Most open source maintainers still consider themselves hobbyists, despite compensation pledges

A study by Tidelift shows a compensation gap for the key producers of open source applications, raising questions about how to properly secure software supply chains.

By David Jones • May 2, 2023

OpenAI adds more data privacy guardrails for ChatGPT

The company is allowing users to turn off chat history and export data as it seeks to reach enterprise customers.

By Lindsey Wilkinson • April 26, 2023

More than 2K organizations at risk of major attacks linked to SLP vulnerability

Over 54,000 SLP-speaking instances and 670 product types are vulnerable, researchers from BitSight and Curesec found, including VMware ESXi Hypervisor. 

By David Jones • April 25, 2023

Software industry leaders debate real costs and benefits of CISA security push

The global effort to promote secure by design is seen as a potential game changer for software security, but may require substantial investments and considerable cultural changes.

By David Jones • April 14, 2023

CISA to unveil secure-by-design principles this week amid push for software security

The Biden administration plans to shift responsibility for product safety to the tech industry. Stakeholder discussions are already underway.  

By David Jones • April 12, 2023

Palo Alto security software stung by ransomware strain

Check Point researchers say the “Rorschach” ransomware – found during an attack on a U.S. company – may be the fastest ever seen.

By David Jones • April 4, 2023

IBM file transfer service under active exploit, security researchers warn

Ransomware groups are still exploiting a vulnerability in unpatched versions of Aspera Faspex almost four months after IBM issued a patch.

By Matt Kapko • March 31, 2023

Outlook zero-day still vulnerable to attackers with prior access, researchers find

Days after Microsoft issued a patch, researchers demonstrated that threat actors could still bypass the mitigation steps from within a network.

By David Jones • March 20, 2023

Zero-days fell by one-third in 2022, Mandiant says

Zero-day vulnerabilities in security, IT and network management products, which are consistently connected to the internet, claimed nearly 1 in 5 exploits.

By Matt Kapko • March 20, 2023

Outlook zero day linked to critical infrastructure attacks

State-linked actors have targeted oil and gas, transportation and defense industries in Europe.

By David Jones • March 16, 2023

CISA launches ransomware warning pilot for critical infrastructure providers

The agency already warned dozens of organizations about ProxyNotShell.

By David Jones • March 14, 2023

GitHub to begin rollout of 2FA security upgrade for developers

The enhancement is part of a wider series of security measures following a series of malicious cyberattacks.

By David Jones • March 9, 2023

Cloud skills gap raises cyber concerns for banks

As financial sector companies push forward with modernization, difficulty sourcing talent looms as a potential security risk.

By Matt Ashare • March 7, 2023

Organizations tempt risk as they deploy code more frequently

An imbalance between developers and security professionals on staff spotlights a disconnect between these business functions and objectives.

By Matt Kapko • March 7, 2023

Who is liable for flawed software? New guidance upends the security standard

Development practices and safe harbor provisions are the subject of major debate as work to implement the White Houses’ cyber strategy begins.

By David Jones • March 6, 2023

An ongoing SOC skills shortage could spell trouble for compliance

Without skilled analysts to monitor the SOC, the risk of a successful cyberattack breaking through a company’s defenses grows. 

By Sue Poremba • March 1, 2023

LastPass compromise grew worse after DevOps engineer targeted for encryption key

A threat actor used data from multiple breaches and a vulnerability on a high-level employee’s home computer to steal customer passwords.

By Matt Kapko • Feb. 28, 2023

Google backs federal push for tech to embrace ‘secure by design’

CISA has urged the technology industry to develop more resilient products before they reach customers.

By David Jones • Feb. 15, 2023

What’s known about the ESXiArgs ransomware hitting VMware servers

An initial strain affected thousands of devices before a new variant emerged. The latest burst of attacks hit Saturday.

By Matt Kapko • Feb. 15, 2023

VMware ransomware was on the rise leading up to ESXiArgs spree, research finds

Recorded Future analysis underscores a growing ransomware threat confronting organizations using VMware ESXi.

By Matt Kapko • Feb. 13, 2023

VMware ransomware evolves to evade data recovery, reinfects servers

The new ESXiArgs strain has reinfected more than 1,150 VMware servers and represents more than 4 in 5 live infections, according to open-source ransomware data.

By Matt Kapko • Feb. 10, 2023

Unsophisticated ransomware campaign targeting VMware ripe for copycats

Ransomware doesn’t typically hit thousands of potential victims at once. “All of it’s very strange,” one security researcher said.

By Matt Kapko • Feb. 8, 2023

Sports betting apps fumble open source, placing users at risk

On the cusp of Super Bowl 57, researchers from Synopsys warned popular mobile betting apps face a higher than average risk of being hacked.

By David Jones • Feb. 7, 2023

Ransomware attack spree hits thousands of VMware servers

Cyber authorities linked the attacks, dubbed ESXiArgs, to a two-year-old VMware vulnerability. At least 2,250 machines have been compromised.

By Matt Kapko • Feb. 6, 2023

CVEs expected to rise in 2023, as organizations still struggle to patch

Most CVEs are exploited within 30 days of public disclosure, a Coalition report found, spelling trouble for organizations trying to shore up their defenses.

By David Jones • Feb. 3, 2023