Security News
Perhaps the most troubling aspect of this tale is that this was the seventh such malicious package found on npm within a month, a stark illustration of the effort that cybercriminals are making to insert themselves into the open source software supply chain. According to Weeks, anywhere from 10 per cent to 40 percent of open source software components developers are downloading have known vulnerabilities.
Hands On. Google has big ambitions for its new Open Source Vulnerabilities database, but getting started requires a Google Cloud Platform account and there are other obstacles that may add friction to adoption. The company wants to see more discipline and checks in critical open-source software, and revealed that it maintains its own private repositories for many projects to guard against compromised code or newly committed vulnerabilities.
Guardicore released IPCDump, a new open source tool for tracing interprocess communication on Linux. The tool covers most interprocess communication mechanisms, including pipes, fifos, signals, Unix sockets, loopback-based networking, and pseudoterminals, and is useful for debugging multi-process applications and gaining transparency into how they communicate with one another in their IT environment.
Dan Garfield, who joined founder and CEO Raziel Tabib to launch Codefresh in 2016, has been promoted to Chief Open Source Officer. In his new role, Garfield will lead the realignment of Codefresh as an open source company, with engineering time dedicated to open source contributions and providing enterprise solutions on top of open source projects for their customers.
Google last week announced the launch of OSV, which the internet giant has described as a vulnerability database and triage infrastructure for open source projects. OSV should make it easier for the users of open source software to find out which vulnerabilities impact them.
CyberArk researchers have released BlobHunter, an open-source tool organizations can use to discover Azure blobs containing sensitive files they have inadvertently made public. Despite access to the files uploaded to cloud storages being by default private and cloud providers constantly sharing and reiterating best practices for securing them, misconfigurations happen all the time, making potentially sensitive information publicly accessible to anyone who knows how to find it.
Industrial cybersecurity firm OTORIO this week announced the availability of a new open source tool designed to help organizations secure their GE CIMPLICITY systems. OTORIO has worked with GE Digital to develop a free and open source tool that can be used to harden CIMPLICITY systems by ensuring that they are configured in accordance with the vendor's guidelines for security best practices.
Otorio, a provider of OT security and digital risk management solutions, released an open-source tool designed for hardening the security of GE Digital's CIMPLICITY, one of the most commonly used HMI/SCADA systems. Over the past several months, Otorio's researchers worked closely with GE Digital engineers to deliver a first of its kind open-source tool designed to identify GE CIMPLICITY misconfigurations.
A team from Google has now posted at length about the issue in the hope of "Sparking industry-wide discussion and progress on the security of open source software." The post - called "Know, Prevent, Fix" - is co-authored by Eric Brewer, VP of infrastructure at Google, distinguished engineer Rob Pike; principal software engineer Abhishek Arya; program manager, Open Source Security, Anne Bertucio; and product manager Kim Lewandowski.
Some of this just comes down to numbers: The more dependencies enterprises take on open source software, the more open source software will show up in audits like these. While Orion isn't open source, it shows how supply chain attacks have become increasingly critical to combat, and reflect what we've known since Heartbleed: As open source becomes a critical part of nearly all software, we need to improve how we secure it.