Security News
A full 70 percent of applications being used today have at least one security flaw stemming from the use of an open-source library. Most JavaScript applications contain hundreds of open-source libraries - some have more than 1,000 different libraries.
Seven in 10 applications have a security flaw in an open source library, highlighting how use of open source can introduce flaws, increase risk, and add to security debt, Veracode research reveals. An application's attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies.
The State of Software Security: Open Source Edition analyzed the component open source libraries across the Veracode platform database of 85,000 applications which includes 351,000 unique external libraries. The idea was to define the risk that a single flaw in one library can pose to all applications that leverage that code.
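The transitive-dependency point above is easier to see on a concrete dependency tree. The following is an added example, not code from Veracode or from the report: it walks a constructed package-lock.json v2-style "packages" map, records whether each library is a direct or a transitive dependency and by which chain it is reached, and crosses the result with a constructed advisory list. Package names, versions and the advisory identifier are all made up for illustration, and the walker assumes a flat node_modules layout.

```javascript
// Added example (not from the Veracode report or any named project): walk a
// package-lock.json v2/v3 style "packages" map and report which dependencies
// are direct, which are transitive, and which match an advisory list.
// The lockfile and the advisory list below are constructed for illustration.

const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "logger": "^2.0.0" } },
    "node_modules/web-framework": {
      version: "1.4.2",
      dependencies: { "template-engine": "^3.0.0", "cookie-parse": "^0.5.0" },
    },
    "node_modules/logger": { version: "2.1.0", dependencies: { "ansi-colours": "^1.0.0" } },
    "node_modules/template-engine": { version: "3.2.0", dependencies: { "ansi-colours": "^1.0.0" } },
    "node_modules/cookie-parse": { version: "0.5.1" },
    "node_modules/ansi-colours": { version: "1.0.3" },
  },
};

// Constructed advisory feed: package name plus the first fixed version.
// The identifier is a placeholder, not a real advisory.
const SAMPLE_ADVISORIES = [
  { id: "ADV-EXAMPLE-0001", name: "ansi-colours", fixedIn: "1.1.0" },
];

// Numeric dotted-version comparison (enough for the x.y.z versions used here;
// prerelease tags are not handled). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Breadth-first walk from the root entry. Assumes a flat node_modules layout
// (one "node_modules/<name>" entry per package). Returns a Map of
// name -> { version, direct, paths }, where each path is the chain of package
// names from the application down to that dependency.
function walkDependencies(lockfile) {
  const packages = lockfile.packages;
  const result = new Map();
  const queue = [];
  for (const name of Object.keys(packages[""].dependencies || {})) {
    queue.push([name, [name]]);
  }
  while (queue.length > 0) {
    const [name, path] = queue.shift();
    const entry = packages[`node_modules/${name}`];
    if (!entry) continue; // not installed: nothing to scan
    let record = result.get(name);
    if (!record) {
      record = { version: entry.version, direct: false, paths: [] };
      result.set(name, record);
    }
    if (path.length === 1) record.direct = true;
    record.paths.push(path);
    for (const child of Object.keys(entry.dependencies || {})) {
      if (path.includes(child)) continue; // cycle guard
      queue.push([child, [...path, child]]);
    }
  }
  return result;
}

// Counts of direct versus transitive libraries, the ratio the report discusses.
function summarize(lockfile) {
  const tree = walkDependencies(lockfile);
  let direct = 0;
  for (const record of tree.values()) if (record.direct) direct++;
  return { direct, transitive: tree.size - direct, total: tree.size };
}

// Cross the resolved tree with the advisory list. A package is affected when
// its installed version is below the first fixed version; every chain that
// pulls it in is reported so the owner of each direct dependency can be found.
function findAffected(lockfile, advisories) {
  const tree = walkDependencies(lockfile);
  const hits = [];
  for (const adv of advisories) {
    const record = tree.get(adv.name);
    if (!record) continue;
    if (compareVersions(record.version, adv.fixedIn) < 0) {
      hits.push({
        id: adv.id,
        name: adv.name,
        version: record.version,
        direct: record.direct,
        paths: record.paths.map((p) => p.join(" > ")),
      });
    }
  }
  return hits;
}
```

On the constructed lockfile, `summarize` reports two direct and three transitive libraries, and `findAffected` flags `ansi-colours`, which the application never declared, as reachable through two separate chains; fixing it means bumping both `logger` and `web-framework` (or their pins), not editing the application's own package.json.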
Swimlane, an industry leader in security orchestration, automation and response, announced the launch of the Swimlane Analyst Hub as a way to aggregate its open-source and developer tools and content for security analysts. Swimlane's Deep Dive team will continue to enhance and add additional open-source tools on the Analyst Hub.
Microsoft this week announced that it has made some of its COVID-19 threat intelligence available to the public. The number of attacks targeting organizations and individuals worldwide using coronavirus lures has increased dramatically over the past several months, and Microsoft says it wants to help even those who do not use its threat protection solutions.
99% of commercial codebases contain at least one open source component, with open source comprising 70% of the code overall, according to Synopsys. The most concerning trend in this year's analysis is the mounting security risk posed by unmanaged open source, with 75% of audited codebases containing open source components with known security vulnerabilities, up from 60% the previous year.
StellarGraph has launched a series of new algorithms for network graph analysis to help discover patterns in data, work with larger data sets and speed up performance while reducing memory usage. One of the challenges data scientists face when dealing with connected data is how to understand relationships between entities, as opposed to looking at data in silos, to provide a much deeper understanding of the problem.
GitHub has made available two new security features for open and private repositories: code scanning and secret scanning. The code scanning feature, available for setup in every GitHub repository, is powered by CodeQL, a semantic code analysis engine that GitHub made available last year.
The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects. The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.
Network operators, integrators and software vendors have joined forces to create Leitstand, an open-source community that aims to increase the efficiency of developing, buying and running network management systems for next-generation carrier networks. It will provide the tools needed to operate the underlying infrastructure in a disaggregated telecoms network, including zero-touch provisioning of infrastructure, inventory management, operational visibility of network elements, alarm monitoring, fault diagnosis and software version management.