Security News

YARA comes as a binary that can be launched against files, taking YARA rules as arguments. Outgoing communication can be analyzed using YARA rules to detect outgoing malware communications but also to try to detect data exfiltration.

The software industry does not currently track the source of all code, nor does it grade the level of security standards applied in these international code factories. Establish a grading scale to rate each piece of code to more effectively determine the risk a company is inheriting from the code.

Apiiro released Dependency Combobulator, a modular and extensible open source toolkit to detect and prevent dependency confusion attacks. Dependency confusion compromises the open source software ecosystem by tricking end-users, developers and automation-systems into installing a malicious dependency instead of the correct one they intended to install, resulting in the compromise of their software.

Academic researchers have released details about a new attack method they call "Trojan Source" that allows injecting vulnerabilities into the source code of a software project in a way that human reviewers can't detect. "The trick is to use Unicode control characters to reorder tokens in source code at the encoding level," reveals Nicholas Boucher, one of the researchers that discovered Trojan Source.

Deepfence announced open source availability of ThreatMapper, a signature offering that automatically scans, maps and ranks application vulnerabilities across serverless, Kubernetes, container and multi-cloud environments. ThreatMapper is an open source platform for scanning runtime environments for software supply chain vulnerabilities and contextualizing threats to help organizations determine which to address and when.

CloudLinux launched a new open-core project - KuberLogic - software that allows DevOps to set up scalable, self-healing PaaS on top of your Kubernetes cluster. Available on GitHub, KuberLogic allows administrators to run and deploy key open-source components with simple configurations and high availability.

The SOS program, run by the Linux Foundation, will reward developers with potentially more than $10,000 for enhancing the security of critical open source software. As part of Google's recently announced $10 billion commitment to cybersecurity defense, the company announced Friday the sponsorship for the Secure Open Source Rewards pilot program run by the Linux Foundation.

Facebook today open-sourced a static analysis tool its software and security engineers use internally to find potentially dangerous security and privacy flaws in the company's Android and Java applications. "A flow from sources to sinks indicate that for example user passwords may get logged into a file, which is not desirable and is called as an 'issue' under the context of Mariana Trench," Facebook Software Engineer Dominik Gabi said.

TechRepublic contributing writer Jack Wallen is correct that "Open source software has proved itself, time and time and time again, that it is business-grade for a very long time." Sonatype is also correct that supply chain attacks against popular open source software repositories jumped 650% over the last year. Open source keeps growing in popularity, to the tune of 2.2 trillion open source packages pulled from repositories like npmjs and Maven in 2021, according to Sonatype's study.

As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma, GitHub, Shopify and TikTok, announced they are throwing a new round of resources behind an Internet Bug Bounty Program to lure threat hunters' attention to open-source supply chains. Following a spate of spectacular software supply-chain breaches, market leaders have decided to throw in some cash to fund the IBB to incentivize bug hunters to take a closer look at open-source code.