Security News

Facebook today open-sourced a static analysis tool its software and security engineers use internally to find potentially dangerous security and privacy flaws in the company's Android and Java applications. "A flow from sources to sinks indicate that for example user passwords may get logged into a file, which is not desirable and is called as an 'issue' under the context of Mariana Trench," Facebook Software Engineer Dominik Gabi said.

TechRepublic contributing writer Jack Wallen is correct that "Open source software has proved itself, time and time and time again, that it is business-grade for a very long time." Sonatype is also correct that supply chain attacks against popular open source software repositories jumped 650% over the last year. Open source keeps growing in popularity, to the tune of 2.2 trillion open source packages pulled from repositories like npmjs and Maven in 2021, according to Sonatype's study.

As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program to lure threat hunters' attention to open-source supply chains. Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.

Further, with regard to open source security risks, the report reveals a 650% year over year increase in supply chain attacks aimed at upstream public repositories, and a fascinating dichotomy pertaining to the level of known vulnerabilities present in popular and non-popular project versions. Open source supply, demand, and security dynamics Supply increased 20%. The top four open source ecosystems now contain a combined 37,451,682 different versions of components.

The relevant bug fixes were officially available in the OMI source code back on 12 August 2021, more than a month ago. Like WMI, the OMI code runs as a priviliged process on your servers so that sysadmins, and system administration software, can query and control what's going on, such as enumerating processes, kicking off utility programs, and checking up on system configuration settings.

Jack Wallen believes this milestone should help big businesses realize it is time to trust open source software. According to the company, "The certification further strengthens Canonical's industry-leading open source offering, reassuring customers in all industries that they can securely consume open source in a regulated fashion that complies with all the industry standards and best practices."

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. Travis CI is a hosted CI/CD solution used to build and test software projects hosted on source code repository systems like GitHub and Bitbucket.

The seventh annual State of the Software Supply Chain Report from Sonatype found that developers think software management practices are in much better shape than what conditions on the ground indicate. The analysis found that the majority of respondents use an ad hoc approach to software supply chain management for most parts of the process, except for remediation and inventory.

The new contribution to the open source Kubernetes ecosystem addresses the need for organizations to easily deploy, run and manage Kubernetes clusters directly on top of bare metal servers, increasing performance and minimizing cost and operational effort."Running Kubernetes directly on bare metal servers is the next big thing for the Kubernetes community, but it has been challenging and difficult to implement," said Tenry Fu, CEO, Spectro Cloud.

DataStax unveiled research findings that show how leading organizations are winning with data, and how others can close the gap. Through insights from over 500 technology executives and practitioners, the report reveals clear, proven patterns for success with data among today's "Data leaders" - those most likely to excel at using data to deliver value to customers.