Open Source Vulnerabilities Take Four Years to Spot, Says GitHub
Tuesday, December 15, 2020
The GitHub Security Lab makes a number of suggestions for developers who use the platform: check dependencies for known open source vulnerabilities on a regular schedule, have the security team participate actively in the community by sharing research findings, put automated alerting and patching tools in place, and adopt a policy of applying patches as soon as they are available.
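The first suggestion, checking pinned dependencies against a vulnerability feed on a schedule, is the kind of check a small script can run in CI. The following is an added example, not code from GitHub or from the article: it parses a requirements.txt-style lock file and matches each pin against advisories expressed as version ranges in the style of OSV "introduced"/"fixed" events (a package is affected from the introduced version up to, but not including, the fixed version; an advisory with no fixed version stays open). The advisory entries, package names, versions and identifiers are all constructed for illustration and are not real advisories.

```python
"""Minimal dependency audit against an advisory feed (added example).

The advisories and lock file below are constructed sample data; the
identifiers are not real CVE or GHSA ids.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    summary: str


# Constructed sample advisory feed (hypothetical packages and ids).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "webframework", "0", "2.4.1", "path traversal in static file handler"),
    Advisory("EXAMPLE-0002", "yamlparse", "5.0", "5.3.2", "arbitrary object construction on load"),
    Advisory("EXAMPLE-0003", "imgtools", "1.0", None, "heap overflow in TIFF decoder (no fix released)"),
]

# Constructed lock file content, requirements.txt style with exact pins.
LOCKFILE = """\
webframework==2.3.9
yamlparse==5.3.2
imgtools==1.2.0
requests-like==2.31.0  # trailing comments are ignored
"""


def parse_version(v: str) -> tuple:
    """Turn '2.4.1rc1' into (2, 4, 1); pre-release suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a: tuple, b: tuple) -> int:
    """Return -1, 0 or 1; zero-pads so that 2.4 == 2.4.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, or version >= introduced when unfixed."""
    v = parse_version(version)
    if compare_versions(v, parse_version(adv.introduced)) < 0:
        return False
    if adv.fixed is None:
        return True
    return compare_versions(v, parse_version(adv.fixed)) < 0


def parse_lockfile(text: str) -> dict:
    """Map package name -> pinned version; refuse unpinned requirements."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)", line)
        if not m:
            # An unpinned dependency cannot be audited reliably, so fail loudly.
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def audit(lockfile_text: str, advisories=ADVISORIES) -> list:
    """Return one finding per advisory whose package is pinned to an affected version."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        ver = pins.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            findings.append({"id": adv.id, "package": adv.package, "installed": ver,
                             "fixed_in": adv.fixed, "summary": adv.summary})
    return findings


if __name__ == "__main__":
    for f in audit(LOCKFILE):
        fix = f"upgrade to >= {f['fixed_in']}" if f["fixed_in"] else "no fix available: mitigate or replace"
        print(f"{f['id']} {f['package']}=={f['installed']}: {f['summary']} ({fix})")
```

Run on the constructed data, the audit flags webframework (2.3.9 is below the fixed 2.4.1) and imgtools (affected with no fix), and clears yamlparse because 5.3.2 is exactly the fixed version. In a real pipeline the advisory list would come from a feed such as OSV or the GitHub Advisory Database, and the job would fail the build, or open an alert, on any non-empty result; the unfixed case is the one to report separately, since "upgrade" is not an available remediation there.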
Ilia Kolochenko, Founder & CEO of ImmuniWeb, expanded on the importance of patching early and often with regard to open source vulnerabilities: “The root problem is not detection of previously unknown Open Source Software (OSS) vulnerabilities, but well-known and unpatched vulnerabilities. Virtually all industry reports and studies converge that a very small number, usually varying from 10% to 30%, of known OSS security vulnerabilities are ever patched. Rapid proliferation of containers exacerbates the problem, as outdated and vulnerable software transforms containers into a ticking time bomb … Today, cybercriminals don’t even bother to search for 0days: they have a myriad of vulnerable web systems accessible from the Internet. One can easily acquire fully automated exploits for them, designed to compromise the flaw, backdoor the system and patch the vulnerability to preclude “competitors” from getting in.”
Other strong suggestions for securing open source projects, drawn from previous GitHub data breach incidents: never include login credentials in code or comments, grant access privileges on a per-user, least-privilege basis, and mandate multi-factor authentication (MFA) for anyone with access to sensitive information.