Security News

XMGoat is an open-source tool that enables penetration testers, red teamers, security consultants, and cloud experts to learn how to abuse different misconfigurations within the Azure environment. Misconfigurations within Azure environments are common.

Cossack Labs updated its flagship open-source product Acra database security suite to version 0.90.0 and made many of its core security features previously available only for enterprise customers free in Acra Community Edition. Acra's features enable the implementation of application-level encryption in modern cloud applications, saving development costs and allowing tighter grip on sensitive data lifecycle.

Tenable enhanced Terrascan, an open source cloud native security analyzer that helps developers secure Infrastructure as Code. "It's now more critical than ever for developers to have tools that can detect compliance and security violations across their entire cloud systems, including IaC," said Nico Popp, chief product officer, Tenable.

YARA comes as a binary that can be launched against files, taking YARA rules as arguments. Outgoing communication can be analyzed using YARA rules to detect outgoing malware communications but also to try to detect data exfiltration.

The software industry does not currently track the source of all code, nor does it grade the level of security standards applied in these international code factories. Establish a grading scale to rate each piece of code to more effectively determine the risk a company is inheriting from the code.

Apiiro released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks. Dependency confusion compromises the open source software ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.

Academic researchers have released details about a new attack method they call "Trojan Source" that allows injecting vulnerabilities into the source code of a software project in a way that human reviewers can't detect. "The trick is to use Unicode control characters to reorder tokens in source code at the encoding level," reveals Nicholas Boucher, one of the researchers that discovered Trojan Source.

Deepfence announced open source availability of ThreatMapper, a signature offering that automatically scans, maps and ranks application vulnerabilities across serverless, Kubernetes, container and multi-cloud environments. ThreatMapper is an open source platform for scanning runtime environments for software supply chain vulnerabilities and contextualizing threats to help organizations determine which to address and when.

CloudLinux launched a new open-core project - KuberLogic - software that allows DevOps to set up scalable, self-healing PaaS on top of your Kubernetes cluster. Available on GitHub, KuberLogic allows administrators to run and deploy key open-source components with simple configurations and high availability.

The SOS program, run by the Linux Foundation, will reward developers with potentially more than $10,000 for enhancing the security of critical open source software. As part of Google's recently announced $10 billion commitment to cybersecurity defense, the company announced Friday the sponsorship for the Secure Open Source Rewards pilot program run by the Linux Foundation.