GitHub notifies victims of OAuth token theft

GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and...

19 April 2022 | Git

Google will hide outdated Android apps to improve security

Google will start hiding outdated apps on the Play Store in a bid to improve security.

With almost three million apps hosted on the Play Store, keeping Android’s three billion users protected is a gargantuan task.

Given the scale of the challenge, Google’s AI-powered security does an admirable job. However, Google’s system is far from perfect and software that poses a threat to users does slip through.

Sometimes the apps that slip past Google’s security...

7 April 2022 | Android

80% of Spring framework downloads are exploitable versions

Data from Sonatype suggests that 80 percent of weekly Spring framework downloads are still exploitable versions.

Spring is a mighty popular framework—often ranking in the top three most-used Java frameworks. That’s why the Java developer community was shaken when a vulnerability named Spring4Shell (CVE-2022-22965) was leaked by a security researcher ahead of an official CVE publication.

Spring4Shell allows unauthenticated remote code execution. This week, the US...

5 April 2022 | Frameworks

Spring4Shell vulnerability could have ‘a larger impact’ than Log4j

A newly-discovered zero-day vulnerability known as Spring4Shell could have “a larger impact” than Log4j.

Log4j made waves in recent months as the vulnerability in the popular open-source logging library enabled attackers to break into systems, steal passwords and logins, extract data, and infect networks with malicious software.

However, attention is now shifting to the Spring4Shell exploit.

Spring4Shell is a zero-day remote code execution (RCE)...

31 March 2022 | Frameworks

‘Protestware’ emerges amid Russia-Ukraine crisis

Some open-source developers are using their projects to target users in Russia after the country’s invasion of Ukraine.

The invasion of Ukraine has been almost internationally condemned. The actions of Russian forces are being investigated for numerous war crimes and the targeting of civilians in areas like Mariupol has equated to genocide.

State-controlled media and harsh penalties for protests mean that a large number of Russians believe the Kremlin’s narrative...

21 March 2022 | Open Source

GitHub Advisory Database now accepts community contributions

GitHub is opening its Advisory Database to community contributions to help further secure software supply chains.

One vulnerability can have a devastating “domino effect” on software across the globe. With the use of open-source increasing, so does the threat of a vast amount of software being compromised.

GitHub launched its Advisory Database almost two years ago. As the largest database of vulnerabilities in software dependencies in the world, it’s become an...

22 February 2022 | Hacking & Security

State of Software Security v12: Don’t become complacent, but we’ve come a long way

Veracode’s latest State of Software Security report highlights that applications are, on average, more secure than ever.

Getting the negatives out the way first, the report warns about the devastating “domino effect” that one vulnerability can have on software across the globe.

One clear example of this in action was the SolarWinds attack in which hackers inserted malicious code into the company’s Orion software. Every company and organisation using Orion was...

8 February 2022 | Developer

GitHub incentivises open-source investments with sponsor-only repos

GitHub is launching private repositories that only sponsors have access to, helping to incentivise open-source investments.

Open-source mostly relies on developers voluntarily giving up their time to build and improve projects. Priority is naturally given to work that helps to keep a roof over their heads and food on the table—meaning that open-source projects can be underdeveloped at best or be left with devastating vulnerabilities at worst.

A growing number of...

3 February 2022 | Git

Open-source can play a critical role in tackling the UK’s developer shortage

It is no secret that developers have never been more in demand. According to a recent analysis, the shortage of “programmers and software development professionals” only ranks behind HGV drivers and nurses as the occupation where worker shortages are most acute in the UK.

The sheer pace of digital transformation across every industry means the demand for developer talent continues to outstrip supply at a rapid rate – and the situation shows no sign of abating. Just about...

25 January 2022 | Git

Software supply chain attacks increased over 300% in 2021

We all knew there was an increase in software supply chain attacks in 2021, but a new study has quantified just how bad things got.

Argon Security – recently acquired by Aqua Security – published the latest edition of its annual Software Supply Chain Security Review this week.

The headline stat from Argon’s report that software supply chain attacks grew by more than 300 percent in 2021 compared to 2020.

Eran Orzel, Senior Director of Argon Customer...

20 January 2022 | Development Tools