Travis CI flaw exposed thousands of open-source projects’ secrets

A flaw in popular software testing tool Travis CI exposed the secrets of thousands of open-source projects.

Travis CI is a hosted continuous integration service used to build and test software projects hosted on GitHub and Bitbucket.

For at least a week – between 3-10 Sept – open-source repos that used Travis CI had their keys, credentials, and tokens exposed.

Ethereum developer Felix Lange discovered a flaw with how Travis CI handled environmental...

Google wants to ‘advance cybersecurity’ by fixing open-source and increasing training

Google has committed $10 billion over the next five years to “advance cybersecurity” by fixing some of the key problems with open-source and offering more training.

The announcement follows Google’s participation in President Biden’s White House Cyber Security Meeting this week. Leading tech executives including Alphabet CEO Sundar Pichai put their heads together following an increasing prevalence and seriousness of cyberattacks.

Open-source is vital and speeds...

Checkmarx acquires Dustico in wake of increasing supply chain attacks

Developer-centric app security testing (AST) firm Checkmarx has acquired Dustico to help counter the increasing threat of supply chain attacks.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO, Checkmarx.

“Blending Dustico’s differentiated approach to open source analysis with Checkmarx’s best-of-breed security...

Google announces raft of Play Store security policy updates

Google has announced a number of changes to its Play Store security policies that will come into effect over the coming year.

Starting in September, a new section will be added to Google’s Enforcement policy that will mean inactive or otherwise abandoned developer accounts will be closed after one year of dormancy.

October will see various policies introduced on different dates.

On 15 October, the Device and Network Abuse policy will be clarified to prohibit...

Former NSA executive Jacob DePriest now heads GitHub’s security operations

GitHub has announced that former NSA (National Security Agency) senior executive Jacob DePriest is now heading its security operations.

Open source evangelist DePriest built the NSA’s Developer Experience from scratch and helped the agency’s developers contribute to the work of others. The NSA’s historically lengthy approval process was reduced from weeks to mere hours in some cases.

A 2019 post on the US Intelligence Careers website explains why DePriest has a...

Report: Sec and DevOps split on who is responsible for software security

Solar Eclipse

IT security and development teams are divided over who is and who should be responsible for securing software, a new report from cybersecurity company Venafi has shown.

When asked who is responsible for software security at their organisations, the sample of 1,000 DevOps and Sec professionals were equally split, with 48% saying development were and 48% saying IT security were.

Of far greater concern is the divide over who should be responsible for software security. Only...

Google’s latest framework aims to prevent SolarWinds-like supply chain attacks

Google has unveiled a new framework called Supply chain Levels for Software Artifacts, or SLSA (pronounced "salsa").

The intention of SLSA is to help prevent the growing number of devastating supply chain attacks in recent years—such as the SolarWinds and CodeCov hacks.

Google describes SLSA as "an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain."

The company says that SLSA is inspired by its own...

Sonatype Lift uses deep code analysis to suggest bug fixes

Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.

Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

Research from Veracode last year found that open-source libraries cause security flaws in around 70 percent of apps. However, open-source libraries are often critical to projects.

Using a deep code...

Codecov breach prompts fears of another SolarWinds-style hack

A hack impacting software testing firm Codecov is expected to have resulted in hundreds of networks being compromised, prompting fears of a fallout similar to the recent SolarWinds attack.

Codecov has over 29,000 customers including companies such as IBM, Proctor & Gamble, Hewlett Packard Enterprise, Atlassian, Washington Post, and GoDaddy. The potential scale of the attack has led to a federal investigation.

"We are aware of the claims and we are investigating...

Hackers are using shared Xcode projects to infect Apple developers

Developers for Apple’s platforms are being hacked through importing shared Xcode projects infected with malware.

Researchers from SentinelOne detailed the growing trend after discovering a macOS malware dubbed XcodeSpy.

“Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects,” the researchers explained.

“XcodeSpy is a malicious Xcode project that installs a custom variant...