GitHub will mandate 2FA to help secure the software supply chain

GitHub will require all users who contribute code on the platform to use 2FA as part of its latest security improvements.

Attacks on the software supply chain are on the increase. GitHub, which has over 83 million code-contributing users, is stepping up to the plate to protect developers and the software supply chain with this major policy change announcement.

“At GitHub, we believe that our unique position as the home for all developers grants us both an opportunity...

4 May 2022 | Git

Five Eyes alliance lists 2021’s top vulnerabilities

A cybersecurity advisory issued by members of the ‘Five Eyes’ intelligence alliance lists the most-exploited vulnerabilities of 2021.

The Five Eyes consists of the US, UK, Canada, Australia, and New Zealand. Over recent weeks, cybersecurity authorities from the normally secretive alliance have issued a number of joint statements amid increasing global threats.

According to the alliance, here were the top 15 “routinely exploited” vulnerabilities in...

28 April 2022 | Hacking & Security

Google’s Project Zero found over twice as many exploits in 2021

Project Zero, Google’s in-house team of experts tasked with finding zero-day exploits, reports that it found over twice as many in 2021.

According to the team’s annual report, it found a record 58 zero-day exploits in 2021. That’s over double the 25 it detected in 2020 and the previous record of 28 detected in 2015.

(Credit: Google)

While such a large uptick may cause alarm, Google puts a positive spin on the news.

“We believe the large...

20 April 2022 | Hacking & Security

GitHub notifies victims of OAuth token theft

GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and...

19 April 2022 | Git

80% of Spring framework downloads are exploitable versions

Data from Sonatype suggests that 80 percent of weekly Spring framework downloads are still exploitable versions.

Spring is a mighty popular framework—often ranking in the top three most-used Java frameworks. That’s why the Java developer community was shaken when a vulnerability named Spring4Shell (CVE-2022-22965) was leaked by a security researcher ahead of an official CVE publication.

Spring4Shell allows unauthenticated remote code execution. This week, the US...

5 April 2022 | Frameworks

Spring4Shell vulnerability could have ‘a larger impact’ than Log4j

A newly-discovered zero-day vulnerability known as Spring4Shell could have “a larger impact” than Log4j.

Log4j made waves in recent months as the vulnerability in the popular open-source logging library enabled attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

However, attention is now shifting to the Spring4Shell exploit.

Spring4Shell is a zero-day remote code execution (RCE)...

31 March 2022 | Frameworks

Large-scale supply chain attack used 218 malicious NPM packages

A large-scale supply chain attack has been uncovered that used 218 malicious NPM packages.

Researchers from JFrog claim that several of their automated analysers started throwing up alerts regarding a set of packages in the npm registry earlier this week.

Over a few days, the number of packages swelled from around 50 packages to more than 200 (as of March 21st).

The researchers manually analysed the packages and found that it was a targeted attack against the...

24 March 2022 | Hacking & Security

GitHub Advisory Database now accepts community contributions

GitHub is opening its Advisory Database to community contributions to help further secure software supply chains.

One vulnerability can have a devastating “domino effect” on software across the globe. With the use of open-source increasing, so does the threat of a vast amount of software being compromised.

GitHub launched its Advisory Database almost two years ago. As the largest database of vulnerabilities in software dependencies in the world, it’s become an...

22 February 2022 | Hacking & Security

State of Software Security v12: Don’t become complacent, but we’ve come a long way

Veracode’s latest State of Software Security report highlights that applications are, on average, more secure than ever.

Getting the negatives out the way first, the report warns about the devastating “domino effect” that one vulnerability can have on software across the globe.

One clear example of this in action was the SolarWinds attack in which hackers inserted malicious code into the company’s Orion software. Every company and organisation using Orion was...

8 February 2022 | Developer

Rust vulnerability enables attackers to delete files and directories

Maintainers of the Rust programming language have warned of a critical vulnerability that enables attackers to delete files and directories.

In a security advisory, the Rust Security Response Working Group wrote:

“The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363).

An attacker could use this security issue to trick a privileged program into...

24 January 2022 | Hacking & Security