Security News

Why open source software supply chain management is worse than you think
2021-09-15 13:00

The seventh annual State of the Software Supply Chain Report from Sonatype found that developers believe their software supply chain management practices are in much better shape than conditions on the ground indicate. The analysis found that the majority of respondents take an ad hoc approach to software supply chain management for most parts of the process, with remediation and inventory the only exceptions.

Spectro Cloud open source project makes bare metal Kubernetes accessible
2021-08-17 12:36

The new contribution to the open source Kubernetes ecosystem addresses the need for organizations to easily deploy, run and manage Kubernetes clusters directly on top of bare metal servers, increasing performance and minimizing cost and operational effort. "Running Kubernetes directly on bare metal servers is the next big thing for the Kubernetes community, but it has been challenging and difficult to implement," said Tenry Fu, CEO, Spectro Cloud.

Open source software plays an important role in the success of leading organizations
2021-08-09 03:00

DataStax unveiled research findings that show how leading organizations are winning with data, and how others can close the gap. Through insights from over 500 technology executives and practitioners, the report reveals clear, proven patterns for success with data among today's "Data leaders" - those most likely to excel at using data to deliver value to customers.

Cisco, Sonatype and Others Join Open Source Security Foundation
2021-08-02 13:07

The Open Source Security Foundation, the cross-industry forum focused on improving open source software security, has expanded its member list with the addition of names such as Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift. With open source software becoming a central pillar of the application development lifecycle, ensuring the security of open source code is essential to securing modern software, regardless of whether it is used on end-user devices or in enterprise environments.

Dynatrace’s enhancements deliver analytics capabilities to more open-source services
2021-08-01 01:00

Dynatrace announced customers can extend Smartscape, the Dynatrace platform's real-time and continuously updated topology, to bring Dynatrace's powerful AIOps and analytics capabilities to more open-source services, including OpenTelemetry, FluentD, and Prometheus. As a result, DevOps and SRE teams can easily curate and analyze data streams from any source, at scale.

Several Bugs Found in 3 Open-Source Software Used by Several Businesses
2021-07-29 20:32

Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects - EspoCRM, Pimcore, and Akaunting - that are widely used by small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7 noted.

GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies
2021-07-26 12:23

GitLab last week announced the release of a new open source tool designed to help software developers identify malicious code in their projects' dependencies. Code reuse is a central approach to today's programming, but implementing open-source libraries in software comes with inherent risks.

The Audacity! How to wreck an open-source project and anger a community
2021-07-06 14:57

Now, prior to this, you may or may not have heard that the Audacity developers were toying around with adding telemetry to collect data from users. "All your personal data is stored on our servers in the European Economic Area. However, we are occasionally required to share your personal data with our main office in Russia and our external counsel in the USA."

New Google Scorecards Tool Scans Open-Source Software for More Security Risks
2021-07-02 02:56

Google has launched an updated version of Scorecards, its automated security tool that produces a "Risk score" for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis. "With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Source Security Team said Thursday.

Regula: Open source policy engine for IaC security
2021-06-29 06:00

Fugue announced Regula 1.0, an open source policy engine for infrastructure as code security. Available at GitHub, the tool includes support for common IaC tools such as Terraform and AWS CloudFormation, prebuilt libraries with hundreds of policies that validate AWS, Microsoft Azure, and Google Cloud resources, and new developer tooling to support custom rules development and testing with Open Policy Agent.