Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How Hackers Infiltrate Open Source Projects
Newest First  |  Oldest First  |  Threaded View
tdsan
tdsan,
User Rank: Ninja
6/30/2019 | 8:47:07 AM
Re: Guidelines to updating software
Then there needs to be a filtering or application scrubbing mechanism that catches these items, in addition, just as the article states, there needs to be more eyes on this practice where the line of code goes through a check (similar to way AV functions where it looks for potential threats in the line of code).
https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Click on the link, this provides a list of tools, some are free to the public. One scrubbing center I can think of is Akamai, F5 and Radware.

Todd
RyanSepe
RyanSepe,
User Rank: Ninja
6/30/2019 | 8:31:57 AM
Re: Guidelines to updating software
Very true Todd. And yet I know many app developers that openly admit to using open-source libraries to develop their code. Why recreate the wheel? The big problem there is that the libraries could be harboring malicious code and then you've given the threat actor inside access into your environment.
tdsan
tdsan,
User Rank: Ninja
6/29/2019 | 12:18:50 AM
Guidelines to updating software
And upon left-pad's un-publishing, those thousands upon thousands of applications stopped working.

This statement is the reason why open-source projects are installed with some level of caution. There are a few steps we take before installing it on production systems:
  • Create a test environment where the code is installed on a VM or container (1 to 1 relatoinship with product)
  • We test the software update and patch to ensure the system comes up after a reboot
  • Implement a PIT (Point-in-Time) copy process to roleback the application
  • Install different versions on test environments to ensure the patch works (utilize VMware thinapp or other application virtualization tools)
  • Schedule a time and review app information on a regular basis
  • Test the application by using an automated process

Todd


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2289
PUBLISHED: 2022-07-03
Use After Free in GitHub repository vim/vim prior to 9.0.
CVE-2022-2288
PUBLISHED: 2022-07-03
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
CVE-2022-2290
PUBLISHED: 2022-07-03
Cross-site Scripting (XSS) - Reflected in GitHub repository zadam/trilium prior to 0.52.4, 0.53.1-beta.
CVE-2022-2287
PUBLISHED: 2022-07-02
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVE-2022-34911
PUBLISHED: 2022-07-02
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the usern...