Open Source

Everyone loves open source, and for good reason. We want to help you use open source and stay secure. Read more to learn how this is achievable!

10 npm Security Best Practices

Concerned about npm vulnerabilities? It is important to take npm security best practices into account for both frontend and backend developers. Open source security auditing is a crucial part of shifting security to the left, and npm package security should be a top concern, as we see that even the official npm command line tool […]

February 19, 2019

NumPy Arbitrary Code Execution Vulnerability

A recently discovered vulnerability in NumPy, the widely used open source package for scientific computing in Python, allows for the execution of arbitrary, potentially malicious code. NumPy is part of the SciPy ecosystem, which is a collection of open source software packages for mathematics, science, and engineering. NumPy is used in both industry and […]

February 4, 2019

A post-mortem of the malicious event-stream backdoor

Last week the imaginable happened. A malicious package, flatmap-stream, was published to npm and was later added as a dependency to the widely used event-stream package by user right9ctrl. Some time, and 8 million downloads later, applications all over the web were unwittingly running malicious code in production. We wrote some early thoughts on our […]

December 6, 2018

Serverless Security: What’s left to protect?

I just had the pleasure of giving a talk about Serverless Security at the inaugural Serverless Computing conference in London, run by Situation Publishing (owner of The Register). The audience was very attentive and I got some great questions after my session. All in all the conference was great and staff behind the event was […]

November 12, 2018

The State of Open Source Security Survey

We’re excited to launch the second edition of our State of Open Source Security Survey! The goal of this survey is to provide a global view of our industry’s security health. Once we get all of your wonderful responses we’re going to turn them into a beautiful report that you can read, print out, give to […]

November 6, 2018

JVM Ecosystem Report 2018

Welcome to the largest survey ever of Java developers. The data presented in the following report was taken from more than 10,200 questionnaires, covering JDK vendors, versions, IDEs, build tools, CI servers, Java EE versions, web frameworks, JVM languages, binary repositories, source code repositories, source code management and much more!

October 17, 2018

JVM Ecosystem report 2018 – About your Tools

October 17, 2018

JVM Ecosystem report 2018 – About your Platform and Application

October 17, 2018

JVM Ecosystem report 2018 – About your processes and you

October 17, 2018

Over 10% of Python Packages on PyPI are Distributed Without Any License

Imagine that you installed a random Python package from PyPI. There’s a good 13.5% chance that the package has no licensing information. Considering it’s not uncommon to have hundreds of dependencies and sub-dependencies in a typical Python application, there’s a very good chance of using unlicensed code. Depending on the context, the consequences of using unlicensed software could be anywhere from insignificant to disastrous. Ok, that’s a wild range, so this post will dig deeper into this issue.

September 18, 2018

10 GitHub Security Best Practices

Your source code should be one of your prize possessions. You must protect it with security processes and practices to ensure you don't put your code or users at risk. This cheat sheet covers 10 best practices you should consider implementing in your GitHub repository or organisation to enforce security on your projects.

May 30, 2018