Security Articles

New Relic and FOSSA Upgrade Supply Chain Security with Connected Build-Time and Run-Time Vulnerability Management
New integration between FOSSA and New Relic provides end-to-end visibility and actionable insights for developers to manage software supply chain security efficiently.

Understanding CVSS: The Common Vulnerability Scoring System
An in-depth look at the Common Vulnerability Scoring System (CVSS), its evolution, scoring methods, and its importance in prioritizing vulnerabilities.

A Proposal for the Future of SBOM Minimum Elements
Exploring the next steps for improving SBOM usability across the ecosystem with new data requirements and considerations for vulnerability management.

4 Considerations for Effective SBOM Sharing
Organizations are successfully generating SBOMs for security, regulatory compliance, and business reasons, but struggle with their distribution.

Actioning the Stakeholder-Specific Vulnerability Categorization (SSVC) Model
An overview of the CISA Stakeholder-Specific Vulnerability Categorization (SSVC) model, focusing on its decision-making framework to categorize and prioritize vulnerabilities based on unique organizational risk profiles.

Understanding SBOM Requirements in PCI DSS
This blog post explores the introduction of SBOM requirements in PCI DSS 4.0, detailing the specific requirements and timelines, and suggesting steps for organizations to prepare for the March 2025 enforcement date.

Secure Open Source for All: FOSSA's Free Plan Just Got Better
FOSSA's free plan now includes security, license compliance, and SBOM management for up to 25 developers and 5 projects.

Polyfill Supply Chain Attack: Details and Fixes
An overview of a significant supply chain attack on the Polyfill CDN service, including its background, impact, and mitigation strategies.

Using the CISA KEV Catalog
Explore how the CISA KEV Catalog aids organizations in vulnerability prioritization and learn about its evaluation process.

FOSSA Joins Forces with New Relic in the Secure Developer Alliance
FOSSA partners with New Relic in the Secure Developer Alliance to enhance vulnerability management with cutting-edge resources and collaborations.

CVE-2024-3094: New Vulnerability Impacts XZ Utils
A newly disclosed vulnerability, CVE-2024-3094, affects XZ Utils with a CVSS severity score of 10 and brings potential remote code execution risks.

Complying with the FDA’s SBOM Requirements
Explore the FDA's new SBOM requirements for medical devices, detailing the scope, structure, and support information needed for compliance.

Enable Global Visibility and Swift Remediation with Package Index
Explore how FOSSA’s Package Index enhances software supply chain visibility, enabling swift vulnerability detection and remediation.

Terrapin (CVE-2023-48795): New Attack Impacts the SSH Protocol
Researchers from Ruhr University Bochum have uncovered Terrapin, a new SSH vulnerability (CVE-2023-48795) that lets a man-in-the-middle attacker truncate messages at the start of the secure channel, affecting widely used SSH implementations.

SCA vs. SAST: Comparing Security Tools
A detailed comparison of SCA and SAST security tools, highlighting their differences and combined use for enhanced security.

Understanding and Using the EPSS Scoring System
Explore the EPSS scoring system and how it helps prioritize vulnerability exploitability.

5 Ways to Reduce GitHub Copilot Security and Legal Risks
Explore strategies to mitigate security and legal risks associated with GitHub Copilot and similar AI tools.

5 Ways an SBOM Can Strengthen Security
Explore how a software bill of materials (SBOM) can enhance your organization's security by providing visibility into open source vulnerabilities, improving software supply chain transparency, enabling VEX, supporting vulnerability remediation, and flagging high-risk components.

Vulnerability Remediation Tactics
Explore strategies for addressing vulnerabilities in third-party components, including patching and upgrading methods.

VEX (Vulnerability Exploitability eXchange): Purpose and Use Cases
Explore the purpose and significance of VEX (Vulnerability Exploitability eXchange) in managing software vulnerabilities, detailing its necessity, applications, and future implications for suppliers and users.

Generative AI and Software Development: Copyright Law and License Compliance
Explores the impact of recent U.S. Copyright Office decisions on generative AI, potential risks from open source licensing, and strategies to mitigate IP risk in software development.

The FOSSA Podcast: SCA Purchasing and Implementation Trends
A discussion on open source usage and software composition analysis tools to manage OSS license compliance and security risks.

Announcing the GA of C and C++ Security and License Scanning
FOSSA announces the general availability of its security and license scanning for C and C++ projects, offering tailored solutions for dependency identification.

OpenSSL Vulnerability 2022: Details and Fixes
This post discusses two high-severity vulnerabilities affecting OpenSSL 3.0.0 through 3.0.6 (fixed in 3.0.7), including details on how to find and fix them.

CVE-2022-42889 Text4Shell Vulnerability: Impact and Fixes
A critical remote code execution vulnerability called Text4Shell impacting the Apache Commons Text library.

Analyzing the Securing Open Source Software Act
An overview of the Securing Open Source Software Act, its implications for federal agencies, and potential effects on the private sector.

How to Implement the CSRB’s Log4j Security Recommendations
Recommendations from the CSRB to improve software security concerning the Log4j vulnerability, with a focus on private enterprises.

Announcing the Private Beta of FOSSA Risk Intelligence
Introducing FOSSA Risk Intelligence, a private beta add-on to enhance software supply chain security by addressing risks like stale packages, abandonware, and more.

Understanding and Preventing Dependency Confusion Attacks
Explore the concept of dependency confusion attacks, how they work, and strategies to prevent them from affecting software supply chains.

Highlights from NIST SP 800-161r1: Cybersecurity Supply Chain Risk Management
An overview of NIST's updated recommendations for managing cybersecurity risks across supply chains, featuring frameworks and templates for organizations.

An Overview of Spring RCE Vulnerabilities
A review of critical remote code execution vulnerabilities in Spring, highlighting CVE-2022-22965 and CVE-2022-22963, their impact, and mitigation strategies.

Building a Sustainable Software Supply Chain
Exploring strategies to enhance software supply chain security through sustainability practices.

The Three Pillars of Reproducible Builds
Exploring the guiding principles of reproducible builds to strengthen software supply chain security.

5 Highlights from the U.S. Senate’s Log4J Vulnerability Hearing
An overview of the U.S. Senate's hearing on the Log4J vulnerability, highlighting key discussions on software security.

6 Takeaways from the Linux Foundation's SBOM Report
A detailed analysis of the Linux Foundation's SBOM report, outlining key insights into software supply chain security.

React Security: How to Fix Common Vulnerabilities
Learn about the common security vulnerabilities in React and best practices to prevent them.

How to Quickly Find and Remediate Log4J Vulnerabilities (Log4Shell)
Explore detection and remediation strategies for Log4J vulnerabilities, including Log4Shell, using FOSSA's CLI.

How to Fix the New Log4J DoS Vulnerability: CVE-2021-45105
A guide on addressing the newly discovered Log4J DoS vulnerability CVE-2021-45105 and recommended updates.

Log4J "Log4Shell" Zero-Day Vulnerability: Impact and Fixes
Discover the critical CVE-2021-44228 vulnerability in Apache Log4J affecting many applications and how to mitigate it.

DevSecOps 101: Understanding and Implementing DevSecOps Principles
Explore the principles of DevSecOps, a natural extension of DevOps, focusing on integrating security testing throughout the software development lifecycle.

Embedded Malware in NPM: Coa, Rc, Ua-parser
A significant rise in NPM packages with embedded malware has been reported, affecting popular packages like coa, rc, and ua-parser. This raises serious concerns over the ecosystem's security.

Anatomy of a Software Supply Chain Attack
Understanding software supply chain attacks and strategies to defend against them.

Role-Based Access Control (RBAC), Zero Trust, and FOSSA
Exploring the implementation of Zero Trust through Role-Based Access Control (RBAC) with FOSSA.

Announcing FOSSA Container Scanning
Announcing the availability of FOSSA Container Scanning, a tool that helps identify vulnerabilities and license risks in container images.

Container Image Security and Vulnerability Scanning
Explore today’s container image security landscape and learn defensive strategies, such as vulnerability scanning and digital signatures, for fending off cyber threats.

All About CWE-79: Cross-Site Scripting
An overview of CWE-79: Cross-Site Scripting, a common web vulnerability in which attacker-controlled input is rendered without proper escaping, letting attackers inject script that runs in other users' browsers.

Cybersecurity Executive Order and Software Supply Chain Security
An overview of the Biden Administration's executive order on cybersecurity and its impact on software supply chain security.

IT Central Station: What Makes for an Effective SCA Solution
Exploring the essential features of an effective Software Composition Analysis (SCA) solution through insights from IT Central Station members.

Application Security for Developers: SCA, DAST, and GitHub Actions
Explore application security testing with SCA and DAST, and learn how to implement these tools using GitHub Actions for early bug detection and cost reduction.

Top Security Takeaways from the 2020 FOSS Contributor Survey
Discover key security insights from the 2020 FOSS Contributor Survey and explore actionable recommendations for open source project owners.

SolarWinds, Supply Chain Attacks, and Software Composition Analysis
Exploring the implications of the SolarWinds hack and methods to prevent similar software supply chain attacks, with a focus on software composition analysis.

Introducing Open Source Security Management at Enterprise Scale
Announcing the launch of FOSSA Security Management, empowering enterprises to prevent vulnerabilities proactively and continuously.

FOSSA and Container Scanning
Explore how FOSSA aids in scanning different components of a container to ensure compliance and security.