DevOps.com

  • Latest
    • Articles
    • Features
    • Most Read
    • News
    • News Releases
  • Topics
    • AI
    • Continuous Delivery
    • Continuous Testing
    • Cloud
    • Culture
    • DataOps
    • DevSecOps
    • Enterprise DevOps
    • Leadership Suite
    • DevOps Practice
    • ROELBOB
    • DevOps Toolbox
    • IT as Code
  • Videos/Podcasts
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • DevOps Unbound
  • Webinars
    • Upcoming
    • Calendar View
    • On-Demand Webinars
  • Library
  • Events
    • Upcoming Events
    • Calendar View
    • On-Demand Events
  • Sponsored Content
  • Related Sites
    • Techstrong Group
    • Cloud Native Now
    • Security Boulevard
    • Techstrong Research
    • DevOps Chat
    • DevOps Dozen
    • DevOps TV
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
  • Media Kit
  • About
  • Sponsor
  • AI
  • Cloud
  • CI/CD
  • Continuous Testing
  • DataOps
  • DevSecOps
  • DevOps Onramp
  • Platform Engineering
  • Sustainability
  • Low-Code/No-Code
  • IT as Code
  • More
    • Builder Community Hub
    • Application Performance Management/Monitoring
    • Culture
    • Enterprise DevOps
    • ROELBOB
Hot Topics
  • Veracode Extends DAST Reach Left Toward Developers
  • Fear of the Future
  • KubeCon 2023: Internal Developer Platforms and Developer Productivity
  • Three Strategies for Reducing MTTD and MTTR as Outage Costs Spiral
  • Observability: The Central Watchtower Your All-Seeing IT Needs

Features Checkmarx Report Highlights Need for AppSec Collaboration

Checkmarx Report Highlights Need for AppSec Collaboration

Avatar photoBy: Mike Vizard on May 9, 2022 Leave a Comment

A research report published by Checkmarx finds the same basic malicious software developed using multiple programming languages as cyberattackers industrialize their malware development processes.

Checkmarx, a provider of code scanning tools, shared examples of malicious packages written in multiple programming languages. These example packages share the same indicators of compromise that have gone undetected for years. A “junkeldat” PyPI package for Python applications, for example, that has been compromised also shows up in a Ruby version of the package.

Tzachi Zornstain, head of supply chain security for Checkmarx, said much like any other development team that uses multiple programming languages, it appears cybercriminals are also sharing techniques. These examples highlight the need for development teams to share security intelligence even if they build applications using different programming languages, he added. There is a tendency for development teams using one programming language to ignore application security issues that appear to only impact applications written in another programming language, noted Zornstain.

The fact that the packages remained undetected for such a long period of time is due—at least in part—to the lack of information sharing in the ecosystem, said Zornstain.

Cyberattackers are, of course, trying to take advantage of the implicit trust many development teams have in open source projects. However, now that more cybercriminals are making a concerted effort to compromise downstream software components, it’s imperative that every component be vetted, said Zornstain. In fact, organizations should not use any code provided by strangers, he advises.

The core issue is that many open source projects are maintained by a small number of programmers contributing their time and effort to building components that others are free to use. Many of them argue that the onus for making sure software is secure is on the organizations that decide to deploy that software. Nor is it their responsibility to keep track of cybercrimimals distributing malicious versions of their software.

AI In ActionSponsorships Available

Unfortunately, many IT vendors and large enterprise IT organizations that rely on that code are, unfortunately, not contributing anything meaningful back to the project, either in terms of financing or helping open source maintainers find and remediate vulnerabilities. Many of those same organizations, however, are assessing whether the open source software they employ is, from a security perspective, actually sustainable in the absence of those contributions. As a result, it may be only a matter of time before these long-simmering open source software security concerns boil over into a larger crisis.

One way or another, DevSecOps best practices will need to be applied to application development at a deeper level. Organizations can’t assume that the software components they are relying on have been scanned for vulnerabilities by someone else. It’s simply too easy for a development team to make a mistake. The need for higher levels of security may lengthen the development process, but the alternative—malware infestations wreaking havoc—is far less desirable.

Recent Posts By Mike Vizard
  • Veracode Extends DAST Reach Left Toward Developers
  • Bitrise Tightens Mobile DevOps Integration With AWS Cloud Services
  • LaunchDarkly Previews Generative AI Testing Tool for Feature Management
Avatar photo More from Mike Vizard
Related Posts
  • Checkmarx Report Highlights Need for AppSec Collaboration
  • Checkmarx Surfaces Threat to GitHub Repositories
  • Static Application Security Testing (SAST) from Checkmarx
    Related Categories
  • DevOps and Open Technologies
  • DevOps Practice
  • DevSecOps
  • Features
  • IT Security
  • News
    Related Topics
  • Checkmarx
  • cyberattack
  • malicious code
  • Python
  • Ruby
Show more
Show less

Filed Under: DevOps and Open Technologies, DevOps Practice, DevSecOps, Features, IT Security, News Tagged With: Checkmarx, cyberattack, malicious code, Python, Ruby

« Stytch Launches New, Flexibility-First SDK
OpenSSF Adds Open Source Package Analysis Tool Prototype »

Techstrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Quiz

Results to last week’s quiz are here.

Upcoming Webinars

Building Resilient Organizations Around IT and Cybersecurity
Wednesday, November 29, 2023 - 1:00 pm EST
How to Bring DevSecOps to V-Shaped Development
Thursday, November 30, 2023 - 1:00 pm EST
Scale and Standardize Your infrastructure in Azure, With Red Hat Enterprise Linux
Thursday, November 30, 2023 - 3:00 pm EST

GET THE TOP STORIES OF THE WEEK

Sponsored Content

Why AIOps is Critical for Networks

October 3, 2023 | Mitch Ashley

JFrog’s swampUP 2023: Ready for Next 

September 1, 2023 | Natan Solomon

DevOps World: Time to Bring the Community Together Again

August 8, 2023 | Saskia Sawyerr

PlatformCon 2023: This Year’s Hottest Platform Engineering Event

May 30, 2023 | Karolina Junčytė

The Google Cloud DevOps Awards: Apply Now!

January 10, 2023 | Brenna Washington

TSTV Podcast

On-Demand Webinars

DevOps.com Webinar ReplaysDevOps.com Webinar Replays
  • Home
  • About DevOps.com
  • Meet our Authors
  • Write for DevOps.com
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • Privacy Policy

Powered by Techstrong Group, Inc.

© 2023 ·Techstrong Group, Inc.All rights reserved.