This blog was written by an independent guest blogger. In mid-March, Microsoft released a free, open-source tool that can be used to secure MikroTik routers. The tool, RouterOS Scanner, has its source code available on GitHub. It is designed to analyze routers for Indicators of Compromise (IoCs) associated with Trickbot. This article will introduce some background on the MikroTik vulnerability, the Trickbot malware, and some ways you can protect yourself.
Open source software adoption reaches higher levels every year. Recent figures show that over 70% of code used in codebases is open source. With a constant stream of new components comes an increased need to manage the inherent risks associated with open source, a need that quickly turned into a necessity as supply chain attacks increased by 400% in 2021. The practice of identifying and tracking open source components usually falls under the umbrella of Software Composition Analysis (SCA).
We’re happy to announce the general availability of C/C++ security scanning in Snyk Open Source, enabling development and security teams to find and fix known security vulnerabilities in their C/C++ open source library dependencies.
Following our recent announcement about supporting the open source community, LimaCharlie is excited to share that we have decided to sponsor the IntelOwl project.
A few days ago, Snyk reported on a new type of threat vector in the open source community: protestware. The advisory was about a transitive vulnerability — peacenotwar — in node-ipc that impacted the supply chain of a great many developers. Snyk uses various threat intel feeds and algorithms to monitor chatter about potential threats to open source, and we believe this may be just the tip of a protestware iceberg.
It’s open source and anyone can audit it, but is it safe? In this blog, our CSO explores why the distribution of malicious scripts via libraries is causing a stir in the open-source community and how you can defend against it.
More than ever, developers are building web applications on the foundations of open source software libraries. However, while those libraries make up the components inventory in a software bill of materials (SBOM), not all developers and business stakeholders understand the significant impact on open source supply chain security that stems from including third-party libraries.
At LimaCharlie, we are building a world where people and organizations can realize their full potential without compromising security along the way. We believe it’s best to leave security in the hands of security professionals while enabling them with powerful tools to do what they do best. For us, these are not just words. It’s a core belief that guides everything we do. Security is about people.