News & Information       http://info.owt.com

Security

04/12/2024   InfoWorld Security

The Rust language team has published a point release of Rust to fix a critical vulnerability to the standard library that could benefit an attacker when using Windows.

Rust 1.77.2, published on April 9, includes a fix for CVE-2024-24576. Before this release, Rust’s standard library did not properly escape arguments when invoking batch files with the bat and cmd extensions on Windows using the Command API. An attacker who controlled arguments passed to a spawned process could execute arbitrary shell commands by bypassing the escape. This vulnerability becomes critical if batch files are invoked on Windows with untrusted arguments. No other platform or use was affected. Developers already using Rust can get Rust 1.77.2 using the command: rustup update stable.

To read this article in full, please click here

04/09/2024   InfoWorld Security

Synopsys has introduced Black Duck Supply Chain Edition, a software composition analysis (SCA) package that helps organizations mitigate upstream risk in software supply chains, including from AI code.

Announced April 9, Black Duck Supply Chain Edition is intended to address a rise in software supply chain attacks targeting vulnerable or maliciously altered open source and third-party components. Due April 25, the product combines open source detection technologies, automated third-party software bill of materials (SBOM) analysis, and malware detection to give a view of software risks inherited from open source, AI-generated code, and third-party code, Synopsys said. Security and development teams can track dependencies across the application life cycle to find and resolve security vulnerabilities, malicious packages, and license violations and conflicts, the company added.

To read this article in full, please click here

04/09/2024   InfoWorld Security

Parasoft has launched a tool to enhance safety testing for C and C++ applications. The tool comes at a time when the two venerable programming languages have come under fire over safety concerns.

Announced April 8, the C/C++test CT (Continous Testing) tool is intended to empower large developer teams to build reliable and dependable embedded systems. It provides a comprehensive solution for large teams engaged in the development of safety-critical and security-critical C and C++ products, Parasoft said. C/C++test CT integrates with developers’ desktop environments such as Visual Studio Code, unit testing frameworks such as GoogleTest, Boost.Test, and CppUnit, and CI/CD workflows for continuous testing and efficiency, according to Parasoft.

To read this article in full, please click here

04/05/2024   InfoWorld Security

The Eclipse Foundation announced that it is partnering with the Apache Software Foundation and other open source foundations to establish common specifications for secure software development based on existing open source best practices.

In an April 2 blog post, Eclipse said that the goal of the initiative was to meet the challenges of cybersecurity in the open source ecosystem and demonstrate cooperation with the European Union’s Cyber Resilience Act (CRA). Participants include Apache, Eclipse, the Rust Foundation, the PHP Foundation, the Blender Foundation, the OpenSSL Software Foundation, and the Python Software Foundation.

To read this article in full, please click here

04/03/2024   InfoWorld Security

Over the past decade, Rust has emerged as a language of choice for people who want to write fast, machine-native software that also has strong guarantees for memory safety.

Other languages, like C, may run fast and close to the metal, but they lack the language features to ensure program memory is allocated and disposed of properly. As noted recently by the White House Office of the National Cyber Director, these shortcomings enable software insecurities and exploits with costly real-world consequences. Languages like Rust, which put memory safety first, are getting more attention.

To read this article in full, please click here

04/02/2024   InfoWorld Security

2023 has been a breakout year for developers and generative AI. GitHub Copilot graduated from its technical preview stage in June 2022, and OpenAI released ChatGPT in November 2022. Just 18 months later, according to a survey by Sourcegraph, 95% of developers report they use generative AI to assist them in writing code. Generative AI can help developers write more code in a shorter space of time, but we need to consider how much of a good thing that may be.

To read this article in full, please click here

03/25/2024   InfoWorld Security

The key benefits of platform engineering are increased developer productivity, better quality of software, reduced lead time for deployment, and more stable applications, according to Puppet by Perforce’s 2024 State of Devops Report: The Evolution of Platform Engineering.

The report is based on a survey of 474 participants who work with a platform engineering team at their organizations. The survey was conducted in the summer of 2023.

Other benefits cited include cost savings, reduced time for product development, reduced errors, and reduced risk of security breaches. “Security has never just been IT’s job,” said Kapil Tandon, Puppet by Perforce vice president of product management, in the executive summary. “With secure tools built into most platforms, platform engineering is empowering more people than ever to take responsibility for security.”

To read this article in full, please click here

03/25/2024   InfoWorld Security

The benefits of developing software in the cloud include increased flexibility and reliability, greater efficiency, and reduced costs. But cloud-based development also presents a host of challenges. Knowing what to watch out for is the first step to protecting your applications and development efforts. Here, are 10 pitfalls to consider before developing, testing, or deploying applications in the cloud.

10 reasons to think twice before developing in the cloud

  1. Performance and latency issues
  2. Cybersecurity and data protection threats
  3. Vendor lock-in
  4. Runaway costs
  5. Regulatory compliance requirements
  6. Compatibility and integration issues
  7. Scalability demands
  8. Distributed collaboration and communication
  9. Testing and deployment hurdles
  10. Developing for a global market

Performance and latency issues

While cloud services are generally reliable in terms of availability and performance, service outages or performance issues can impact development efforts.

To read this article in full, please click here

03/22/2024   InfoWorld Security

Java Development Kit (JDK) 22, released by Oracle March 19 as the latest version of standard Java, offers a number of security enhancements, covering areas ranging from an asymmetric key interface to a new security option for -XshowSettings that allows developers to easily display security-related settings.

In a March 20 blog post on Oracle’s inside.java web page, Sean Mullan, technical lead of the Java Security libraries team and lead of the OpenJDK Security Group, detailed the security enhancements in JDK 22.

To read this article in full, please click here

03/20/2024   InfoWorld Security

GitHub is previewing code scanning autofix, a feature that combines its GitHub Copilot AI assistant with its CodeQL code scanner to provide suggested fixes to discovered vulnerabilities. Code scanning autofix is available in a public beta to GitHub Advanced Security customers.

Launched March 20, code scanning autofix makes vulnerability fixes available right away as a developer is coding, GitHub said. GitHub Copilot AI is used to provide a code suggestion and explanation directly in the pull request. Code scanning autofix covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python, and remediates more than two-thirds of found vulnerabilities with little or no editing, according to the company.

To read this article in full, please click here

03/20/2024   InfoWorld Security

In JFrog’s just-released Software Supply Chain State of the Union 2024 report, the software supply chain platform provider found extensive use of AI and machine learning tools for security. However, only one in three software developers the company surveyed use generative AI to write code.

While 90% of survey respondents indicate their organizations currently use AI/ML-powered tools in some capacity to assist in security scanning and remediation, only about one in three professionals, 32%, said their organizations use AI/ML-powered tools to write code. This indicates the majority still are wary of the potential vulnerabilities that AI-generated code can introduce to enterprise software, JFrog said.

To read this article in full, please click here

03/20/2024   InfoWorld Security

The internet of things (IoT) has transformed the way we interact with the world, connecting a myriad of devices to the internet, from smart thermostats in our homes to industrial sensors in manufacturing plants. A significant portion of these IoT devices relies on the Linux operating system due to its flexibility, robustness, and open-source nature.

Deploying software to Linux-based devices, at scale, is a complex and critical process that requires planning, well-thought-out processes, and adherence to best practices to ensure the stability, security, and manageability of the IoT fleet. In this article, we’ll explore some best practices for deploying software on large fleets of Linux-based IoT devices.

To read this article in full, please click here

03/18/2024   InfoWorld Security

C++ creator Bjarne Stroustrup has defended the widely used programming language in response to a Biden administration report that calls on developers to use memory-safe languages and avoid using vulnerable ones such as C++ and C.

In a March 15 response to an inquiry from InfoWorld, Stroustrup pointed out strengths of C++, which was designed in 1979. “I find it surprising that the writers of those government documents seem oblivious of the strengths of contemporary C++ and the efforts to provide strong safety guarantees,” Stroustrup said. “On the other hand, they seem to have realized that a programming language is just one part of a tool chain, so that improved tools and development processes are essential.”

To read this article in full, please click here

03/14/2024   InfoWorld Security

Frank Crane wasn’t talking about open source when he famously said, “You may be deceived if you trust too much, but you will live in torment if you don’t trust enough.”

But that’s a great way to summarize today’s gap between how open source is actually being consumed, versus the zero trust patterns that enterprises are trying to codify into their DevSecOps practices.

Every study I see suggests that between 90% and 98% of the world’s software is open source. We’re all taking code written by other people—standing on the shoulders of giants—and building and modifying all that code, implicitly trusting every author, maintainer, and contributor that’s come before us.

To read this article in full, please click here