Security News

Open-source Kubernetes tool Argo CD has a high-severity path traversal flaw: Patch now
2022-02-04 15:22

A high-severity path traversal vulnerability in Argo CD, a widely used open-source continuous delivery tool for Kubernetes, lets an attacker read files outside the repository of the application being deployed, including git-crypt keys and other sensitive data, simply by supplying a crafted Helm chart. The flaw is tracked as CVE-2022-24348; fixed releases are available, so users should upgrade.
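The bug class behind the Argo CD item is a relative path from user input joined to a per-repository directory on a shared server, where ".." segments or an absolute path escape that directory. The check below is an added example, not Argo CD's own code or its actual fix: it resolves each entry of an Argo CD Application's spec.source.helm.valueFiles list against an assumed repository checkout directory and reports the ones that would leave it. The sample manifest and the repository paths are constructed for the example.

```python
"""Reject Helm values-file paths that escape their repository checkout.

Added illustration of the path traversal bug class; not Argo CD's code.
Assumptions: a repository is checked out under repo_root, the chart lives at
spec.source.path inside it, and every spec.source.helm.valueFiles entry is
resolved relative to that chart directory. Anything that resolves outside
repo_root would let one tenant read another tenant's files on a shared server.
"""
import posixpath
from typing import Optional


def resolve_within(repo_root: str, relative_path: str) -> Optional[str]:
    """Return the resolved path if relative_path stays inside repo_root, else None.

    Normalisation is done on the string, before touching the filesystem, so the
    check works for repositories that are not checked out on this host. It does
    not follow symlinks; a checkout that may contain them also needs a
    realpath-based check after checkout.
    """
    if posixpath.isabs(relative_path):
        return None
    root = posixpath.normpath(repo_root)
    candidate = posixpath.normpath(posixpath.join(root, relative_path))
    # A safe path is the root itself or strictly below it; a plain prefix test
    # on the string would wrongly accept /srv/repos/r10 as inside /srv/repos/r1.
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


def audit_application(app: dict, repo_root: str) -> list:
    """Return the valueFiles entries of an Application that would escape repo_root.

    app is the parsed (dict) form of an Argo CD Application manifest. Entries
    are joined to spec.source.path first, because that is the chart directory
    the values files are relative to; an absolute entry ignores the join and is
    rejected by resolve_within.
    """
    source = app.get("spec", {}).get("source", {})
    chart_path = source.get("path", ".")
    value_files = source.get("helm", {}).get("valueFiles", [])
    return [
        vf for vf in value_files
        if resolve_within(repo_root, posixpath.join(chart_path, vf)) is None
    ]


# Constructed sample manifest (dict form of the YAML); not from any real incident.
SAMPLE_APP = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Application",
    "spec": {
        "source": {
            "repoURL": "https://example.invalid/charts.git",
            "path": "mychart",
            "helm": {
                "valueFiles": [
                    "values.yaml",                        # inside the chart
                    "../shared/values.yaml",              # elsewhere in the same repo: allowed
                    "../../../other-tenant/values.yaml",  # escapes the checkout
                    "/etc/secrets.yaml",                  # absolute path
                ],
            },
        },
    },
}


if __name__ == "__main__":
    for bad in audit_application(SAMPLE_APP, "/srv/repos/r1"):
        print("rejected valueFiles entry:", bad)
```

Rejecting on the normalised string is the cheap first gate; the boundary to enforce is the repository checkout, not the chart directory, since referencing a shared values file elsewhere in the same repository is a legitimate use.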

Target open sources scanner for digital credit card skimmers
2022-02-03 17:27

Target, one of the largest American department store chains and e-commerce retailers, has open sourced 'Merry Maker', the scanner for payment card skimmers it has run internally for years. A skimmer is malicious code injected into shopping sites to steal customers' credit card data at checkout.

Finding Vulnerabilities in Open Source Projects
2022-02-02 15:58

The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open...

Week in review: PolKit vulnerability, fake tax apps pushing malware, EU’s bug bounty for open source
2022-01-30 09:00

PolKit vulnerability can give attackers root on many Linux distros
A memory corruption vulnerability in PolKit, a component used in major Linux distributions and some Unix-like operating systems, can be easily exploited by local unprivileged users to gain full root privileges.

Attackers connect rogue devices to organizations' network with stolen Office 365 credentials
Attackers are trying out a new technique to widen the reach of their phishing campaigns: using stolen Office 365 credentials, they connect rogue Windows devices to the victim organizations' network by registering them with its Azure AD.

Stealthy Excel malware putting organizations in crosshairs of ransomware gangs
The HP Wolf Security threat research team identified a wave of attacks using Excel add-in files to spread malware, giving attackers a foothold on targets and exposing businesses and individuals to data theft and destructive ransomware attacks.

Open-source code: How to stay secure while moving fast
2022-01-26 07:00

Organizations that build on open source will often end up with a Frankensteined final artifact whose components have extremely fragmented origins. They must take time to carefully consider their approach to supply chain security, both to prepare for future security incidents and to gain the full benefits of open source.

EU launches bug bounty programs for five open source solutions
2022-01-25 10:55

The European Union is, once again, calling on bug hunters to delve into specific open source software and report bugs. "One criterion in selecting bug bounties was their use within European public services," the European Commission Open Source Programme Office explained.

White House reminds tech giants open source is a national security issue
2022-01-14 19:04

Discussions on this topic took place during the Open Source Software Security Summit convened by the Biden administration on Thursday. Participants focused on three topics: preventing security defects and vulnerabilities in open source software, improving the process for finding security flaws and fixing them, and shrinking the time needed to deliver and deploy fixes.

Open-source software holds the key to solving Log4Shell-like problems
2021-12-22 05:00

While open-source software doesn't guarantee a life free of vulnerabilities, it does make fast response and remediation possible, which is crucial in the event of a large-scale security risk such as that brought on by Log4Shell. Open-source software is defined as "Software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose." Some of the benefits of this are lower hardware costs, higher-quality software, flexibility, security, and transparency.

GoTestWAF: Open-source project for evaluating web application security solutions
2021-12-20 05:00

GoTestWAF was designed to evaluate web application security solutions, such as API security proxies, web application firewalls, IPS, API gateways, and others. "We created GoTestWAF to help the security community evaluate the level of API and application security controls they applied," Ivan Novikov, CEO at Wallarm, told Help Net Security.

Immudb: Open-source database, built on a zero trust model
2021-12-17 05:00

Now, with full transactional support for everyday business applications, the open source immudb tamper-proof database can serve as the main transactional database for enterprises. "There is no need to have immudb running next to a traditional database anymore, as immudb now has full ACID transactional integrity compliance," said Jerónimo Irázabal, co-founder of immudb and lead architect at Codenotary.