6/30/23: SolarWinds, MOVEit, memory overwrite bugs & more
This week's software security highlights:
Memory overwrite bugs are still #1
The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government's list of known vulnerabilities that are under active attack and need to be patched.
Guidance on securing CI/CD environments
The document (PDF) from the Cybersecurity and Infrastructure Security Agency & National Security Agency includes recommendations and best practices for hardening CI/CD cloud deployments and improving the defenses of development, security, and operations (DevSecOps).
16 million people and counting affected in MOVEit breaches
More than 16 million people are known to have had their information accessed by hackers exploiting vulnerabilities in the MOVEit software thus far — a tally that is likely only a fraction of the total. This week, UCLA, Siemens Energy and Schneider Electric revealed that they had data accessed through the MOVEit vulnerability.
npm, Inc. ecosystem vulnerable to new manifest confusion attack
There’s no shortage of package versions with vulnerabilities, even in actively maintained projects. Snyk and RedHunt Labs released the findings of a research project which scanned for vulnerabilities and dependencies in 11,000+ repositories belonging to the top 1,000 organizations on GitHub. For JavaScript (npm and yarn), the team extracted 1.9 million dependencies and identified around 550,000 instances of known vulnerabilities in them.
U.S. Securities and Exchange Commission notices spark alarm for cyber executives
SolarWinds recently disclosed that the SEC notified top executives of pending legal action over the company’s landmark data breach — a step that some have described as unprecedented. That’s because the company’s chief information security officer is among those who received a notice, “likely the first time a CISO has ever received one of these,” said Jamil Farshchi, CISO at Equifax.
Software Supply Chain Security