Security News
The bug, tracked as CVE-2022-29176, could have allowed attackers to remove (yank) a package that wasn't theirs and then replace it with a modified version of their own. The RubyGems security bulletin notes that package owners receive an automatic email notification whenever one of their packages is yanked or published, yet no support tickets were ever received reporting peculiar or unexpected changes of this sort.
The National Institute of Standards and Technology has updated its guidance document for helping organizations identify, assess and respond to cybersecurity risks throughout the supply chain. "The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it," NIST notes.
The National Institute of Standards and Technology has released updated guidance on securing the supply chain against cyberattacks. Since 2020, NIST has released two draft documents on how the enterprise can better defend itself from supply-chain attacks.
The National Institute of Standards and Technology on Thursday released updated cybersecurity guidance for managing risks in the supply chain, which increasingly emerges as a lucrative attack vector. The new document outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.
Russian president Vladimir Putin has authorized retaliatory sanctions against individuals and organizations that have taken action over the illegal invasion of Ukraine. An executive order issued on Tuesday explains that Russia will implement reprisals against states and international organizations that have acted against Russian interests in the wake of the invasion.
Early in April 2022, news broke that various users of Microsoft's GitHub platform had suffered unauthorised access to their private source code. GitHub, if you've never used it, is a cloud-based source code control system, best known for hosting the public repositories of many open source software projects.
Ivanti Wavelink announced the results of a joint survey with VDC Research regarding the state of industrial supply chain operations and the adoption of Industrial Internet of Things solutions. For industrial organizations, IIoT platforms offer significant promise to unlock new business models, deliver improved customer experiences, address the disruptive impact of downtime, and ultimately provide greater operational resilience.
Today we're seeing another massive security challenge ahead for developers, where nothing is easy or automatic: software supply-chain security. Dan Lorenc met Chainguard co-founder Kim Lewandowski at Google, and they have both been approaching the software supply chain security problem through a series of open source projects that they co-created and co-maintain.
In this video for Help Net Security, Donald Fischer, CEO at Tidelift, talks about the state of open-source software supply chain security in 2022. Open source is the modern application development platform and is becoming an indispensable part of the software development process for organizations of all sizes.
New research from the NCC Group illustrates that the number of cyberattacks on supply chains increased by over half during the period from July to December of 2021. The study, which surveyed 1,400 cybersecurity decision makers, found that 36% said that they are more responsible than their suppliers for preventing, detecting and resolving supply chain attacks.