Security News

Week in review: PHP supply chain attack, common zero trust traps, hardening CI/CD pipelines
2021-04-04 07:55

Attackers tried to insert backdoor into PHP source code: The PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. The growing threat to CI/CD pipelines: By hardening CI/CD pipelines and addressing security early in the development process, developers can deliver software faster and more securely.

After Hack, Officials Draw Attention to Supply Chain Threats
2021-04-01 18:35

The U.S. government is working to draw attention to supply chain vulnerabilities, an issue that received particular attention late last year after suspected Russian hackers gained access to federal agencies and private corporations by sneaking malicious code into widely used software. The NCSC said it is working with other agencies, including the Cybersecurity and Infrastructure Security Agency, to raise awareness of the supply chain issue.

PHP web language narrowly avoids “backdoor” supply chain attack
2021-03-30 18:30

Open source web programming language PHP narrowly avoided a potentially dangerous supply chain attack over the weekend. In theory, anyone who downloaded the very latest "still in development" version of PHP on Sunday 2021-03-28, compiled it, and installed it on a real-life, internet-facing web server could have been at risk.

Accellion Supply Chain Hack
2021-03-23 11:32

A vulnerability in the Accellion file-transfer program is being used by criminal groups to hack networks worldwide. There's much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software.

Accenture and Ripjar partner with Shell to enhance supply chain risk screening using AI
2021-03-23 01:15

Accenture and Ripjar are collaborating with Royal Dutch Shell to further enhance risk screening within its global supply chain using artificial intelligence. Shell is leveraging Accenture's industry experience and risk expertise to configure Ripjar's AI technology for analysis of its supply chain.

New XcodeSpy malware targets iOS devs in supply-chain attack
2021-03-18 14:47

A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer. Threat actors are increasingly creating malicious versions of popular projects, hoping that they are included in other developers' applications.

Mimecast bins SolarWinds and compromised servers alike in wake of supply chain hack
2021-03-17 18:30

Email security biz Mimecast has dumped SolarWinds' network monitoring tool in favour of Cisco's Netflow product after falling victim to the infamous December supply chain attack. In an incident report detailing its experiences of the SolarWinds compromise, Mimecast said it had "Decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system".

TIA publishes process-based supply chain security standard for the ICT industry
2021-03-15 23:15

The Telecommunications Industry Association published a new white paper on SCS 9001, the first process-based supply chain security standard for the information and communications technology industry. With sophisticated supply chain cyberattacks on the rise, SCS 9001 is on an accelerated schedule to address the urgent need for an ICT-specific standard for global supply chain security.

A new Linux Foundation open source signing tool could make secure software supply chains universal
2021-03-11 15:13

Sigstore could eliminate the headaches associated with current software signing technology through public ledgers. The Linux Foundation, in partnership with Red Hat, Google and Purdue University, has announced a new digital signing project, potentially eliminating many of the headaches that come with securing open source software, files, images and binaries.

Intel to Speak at SecurityWeek Supply Chain Security Summit on March 10th
2021-03-09 14:37

Join Intel on Wednesday, March 10, at SecurityWeek's Supply Chain Security Summit, where industry leaders will examine the current state of supply chain attacks. Hear Intel's experts discuss the need for transparency and integrity across the complete product lifecycle, from build to retire.