Explore Latest Linux Security news


Using Static Analysis for Continuous Assurance in Open Source Security

Open Source lends itself to a new way of certifying software: Continuous Assurance. In this approach, automated tools and processes ensure that, as code changes, it continually satisfies compliance, quality, and security requirements. "Continuous Assurance integrates directly into development and benefits from the always-up-to-date nature of cloud services, making it a perfect match for Open Source." Sonatype's 2020 State of the Software Supply Chain Report found that next-generation cyber-attacks actively targeting open-source software projects increased 430% over the past 12 months. Industry and the Open Source communities recognize the heightened security risks and are working to solve them. For example, in August 2020 the Linux Foundation launched the Open Source Security Foundation (OpenSSF), billing itself as "a cross-industry collaboration that brings together leaders to improve the security of open-source software." The Foundation notes how pervasive open source has become, and how critical it is to bring together open-source security initiatives and those who support them to advance open-source security for all stakeholders.

Nov 04, 2020 | Brittany Day | Security Trends

RIPS Static Analyzer For PHP Web Apps: Security Insights and Tools

RIPS is a tool written in PHP that finds vulnerabilities in PHP web applications through static source code analysis. By tokenizing and parsing all source code files, RIPS transforms PHP source code into a program model and detects sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS also offers an integrated code audit framework for further manual analysis. The link for this article located at Darknet is no longer available.

Oct 21, 2014 | LinuxSecurity.com Team | Vendors/Products

Coverity Scan Report: 16% Reduction In Open Source Defects

The quality and security levels of open source code are continuing to improve, according to the latest annual audit by code analysis tools vendor Coverity. The third edition of the Coverity Scan Open Source report measured a 16 per cent reduction in static analysis defect density over the past three years among the projects subjected to scrutiny, including Firefox, Linux, PHP, Ruby and Samba. The report covers analysis of more than 11 billion lines of code from 280 open source projects. Between 2006 and 2009, more than 11,200 defects in open source programs have been fixed thanks to Coverity, 2,700 of those in the last year. The link for this article located at The Register is no longer available.

Sep 25, 2009 | LinuxSecurity.com Team | Security Projects

Coverity 2008 Open Source Software Security Report Highlights

SAN FRANCISCO - May 20, 2008 - Coverity, Inc., the leader in improving software quality and security, today announced the availability of the Scan Report on Open Source Software 2008. The Coverity Scan site was developed with support from the U.S. Department of Homeland Security as part of the federal government's 'Open Source Hardening Project.' The report is based on 2 years of analysis of more than 55 million lines of code on a recurring basis from over 250 popular open source projects with Coverity Prevent, the industry-leading static source code analysis solution. This project seems to be on the right track in improving open-source security. What do you think? Will this project make a big impact on code quality and security?

May 23, 2008 | Bill Locke | Government

Introducing ITS4: Command-Line Tool for C/C++ Security Audits

John Viega posted the following message to bugtraq announcing a new security auditing tool.

"I've put together a command-line tool for statically scanning C and C++ source code for security vulnerabilities. The tool is called ITS4. ITS4 scans through source code for potentially dangerous function calls that are stored in a database. Anything that is in the database gets flagged. ITS4 tries to automate a lot of the grepping usually done by hand when performing security audits. The tool is available from:

Also on this site is a research paper on ITS4 submitted to this year's Usenix Security conference. ITS4 is open source software. The license puts some minor restrictions on commercial use. In essence, you can't use this tool to make money (such as by reselling it, or by using it in a consulting practice). However, you are encouraged to run the tool on your own product in order to make it better.

ITS4 does more than just grep-type work. It allows for arbitrary handlers to refine the initial analysis. This version of ITS4 comes with some simple handlers. Some of these handlers check for uses of common string operations that often are not significant problems. For example:

strcpy(buf, "\n");
sprintf(buf, "%d", i);

In the first case, ITS4 will look at the second argument to a strcpy. If it is a string constant, the severity of the problem site is reduced to the lowest possible level. The tool will not output this kind of problem in its standard mode. In the second case, a similar reduction in severity occurs, since the sprintf format string contains no %s's. The tool also has handlers that scan for file access race conditions, similar to the prototype tool discussed in [BD96]. We slightly improve on their tool by allowing for interprocedural and intermodular problems.

There are some technical limitations to this tool, many of which we hope to improve in the future. We'd like to have the help of the security community. I'm personally dedicated to improving this tool, and Reliable Software Technologies is willing to put some resources towards doing so. Changes from the community will certainly be considered for inclusion in future ITS4 releases. Currently, the weakest area of ITS4, where the input of the security community is most important, is the vulnerability database, which was largely taken from some very preliminary work done by Tom O'Connor. It's perhaps a good start, but far from complete. Many new things could be added, and the entries that do exist can likely be improved substantially. For each database entry, we have a description, a default severity, and a recommended alternative. Generally, the descriptions are pretty scant, and the severities are not overly well thought out.

The next area for improvement is the handlers. It would be great to see people writing some good handlers, or even suggesting good handlers, and then we could write them. Beyond that we're interested in the following:

1) Flagging the allocation mechanism used on important variables (i.e., stack-allocated buffers are usually easier to exploit than heap-allocated buffers if there is an overflow).
2) Performing much better static analysis. We'd probably like to start by building some sort of heuristic alias analysis, and then doing something similar to the analysis done in [WF+00].

We do have plans to ultimately do these things, but if other people want to code them up and contribute to the project, that's great. I've set up a mailing list for people who are interested in helping out in any capacity. Hopefully we can get a good discussion going that will improve the vulnerability database, and make ITS4 a far more useful tool. The mailing list signup is available at:

John Viega
Software Security Group Co-founder
Reliable Software Technologies

References:
[BD96] M. Bishop and M. Dilger. Checking for race conditions in file accesses. Computing Systems, 9(2):131-152, Spring 1996.
[WF+00] D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Year 2000 Network and Distributed System Security Symposium (NDSS), pages 3-17, San Diego, CA, 2000."

Feb 22, 2000 | LinuxSecurity.com Team | Server Security
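As an added illustration (not ITS4's own code), the following Python sketch mimics the design described in the announcement: a database of dangerous calls with default severities and recommended alternatives, plus handlers that downgrade a strcpy whose source is a string constant and a sprintf whose format string contains no %s. The database entries, the 0-3 severity scale and the sample C fragment are constructed assumptions.

```python
import re

# Constructed ITS4-style database (an assumption, not ITS4's real entries):
# function -> (default severity, recommended alternative); 0 = lowest, 3 = highest.
VULN_DB = {"strcpy": (3, "strncpy"), "strcat": (2, "strncat"), "sprintf": (3, "snprintf"), "gets": (3, "fgets")}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# Constructed C fragment: the announcement's two examples plus two genuinely risky calls.
SAMPLE_C = 'strcpy(buf, "\\n");\nsprintf(buf, "%d", i);\nstrcpy(buf, argv[1]);\ngets(line);\n'
is_const = lambda a: len(a) >= 2 and a[0] == '"' and a[-1] == '"'  # C string literal?
def parse_args(text, pos):
    # Split the call whose '(' is at text[pos] into top-level arguments, respecting string
    # literals (with escapes) and nested parentheses; returns None if the call is unbalanced.
    args, cur, depth, in_str, i = [], "", 0, False, pos + 1
    while i < len(text):
        ch = text[i]
        if in_str:
            cur += ch
            if ch == "\\" and i + 1 < len(text):
                cur += text[i + 1]; i += 1
            in_str = ch != '"'
        elif ch == "," and depth == 0:
            args.append(cur.strip()); cur = ""
        elif ch == ")" and depth == 0:
            args.append(cur.strip()); return args
        else:
            in_str = ch == '"'
            depth += (ch == "(") - (ch == ")")
            cur += ch
        i += 1
    return None

# Handlers refine the raw database hit, mirroring the two cases in the announcement.
def strcpy_handler(args, sev):  # source is a string constant: fixed length, lowest severity
    return 0 if len(args) >= 2 and is_const(args[1]) else sev

def sprintf_handler(args, sev):  # no %s in the format: output length is bounded by the format
    return 1 if len(args) >= 2 and is_const(args[1]) and "%s" not in args[1] else sev
HANDLERS = {"strcpy": strcpy_handler, "sprintf": sprintf_handler}
def scan(source, min_severity=1):
    # Return (line, function, severity, alternative) for each flagged call at or above
    # min_severity; severity-0 sites are hidden, like ITS4's standard mode.
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in VULN_DB and (args := parse_args(line, m.end() - 1)) is not None:
                sev, alt = VULN_DB[name]
                sev = HANDLERS.get(name, lambda a, s: s)(args, sev)
                if sev >= min_severity:
                    findings.append((lineno, name, sev, alt))
    return findings
```

Running scan(SAMPLE_C) hides the strcpy of "\n", reports the sprintf at reduced severity, and reports the strcpy from argv[1] and the gets call at full severity.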