Advertise

Application Security

10/6/2020
10:15 AM

Curtis Franklin Jr.
Slideshows

1 Comment
Comment Now

6 Best Practices for Using Open Source Software Safely

Open source software is critical yet potentially dangerous. Here are ways to minimize the risk.

4 of 7

Use Automation

The need for speed in DevOps and agile can run into the limitations of smaller security headcount. Automation can be the "bumper" that allows the two competing realities to co-exist.

Automation is recognized as critical for open source security at many different levels. GitHub, for example, has launched Dependabot as a tool to monitor dependencies (applets, pieces of code, or libraries used inside another application) and ensure the code used in a project is the most recent version. Similar tools are available for both developer and operational uses within the enterprise.

As anyone who has lived through Patch Tuesday can attest, the automated update scan process can lead to unintended consequences. Properly deployed security, orchestration, automation, and response (SOAR) tools can go a long way toward minimizing the risks of updating while maximizing the benefits of up-to-date code. Both the consequences and benefits are why it's important to include automation tools as part of an overall software supply chain security program, rather than expecting to turn on the tools and walk away.

(Image: sdecoret VIA Adobe Stock)

4 of 7

Comment |

Email This |

Print |

RSS

Comments

Newest First | Oldest First | Threaded View

[close this box]

50%

linnovate,
User Rank: Apprentice
10/7/2020 | 6:32:04 AM

Additional safety suggestion

It is true, things can quickly get overwhelming in open-source. Ultimately it comes down to trusting the developers, open communication, and having a great teamwork ethic, working collaboratively together. The one thing I would add is knowing who the contributors are.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

How to Better Secure Your Microsoft 365 Environment

Kelly Sheridan, Staff Editor, Dark Reading, 1/25/2021

Many Cybersecurity Job Candidates Are Subpar, While On-the-Job Training Falls Short

Robert Lemos, Contributing Writer, 1/27/2021

Attackers Leave Stolen Credentials Searchable on Google

Kelly Sheridan, Staff Editor, Dark Reading, 1/21/2021

Webinars

What We Can Learn from Sports Analytics

Protecting Your Enterprise's Intellectual Property

Building the SOC of the Future: Next-Generation Security Operations

Webinar Archives

White Papers

A Technical Deep Dive on Software Exploits

Eliminate East-West Traffic Hair-Pinning

The Dark Side of SD-WAN

The Essential Guide to Securing Remote Access

2020 Gartner Market Guide for Network Detection & Response

More White Papers

Cartoon Contest

Write a Caption, Win an Amazon Gift Card! Click Here

Latest Comment: This comment is waiting for review by our moderators.

Cartoon Archive

Current Issue

2020: The Year in Security

Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Assessing Cybersecurity Risk in Today's Enterprises

COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.

Download Now!

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

Building an Effective Cybersecurity Incident Response Team

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-3331
PUBLISHED: 2021-01-27

WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)

CVE-2021-3326
PUBLISHED: 2021-01-27

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

CVE-2021-22641
PUBLISHED: 2021-01-27

A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).

CVE-2021-22653
PUBLISHED: 2021-01-27

Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).

CVE-2021-22655
PUBLISHED: 2021-01-27

Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]