The most critical challenge your organization faces when choosing a software composition analysis (SCA) vendor is understanding that some miss up to 60% of the open source, exposing your organization to security and licensing risks. We’re also seeing challenges surrounding the accuracy of the results. A vendor will find some open source but then mismatch […]
Author: Kristen Bianchi
Keeping current with Log4j dependencies and new exploits is a complex and ongoing challenge. Organizations struggle to find the proverbial needle in hundreds of haystacks in a constantly changing environment. Then there is the issue of finding the right security tool to use across numerous applications and networks. Our Truematch technology gives us the unique […]
As a result of Log4Shell’s popularity and easy exploitability, its potentially severe impact is tremendous. What has emerged is not just how mainstream it is, but how deeply woven it is into the software we use, and how difficult it is to detect. Log4Shell Detection Because it is common across open source and third-party applications, […]
Log4Shell exploits are present in 17,000 unpatched Log4J packages in the Maven Central ecosystem, posing a significant supply-chain risk. Google security estimates that approximately 17,000 Java packages in the Maven Central repository are vulnerable to Log4j – and that it will take “years” for it to be fixed across the ecosystem. The Log4j bug impacts […]
How do you know what is really in your software? Open-source software is present in an overwhelming amount of proprietary codebases and public projects. For the global 2000, the question you should be asking is not “ if you are or aren’t using open source code.” The right question is, “what open-source code you’re using, […]
As the steward of the Open Source Definition, the Open Source Initiative has been designating licenses as “open source” for over 20 years. These licenses are the foundation of the open-source software ecosystem, ensuring that everyone can use, improve, and share software. When a license is approved, it is because the OSI believes that the […]
The pressures of being a CISO are extensive and extend well past concerns of incident response time. There are pressures of maintaining budgets, reporting improved performance to stock-holders, and when the breadth and number of cyberattacks are increasing, the challenges to find qualified prospects to fill a considerable number of unfilled positions. Where does cybersecurity […]
The Supreme Court has ruled in Google’s favor, stating that the use of 12,000 lines of code from Oracle’s Java SE program was permitted as “fair use.” In its ruling, the Supreme Court states Google’s copying “only those lines of code that were needed to allow programmers to put their accrued talents to work in […]
Go to developer forums, Youtube channels and blog posts, and you’ll find endless conversations about copying and pasting code. The discussion revolves around whether this practice is a lazy form of code development or whether it will cause problems with achieving the desired outcome. They discuss if it will take longer to fix the bugs […]
Open source is systematically being attacked on the infrastructure used to distribute code. In a few years, we’ve experienced attacks on pre-existing vulnerabilities occurring months after a disclosure down to a few days. Attackers now directly hijack the publisher’s credentials and distribute malicious components.This worrisome trend requires enterprises to have in-depth knowledge of what open […]