Security News

Google has a plan - and a new product plus a partnership with developer-focused security shop Snyk - that attempts to make it easier for enterprises to secure their open source software dependencies. They have corresponding enriched metadata incorporating Container/Artifact Analysis data and are built with Cloud Build, which verifies the code complies with SLSA - this is Google's framework for ensuring the integrity of software artifacts throughout the software supply chain.

Drafted by the Health Information Management Working Group, the report provides best practices that healthcare delivery organizations can use to manage the cybersecurity risks associated with their supply chains. HDOs face risks from many different types of supply chain vendors, everything from food suppliers, software providers, medical devices, pharmaceuticals, and day-to-day medical supplies.

Employees in the digital transformation age are now compelled to choose their best-of-breed applications, independently adopting and connecting SaaS applications, no/low code platforms like Workato and Zapier, and SaaS marketplace third-party apps in order to increase productivity, creating a convoluted web of ever-growing app-to-app integrations. These solutions provided value for their original purpose, but the SaaS-to-SaaS supply chain today thrives on application integration, non-human identities and app-to-app connectivity - leaving out the human element in order to streamline and automate work processes.

Miscreants are targeting managed service providers to break into their customers' networks and deploy ransomware, steal data, and spy on them, the Five Eyes nations' cybersecurity authorities have formally warned in a joint security alert. These types of supply-chain or "Island-hopping" attacks can prove very lucrative for cybercriminals because once they break into an MSP, they gain access to all of the customers' networks and data being managed, and in turn commit computer crimes and fraud against those customers' customers.

Cybersecurity researchers have discovered a number of malicious packages in the NPM registry specifically targeting a number of prominent companies based in Germany to carry out supply chain attacks. "Compared with most malware found in the NPM repository, this payload seems particularly dangerous: a highly-sophisticated, obfuscated piece of malware that acts as a backdoor and allows the attacker to take total control over the infected machine," researchers from JFrog said in a new report.

The bug, dubbed CVE-2022-29176, could have allowed attackers to remove a package that wasn't theirs, and then to replace it with modified version of their own. The RubyGems security bulletin notes that package owners receive an automatic email notification whenever a package of theirs is yanked or published, yet no support tickets were ever received to report peculiar and unexpected changes of this sort.

The National Institute of Standards and Technology has updated its guidance document for helping organizations identify, assess and respond to cybersecurity risks throughout the supply chain. "The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks. Because cybersecurity risks can arise at any point in the life cycle or any link in the supply chain, the guidance now considers potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it," NIST notes.

The National Institute of Standards and Technology has released updated guidance on securing the supply chain against cyberattacks. Since 2020, NIST has released two draft documents on how the enterprise can better defend itself from supply-chain attacks.

The National Institute of Standards and Technology on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector. The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.

Russian president Vladimir Putin has authorized retaliatory sanctions against individuals and organizations that have taken action over the illegal invasion of Ukraine. An executive order issued on Tuesday explains that Russia will implement reprisals against states and international organizations that have acted against Russian interests in the wake of the invasion.