Security News

Software supply chain security gets its first Linux distro, Wolfi
2022-09-22 13:00

Despite all the security vendors' best efforts to whitewash their products around software supply chain security, it's still unclear exactly how anyone is supposed to build or maintain these SBOMs. Recent memos out to the heads of federal agencies merely underscore the "Importance of secure software development environments" without much useful elaboration on how to get there. A new stack is forming, and I believe we are about to see theoretical conversations about software supply chain security leapfrog into actual implementations and refinement of best practices.

WordPress-powered sites backdoored after FishPig suffers supply chain attack
2022-09-15 02:12

Infosec outfit Sansec raised the alarm this week that FishPig's software was acting weird: when a deployment's control panel was visited by a logged-in Magento staff user, the code would automatically fetch and run from FishPig's back-end systems a Linux binary that turned out to be Rekoobe. Free versions of FishPig modules available on GitHub were likely clean.

Attackers mount Magento supply chain attack by compromising FishPig extensions
2022-09-14 13:01

FishPig, a UK-based company developing extensions for the popular Magento open-source e-commerce platform, has announced that its paid software offerings have been injected with malware after its distribution server was compromised. How the attackers compromised the FishPig extensions.

Hackers breach software vendor for Magento supply-chain attacks
2022-09-13 15:21

Hackers have injected malware in multiple extensions from FishPig, a vendor of Magento-WordPress integrations that count over 200,000 downloads. The intruders took control of FishPig's server infrastructure and added malicious code to the vendor's software to gain access to websites using the products, in what is described as a supply-chain attack.

Government guide for supply chain security: The good, the bad and the ugly
2022-09-06 04:00

Just as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.'s most prestigious security agencies dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers. My first reaction was that it's great to see these agencies adding to the public discourse in these still heady days where we're all sorting out software supply chain security best practices.

Supply chain risk is a top security priority as confidence in partners wanes
2022-09-05 03:30

As cyber attackers increasingly look to capitalize on accelerating digitalization that has seen many enterprises significantly increase their reliance on cloud-based solutions and services as well as third-party service providers, software supply chain risk has become a major concern of organizations. Seventy-nine percent of security professionals responding to a recent survey conducted by the Neustar International Security Council indicated that their organization's reliance on cloud-based solutions has increased from pre-pandemic levels, with 48% saying their reliance has "Greatly increased." Similarly, 78% said their reliance on cloud-based services has increased, and 66% reported that their reliance on third-party services providers has increased.

NSA and CISA share tips to secure the software supply chain
2022-09-01 15:21

The U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency have released tips today on securing the software supply chain. "Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said.

Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks
2022-08-31 05:42

Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 to secure the ecosystem from supply chain attacks. Called the Open Source Software Vulnerability Rewards Program, the offering is one of the first open source-specific vulnerability programs.

How vulnerable supply chains threaten cloud security
2022-08-22 03:00

Organizations are struggling to sufficiently secure new cloud environments implemented during the pandemic, while maintaining legacy equipment and trying to adapt their overall security strategy to the evolving landscape, according to a Proofpoint study released in collaboration with The Cloud Security Alliance reveals. "In the wake of COVID-19, organizations substantially accelerated their digital transformation initiatives to accommodate a remote workforce." said Hillary Baron, lead author and research analyst at CSA, the world's leading organization in defining standards, certifications, and best practices to help ensure a secure cloud computing environment.

How to minimize your exposure to supply chain attacks
2022-08-03 04:00

Supply chain attacks are on the rise, and many organizations seem unsure on how to respond to the threat, but I'm here to tell you that there are several steps you can take to minimize your risk of being involved in a supply chain breach. To minimize any unknowns, start with a full audit of your IT environment, including any unapproved shadow IT. You need to understand exactly what hardware, software and SaaS products are being used, where the security gaps lie, and which vendors and partners your business relies on - including the nature of those interactions, from the types of data they process to system interfaces and various levels of integration.