Security News

A new Linux Foundation open source signing tool could make secure software supply chains universal
2021-03-11 15:13

Sigstore could eliminate the headaches associated with current software signing technology through public ledgers. The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has announced a new digital signing project, potentially eliminating many of the headaches that come with securing open source software, files, images and binaries.

Akash MAINNET 2 decentralized open-source cloud now available
2021-03-10 02:00

Akash Network, a project out of Overclock Labs, confirmed the successful launch of Akash MAINNET 2, the first open-source cloud and the only viable decentralized cloud alternative to centralized cloud providers like Amazon Web Services, Google Cloud, and Microsoft Azure. Akash MAINNET 2 empowers developers to break free from the limitations of traditional cloud infrastructure, and accelerates growth and scale in the blockchain ecosystem by enabling developers and companies to decentralize their cloud infrastructure, deploying applications faster, more efficiently, and at lower cost.

Infrastructure modernization remains the biggest use case for enterprise open source
2021-03-02 17:11

Infrastructure modernization remains the most important use case for enterprise open source for the third consecutive year, according to Red Hat's newly released State of Enterprise Open Source Report. "The two are closely related because new applications are a big part of digital transformation. Taken together, they clearly demonstrate that organizations are using enterprise open source for strategic purposes, not just for infrastructure 'plumbing,'" the report said.

Microsoft Releases Open Source Resources for Solorigate Threat Hunting
2021-02-26 13:42

Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack. The company has released the source code of CodeQL queries, which it used to analyze its code at scale and identify any code-level indicators of compromise associated with Solorigate.

You’ve got millions of open-source software components to choose from... and so do cybercriminals
2021-02-17 20:00

Perhaps the most troubling aspect of this tale is that this was the seventh such malicious package found on npm within a month, a stark illustration of the effort that cybercriminals are making to insert themselves into the open source software supply chain. According to Weeks, anywhere from 10 percent to 40 percent of the open source software components that developers download have known vulnerabilities.

Open Source Vulnerabilities database: Nice idea but too many Google-shaped hoops to jump through at present
2021-02-11 09:30

Hands On. Google has big ambitions for its new Open Source Vulnerabilities database, but getting started requires a Google Cloud Platform account and there are other obstacles that may add friction to adoption. The company wants to see more discipline and checks in critical open-source software, and revealed that it maintains its own private repositories for many projects to guard against compromised code or newly committed vulnerabilities.

IPCDump: Open-source tool for tracing interprocess communication on Linux
2021-02-11 04:00

Guardicore released IPCDump, a new open source tool for tracing interprocess communication on Linux. The tool covers most interprocess communication mechanisms, including pipes, FIFOs, signals, Unix sockets, loopback-based networking, and pseudoterminals, and is useful for debugging multi-process applications and gaining transparency into how they communicate with one another in an IT environment.

Codefresh promotes Dan Garfield to Chief Open Source Officer
2021-02-09 23:45

Dan Garfield, who joined founder and CEO Raziel Tabib to launch Codefresh in 2016, has been promoted to Chief Open Source Officer. In his new role, Garfield will lead the realignment of Codefresh as an open source company, with engineering time dedicated to open source contributions and providing enterprise solutions on top of open source projects for their customers.

Google Launches Database for Open Source Vulnerabilities
2021-02-08 14:52

Google last week announced the launch of OSV, which the internet giant has described as a vulnerability database and triage infrastructure for open source projects. OSV should make it easier for the users of open source software to find out which vulnerabilities impact them.

Open-source tool BlobHunter helps pinpoint public Azure blobs that might contain sensitive files
2021-02-08 12:07

CyberArk researchers have released BlobHunter, an open-source tool organizations can use to discover Azure blobs containing sensitive files they have inadvertently made public. Although files uploaded to cloud storage are private by default and cloud providers constantly share and reiterate best practices for securing them, misconfigurations happen all the time, making potentially sensitive information publicly accessible to anyone who knows how to find it.