Former NSA executive Jacob DePriest now heads GitHub’s security operations

GitHub has announced that former NSA (National Security Agency) senior executive Jacob DePriest is now heading its security operations.

Open source evangelist DePriest built the NSA’s Developer Experience from scratch and helped the agency’s developers contribute to the work of others. The NSA’s historically lengthy approval process was reduced from weeks to mere hours in some cases.

A 2019 post on the US Intelligence Careers website explains why DePriest has a...

Report: Sec and DevOps split on who is responsible for software security

Solar Eclipse

IT security and development teams are divided over who is and who should be responsible for securing software, a new report from cybersecurity company Venafi has shown.

When asked who is responsible for software security at their organisations, the sample of 1,000 DevOps and Sec professionals were equally split, with 48% saying development were and 48% saying IT security were.

Of far greater concern is the divide over who should be responsible for software security. Only...

Google’s latest framework aims to prevent SolarWinds-like supply chain attacks

Google has unveiled a new framework called Supply chain Levels for Software Artifacts, or SLSA (pronounced "salsa").

The intention of SLSA is to help prevent the growing number of devastating supply chain attacks in recent years—such as the SolarWinds and CodeCov hacks.

Google describes SLSA as "an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain."

The company says that SLSA is inspired by its own...

Sonatype Lift uses deep code analysis to suggest bug fixes

Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.

Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

Research from Veracode last year found that open-source libraries cause security flaws in around 70 percent of apps. However, open-source libraries are often critical to projects.

Using a deep code...

Codecov breach prompts fears of another SolarWinds-style hack

A hack impacting software testing firm Codecov is expected to have resulted in hundreds of networks being compromised, prompting fears of a fallout similar to the recent SolarWinds attack.

Codecov has over 29,000 customers including companies such as IBM, Proctor & Gamble, Hewlett Packard Enterprise, Atlassian, Washington Post, and GoDaddy. The potential scale of the attack has led to a federal investigation.

"We are aware of the claims and we are investigating...

Hackers are using shared Xcode projects to infect Apple developers

Developers for Apple’s platforms are being hacked through importing shared Xcode projects infected with malware.

Researchers from SentinelOne detailed the growing trend after discovering a macOS malware dubbed XcodeSpy.

“Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects,” the researchers explained.

“XcodeSpy is a malicious Xcode project that installs a custom variant...

StrongSalt’s new Open Privacy API offers ‘encryption as a service’

Encryption as a service provider StrongSalt has released its Open Privacy API to improve the security of developers’ applications.

StrongSalt was founded by Ed Yu, the former founding engineer of cybersecurity giant FireEye. Back in September, StrongSalt raised $3 million in seed funding from Valley Capital Partners.

Claiming it wants to “do for encryption what Stripe has done for payments and Twilio has done for communications,” StrongSalt offers APIs and...

Sophos launches a security analysis platform for developers

British cybersecurity firm Sophos has launched a new threat intelligence and analysis platform for developers.

SophosLabs Intelix helps developers to build more secure applications through simple API calls. Developers can use an API call to assess the risk of things like files, IP addresses, URLs, and more.

Sophos claims the platform is continuously updated and features petabytes of real-time and historical intelligence.

The platform collates masses of data to help...

Python libraries imitating ‘dateutil’ and ‘jellyfish’ caught stealing SSH and GPG keys

Two malicious Python libraries have been caught stealing SSH and GPG keys from developers over the past year.

The libraries were part of PyPI (Python Package Index) and imitated two popular non-malicious libraries using typosquatting.

The first library is “python3-dateutil,” which imitates “dateutil,” a library which provides extensions to Python’s standard datetime module.

Next up is the “jeIlyfish” library, with the first...

PWNED: Researcher uses broken API to print message on GPS watches

A German security researcher printed the word “PWNED!” on hundreds of GPS watches to prove a point about a broken API.

Christopher Bleckmann-Dreher discovered a vulnerability in an API used by Austrian GPS watch manufacturer Vidimensio.

The firm’s watches are used by a wide range of the population from the elderly down to children, and it affected over 20 models.

Dreher alerted Vidimensio to the problem but it was ignored for over a year. Given the...