Security News

Tech pros have low confidence in supply chain security
2022-06-06 04:00

Tech pros have low confidence in supply chain security. Security threats have heightened the supply chain challenges enterprises have faced over the past two years, and a new ISACA survey report finds only 44% of IT professionals surveyed have high confidence in the security of their organization's supply chain.

Majority of CIOs say their software supply chains are vulnerable, execs demand action
2022-06-02 19:57

Majority of CIOs say their software supply chains are vulnerable, execs demand action. A new survey of 1,000 CIOs conducted by Venafi shows that over 80% said their organizations are vulnerable to cyberattacks targeting software supply chains.

CIOs largely believe their software supply chain is vulnerable
2022-05-31 13:00

Ask 1,000 CIOs whether they believe their organizations are vulnerable to cyberattacks targeting their software supply chains and about 82 percent can be expected to say yes. "The results show that while CIOs understand the risk of these types of attacks, they have yet to grasp the fundamental organizational changes and new security controls they will need to incorporate into their security posture to reduce the risk of supply chain attacks that can be devastating to themselves and their customers," says Venafi's report, which was released on Tuesday.

Sigstore: Signature verification for protection against supply chain attacks
2022-05-26 05:00

Software supply chain attacks have been increasing over the past few years, spurring the Biden administration to release an executive order detailing what government agencies are supposed to do to protect themselves against them. These attacks consist of several different types of threats, but the result is always the same: attackers gaining access to run code on your infrastructure or to tamper with the code that you're using in production.

Researchers Uncover Rust Supply Chain Attack Targeting Cloud CI Pipelines
2022-05-20 20:11

A software supply chain attack has been observed in the Rust programming language's crate registry: it leveraged typosquatting (publishing a package whose name is a near-miss of a legitimate one) to push a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."
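The typosquatting pattern behind this item is something a build pipeline can check for itself. The following is an added example, not code from the page or from SentinelOne's report: it parses the `name = "..."` entries of a Cargo.lock, normalizes hyphens and underscores the way crates.io does, and flags any dependency that is not on an approved list but sits within a couple of edits of an approved name. The approved-crate list and the Cargo.lock excerpt are constructed for illustration; in practice the list would be your organization's own curated set of crates.

```python
"""Edit-distance typosquat check over a Rust dependency lock file.

Added example: not code from the page or from SentinelOne. The allow-list and
the Cargo.lock excerpt below are constructed for illustration (assumption); a
real run would read the project's own Cargo.lock and an approved-crate list.
"""
import re


# Constructed allow-list of approved / well-known crate names (assumption).
KNOWN_CRATES = {"serde", "serde_json", "tokio", "rand", "rust_decimal",
                "reqwest", "hyper", "clap"}

# Constructed Cargo.lock excerpt: two look-alike names, plus one legitimate
# hyphen/underscore variant that must NOT be flagged.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.137"

[[package]]
name = "tokoi"
version = "1.18.2"

[[package]]
name = "rust-decimal"
version = "1.23.1"

[[package]]
name = "clapp"
version = "3.1.18"
"""


def normalize(name: str) -> str:
    """crates.io treats '-' and '_' as the same character in crate names."""
    return name.lower().replace("-", "_")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def parse_cargo_lock(text: str) -> list[str]:
    """Return every `name = "..."` value from a Cargo.lock, in file order."""
    return re.findall(r'^name = "([^"]+)"', text, flags=re.MULTILINE)


def find_typosquats(names, known, max_distance=2):
    """Return (dependency, closest_known, distance) for every name that is not
    an approved crate but lies within max_distance edits of one."""
    known_norm = {normalize(k): k for k in known}
    hits = []
    for name in names:
        norm = normalize(name)
        if norm in known_norm:
            continue  # exact match after normalization: approved, not a squat
        closest = min(known_norm, key=lambda k: levenshtein(norm, k))
        dist = levenshtein(norm, closest)
        if dist <= max_distance:
            hits.append((name, known_norm[closest], dist))
    return hits


if __name__ == "__main__":
    deps = parse_cargo_lock(SAMPLE_CARGO_LOCK)
    for dep, near, d in find_typosquats(deps, KNOWN_CRATES):
        print(f"review: {dep!r} is {d} edit(s) from approved crate {near!r}")
```

A hit from this check is a prompt for human review, not proof of malice: unrelated legitimate crates can sit one or two edits apart, so the useful signal is "near an approved name but not itself approved", and the threshold should be kept small to limit noise.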

Google assuring open source code to secure software supply chains
2022-05-17 16:00

Google has a plan - a new product plus a partnership with developer-focused security shop Snyk - that attempts to make it easier for enterprises to secure their open source software dependencies. The dependencies it offers carry enriched metadata incorporating Container/Artifact Analysis data and are built with Cloud Build, which verifies that the build complies with SLSA, Google's framework for ensuring the integrity of software artifacts throughout the software supply chain.

Best practices for healthcare delivery organizations to manage supply chain cybersecurity risks
2022-05-17 03:00

Drafted by the Health Information Management Working Group, the report provides best practices that healthcare delivery organizations (HDOs) can use to manage the cybersecurity risks associated with their supply chains. HDOs face risks from many different types of supply chain vendors, from food suppliers, software providers, medical device makers and pharmaceutical companies to suppliers of day-to-day medical supplies.

The SaaS-to-SaaS supply chain is a wild, wild mess
2022-05-13 04:30

Employees in the digital transformation age are now compelled to choose their own best-of-breed applications, independently adopting and connecting SaaS applications, no/low-code platforms like Workato and Zapier, and third-party apps from SaaS marketplaces in order to increase productivity. The result is a convoluted and ever-growing web of app-to-app integrations. Each of these tools provided value for its original purpose, but the SaaS-to-SaaS supply chain today runs on application integration, non-human identities and app-to-app connectivity, deliberately leaving the human element out in order to streamline and automate work processes.

Five Eyes turn spotlight on MSPs: Potential weak links in IT supply-chain security
2022-05-11 21:44

Miscreants are targeting managed service providers to break into their customers' networks and deploy ransomware, steal data, and spy on them, the Five Eyes nations' cybersecurity authorities have formally warned in a joint security alert. These types of supply-chain or "Island-hopping" attacks can prove very lucrative for cybercriminals because once they break into an MSP, they gain access to all of the customers' networks and data being managed, and in turn commit computer crimes and fraud against those customers' customers.

Malicious NPM Packages Target German Companies in Supply Chain Attack
2022-05-11 18:28

Cybersecurity researchers have discovered a number of malicious packages in the NPM registry that specifically target prominent companies based in Germany in order to carry out supply chain attacks. "Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers from JFrog said in a new report.