Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free TrialThis week: Google Cloud takes a swing at software supply chain risk. Also: multiple vulnerabilities in Adobe products could lead to arbitrary code execution, and more.
Google is doubling down on its investment to supply chain security, announcing a new platform and Google Cloud-based development workstations designed to secure cloud development organizations from supply chain risks.
The company's Software Delivery Shield is a managed supply chain security platform targeted at development, DevOps, and security teams. The platform integrates with Google's Cloud services and developer tooling, Google said in a blog post. Modules address application development, software “supply,” continuous integration (CI) and continuous delivery (CD), production environments, and policies.
As part of its new offering, Google is also introducing a new service for its Google Cloud Next dubbed Cloud Workstations — fully managed development environments that run on on Google Cloud. The goal is to eliminate the risks of decentralized development — for example: local storage of source code by developers, inconsistent configurations or privacy risks.
Finally, Google said it has added a new module to its Cloud Code IDE: Source Protect, which it claims gives developers "real-time security feedback" as they work, identifying issues such as vulnerable dependencies and license reporting.
Software Delivery Shield follows the previous work Google Cloud has done to pave the way for software security efforts, such as the company’s involvement in the creation of Supply Chain Levels for Software Artifacts (SLSA), as well as its $10 billion commitment to advancing cybersecurity.
Here are the stories we’re paying attention to this week…
The U.K.'s National Cyber Security Centre (NCSC) has published new guidance 'How to assess and gain confidence in your supply chain cyber security'. It’s aimed at medium to large organizations who need to gain confidence or assurance that mitigations are in place for vulnerabilities associated with working with suppliers.
Toyota stands accused of lax DevOps standards, as the company reveals it stored prod database credentials in a public GitHub repo. That’s bad enough, but it also took five years to detect and fix. Easy to mock, but could it happen to you? What DevOps processes do you use to prevent a similar incident? And do those processes have management support?
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead.
A ransomware attack at one of the country's largest hospital chains disrupted care at hospitals from Seattle to Tennessee last week.
Threat actors associated with the notorious Emotet malware are continually shifting their tactics and command-and-control (C2) infrastructure to escape detection, according to new research from VMware.
Microsoft has added command-and-control (C2) traffic detection capabilities to its Microsoft Defender for Endpoint (MDE) enterprise endpoint security platform.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
Get your 14-day free trial of Spectra Assure
Get Free TrialMore about Spectra Assure Free Trial