A few days ago, Snyk reported on a new type of threat vector in the open source community: protestware. The advisory was about a transitive vulnerability — peacenotwar — in node-ipc that impacted the supply chain of a great deal of developers. Snyk uses various intel threat feeds and algorithms to monitor chatter on potential threats to open source, and we believe this may just be the tip of a protestware iceberg.

It’s open source, anyone can audit it, but is it safe? In this blog our CSO explores why distribution of malicious scripts via libraries is causing a stir amongst the open-source community and how you can defend against it.

More than ever, developers are building web applications on the foundations of open source software libraries. However, while those libraries make up the software bill of materials (SBOM) components inventory, not all developers and business stakeholders understand the significant impact on open source supply chain security that stems from including 3rd party libraries.

Census II examines the most popular components of free and open source software and highlights the issues affecting the security of these libraries. Last week, the nonprofit Linux Foundation and Harvard’s Lab for Innovation Science published Census II of Free and Open Source Software—Application Libraries. This report identifies more than 1,000 of the most widely deployed open source application libraries.

At LimaCharlie, we are building a world where people and organizations can realize their full potential without compromising security along the way. We believe that it’s best to leave security in the hands of security professionals while enabling them with powerful tools to do what they can do best. For us, these are not just words. It’s a core belief that guides everything we do. Security is about people.

Supply chain attacks tripled in 2021, meaning a secure software development lifecycle is more important than ever. Do you know what open source software (OSS) components are in use within your organisation? Or how to find out?

In 2021, the WhiteSource Diffend automated malware detection platform detected and reported more than 1,200 malicious npm packages that were responsible for stealing credentials and crypto, as well as for running botnets and collecting host information from machines on which they were installed.

Today, anyone can contribute to some of the world’s most important software platforms and frameworks, such as Kubernetes, the Linux kernel or Python. They can do this because these platforms are open source, meaning they are collaboratively developed by global communities. What if we applied the same principles of democratization and free access to cybersecurity?

Our activities around sponsoring Open Source are not just limited to projects we rely on; we have also been supporting those that are important to the general Cybersecurity ecosystem and beyond. We're in this for the long haul and the most recent set of projects covers a very wide scope. We want to help ensure that everyone has sustainable Open Source for many years to come. Let's tell you about these new projects and why you should be aware of them.

Unique open source licenses provide amusement for developers but they create extra work for legal teams overseeing a company’s IP. Several of my open source friends had the same reaction when they heard of the death of Bob Saget. Sadly, the actor/comedian passed away last week at a relatively young age, and with him went an increment of open source license risk. Wait… what?