Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Vulnerability

Quantifying the Probability of Flaws in Open Source

Jay Jacobs and I recently delivered an RSA presentation called Quantifying the Probability of Flaws in Open Source. Since many people didn’t get a chance to see it, I thought I’d summarize some of the findings here for posterity. The question we investigated was simple, at least conceptually: what are the red flags of an open-source repository? Are there characteristics of a given open source library that would reliably indicate it was safer than others?

Going beyond "shift left" to extend AppSec in all directions

A week before RSA 2024, Forrester predicted which subjects and themes would come to the forefront of the conference. They emphasized that we’d see a focus on proactive security, defined as “a strategic approach to controlling security posture and reducing breaches through strong visibility, prioritization, and remediation.” I went into the conference with this prediction in mind. However, I was surprised by what I found.

OWASP Penetration Testing: Methodology, Kit, Checklist (Downloadable)

Software security is key to the online world’s survival. Collaborative efforts of cybersecurity professionals and volunteers have come together to create the OWASP web security testing guide. Malicious actors constantly threaten web applications, the backbone of many businesses. OWASP penetration testing is crucial for identifying and addressing these security vulnerabilities.

Uncovering the Polyfill.io Supply Chain Attack

In this video, we will be uncovering how a sneaky supply chain attack on the JavaScript Polyfill.io service compromised websites across the globe, including big names like Intuit, Square, the U.S. government and more. Stay tuned to find out how the attack occurred and what you can do to prevent it!

Polyfill.io and Software Supply Chain Security: A Cautionary Tale

Over 100,000 websites using a popular JavaScript service (polyfill.io) are now victims of a web supply chain attack. A web supply chain attack is a type of software supply chain attack that targets a third-party web software component to gain access to an organization’s systems or data. These attacks can be difficult to prevent because they can be hard to detect, take advantage of trust, and have long-lasting effects.

CVE-2024-6387: New OpenSSH RegreSSHion Vulnerability Gives Hackers Root Access on Linux Servers - 700,000+ Linux Boxes Potentially at Risk

Labeled as CVE-2024-6387, the recently discovered vulnerability in OpenSSH has become a serious cause for concern for Linux servers. OpenSSH is a collection of networking tools built on the Secure Shell (SSH) protocol. It is widely utilized to secure remote logins, manage and administer remote servers, and transfer files through SCP and SFTP. Researchers at Qualys initially identified the vulnerability, nicknamed the “RegreSSHion Bug”, in May 2024.

CVE-2024-6387 - Shields Up Against RegreSSHion

On July 1st, the Qualys security team announced CVE-2024-6387, a remotely exploitable vulnerability in the OpenSSH server. This critical vulnerability is nicknamed “regreSSHion” because the root cause is an accidental removal of code that fixed a much earlier vulnerability, CVE-2006-5051, back in 2006. The race condition affects the default configuration of sshd (the daemon program for SSH).