GitHub’s Copilot Autofix triples vulnerability remediation speed

Shipping software quickly often comes at the cost of security, with vulnerabilities inadvertently making their way into production code. This poses a significant challenge, as many developers find security requirements complex and difficult to implement.

"Developers are shipping software faster than previously imaginable, releasing new features early and often. Yet, despite their best efforts to code securely, software vulnerabilities inadvertently make their way into production...

14 August 2024 | Artificial Intelligence

Apple, the EU, and the threat of sideloaded applications

A huge shift has just happened in the mobile security landscape: Apple’s release of iOS 17.04 in March 2024 has allowed users to sideload apps and use third party app stores. This has largely been done in an effort to comply with the EU’s Digital Markets Act (DMA). The DMA was introduced by the European Commission in order to help mitigate the domination of silicon valley giants – which the DMA calls “gatekeepers” – over digital markets.

Specifically, the DMA states...

13 August 2024 | App Stores

Veracode unveils tools to combat growing security debt

To help organisations tackle mounting security debt and an expanding attack surface, Veracode has announced two new platform innovations.

Veracode has introduced Universal Connector and Application Security Heatmap, both powered by Longbow, to enable businesses to quickly identify and prioritise security risks across their applications.

These new capabilities come at a critical time, as organisations struggle to manage an overwhelming volume of security alerts and the...

1 August 2024 | Hacking & Security

Mandrake spyware variant evades Google Play security for two years

Kaspersky researchers have uncovered a new version of the notorious Mandrake spyware, revealing advanced obfuscation techniques that allowed it to bypass Google Play's security checks and remain undetected for two years.

First identified in 2020, Mandrake has been an active Android espionage platform since at least 2016. The latest variant, detected in April 2024, showcases enhanced functionality and evasion capabilities that have raised concerns among cybersecurity...

31 July 2024 | Android

Images weaponised in latest supply chain attack

A series of malicious packages disguised as legitimate software have been discovered in the npm registry by cybersecurity firm Phylum.

The packages – identified on 13 July 2024 – contained hidden command and control functionality embedded within image files, executed during the installation process.

Phylum researchers uncovered two packages in this campaign, with one named "img-aws-s3-object-multipart-copy" mimicking a legitimate GitHub library. The malicious version...

16 July 2024 | Hacking & Security

GitLab update addresses pipeline execution vulnerability

GitLab has released critical security updates to address multiple vulnerabilities, including a high-severity flaw that could allow attackers to run pipeline jobs as arbitrary users.

The company strongly recommends all GitLab installations be upgraded immediately to the latest versions: 17.1.2, 17.0.4, or 16.11.6 for both Community Edition (CE) and Enterprise Edition (EE).

The most critical vulnerability (CVE-2024-6385) affects GitLab versions 15.8 to 17.1.1. With a CVSS...

11 July 2024 | Developer

CocoaPods flaws highlight growing supply chain risks

Security researchers at E.V.A Information Security have uncovered several critical vulnerabilities in CocoaPods, a popular dependency manager for Swift and Objective-C projects. These vulnerabilities potentially expose millions of Apple devices to supply chain attacks, highlighting the growing risks associated with open-source software dependencies.

CocoaPods, used in over three million mobile apps, plays a crucial role in the iOS and macOS development ecosystem. The discovered...

2 July 2024 | Developer

Critical OpenSSH vulnerability threatens millions of Linux systems

A severe vulnerability in OpenSSH's server (sshd) has been uncovered by Qualys’ Threat Research Unit (TRU), potentially affecting over 14 million Linux systems worldwide. The flaw, designated as CVE-2024-6387, allows for remote unauthenticated code execution (RCE) with root privileges on glibc-based Linux systems.

This vulnerability, stemming from a signal handler race condition, impacts sshd in its default configuration. Qualys researchers have identified approximately 700,000...

1 July 2024 | Developer

GitLab’s DevSecOps report highlights AI challenges

GitLab's 8th annual Global DevSecOps Report has unveiled a complex landscape of software development, highlighting disparities between executive perceptions and developer realities. The survey, conducted in April 2024, gathered insights from over 5,300 professionals across the software development spectrum.

While 69% of CxOs report shipping software at least twice as fast as last year, AI adoption remains low, with only 26% of respondents implementing AI in their workflows. This...

28 June 2024 | Approaches

Optus breach is a wake-up call for secure coding practices

A “coding error” in Optus Mobile's systems led to a massive data breach affecting over nine million customers, sparking a lawsuit from the Australian Communications and Media Authority (ACMA).

The case, filed under number VID429/2024 in the Federal Court of Australia, highlights the severe consequences of software vulnerabilities in large-scale systems.

The breach, which affected over nine million Optus users, was caused by a seemingly simple coding error—a stark...

21 June 2024 | Approaches