#open-source-security

[ follow ]
#software-supply-chain #npm #bug-bounty #codemender #vulnerability-disclosure #microsoft-security
#bug-bounty
more#bug-bounty
#npm
fromInfoWorld
1 week ago
Information security

A proactive defense against npm supply chain attacks

Widespread reliance on npm packages creates persistent, large-scale security risk as malicious packages can compromise thousands of downstream applications.
fromCyberScoop
3 months ago
Information security

The npm incident frightened everyone, but ended up being nothing to fret about

A social-engineering compromise of an npm maintainer briefly poisoned 18 popular packages, but quick detection and response limited the supply-chain attack’s impact and damage.
more#npm
fromTheregister
1 month ago

Python Foundation rejects $1.5M grant with no-DEI strings

These terms included affirming the statement that we 'do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI [diversity, equity, and inclusion], or discriminatory equity ideology in violation of Federal anti-discrimination laws,' Crary noted.
Non-profit organizations
#codemender
more#codemender
Software development
fromTheregister
2 months ago

Curl project, swamped with AI slop, finds not all AI is bad

Human-guided AI code analysis can find valid bugs and improve open-source projects despite widespread low-quality AI-generated reports.
Information security
fromTheregister
2 months ago

Socket will block it with free malicious package firewall

Socket released Socket Firewall Free, a free CLI that blocks malicious dependencies at install time across npm, yarn, pnpm, pip, uv, and cargo.
fromTheregister
2 months ago

Google's dev registration plan 'will end the F-Droid project

"The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot 'take over' the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications," he said. "If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open source app distribution sources as we know them today," said Prud'hommeaux.
Tech industry
#software-supply-chain
more#software-supply-chain
Information security
fromInfoQ
3 months ago

Google Veles is a New Open-source Secret Scanner Powering GCP

Google released Veles, an open-source secret scanner that detects exposed credentials across artifacts and integrates with OSV-SCALIBR and Google Cloud security products.
Privacy professionals
fromInfoQ
7 months ago

Implement the EU Cyber Resilience Act's Requirements to Strengthen Your Software Project

The European Cyber Resilience Act is a significant development aimed at enhancing cybersecurity across the continent.
[ Load more ]