Hot Topics

DevZone

SAST vs. DAST: Enhancing application security

SAST vs. DAST: Enhancing application security

| | Application Security, DAST, DevZone, SAST, security testing
As the threat landscape continues to evolve, organizations face a formidable challenge: ensure the security of their software applications ...
Sonatype Blog
SAST vs. DAST: Enhancing application security

SAST vs. DAST: Enhancing application security

| | Application Security, DAST, DevZone, SAST, security testing
As the threat landscape continues to evolve, organizations face a formidable challenge: ensure the security of their software applications ...
Sonatype Blog
npm packages caught exfiltrating Kubernetes config, SSH keys

npm packages caught exfiltrating Kubernetes config, SSH keys

| | DevZone, Malware Analysis, npm
The Sonatype Security Research team is currently tracking an ongoing campaign on the npm registry that uses npm packages to retrieve and exfiltrate your Kubernetes configuration and SSH keys to an external ...
Sonatype Blog
New npm PoC packages target PayPal Zettle, Airbnb developers

New npm PoC packages target PayPal Zettle, Airbnb developers

| | dependency confusion, DevZone, Malware Analysis, npm
Sonatype has identified several npm packages that are named after internal dependencies purportedly used by PayPal Zettle and Airbnb developers ...
Sonatype Blog
A guide for open source software (OSS) security

A guide for open source software (OSS) security

| | DevZone, open source, secure software supply chain, software supply chain automation, Sonatype Lifecycle, Sonatype Repository Firewall
When you search for a dependable open source software (OSS) component to integrate into your software supply chain, evaluation of the component’s security emerges as a critical task. This involves not only ...
Sonatype Blog
Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module

Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module

| | DevZone, Malware Analysis, open source, PyPI
This month, we analyzed a malicious PyPI package called ‘VMConnect,’ which has been designed to strongly resemble the legitimate VMware vSphere connector module, ‘vConnector’, except it hides sinister code within ...
Sonatype Blog
Getting started with the Secure Software Development Framework (SSDF)

Getting started with the Secure Software Development Framework (SSDF)

| | Application Security, devops frameworks, DevSecOps journey, DevZone, News and Views, software supply chain
In today’s software-driven world, it’s crucial to ensure the security of software during development. Yet many software development life cycle (SDLC) models lack specific emphasis on software security, requiring the addition of ...
Sonatype Blog
“Quoi...? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer

“Quoi…? feur” from meme to malware – PyPI package targets Windows with ‘NullRAT’ info-stealer

| | DevZone, Malware Analysis, PyPI, Sonatype Repository Firewall
We’ve got a rather interesting malicious finding this month to talk about, the one that mixes a meme with malware ...
Sonatype Blog

A Closer Look: Differentiating Software Vulnerabilities and Malware

| | DevZone, malware prevention, open source, software supply chain, Sonatype Lifecycle, Sonatype Repository Firewall, Vulnerabilities
In today’s interconnected digital world, vulnerabilities and malware in open source software pose significant threats to the security and integrity of your software supply chain. While these two terms may appear synonymous ...
Sonatype Blog
npm Manifest Confusion – What Is It and Do You Really Need to Worry About It?

npm Manifest Confusion – What Is It and Do You Really Need to Worry About It?

| | dependencies, DevZone, FEATURED, npm, open source
Yesterday, Darcy Clarke, a software developer and a former npm CLI team Engineering Manager, steered everyone’s attention towards a gap in the npm registry website – what he calls “manifest confusion.” ...
Sonatype Blog
Load more