InfoWorld

C++ creator rebuts White House warning

InfoWorld - Mon, 03/18/2024 - 12:30pm

C++ creator Bjarne Stroustrup has defended the widely used programming language in response to a Biden administration report that calls on developers to use memory-safe languages and avoid using vulnerable ones such as C++ and C.

In a March 15 response to an inquiry from InfoWorld, Stroustrup pointed out strengths of C++, which was designed in 1979. “I find it surprising that the writers of those government documents seem oblivious of the strengths of contemporary C++ and the efforts to provide strong safety guarantees,” Stroustrup said. “On the other hand, they seem to have realized that a programming language is just one part of a tool chain, so that improved tools and development processes are essential.”

Open source is not insecure

InfoWorld - Thu, 03/14/2024 - 5:00am

Frank Crane wasn’t talking about open source when he famously said, “You may be deceived if you trust too much, but you will live in torment if you don’t trust enough.”

But that’s a great way to summarize today’s gap between how open source is actually being consumed, versus the zero trust patterns that enterprises are trying to codify into their DevSecOps practices.

Every study I see suggests that between 90% and 98% of the world’s software is open source. We’re all taking code written by other people—standing on the shoulders of giants—and building and modifying all that code, implicitly trusting every author, maintainer, and contributor that’s come before us.

Feds seek attestation on secure software

InfoWorld - Wed, 03/13/2024 - 5:54pm

The US federal government has released a software attestation form intended to ensure that software producers partnering with the government leverage minimum secure development techniques and tool sets.

The form was announced March 11 by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which developed the form with the Office of Management and Budget (OMB). The form identifies minimum secure software development requirements a software producer must meet and attest to meeting. Software requires attestation if it was developed after September 14, 2022. Software developed prior to this date requires attestation if it was modified by major version changes after September 14, 2022. Attestation is also required if the producer delivers constant changes to the code.

JetBrains releases security fixes for TeamCity CI/CD system

InfoWorld - Tue, 03/12/2024 - 1:25pm

JetBrains has released fixes for two critical security vulnerabilities in its TeamCity On-Premises CI/CD system discovered by cybersecurity company Rapid7.

The two vulnerabilities reported in late February by Rapid7 would enable an authenticated attacker with HTTP(S) access to a TeamCity On-Premises server to bypass authentication checks and gain administrative control. These vulnerabilities affected all TeamCity On-Premises versions through 2023.11.3, but have been fixed in TeamCity On-Premises 2023.11.4. For users unable to update their server to version 2023.11.4, JetBrains also released a security patch plugin.

Cloudflare announces Firewall for AI

InfoWorld - Tue, 03/05/2024 - 3:00pm

Cloudflare has announced the development of Firewall for AI, a protection layer that can be deployed in front of large language models (LLMs) that promises to identify abuses before they reach the models.

Unveiled March 4, Firewall for AI is intended to be an advanced web application firewall (WAF) for applications that use LLMs, comprising a set of tools that can be deployed in front of applications to detect vulnerabilities and provide visibility into the threats to models.

Biden executive order protects personal data

InfoWorld - Fri, 03/01/2024 - 2:04pm

President Joseph Biden has issued an executive order intended to protect Americans’ sensitive personal data from exploitation by countries of concern including China, Russia, Iran, and North Korea.

Issued February 28, the order authorizes the attorney general to prevent the large-scale transfer of Americans’ personal data to countries of concern and offers safeguards around other activities that can give these countries access to this sensitive data.

GitHub rolls out push protection on public repos

InfoWorld - Fri, 03/01/2024 - 5:00am

GitHub has begun rolling out push protection for all of its users, a secrets scanning feature that gives users the option to remove secrets from commits or bypass a block.

The policy, announced February 29, affects supported secrets. It might take one to two weeks for this change to apply to an account; developers can verify status and opt in early in code security and analysis settings. GitHub secret scanning guards more than 200 token types and patterns from more than 180 service providers.

Why passkeys will replace passwords

InfoWorld - Thu, 02/29/2024 - 5:00am

With the growth of sophisticated attacks against critical software and infrastructure systems, multi-factor authentication (MFA) has emerged as a critical layer of defense against unauthorized access. An increasing number of enterprise and developer-facing technology applications and platforms, from GitHub to Salesforce to Amazon Web Services, are making MFA mandatory for users.

That said, we are all used to passwords, and many people like the status quo. Not surprisingly, the introduction of MFA has added friction to the login process. This can negatively impact the user experience.

A newer technology that can provide even greater security benefits than MFA is now becoming more widely deployed. That technology is called passkeys. Based on widely accepted industry standards, passkeys offer the tantalizing promise of eliminating the need for passwords and the risks passwords create, without adding user experience friction the way MFA does.

High-risk open source vulnerabilities on the rise, Synopsys reports

InfoWorld - Wed, 02/28/2024 - 1:40pm

Nearly three-quarters of codebases assessed for risk by Synopsys in 2023 contained open source components with high-risk vulnerabilities, according to a just-released report from the company, a provider of application security testing tools.

While the number of codebases with at least one open source vulnerability remained consistent year over year at 84%, Synopsys said, the number that contained high-risk vulnerabilities increased dramatically, from 48% in 2022 to 74% in 2023. Synopsys defines high-risk vulnerabilities as vulnerabilities that have been exploited, or have documented proof-of-concept exploits, or have been classified as remote code execution vulnerabilities.

White House urges developers to dump C and C++

InfoWorld - Tue, 02/27/2024 - 1:35pm

US President Joe Biden’s administration wants software developers to use memory-safe programming languages and ditch vulnerable ones like C and C++.

The White House Office of the National Cyber Director (ONCD), in a report released Monday, called on developers to reduce the risk of cyberattacks by using programming languages that don’t have memory safety vulnerabilities. Technology companies “can prevent entire classes of vulnerabilities from entering the digital ecosystem” by adopting memory-safe programming languages, the White House said in a news release.

GitHub Copilot makes insecure code even less secure, Snyk says

InfoWorld - Thu, 02/22/2024 - 8:00am

GitHub’s AI-powered coding assistant, GitHub Copilot, may suggest insecure code when the user’s existing codebase contains security issues, according to developer security company Snyk.

GitHub Copilot can replicate existing security issues in code, Snyk said in a blog post published February 22. “This means that existing security debt in a project can make insecure developers using Copilot even less secure,” the company said. However, GitHub Copilot is less likely to suggest insecure code in projects without security issues, as it has a less insecure code context to draw from.
