When it comes to securing your software development against open source vulnerabilities, the earlier action occurs — by the right person — the safer you and your enterprise will be. Many IT departments rely on the PagerDuty incident response platform to improve visibility and agility across the organization.

Vulnerability scans and penetration test are often used interchangeably. Unfortunately, it is the improper use that creates confusions, sometimes around security decisions too. This article shal help the reader with these terms: penetration testing vs vulnerability scanning, their project inputs, outputs, security health indicators and decision making factors.

The Internet of things, cyber-physical systems, smart offices, smart homes. We are getting accustomed to these ‘smart’ concepts; lights turn off automatically when you leave home. Your car drives you, instead of the other way around and you quickly scan your access badge to check-in at work. All the little conveniences that make our lives easier, our work more enjoyable and ever so slightly improves our lives… Until they bite you in the behind.

Imagine you are a Java programmer and that you just decided you want to use Snyk Open Source scanning to help you find security problems in your third party libraries. Good call! However, after connecting your repository to the Snyk Open Source scanner, you find out that you have ten or maybe even 50 vulnerabilities in the packages you depend on. The major question is: where do I start?

A recent privilege escalation heap overflow vulnerability (CVSS 7.8), CVE-2021-3156, has been found in sudo. sudo is a powerful utility built in almost all Unix-like based OSes. This includes Linux distributions, like Ubuntu 20 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2). This popular tool allows users to run commands with other user privileges.

On January 26th, 2021, Qualys reported that many versions of SUDO (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1) are vulnerable (CVE-2021-3156) to a buffer overflow attack dubbed Baron Samedit that can result in privilege escalations. Qualys was able to use this vulnerability to gain root on at least Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2), some of the most modern and widely used Linux operating systems.

Stay on top of open source vulnerabilities and license obligations with discovery capabilities from Black Duck.

User authentication – the process of ensuring only authorized users have access to controlled data and functionality – is the fundamental cornerstone of web and application security.