Security News

While open-source software doesn't guarantee a life free of vulnerabilities, it does guarantee fast response and remediation, which is crucial in the event of a large-scale security risk such as that brought on by Log4Shell. Open-source software is defined as "Software that is released under a license in which the copyright holder grants users the rights to use, study, change, and distribute the software and its source code to anyone and for any purpose." Some of the benefits of this are lower hardware costs, higher-quality software, flexibility, security, and transparency.

It was designed to evaluate web application security solutions, such as API security proxies, web application firewalls, IPS, API gateways, and others. "We created GoTestWAF to help the security community evaluate the level of API and application security controls they applied," Ivan Novikov, CEO at Wallarm, told Help Net Security.

Now, with full transactional support for everyday business applications, the open source immudb tamper-proof database can serve as the main transactional database for enterprises. "There is no need to have immudb running next to a traditional database anymore, as immudb now has full ACID transactional integrity compliance," said Jerónimo Irázabal, co-founder of immudb and lead architect at Codenotary.

XMGoat is an open-source tool that enables penetration testers, red teamers, security consultants, and cloud experts to learn how to abuse different misconfigurations within the Azure environment. Misconfigurations within Azure environments are common.

Cossack Labs updated its flagship open-source product Acra database security suite to version 0.90.0 and made many of its core security features previously available only for enterprise customers free in Acra Community Edition. Acra's features enable the implementation of application-level encryption in modern cloud applications, saving development costs and allowing tighter grip on sensitive data lifecycle.

Tenable enhanced Terrascan, an open source cloud native security analyzer that helps developers secure Infrastructure as Code. "It's now more critical than ever for developers to have tools that can detect compliance and security violations across their entire cloud systems, including IaC," said Nico Popp, chief product officer, Tenable.

YARA comes as a binary that can be launched against files, taking YARA rules as arguments. Outgoing communication can be analyzed using YARA rules to detect outgoing malware communications but also to try to detect data exfiltration.

The software industry does not currently track the source of all code, nor does it grade the level of security standards applied in these international code factories. Establish a grading scale to rate each piece of code to more effectively determine the risk a company is inheriting from the code.

Apiiro released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks. Dependency confusion compromises the open source software ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.

Academic researchers have released details about a new attack method they call "Trojan Source" that allows injecting vulnerabilities into the source code of a software project in a way that human reviewers can't detect. "The trick is to use Unicode control characters to reorder tokens in source code at the encoding level," reveals Nicholas Boucher, one of the researchers that discovered Trojan Source.