Sonatype analysis reveals a 73 percent surge in open-source demand

A report from Sonatype has revealed a 73 percent surge in demand for open-source software despite a year of high-profile vulnerabilities.

The growing use of open-source to keep up with the pace of modern development makes it a prime target for cybercriminals. We’ve seen this multiple times in practice over the past year with devastating attacks like that on SolarWinds even making national headlines for its widespread implications.

In fact, Sonatype’s report highlights a...

GitHub releases analysis of relations between developers and security researchers

The relationship between developers and security researchers is critical, but it’s no secret that it is often fraught.

GitHub first announced that it was expanding its research to more fully understand the relationship between developer and security research communities in December 2020. The initial analysis, conducted by GitHub Security Lab, has now been released.

For its debut analysis, GitHub focused on the vulnerability disclosure process—of which there is currently no...

Google wants to ‘advance cybersecurity’ by fixing open-source and increasing training

Google has committed $10 billion over the next five years to “advance cybersecurity” by fixing some of the key problems with open-source and offering more training.

The announcement follows Google’s participation in President Biden’s White House Cyber Security Meeting this week. Leading tech executives including Alphabet CEO Sundar Pichai put their heads together following an increasing prevalence and seriousness of cyberattacks.

Open-source is vital and speeds...

Boris Cipot, Synopsys Software Integrity: On the cybersecurity landscape and countering threats

Following a year of high-profile cyberattacks, developers are understandably concerned their software could be the next to be compromised.

Developer caught up with Boris Cipot, Senior Sales Engineer at Synopsys Software Integrity, to discuss the cybersecurity landscape and how developers can secure their software.

Cipot came to Synopsys following the company’s acquisition of Black Duck Software. Prior to those companies, Cipot held senior roles at anti-malware...

Checkmarx acquires Dustico in wake of increasing supply chain attacks

Developer-centric application security testing (AST) firm Checkmarx has acquired Dustico to help counter the increasing threat of supply chain attacks.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO, Checkmarx.

“Blending Dustico’s differentiated approach to open source analysis with Checkmarx’s best-of-breed security...

Former NSA executive Jacob DePriest now heads GitHub’s security operations

GitHub has announced that former NSA (National Security Agency) senior executive Jacob DePriest is now heading its security operations.

Open source evangelist DePriest built the NSA’s Developer Experience from scratch and helped the agency’s developers contribute to the work of others. The NSA’s historically lengthy approval process was reduced from weeks to mere hours in some cases.

A 2019 post on the US Intelligence Careers website explains why DePriest has a...

Google’s latest framework aims to prevent SolarWinds-like supply chain attacks

Google has unveiled a new framework called Supply-chain Levels for Software Artifacts, or SLSA (pronounced “salsa”).

The intention of SLSA is to help prevent the growing number of devastating supply chain attacks seen in recent years, such as the SolarWinds and Codecov compromises.

Google describes SLSA as “an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.”

The company says that SLSA is inspired by its own...
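To make “integrity of software artifacts” concrete, here is an added illustration of the core mechanism SLSA builds on: a builder emits signed provenance that binds an artifact’s digest to the builder identity and the source it was built from, and a consumer refuses the artifact unless that provenance checks out. This is example code written for this page, not code from Google or the SLSA project. It assumes the in-toto Statement layout with the SLSA v0.1 provenance predicate, uses `example.invalid` URIs as placeholders, and stands in an HMAC with a constructed shared key for the asymmetric signature a real builder would use.

```python
import hashlib
import hmac
import json

# Constructed placeholders: a builder identity and source repository that do not exist,
# and a shared HMAC key standing in for the builder's real signing key.
BUILDER_ID = "https://example.invalid/ci-builder"
BUILDER_KEY = b"constructed-demo-key-not-for-production"
TRUSTED_BUILDERS = {BUILDER_ID}
EXPECTED_SOURCE = "git+https://example.invalid/org/app"
PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_and_attest(artifact_name, artifact_bytes, source_uri, source_commit):
    """Builder side: emit an in-toto Statement carrying a SLSA provenance predicate
    that binds the artifact digest to the builder and its source material, then sign it."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": PROVENANCE_V01,
        "predicate": {
            "builder": {"id": BUILDER_ID},
            "recipe": {"type": "https://example.invalid/build/v1", "entryPoint": "build.sh"},
            "materials": [{"uri": source_uri, "digest": {"sha1": source_commit}}],
        },
    }
    # Canonical serialisation so the signature covers exactly one byte sequence.
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(BUILDER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_provenance(envelope, artifact_name, artifact_bytes):
    """Consumer side: accept the artifact only if the provenance is authentic, names
    exactly these bytes, and came from a trusted builder using the expected source.
    Returns (ok, reason) so callers can log why an artifact was rejected."""
    expected_sig = hmac.new(BUILDER_KEY, envelope["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, envelope["signature"]):
        return False, "signature invalid"
    stmt = json.loads(envelope["payload"])
    if stmt.get("predicateType") != PROVENANCE_V01:
        return False, "unexpected predicate type"
    digest = sha256_hex(artifact_bytes)
    if not any(s["name"] == artifact_name and s["digest"].get("sha256") == digest
               for s in stmt.get("subject", [])):
        return False, "artifact digest not covered by provenance"
    pred = stmt["predicate"]
    if pred["builder"]["id"] not in TRUSTED_BUILDERS:
        return False, "untrusted builder"
    if not any(m.get("uri") == EXPECTED_SOURCE for m in pred.get("materials", [])):
        return False, "built from unexpected source"
    return True, "ok"


def demo():
    """Run the genuine case and three failure modes; returns a dict of (ok, reason)."""
    artifact = b"constructed artifact bytes v1.0"  # constructed sample, not a real build
    env = build_and_attest("app-1.0.tar.gz", artifact, EXPECTED_SOURCE, "a" * 40)
    results = {"genuine": verify_provenance(env, "app-1.0.tar.gz", artifact)}
    # Artifact swapped after the build: digest no longer matches the subject.
    results["tampered_artifact"] = verify_provenance(env, "app-1.0.tar.gz", artifact + b"\x00")
    # Provenance edited in transit: signature no longer covers the payload.
    edited = dict(env, payload=env["payload"].replace(b"a" * 40, b"c" * 40))
    results["tampered_provenance"] = verify_provenance(edited, "app-1.0.tar.gz", artifact)
    # Same bytes, but built from a fork rather than the expected repository.
    forged = build_and_attest("app-1.0.tar.gz", artifact,
                              "git+https://example.invalid/attacker/fork", "b" * 40)
    results["wrong_source"] = verify_provenance(forged, "app-1.0.tar.gz", artifact)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:20s} accepted={ok} ({reason})")
```

The three rejection paths are the ones a SolarWinds- or Codecov-style compromise has to get past: a substituted artifact, altered provenance, or a build from the wrong source all fail before the artifact is used. In a real deployment the HMAC check is replaced by verifying a DSSE envelope against the builder’s public key, and the builder identity and expected source come from policy rather than module constants.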

Sonatype Lift uses deep code analysis to suggest bug fixes

Sonatype has launched a new deep code analysis platform called Lift which can detect a wide range of bug types.

Lift detects bugs ranging from style issues to complex coding errors commonly found in first-party source code and third-party open source libraries.

Research from Veracode last year found that open-source libraries cause security flaws in around 70 percent of apps. However, open-source libraries are often critical to projects.

Using a deep code...

At DevSecCon24, find out how to build a Security Champions programme to scale your team

Next week, we’re looking forward to bringing together the amazing speakers, attendees and sponsors of DevSecCon24 to discuss, debate and understand how a Security Champions programme can work. As Snyk’s Field CTO, I’ll be leading a panel with stellar DevSecOps leaders from Twilio, Atlassian and Pearson to delve into how to get started, the challenges and the fine-tuning. Here’s a taster of where the discussion might lead.

The concept of a Security Champions...

Trend Micro partners with Snyk to fight open-source bugs

Cybersecurity leader Trend Micro is partnering up with application security platform Snyk to fight open-source bugs.

Research from Veracode last year found that open-source libraries cause security flaws in 70 percent of apps. Snyk itself has observed a 2.5x growth in open-source vulnerabilities over the past three years.

However, open-source is vital to the advancement of the software development industry. Snyk estimates that around 80 percent of application today is...