Security News

Feeling VEXed by software supply chain security? You’re not alone
2023-02-28 01:01

SCSW The vast majority of off-the-shelf software is composed of imported components, whether that's open source libraries or proprietary code. "Attackers have realized this, and that it's easy to hide in and attack all those gaps, those third-party components as they get transferred around and reused by other vendors," Dan Lorenc, CEO and co-founder of security specialists Chainguard, told The Register.

Open source software has its perks, but supply chain risks can't be ignored
2023-02-22 12:46

Analysis Open source components play an increasingly central role in the software development scene, proving to be a boon in a time of continuous integration and deployment, DevOps, and daily software updates. In a report last year, silicon design automation outfit Synopsys found that 97 percent of codebases in 2021 contained open source, and that in four of 17 industries studied - computer hardware and chips, cybersecurity, energy and clean tech, and the Internet of Things - open source software was in 100 percent of audited codebases.

Have we learnt nothing from SolarWinds supply chain attacks? Not yet it appears
2023-02-05 12:00

The hack of SolarWinds' software more than two years ago pushed the threat of software supply chain attacks to the front of security conversations, but is anything being done? More recently, attackers have targeted code repositories like GitHub and PyPI and companies like CI/CD platform provider CircleCI, an incident that expanded the definition of a supply chain attack, according to Matt Rose, field CISO for cybersecurity vendor ReversingLabs.

Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software
2023-02-01 03:14

Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations.

Supply chain attacks caused more data compromises than malware
2023-01-26 04:00

Data compromises steadily increased in the second half of 2022. Data breach notices suddenly lacked details, resulting in increased risk for individuals and businesses, as well as uncertainty about the number of data breaches and victims.

Serious Security: How to improve cryptography, resist supply chain attacks, and handle data breaches
2023-01-04 19:50

So we thought we'd take a quick look back at some of the major issues we covered over the last couple of weeks, and reiterate the serious security lessons we can learn from them. If you are ever stuck with doing a data breach notification, don't try to rewrite history to your marketing advantage.

Machine-Learning Python package compromised in supply chain attack
2023-01-04 17:00

On Dec. 31, 2022, the PyTorch machine learning framework announced on its website that one of its packages had been compromised via the PyPI repository. According to the PyTorch team, a malicious torchtriton dependency package was uploaded to the PyPI code repository on Friday, Dec. 30, 2022, at around 4:40 p.m. The malicious package had the same package name as the one shipped on the PyTorch nightly package index.

Don’t overlook supply chain security in your 2023 security plan
2022-12-30 20:06

Now there are new third-party risk assessment strategies, services and tools that can help identify security "weak points" in your company's supply chain. In 2021, BlueVoyant, a cybersecurity provider, reported that 98% of organizations it had surveyed said they had been impacted by a supply chain security breach.

What is Microsoft’s Secure Supply Chain Consumption Framework, and why should I use it?
2022-12-21 16:17

Software development isn't only about code; more importantly, it's driven by a set of best practices and guidelines that help us write better and more secure software. Like all large software companies, Microsoft has developed its own set of policies and procedures to implement approaches like its Secure Software Development Lifecycle.

Credit card skimming – the long and winding road of supply chain failure
2022-12-08 19:58

Sadly, that's long merely in terms of time, not long in terms of technical complexity or the number of links in the chain itself. In the early 2010s, a web analytics company called Cockpit offered a free web marketing and analytics service.