Security News

Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects - EspoCRM, Pimcore, and Akaunting - that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor S?dkowski of Nokia and Trevor Christiansen of Rapid7 noted.

GitLab last week announced the release of a new open source tool designed to help software developers identify malicious code in their projects' dependencies. Code reuse is a central approach to today's programming, but implementing open-source libraries in software comes with inherent risks.

Now, prior to this, you may or may not have heard that the Audacity developers were toying around with adding telemetry to collect data from users. "All your personal data is stored on our servers in the European Economic Area. However, we are occasionally required to share your personal data with our main office in Russia and our external counsel in the USA.".

Google has launched an updated version of Scorecards, its automated security tool that produces a "Risk score" for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis. "With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Source Security Team said Thursday.

Fugue announced Regula 1.0, an open source policy engine for infrastructure as code security. Available at GitHub, the tool includes support for common IaC tools such as Terraform and AWS CloudFormation, prebuilt libraries with hundreds of policies that validate AWS, Microsoft Azure, and Google Cloud resources, and new developer tooling to support custom rules development and testing with Open Policy Agent.

Google today announced the expansion of the Open Source Vulnerabilities database to include information on bugs identified in Go, Rust, Python, and DWF open source projects. Launched in February 2021 with details on thousands of vulnerabilities from Google's OSS-Fuzz project, the OSV database is meant to provide automated, improved vulnerability triage for both developers and users of open source software.

Google on Thursday introduced a unified vulnerability schema for open source projects, continuing its current campaign to shore up the security of open source software. The as-yet-unnamed vulnerability interchange schema aspires to bridge gaps that make it difficult to connect current, fragmented vulnerability databases by providing a common interchange format.

There's a minefield of security problems bubbling under the surface of modern software, Veracode has claimed in its latest report, thanks to developers pulling third-party open-source libraries into their code bases - then never bothering to update them again. "The vast majority of today's applications use open source code. The security of a library can change quickly, so keeping a current inventory of what's in your application is crucial," Chris Eng, Vercode's chief research officer, said.

Google this week announced that it has released open source tools and libraries that can be used by developers to implement fully homomorphic encryption. FHE enables the processing of encrypted data without providing access to the actual data.

CloudLinux announced UChecker, a free open source tool that scans Linux servers for vulnerable libraries that are outdated and being used by other applications. This provides detailed actionable information regarding which application is using which vulnerable library and needs to be updated, which helps improve the security awareness patching process.