Modern applications rely on open source components for up to 90% of their code, creating a vast attack surface dominated by malicious supply chain injections. High-profile incidents like Log4j and the sabotage of colors.js highlight that traditional scanning often fails to detect sophisticated “protestware” or dependency confusion, necessitating 19 practical controls focused on strict intake governance, dependency pinning, and behavioral monitoring to secure the development lifecycle.
Open-Source Software Community Riled by Yet Another CVE
Another maintainer of an open-source software project has decided to no longer actively update IP address parsing utilities used widely by JavaScript developers.
Standardize: It’s Not the Where. Sometimes it’s Not the What
In our industry’s attempts to follow best practices that marketers assure us we must have or we are going to lose to our biggest competitor … No, wait, we’ll lose to that startup no one ever heard of … No, hold on, we’ll lose to foreign competition … No, wait … (okay, I’ll stop. You […]
WhiteSource Report Finds NPM Vulnerabilities Fixed Fast
WhiteSource today published a report that found most of the vulnerabilities that affect node package managers (NPMs), widely employed to deploy JavaScript applications, are addressed long before they are assigned a Common Vulnerabilities and Exposures (CVE) identifier in the National Vulnerability Database (NVD). The report, based on an analysis of the vulnerabilities that WhiteSource tracks in […]
ClickShare Vulnerabilities May Have Been Patched, But They Mask a Much Bigger Problem
I think we can all recall a time in recent memory where, in a meeting or at a conference, someone has had issues with presentation technology. It happens so often that there is almost an expectation of a clunky experience, at least initially. It stands as no surprise, then, that ClickShare’s seamless app was immediately […]