities in an application is 5.1, and that 41% of organizations are not confident in their open source software security.

North Korean Hackers Weaponizing Open-Source Software in Latest Cyber Attacks
2022-09-30 10:02

A "highly operational, destructive, and sophisticated nation-state activity group" with ties to North Korea has been weaponizing open source software in its social engineering campaigns aimed at companies around the world since June 2022. Attacks targeted employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the U.S., the U.K., India, and Russia.

Microsoft: Lazarus hackers are weaponizing open-source software
2022-09-29 17:33

Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment. The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.

Wazuh - The free and open source XDR platform
2022-09-28 14:06

Wazuh is a free and open source security platform that provides unified SIEM and XDR protection. Its central components analyze security data collected from the agents.

Improve your security posture with Wazuh, a free and open source XDR
2022-09-28 12:15

Wazuh is an open source unified XDR and SIEM platform. The Wazuh agent collects security event data from the monitored endpoints and forwards it to the Wazuh server for log analysis, correlation, and alerting.

Open source projects under attack, with enterprises as the ultimate targets
2022-09-27 03:30

Sonatype has found a massive year-over-year increase in cyberattacks aimed at open source projects. To capitalize on weaknesses in upstream open source ecosystems, cybercriminals continue to target organizations through open source repositories.

CI Fuzz CLI: Open-source tool simplifies fuzz testing for C++
2022-09-26 04:00

Code Intelligence has open-sourced a new security tool, CI Fuzz CLI, which lets developers run coverage-guided fuzz tests directly from the command line to find and fix vulnerabilities at scale. The tool aims to make fuzz testing usable for all developers, not only security specialists.

350,000 open source projects at risk from Python vulnerability
2022-09-22 14:44

Cybersecurity company Trellix announced Wednesday that a known Python vulnerability puts 350,000 open-source projects and the applications that use them at risk of device takeover or malicious code execution.

Python tarfile vulnerability affects 350,000 open-source projects (CVE-2007-4559)
2022-09-22 08:20

Trellix Advanced Research Center published its research into CVE-2007-4559, a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects. The vulnerability exists in the Python tarfile module, part of the standard library and therefore available to any project using Python, and is found extensively in frameworks created by Netflix, AWS, Intel, Facebook, Google, and in applications used for machine learning, automation and Docker containerization. It is a path traversal: tarfile.extract() and tarfile.extractall() do not sanitize member names, so an archive entry named with "../" sequences or an absolute path can be written outside the intended destination directory.
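The following is an added example, not code from Trellix or from the Python project, showing the traversal described above and one way to guard against it. It builds a tar archive in memory (a constructed fixture, with the member name "../../evil.txt" chosen to escape the destination), lists the members that would land outside the destination, and refuses to extract when any are found. The helper names (build_tar, unsafe_members, safe_extract) are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_tar(entries):
    """Build an in-memory tar from {member_name: bytes}. Constructed fixture:
    tarfile happily writes names like '../../evil.txt' without sanitizing them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def is_within_directory(directory, target):
    """True if target resolves to a path under directory (realpath follows
    symlinks in the existing prefix, so a symlinked temp dir still works)."""
    abs_dir = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def unsafe_members(tar, dest):
    """Return the names of members that would escape dest. Checks every member
    before anything is written, so a symlink planted early in the archive cannot
    be used as an escape hatch by a later member."""
    bad = []
    for member in tar.getmembers():
        # os.path.join discards dest when member.name is absolute, which is
        # exactly the case the check below then flags.
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # symlink targets are relative to the member's own directory
            link_target = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
        elif member.islnk():
            # hard link targets are relative to the archive root
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad


def safe_extract(tar, dest):
    """Hardened replacement for a bare tar.extractall(dest)."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"refusing to extract members escaping {dest}: {bad}")
    tar.extractall(dest)


def flagged_members_demo():
    """Archive with one traversal entry and one benign entry; the pre-check names
    only the traversal entry."""
    dest = tempfile.mkdtemp()
    buf = build_tar({"../../evil.txt": b"pwned", "ok/readme.txt": b"hello"})
    with tarfile.open(fileobj=buf, mode="r") as tar:
        return unsafe_members(tar, dest)


def rejects_traversal_demo():
    """safe_extract refuses the malicious archive outright."""
    dest = tempfile.mkdtemp()
    buf = build_tar({"../../evil.txt": b"pwned"})
    with tarfile.open(fileobj=buf, mode="r") as tar:
        try:
            safe_extract(tar, dest)
        except ValueError:
            return True
    return False


def extracts_benign_demo():
    """A well-formed archive still extracts normally; returns the file content."""
    dest = tempfile.mkdtemp()
    buf = build_tar({"ok/readme.txt": b"hello"})
    with tarfile.open(fileobj=buf, mode="r") as tar:
        safe_extract(tar, dest)
    with open(os.path.join(dest, "ok", "readme.txt"), "rb") as f:
        return f.read()


if __name__ == "__main__":
    print("flagged:", flagged_members_demo())
    print("rejected:", rejects_traversal_demo())
    print("benign content:", extracts_benign_demo())
```

The check is done over the whole member list before the first byte is written, which is what stops the two-step variant (a symlink member pointing outside the destination followed by a regular member written through it). Newer Python releases also accept a `filter="data"` argument to `extractall()` that rejects such members; the explicit pre-check above works on versions that predate it.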

Open-source software usage slowing down for fear of vulnerabilities, exposures, or risks
2022-09-20 03:30

Anaconda released its annual 2022 State of Data Science report, revealing the widespread trends, opportunities, and perceived blockers facing the data science, machine learning, and artificial intelligence industries. While open-source software was created by and for developers, it is now an integral part of commercial software development and the backbone for continuous enterprise innovation.