#software-supply-chain-security

Information security
from The Hacker News
48 minutes ago

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

GlassWorm campaign escalates by using extension dependencies to turn benign-looking packages into malware delivery vehicles after establishing user trust.
Information security
from InfoQ
4 days ago

GitLab Suggests AI Can Detect Vulnerabilities But it's AI Governance that Determines Risk

AI accelerates vulnerability detection, but effective risk management requires governance frameworks, clear accountability, and policy-based enforcement mechanisms beyond detection alone.
Information security
from Techzine Global
4 days ago

When is an SBOM not an SBOM? CISA's Minimum Elements

CISA's new SBOM Minimum Elements establish baseline standards for software supply chain security, while EU regulations legally mandate SBOMs, creating a global baseline that organizations must meet to remain competitive.
Software development
from DevOps.com
1 week ago

Sonar Unfurls Framework for Managing DevOps Workflows in the Age of AI - DevOps.com

Sonar launched the Agent Centric Development Cycle framework to modernize continuous integration for AI-driven coding with enhanced security and governance tools.
from DevOps.com
1 week ago

Chainguard Expands Repository to Add More Secure Open Source Libraries - DevOps.com

Chainguard has rebuilt nearly one million unique versions of Java dependencies, including enterprise essentials such as Spring Boot, Jackson, Apache Commons, and Log4j, using the Chainguard Factory, an automated platform for creating software builds based on code originally found in open source software repositories.
Information security
from Techzine Global
2 weeks ago

What's wrong (and right) with AI coding agents

This is a state where we see that the teams that move fastest will be the ones with clear tests, tight review policies, automated enforcement and reliable merge paths. Those guardrails are what make AI useful. If your systems can automatically catch mistakes, enforce standards, and prove what changed and why, then you can safely let agents do the heavy lifting. If not, you're just accelerating risk,
Software development
from InfoWorld
1 month ago

GitLab devsecops survey finds progress, new priorities

Results of the survey, conducted in April, have been compiled into GitLab's 2024 Global DevSecOps Report, which was announced June 25. Among the findings, 78% of respondents said they are currently using AI in software development or plan to in the next two years, an increase from 64% of respondents who said they were using or planning to use AI in development last year.
Software development
from InfoWorld
1 month ago

GitHub Artifact Attestations sign and verify software artifacts

Artifact Attestations in GitHub Actions is now generally available to secure artifacts and verify provenance using Sigstore, Kubernetes Policy Controller, and gh attestation verify.
from Nextgov.com
2 months ago

The cyberwarfare landscape is changing - here's how to prepare

Even incidents like the Colonial Pipeline ransomware attack, which showed us how the cyber world and our physical lives intersect, stopped far short of societal disruption. However, the threat of cyberwar has been building, influenced by advancements in AI and increased presence of actors in U.S. systems and telecommunication networks. A military conflict could escalate these attacks to scale, crippling critical infrastructure and public safety systems like power grids, transportation networks and emergency response, even disrupting military communications and undermining response.
Information security
from ZDNET
2 months ago

Did maintainers abandon your critical open-source tool? This rescue plan offers a lifeline

EmeritOSS provides stability-focused maintenance and security patches for mature, unmaintained open-source projects like Kaniko, Kubeapps, and Ingress-NGINX.
from Techzine Global
3 months ago

The rise (and fall?) of shadow AI

As software application development teams now start to embrace an increasing number of automation tools to provide AI-driven (or at least AI-assisted) coding functions in their codebases, a Newtonian equal and opposite reaction is also surfacing in the shape of governance controls and guardrails to keep AI injections in check as these technologies now surface in the software supply chain.
Information security
from WIRED
5 months ago

'Happy Gilmore' Producer Buys Spyware Maker NSO Group

North Korean operatives are posing as architecture professionals using fake profiles, résumés, and Social Security numbers to infiltrate US companies.
Software development
from InfoQ
5 months ago

The Hidden Vulnerability of The Open Source Software Supply Chain: The Underlying Infrastructure

Brian Fox, Sonatype CTO and open source leader, guided Maven governance, OpenSSF/FINOS efforts, and advised governments on cyber resiliency including the EU Cyber Resilience Act.
from The Hacker News
10 months ago

Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times

At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library; however, the package concealed a fully functional remote access trojan (RAT).
Python