Security News
Fully Homomorphic Encryption (FHE) is a cryptographic primitive that enables performing computations over encrypted data without having access to the secret key. In this Help Net Security video,...
In this Help Net Security video, Christophe Tafani-Dereeper, Cloud Security Researcher and Advocate at DataDog, talks about Stratus Red Team, an open-source project for adversary emulation and validation of threat detection in the cloud. The tool supports common AWS and Kubernetes attack techniques.
In this Help Net Security video, Ofri Ouzan, Security Researcher at Rezilion, talks about MI-X, an open source tool aimed at effectively determining whether a local host or a running container image is truly vulnerable to a specific vulnerability by accounting for all factors which affect actual exploitability. The tool prints the logical steps it takes in order to reach a decision and can generate a flow chart depicting the complete logical flow.
Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. Given open source's value as a public asset, an institutional structure must be built that sustains and secures it.
Detectree, developed by WithSecure, is a detection visualization tool for cyber security defense teams. "Time is always working against incident responders. And looking through rows of text data and making connections between them and the suspicious activity under investigation is time spent not remediating the problem, which is a real waste when you're under pressure to stop an attack."
Alibaba's financial services affiliate, Ant Group, has open sourced its "Privacy-preserving Computation Framework." A "Secure Processing Unit" that offers a "Provable, measurable secure computation device, which provides computation ability while keeping your private data protected".
The Python module "Ctx" and a fork of the PHP library "Phpass" have recently been modified by an unknown attacker to grab AWS credentials/keys and send them to a Heroku app. What at first seemed like the work of a malicious actor turned out to be an exploit by a security researcher, who wanted to demonstrate how easy it is to take control of popular packages and the repositories hosting them.
Google has a plan - and a new product plus a partnership with developer-focused security shop Snyk - that attempts to make it easier for enterprises to secure their open source software dependencies. They have corresponding enriched metadata incorporating Container/Artifact Analysis data and are built with Cloud Build, which verifies the code complies with SLSA - this is Google's framework for ensuring the integrity of software artifacts throughout the software supply chain.
Google on Thursday announced the creation of a new "Open Source Maintenance Crew" to focus on bolstering the security of critical open source projects. The tech giant pointed out Open Source Insights as a tool for analyzing packages and their dependency graphs, using it to determine "Whether a vulnerability in a dependency might affect your code."
The Linux Foundation and the Open Source Software Security Foundation, with input provided by executives from 37 companies and many U.S. government leaders, delivered a 10-point plan to broadly address open source and software supply chain security, by securing open source security production, improving vulnerability discovery and remediation, and shortening the patching response time of the ecosystem. Incident Response - Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.