Security Vulnerabilities Content on InfoQ
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
Celebrity Vulnerabilities: Effective Response to Critical Production Threats
Alyssa Miller, chief information security officer of EpiqGlobal, presented at QCon London about the lessons learned from three major open-source security events, the Equifax breach via Struts, the Log4j vulnerabilities, and the Spring4Shell exploit.
-
Cross-Industry Report Identifies Top 10 Open-Source Software Risks
Promoted by Endor Labs and featuring contributions from over 20 industry experts, the new Endor Labs Station 9 report identifies the top operational and security risks in open-source software.
-
GitHub Enhances CodeQL, Extends Language Support, Available Queries, and More
After adding support for Ruby at GitHub Universe 2022, CodeQL introduced Kotlin support in beta. Additionally, support for other languages has been extended to include more recent versions. GitHub has also extended available queries to fully cover several industry-wide vulnerability directories, and improved the CodeQL ecosystem.
-
Sonatype BOM Doctor Evaluates and Helps Patch Java Software Bills of Materials
BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.
-
AWS Patches Undocumented APIs Bypassing CloudTrail Event Logging
AWS recently patched undocumented IAM APIs that bypassed CloudTrail logging. The vulnerability allowed a malicious user to perform reconnaissance activities on IAM without recording events in CloudTrail or being detected by Amazon GuardDuty.
-
Git 2.39.1 Fixes Two Critical Remote Code Execution Vulnerabilities
Two vulnerabilities affecting Git's commit log formatting and .gitattributes parsing in Git versions up to and including Git 2.39 have been recently patched. Both may lead to remote code execution, so users are required to upgrade immediately to Git 2.39.1.
-
Unskilled Cybercriminals May Be Leveraging ChatGPT to Create Malware
In a recent report, Israeli cybersecurity company Check Point warned that cybercriminals are already using ChatGPT to develop malicious programs on the Dark Web. According to Check Point, ChatGPT makes it possible for even unskilled threat actors to create functioning malware.
-
Google Releases Open-Source Vulnerability Scanning Tool
Google has released OSV-Scanner, an open-source front-end interface to the Open Source Vulnerability (OSV) database. The OSV database is a distributed, open-source database that stores vulnerability information in the OSV format. OSV-Scanner assesses a project's dependencies against the OSV database, showing all vulnerabilities relating to the project.
-
Critical Vulnerability in VM2 Sandbox Found Affecting Spotify Portal Platform Backstage
Spotify Backstage, an open-source platform used to build developer portals and in use at a number of large companies, has been found vulnerable to a critical remote code execution vulnerability. Confirming that most vulnerabilities are found in indirect dependencies, the Backstage vulnerability is enabled by another vulnerability found in its JavaScript VM2 sandbox dependency.
-
OpenSSL Hit by Two High Severity Vulnerabilities, Recently Patched
Introduced in OpenSSL 3.0 in September 2021 and affecting all successive versions up to and including OpenSSL 3.0.6, the two recently patched vulnerabilities are caused by buffer overruns in X.509 certificate verification.
-
Azul Joins the Effort of Improving Supply Chain Security by Launching Vulnerability Detection SaaS
November 2nd: Azul released a new security product intended to address the increased risk of enterprise software supply chain attacks, compounded by severe threats such as Log4Shell. Azul Vulnerability Detection is a new SaaS that continuously detects known security vulnerabilities in Java applications. In addition, Azul promises that it does not affect the application’s performance.
-
Two New Git Vulnerabilities Affecting Local Clones and Git Shell Patched
Two Git vulnerabilities affecting local clones and git shell interactive mode in version 2.38 and older have been recently patched.
-
Cloud Security Posture Management Now Available in Vulnerability Scanner Trivy
The open source vulnerability scanner Trivy has been recently extended to support cloud security posture management (CSPM) capabilities. While initially available only for AWS, Trivy will soon get support for other cloud providers, says Aqua Security.
-
Machine Learning Systems Vulnerable to Specific Attacks
The growing number of organizations creating and deploying machine learning solutions raises concerns as to their intrinsic security, argues the NCC Group in a recent whitepaper (Practical Attacks on Machine Learning Systems).