Security News

Open-source tool Yor automatically tags IaC resources for traceability and auditability
2021-05-27 08:00

Yor is an open-source tool from Palo Alto Networks that automatically tags cloud resources within infrastructure as code frameworks such as Terraform, CloudFormation, Kubernetes, and Serverless Framework. Yor helps security teams trace a security misconfiguration from code to cloud, automates the tedious work of manually tagging cloud resources, and enables highly effective GitOps across all major cloud providers.

What to do about open source vulnerabilities? Move fast, says Linux Foundation expert
2021-05-26 11:34

Automated testing and rapid deployment are critical to defending against vulnerabilities in open source software, said David Wheeler, director of Open Source Supply Chain Security at the Linux Foundation. Wheeler referenced a 2021 report by software security and IoT company Synopsys which said there are an average of 528 open source components per application, that 84 per cent of codebases have at least one vulnerability, and the average number of vulnerabilities per codebase is 158.

Microsoft: This clever open-source technique helps to protect your privacy
2021-05-25 10:24

"You only want to learn the larger patterns in the data, and so what differential privacy is doing is adding some noise to hide those smaller patterns that you didn't want to know anyway," Bird explained. Others reach out to the SmartNoise team on GitHub, which has led to a more formal early adoption programme where Microsoft is helping organisations like Humana and the Educational Results Partnership build differential privacy into research programmes looking at health and education data.

Microsoft Unveils SimuLand: Open Source Attack Techniques Simulator
2021-05-21 14:01

Microsoft this week announced the availability of SimuLand, an open source tool that enables security researchers to reproduce attack techniques in lab environments. The purpose of SimuLand, Microsoft says, is to help understand the behavior and functionality of threat actors' tradecraft, to find mitigations and validate existing detection capabilities, and to identify and share data sources relevant to adversary detection.

Biden's executive order calls for greater open source security but not how to achieve it
2021-05-19 22:17

Commentary: It's progress that President Biden's executive order recognizes the need to secure open source software. Writing at that time, Recordon said, "The pandemic and ongoing cyber security attacks present new challenges for the entire Executive Office of the President." Fast forward to May 2021, and President Biden issued an executive order on improving the nation's cybersecurity, with Recordon's open source fingers all over the document.

Enterprises increasingly relying on open source software
2021-05-11 04:00

Enterprises have a deep appreciation for the value of open source software, with 100% of the information technology decision-makers in a recent survey saying that "Using open source provides benefits for their organization." The survey of 200 IT decision-makers was conducted by Vanson Bourne. Use of open source software is increasing among enterprises.

Google Releases Open Source Tool for Verifying Containers
2021-05-10 17:14

Google has released a new open-source tool called cosign to make it easier to manage the process of signing and verifying container images. Google says all of its distroless images have been signed using the open source tool and that all users of distroless can easily check whether they are using the base image they are looking for.

US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal
2021-05-07 16:32

Agencies in the United States and the United Kingdom on Friday published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The FBI, NSA, CISA and the UK's NCSC say the Russian threat actor tracked as APT29 was behind the SolarWinds attack, which resulted in hundreds of organizations having their systems breached through malicious updates served from compromised SolarWinds systems.

Accurics open source project Terrascan integrates with the Argo Project to enhance cloud security
2021-05-06 00:15

Accurics announced that its open source project Terrascan, which enables teams to detect compliance and security violations across Infrastructure as Code, now integrates with the Argo Project. This integration, coupled with the new Terrascan admission controller feature to enforce CNCF's Open Policy Agent policies across the software development lifecycle, significantly enhances cloud security as developers adopt a GitOps approach.

Counterfit: Open-source tool for testing the security of AI systems
2021-05-05 12:23

After developing a tool for testing the security of its own AI systems and assessing them for vulnerabilities, Microsoft has decided to open-source it to help organizations verify that the algorithms they use are "robust, reliable, and trustworthy." Counterfit started as a collection of attack scripts written to target individual AI models, but Microsoft turned it into an automation tool to attack multiple AI systems at scale.