Mathew Payne, GitHub: Protecting code while nurturing user experience

Developer caught up with Mathew Payne, Principal Field Security Specialist at GitHub, to discuss the platform’s security strategies and how they aim to strike a balance between robustness and a seamless user experience.

At the heart of GitHub's security philosophy lies a commitment to safeguarding user code. Payne emphasised that a major focus is on securing the code created by both users and developers.

“The first thing that we focus on at GitHub is the security...

Malicious PyPI package discovered in ongoing ‘PaperPin’ campaign

In a recent analysis conducted by Sonatype, a malicious Python Package Index (PyPI) package named 'VMConnect' was discovered masquerading as the legitimate VMware vSphere connector module 'vConnector'.

The counterfeit package was found to contain sinister code designed to compromise users' systems. Further investigation revealed an ongoing campaign involving additional packages like "ethter" and "quantiumbase," all sharing the same structure and payload.

The 'VMConnect'...

Apple will require developers to explain their API use

In an effort to bolster user privacy and crack down on fingerprinting, Apple has announced that developers will soon be required to provide detailed explanations for their app's use of certain APIs before submitting them to the App Store.

The APIs in question are now classified as "required reason APIs," meaning developers must articulate the purpose of these APIs in their apps when submitting them for review. Currently, there are around 30 APIs to which the new rule...

Checkmarx uncovers supply chain attacks targeting banking

Checkmarx has uncovered a new and sophisticated cyber threat targeting the banking sector.

The security testing firm's research team detected two distinct open-source software supply chain attacks targeting financial institutions. These attacks, which involved advanced techniques and deceptive tactics, have raised alarm bells among cybersecurity experts.

Attack one: NPM

The first attack occurred on April 5th and 7th when a threat actor exploited the NPM platform,...

Play Store loses over 260K apps following Google’s quality push

Android’s app ecosystem has experienced a significant decline in the number of available apps in recent years, according to data from Statista and AppBrain.

Three years ago, Android users had 295 million apps to choose from. However, by the end of 2021, that number had dropped drastically to 2.7 million, and the decline continued.

In January 2022, there were 2.64 million apps available—representing a staggering drop of 260,000 apps in just two years. Although the...

GitHub introduces passwordless authentication

GitHub is introducing passwordless authentication to enhance account security and provide a more seamless user experience.

Passkeys are touted as offering a secure and easy-to-use method of protecting user accounts, with the aim of eliminating password-based breaches altogether. Unlike conventional security measures, passkeys offer improved security by combining two-factor authentication (2FA) with enhanced user verification.

Passkeys require something the user is or...

Sonatype uncovers further malicious PyPI and npm packages

Sonatype continues to uncover a significant number of malicious packages within the PyPI and npm software registries.

Among the flagged packages were several Python packages published on PyPI, masquerading as legitimate libraries named after the popular npm "colors" library.

The malicious packages, including names such as "broke-rcl," "brokescolors," and "trexcolors," exclusively targeted the Windows operating system. Once installed, these packages would initiate the...

PyPI suspends new projects and users due to malicious activity

The PyPI (Python Package Index) team has temporarily suspended new projects and users on their platform due to malicious activity.

This surge in malicious activity aligns with a larger trend observed across several open-source registries in recent months. Notably, incidents such as the flood of malicious packages on the NPM JavaScript package manager and a similar attack on the Nuget package manager last year, involving over 140,000 malicious packages, have highlighted the...

Apple blocked over $2B of fraudulent App Store transactions in 2022

Apple continues to prioritise user safety and security within its App Store ecosystem, reporting that it successfully prevented over $2 billion in potentially fraudulent transactions in 2022.

The company says that it has been intensifying its efforts to reject suspicious apps and ensure that only reliable and trustworthy apps are available to users.

With millions of weekly visitors and over 36 million registered developers, the App Store has become a thriving platform....

ChatGPT-generated code is often insecure

OpenAI's large language model, ChatGPT, is capable of generating code but produces insecure code without alerting users to its inadequacies, according to research by computer scientists from the Université du Québec in Canada.

The researchers asked ChatGPT to generate 21 programs in five programming languages to illustrate specific security vulnerabilities such as memory corruption, denial of service, and improperly implemented cryptography.

ChatGPT produced only five...