Security News

Open source security report finds library-induced flaws in 70% of applications
2020-05-20 13:48

The State of Software Security: Open Source Edition analyzed the component open source libraries across the Veracode platform database of 85,000 applications, which includes 351,000 unique external libraries. The idea was to define the risk that a single flaw in one library can pose to all applications that leverage that code.

Swimlane Analyst Hub: Increasing access to educational content and open-source tools
2020-05-18 01:45

Swimlane, an industry leader in security orchestration, automation and response, announced the launch of the Swimlane Analyst Hub as a way to aggregate its open-source and developer tools and content for security analysts. Swimlane's Deep Dive team will continue to enhance and add additional open-source tools on the Analyst Hub.

Microsoft Open-Sources COVID-19 Threat Intelligence
2020-05-15 16:36

Microsoft this week announced that it has made some of its COVID-19 threat intelligence available to the public. The number of attacks targeting organizations and individuals worldwide using coronavirus lures has increased dramatically over the past several months, and Microsoft says it wants to help even those who do not use its threat protection solutions.

Eye-opening statistics about open source security, license compliance, and code quality risk
2020-05-14 04:30

99% of commercial codebases contain at least one open source component, with open source comprising 70% of the code overall, according to Synopsys. The most concerning trend in this year's analysis is the mounting security risk posed by unmanaged open source, with 75% of audited codebases containing open source components with known security vulnerabilities, up from 60% the previous year.

Open source algorithms for network graph analysis help discover patterns in data
2020-05-11 03:00

StellarGraph has launched a series of new algorithms for network graph analysis to help discover patterns in data, work with larger data sets and speed up performance while reducing memory usage. One of the challenges data scientists face when dealing with connected data is how to understand relationships between entities, as opposed to looking at data in silos, to provide a much deeper understanding of the problem.

GitHub Code Scanning aims to prevent vulnerabilities in open source software
2020-05-08 07:48

GitHub has made available two new security features for open and private repositories: code scanning and secret scanning. The code scanning feature, available to set up in every GitHub repository, is powered by CodeQL, a semantic code analysis engine that GitHub made available last year.

GitHub blasts code-scanning tool into all open-source projects
2020-05-06 18:30

The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects. The feature, based on the code-checking tools GitHub bought last year when it gobbled up UK-based Semmle, automatically graphs and scans code when a new push request is made and checks it for a number of common errors that can cause security vulnerabilities.

Leitstand initiative creates open-source management environment, brings web-scale to telco networks
2020-04-23 01:00

Network operators, integrators and software vendors have joined forces to create Leitstand, an open-source community that aims to increase the efficiency of developing, buying and running network management systems for next generation carrier networks. It will provide the tools needed to operate the underlying infrastructure in a disaggregated telecoms network, including zero-touch provisioning of infrastructure, inventory management, operational visibility of network elements, alarm monitoring, fault diagnosis and software version management.

Sophos Releases Sandboxie in Open Source
2020-04-10 13:22

In September last year, Sophos made Sandboxie free, while also announcing that it was transitioning the tool to open source. "Sophos is proud to announce the release of the Sandboxie source code to the community, meaning we are finally an open source tool! We're excited to give the code to the community," the company announced on its forums.

seL4 creates open source foundation to enable more secure computing systems
2020-04-08 07:46

CSIRO's Data61, the digital specialist arm of Australia's national science agency, announced the creation of the seL4 Foundation, a not-for-profit organization, to accelerate the development of the seL4 microkernel and related technologies. The seL4 Foundation will provide a global, independent and neutral organization for funding and steering the future evolution of seL4.