While the open-source ecosystem continues to make progress on securing the production of widely used components, developers need better tools and a security culture to benefit.
Multiple studies have found that generative neural networks that produce code also reproduce security vulnerabilities in their datasets.
The “S” in HTTPS stands for “secure,” but a newly disclosed pair of software flaws in one of the most popular open-source cryptographic libraries shows that assurance can come with a caveat.
Vulnerabilities in nigh-ubiquitous apps like Zoom, Microsoft Teams and Slack, combined with the behavioral changes that accompanied many people’s unexpected move to remote work, have had an outsized impact on security.
Verifying users based on their fingerprints, irises or some other biological measurement could backfire for Big Tech if companies fail to heed cybersecurity threats.
In its first-ever report for the Department of Homeland Security, a group of top government and industry cyber experts said the Log4j vulnerability triggered “one of the most intensive cybersecurity community responses in history” last December — and it’s far from over.
Recent cyberthreats targeting firmware technology have underscored how tricky it is to weed out malware that can start wreaking havoc before infected computers even boot up.
Keeping software up to date is a mainstay of good cybersecurity hygiene. But in rare cases when patches backfire — either by introducing new, more severe software flaws or failing to fix the old ones — it can set off a scramble to set things right.
Security researcher Vera Mens and her colleagues on Claroty’s Team82 took on some of the toughest challenges in the industrial cybersecurity field at Pwn2Own Miami.
Most of the code in typical applications comes from open-source projects, importing dozens — and often, hundreds — of components created by volunteers. As the Log4j incident shows, those deep dependencies can carry critical vulnerabilities.