You’re confident in your development chops—confident enough to know the apps you’ve built aren’t completely free of security and configuration flaws. You’ve also researched the deep ecosystem of scanning tools available and perhaps got overwhelmed by the sheer volume of choice. What’s the right “portfolio” of open-source app security tools to identify vulnerabilities in your dependencies, Infrastructure as Code (IaC) configurations, containers, and more?

The last time we wrote about open source software (OSS) for security, we explored how community-driven innovation addresses security problems stemming from the rapid pace of business-driven technological advancements. We posed the question: Can open source security solutions adequately secure and protect the OSS that modern businesses depend on?

Foresiet, your trusted cybersecurity advisor, brings attention to the recent addition of a security flaw impacting Apache Flink to the Known Exploited Vulnerabilities catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Tracked as CVE-2020-17519, this vulnerability poses a significant risk due to its potential for active exploitation. Understanding the Vulnerability.

Using open-source code exposes organizations to a tremendous amount of risk, yet this point is treated like a dirty little secret that nobody talks about. So, let’s live on the edge and take a minute to talk about the problem. Open-source code is an oddity. Generally, open-source code is often placed in small packets tucked inside massive programs that corporations use to run their most important processes or it is adopted as a whole program and tasked with running some part of a business.

CVE-2024-3094 is a critical backdoor vulnerability found in the XZ Utils open-source library. The vulnerability was caused by a malicious code injected into the library by one of the maintainers. The vulnerability allows remote attackers to execute any desired code on systems with exposed SSH packages.

Open-source software security is crucial in today's cloud-native world. Learn about vulnerabilities, dependencies, and tools to improve security in this in-depth blog post.

As cybersecurity becomes increasingly important in software development, the “shift left” security approach is widely recognized as a best practice for ensuring superior application security. Numerous traditional security firms are introducing shift-left products and capabilities, and the concept is gaining traction. However, some open source application security tools are more developer-friendly than others.

A necessary step in securing an application is evaluating the supply chain of each component used to create the application—no matter how many hands were involved in its development. If any links in the supply chain are obscured, it can be difficult to confidently assess the amount of risk that an application is susceptible to.

In late March 2024, the cybersecurity community was shaken by the revelation of a critical vulnerability in XZ Utils, a popular open source compression tool integral to many Linux systems. The discovery was made by Andres Freund, a developer at Microsoft, who reported that versions 5.6.0 and 5.6.1 had a backdoor that could potentially allow unauthorised remote code execution.