DORA ICT risk management framework: What to know
The Digital Operational Resilience Act, or DORA, focuses on limiting how disruptive cyberattacks are to financial institutions. One of its key characteristics is that it views open source analysis, also known as software composition analysis (SCA), as a basic security requirement that all institutions under its guidance must develop as ...

Start building your CRA compliance strategy now
In March 2024, the European Parliament overwhelmingly approved the EU Cyber Resilience Act, or CRA, which will now be formally adopted with the goal of improving the cybersecurity of digital products. It sets out to do this by establishing essential requirements for manufacturers to ensure their products reach the market ...

NIS2 readiness: Ensure compliance with the EU Cybersecurity Directive
The software development community has been awash in new requirements and legislation recently, with the goal of neutralizing — or at least minimizing — cybersecurity threats. If your day-to-day work has not already been impacted by these new rules, it will be soon ...

CVE-2024-3094 The targeted backdoor supply chain attack against XZ and liblzma
As sure as long weekends arrive in the Western world, so too does news of new supply chain attacks. The Easter bank holidays were no exception, with the discovery of a targeted attack against the popular XZ compression utility seen in many Linux distributions such as Fedora, Debian to name ...

Secure Software Development Attestation Form: Sonatype helps you comply
On March 11, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) unveiled the final version of the Secure Software Development Attestation Form. This pivotal document, two years in the making, is set to transform the enforcement of minimum security standards for software ...

Struts2 CVE-2023-50164 by the numbers
Over the past few years, a not-so-great holiday season tradition has been critical security vulnerabilities that come out at the last minute, prompting action and fast responses at a time when resources on the defending side are low ...

Decrypting the Ledger connect-kit compromise: A deep dive into the crypto drainer attack
Earlier today, Ledger, a maker of hardware wallets for storing crypto, announced that they had identified malicious software embedded in one of their open source packages called @ledgerhq/connect-kit. This package is widely used as a connector between distributed blockchain applications and the crypto wallets that back them. This analysis delves ...

A New OpenSSL Vulnerability Is Coming – Get Ready to Patch
On Tuesday, 1 November, between 1-5pm UTC, a new version of the widely adopted OpenSSL 3.x series will be released for general consumption. The OpenSSL project announced this on their mailing list and through Twitter, also revealing the existence of a new CRITICAL security vulnerability that this patch fixes ...