In response to the recent supply chain attack in the JavaScript package manager npm, GitHub has made a few changes that will enable stronger security. The attack on the npm ecosystem was caused by a worm, named Shai-Hulud, that infects and republishes other packages with its malware to spread it across the npm ecosystem. “By … continue reading
Digital.ai has created a new product that will make white-box cryptography accessible to all developers, not just cryptography experts. White-box cryptography is a technique that adds cryptographic protections directly into application code, making it hard for attackers to obtain secret information, like cryptographic keys. Digital.ai’s White-box Cryptography Agent provides access to a white-box cryptography library … continue reading
Android will soon require app developers to go through an identity verification process before their apps can be installed on users’ devices—regardless of whether the apps are downloaded through the Play Store or sideloaded. “Think of it like an ID check at the airport, which confirms a traveler’s identity but is separate from the security … continue reading
Tenable is updating its Vulnerability Priority Rating (VPR) method of scoring vulnerabilities to enable organizations to focus their efforts on the most critical and impactful vulnerabilities. According to the company, Common Vulnerability Scoring System (CVSS), which is used by the CVE database, flags 60% of vulnerabilities as high or critical. When Tenable VPR was launched … continue reading
Google is hoping to improve public trust in open source projects with the launch of a new open source project called OSS Rebuild that reproduces upstream artifacts and compares the new package with the original artifact. According to Google, this process enables customers to verify a package’s origin, understand and repeat its build process, and … continue reading
Azul has announced an update to its Vulnerability Detection solution that promises to reduce false positives in Java vulnerability detection by up to 99% by only flagging vulnerabilities in code paths that are actually used. According to Azul, typical scanners scan JAR files for components by name, rather than what the JVM actually loads. Erik … continue reading
Earlier this month, the Certification Authority (CA)/Browser Forum voted to significantly shorten the lifetime of TLS certificates: from 398 days currently to 47 days by March 15, 2029. The CA/Browser Forum is a collective of certificate issuers, browsers, and other applications that use certificates, and they’ve long been discussing the potential for shorter certificate lifetimes. As … continue reading
Harness has announced a new offering to help developers secure their cloud-native applications and APIs, the first major update to feature Traceable’s technology since the companies merged earlier this year. Traceable Cloud Web Application and API Protection (WAAP) provides web application protection, API security, bot mitigation, and DDoS defense. According to Sudhir Patamsetti, senior director … continue reading
Snyk has announced a new dynamic application security testing (DAST) solution designed specifically for AI-powered software development. Snyk API & Web allows developers to test the security of all of their APIs and web apps, regardless of whether the code was written by a developer or by AI. It also provides detailed recommendations on how to … continue reading
Symbiotic Security is releasing a new tool that will enable automatic detection and remediation of vulnerabilities in code. Embedded directly into a developer’s IDE, Symbiotic Security Version 1 utilizes an AI model that was trained on a “proprietary, security-specific, and verified dataset.” In addition to detecting and remediating issues, it also features a built-in chatbot … continue reading
The fate of the CVE Program—a database that catalogs publicly disclosed security vulnerabilities—was unknown over the past 24 hours. Yesterday, it was leaked that the maintainer of the CVE Program, MITRE, sent a letter to CVE board members, saying that funding for the CVE program was set to expire today, April 16. “If a break … continue reading
Orca Security has announced a new integration that will enable it to scan Bitbucket repositories for misconfigurations, exposed secrets, and vulnerabilities. According to Orca Security, code scanning is an important element of any security program, and when developers utilize public code repositories, they typically have to manually embed CLI security tools into each repository and … continue reading