Cybersecurity Reflection: 2025 Showed the Cost of Ignoring Open Source Vulnerabilities

April 14, 2026April 14, 2026 viviandufourLeave a comment

3–4 minutes

Illustration depicting the concept of the 'Cost of Ignoring Open Source,' featuring industrial structures above ground and a network of roots or circuits below the surface.

We’re already into the second half of 2026, and it’s worth pausing for a second. Not to recap headlines, but to understand what actually changed in terms of security.

Spoiler alert…. A lot.

Because 2025 wasn’t just another year of breaches. The scale was larger, and the impact was more visible.

The attack on Jaguar Land Rover brought that into focus. Production stopped for months. The losses were estimated at £1.9 billion. The disruption moved straight into operations and revenue.

In the education sector, Kido International faced a ransomware incident that exposed personal data linked to thousands of children and staff. The impact here sat around safeguarding and trust.

Retail saw a similar strain. The ShinyHunters group claimed breaches across multiple brands, including Marks & Spencer. Some platforms lost the ability to trade online during the disruption.

Alongside these cases, a large pool of over 16 billion credentials circulated across criminal forums. Those datasets fed ongoing account takeover attempts throughout the year.

None of this felt isolated. The same weaknesses appeared again and again.

Constant Pressure on Infrastructure

Attacks moved closer to systems that support daily life.

The incident in Poland’s energy sector showed how attackers can move across IT and operational environments. That overlap creates a different kind of exposure.

In the UK, water utilities faced continued pressure from ransomware incidents. These systems often rely on older industrial controls with limited visibility.

At the consumer level, compromised IoT devices formed large botnets. Devices that sit in homes became part of wider attack infrastructure without the user being aware.

The surface area kept expanding.

The Supply Chain Problem is Getting Bigger

Across these incidents, the supply chain kept appearing in the background.

Attackers focused on software providers, cloud platforms, and third-party tools. Access at that level opens the door to many organisations at once.

This approach scales efficiently. One weakness can affect a large number of systems downstream.

For most organisations, this sits outside direct control. That makes it harder to track and harder to manage.

What’s Changing in 2026? A lot

The direction for the coming year is already visible.

Attack workflows are becoming faster. Automation plays a larger role. AI is being used to scan systems, prepare phishing content, and identify weak points.

The targets remain consistent. Local government systems, supply chains, and infrastructure continue to attract attention.

These environments often operate with limited resources and older technology. That combination creates exposure that is difficult to close quickly.

The Open Source Reality

Most systems depend on open source components.

That dependency runs deep. Many components sit several layers down, out of sight during routine checks.

Over time, vulnerabilities build up in those layers. Without active monitoring, they remain unnoticed.

Periodic reviews miss changes that happen between audits. New vulnerabilities appear regularly, and attackers move quickly once they are public.

Continuous monitoring becomes part of day-to-day security, rather than an occasional task.

Read our full list of open source security predictions for 2026 – Is your security team considering all of these threats?

What Needs to Change

The events of 2025 point to a clear shift in approach.

Security needs to keep pace with how quickly vulnerabilities appear and spread. That requires visibility into dependencies and a way to respond without delay.

The focus moves toward shorter response times and better awareness of what sits inside each system.

Small gaps tend to expand quickly when left unattended.

Closing Thought

The past year showed how cyber incidents now reach into operations, services, and public systems.

The same patterns are already carrying into 2026.

The difference will come from how quickly organisations detect and respond to what is already present in their environment.

What can you do? Start with visibility. Continuous monitoring of your open source components is non-negotiable.

3 Lessons From APIdays London: Why OSS Visibility Matters

November 20, 2025 viviandufourdemo, devsecops, videoLeave a comment

Open source powers most modern software and expands your attack surface. At APIdays London, Meterian CTO Bruno Bossola showed how a crafted JSON request can trigger remote code execution when a vulnerable dependency slips into a service.

The key takeaway was that without visibility and fast remediation, vulnerabilities ride your software supply chain into production.

1) Exploits start upstream, not in production

Meterian’s live demo used a known jackson-databind flaw to execute code via a JSON payload. Incidents like the Apache Struts 2 breaches proved the same point years ago: attackers go where libraries are ubiquitous and exposure is public-facing.

Teams still discover many issues late, inside CI/CD or after release. By then, the vulnerable package is woven into multiple services and rollbacks get expensive.

What to change

Shift security into the IDE so developers see and fix dependency risk as they code.
Add pre-push and CI checks to block known-bad versions before they land on main.

2) You can’t patch what you can’t see

Most applications are a small slice of proprietary code on top of a large stack of third-party packages. New CVEs appear daily across NVD, OSV, and GitHub Advisories. If you don’t know exactly which versions you run—including transitives—you can’t assess blast radius or prioritise patches.

What good visibility looks like

Keep an up-to-date SBOM for every build (e.g., CycloneDX) and ingest vendor SBOMs.
Continuously monitor your dependency graph against live feeds and internal policy.
Prioritise RCEs and internet-exposed paths first, then reduce debt in lower-risk services.

3) Make remediation fast and routine

In the demo, upgrading a vulnerable component inside the IDE removed the exploit path in seconds. That’s the experience to aim for: actionable guidance at the moment of discovery, with one-click upgrades where possible. Speed reduces MTTR, avoids regressions, and prevents risk from spreading across repos.

Operationalise speed

Standardise one-click upgrades and automated PRs for safe versions.
Set patch SLAs by severity and exposure (e.g., 24–72 hours for critical RCEs).
Track MTTR, exception waivers, and policy drift to guide platform investments.

A simple workflow that works

IDE (shift left): real-time vulnerability assessment of manifests and transitive dependencies, with suggested fixes developers can apply immediately.
Pre-push: Git proxy hooks to enforce policy and block known-bad versions.
CI/CD: SCA checks per build, SBOM generation/signing, and fail-the-build on criticals.
Post-build: continuous monitoring of deployed SBOMs against new advisories; targeted rollouts for high-risk upgrades.
Governance: clear patch SLAs, exception process, and regular supply-chain reporting to leadership.

Bottom line

Exploit paths are simple; dependency graphs are not. Treat open source security as a first-class discipline.
Visibility is non-negotiable. If you can’t list it, you can’t fix it.
Shift left so the fastest path becomes the secure path—inside the IDE, at pre-push, and in CI.

Meterian’s APIdays demo made it clear: build visibility, shorten the distance from detection to fix, and your software supply chain becomes measurably safer.

Jaguar Land Rover Cyberattack: A Wake-Up Call for Supply Chain Resilience

September 10, 2025September 10, 2025 viviandufourCyberResilience, cybersecurity, opensource, supply chain, vulnerabilityLeave a comment

3–4 minutes

The automotive giant’s recent cyber breach shows why continuous vulnerability assessment and open-source security are no longer optional.

Earlier this month, Jaguar Land Rover (JLR), the UK’s largest carmaker, was forced to shut down global IT systems after a cyberattack disrupted production across its factories. Plants in Solihull, Halewood, Wolverhampton, and Slovakia were halted. Operations in China, India, and Brazil also felt the ripple effect.

Thousands of employees and suppliers were sent home. Dealers and garages had to switch to manual operations during one of the busiest sales periods of the year: the September license plate registration window.

While no customer data breach has been confirmed, the attack reflects how deeply cybersecurity failures in the supply chain can damage both business operations and national economies. JLR contributes nearly 4% of the UK’s exports.

How the Jaguar Land Rover Attack Happened

The hacking coalition calling itself “Scattered Lapsus$ Hunters” claimed responsibility, posting internal screenshots as proof. Analysts link the group to earlier social engineering campaigns carried out by collectives like Scattered Spider, Lapsus$, and ShinyHunters.

This was not a sophisticated zero-day exploit. It was an attack on trust and resilience. By exploiting weaknesses in IT systems and operational processes, attackers triggered a shutdown that cascaded across JLR’s entire global network.

For an industry where every production hour counts, this was a direct hit to the supply chain.

Why Supply Chain Vulnerabilities Are a Critical Business Risk

The JLR case illustrates the stark reality:

Operational Technology (OT) systems are connected to IT systems. A breach in one disrupts the other.
Third-party risk is first-party risk. If suppliers or partners are compromised, your own resilience is at stake.
Downtime is as damaging as data loss. Even without stolen records, JLR faces millions in lost productivity and missed sales.
Open-source software is everywhere. Modern automotive systems depend on open-source libraries and components. Without continuous monitoring, hidden risks can remain undetected until it’s too late.

Where Vulnerability Assessment Makes the Difference

This incident is a powerful reminder of the need for continuous vulnerability assessment and software supply chain security. Key protective measures include:

Automated vulnerability scanning across all code, dependencies, and applications
SBOM (Software Bill of Materials) to ensure visibility into every open-source component used in critical systems
Continuous monitoring for newly disclosed CVEs that could disrupt supply chains
DevSecOps integration to ensure remediation is part of the development and deployment pipeline
Incident readiness through real-time alerts and automated remediation guidance

How Meterian Helps Build Resilience

Meterian’s platform is built to detect, monitor, and remediate open-source vulnerabilities before they cause widespread damage.

BOSS (Business Open Source Sentinel): Provides real-time alerts for newly disclosed vulnerabilities across your software supply chain.
Sentinel: Automates vulnerability assessment and integrates into your CI/CD workflows to block unsafe code before it reaches production.
SBOM generation and ingestion: Gives you complete visibility into the components your business depends on, simplifying compliance and response.
AI-powered continuous monitoring: Ensures you are always ahead of emerging threats—whether in PHP, Java, .NET, or any other stack critical to your business.

Had such systems been in place across JLR and its suppliers, the blast radius of this attack could have been contained, with faster detection and remediation.

Why Open-Source Security Matters

The JLR breach demonstrates a truth we see across industries: open-source security is business security.

When 80–90% of modern applications depend on open-source components, every unpatched library becomes a potential entry point. The cost of ignoring these risks isn’t theoretical. It’s operational paralysis, financial loss, and reputational damage.

Don’t Wait for the Next Breach

The JLR cyber attack is not an isolated incident. It is part of a wider trend of supply chain attacks targeting global industries. The question is not whether open-source vulnerabilities exist in your systems—they do.

The question is: are you continuously monitoring and remediating them?

Now is the time to take control of your software supply chain.

👉 Learn how to strengthen resilience in our upcoming webinar:
“What’s Open Source Security Got to Do with Resilience of the Supply Chain?”
📅 September 18, 2025 • 14:00 BST • 15:00 CET • 09:00 ET • 18:30 IST

Register here

SQL Injection is Back: A Critical ADOdb Vulnerability You Need to Patch Now

August 5, 2025August 29, 2025 viviandufourLeave a comment

Following our recent alert about the PHP AVideo exploit (CVE-2025-48732), another high-risk vulnerability has emerged: ADOdb SQL Injection – CVE-2025-54419. This newly discovered open-source vulnerability in the ADOdb database abstraction library affects a wide array of PHP applications. And yes—it puts your customer database at serious risk.

Therefore, businesses must patch now, or risk customer data loss and brand damage.

Why This Vulnerability Matters

SQL Injection remains one of the most exploited classes of software flaws in today’s threat landscape. The ADOdb vulnerability (pre-5.22.9 versions) allows attackers to manipulate query inputs in PHP applications using SQLite3, enabling them to execute arbitrary SQL commands and:

Access sensitive customer data
Delete or modify database records
Compromise connected systems

This flaw exposes an all-too-common weakness in open-source software components. When dependency management fails, it’s your customer data and digital brand trust on the line.

What is ADOdb and Who Uses It?

ADOdb is a widely used open-source database abstraction library that enables PHP developers to write flexible applications that work across:

MySQL
PostgreSQL
Oracle
Microsoft SQL Server
SQLite
DB2
Sybase
Firebird
Access ODBC
Informix
And more…

It acts as the middleware connecting your PHP app to its data. In modern e-commerce, SaaS, and media delivery platforms, ADOdb often underpins customer records, inventory systems, and transaction logs.

Understanding the Vulnerability (Technical Breakdown)

This SQL injection vulnerability exploits three ADOdb methods:

metaColumns()
metaForeignKeys()
metaIndexes()

If these methods receive a malicious table name, SQLite3 fails to properly escape the input—leading to arbitrary SQL execution.

❗ A single malformed input can compromise your entire database.

This isn’t hypothetical. It’s a known weakness. And it’s now indexed across vulnerability databases. Attackers are already probing for this entry point.

Real-World Impact

Think of it this way: a customer attempts to view their order history. But due to a code-level vulnerability, the attacker uses that same request to exfiltrate entire user tables or drop your product catalog. This can result in:

Permanent data loss
Corrupted analytics and reports
System downtime
Compliance fines (e.g. GDPR, PCI-DSS)
Severe brand reputation damage

A recent IBM report noted that data breaches tied to open-source component vulnerabilities cost businesses an average of $4.45 million per incident in 2024.

What You Should Do Now

Here’s your quick vulnerability assessment checklist for ADOdb:

✔️ Does your application use ADOdb prior to version 5.22.9?
✔️ Are you using the metaColumns(), metaForeignKeys(), or metaIndexes() methods?
✔️ Are your PHP apps connecting to a SQLite3 database?
✔️ Have you scanned third-party dependencies for known CVEs?

If you answered “yes” or “not sure” to any of these, your platform is at risk.

Mitigate risk now with a software composition analysis (SCA) tool that identifies vulnerable open-source components and provides auto-remediation.

Meterian’s Take

At Meterian, our daily scans using BOSS and Sentinel detected and flagged this vulnerability as of August 5, 2025. Teams relying on Meterian’s continuous monitoring and automated vulnerability assessment tools received instant alerts and recommendations to patch or isolate affected components.

Learn How to Protect Your Software Supply Chain

Want to explore how continuous vulnerability assessment can protect your platform?

Join our webinar on September 18, 2025:
🛡️ What’s Open Source Security Got to Do with Resilience of the Supply Chain?

📍 Learn practical steps to secure your software supply chain
📍 Get insights from industry experts on real-world open-source risks
📍 Explore tools for automated remediation and SBOM management

👉 Register Now

Final Thoughts

SQL injection may seem like an old-school threat, but vulnerabilities like this one in ADOdb show that even trusted, mature packages are not immune.

Don’t assume your code is safe just because it compiles.🔍 Start your vulnerability assessment today. Use tools that continuously scan and remediate open-source security risks—before attackers breach your systems.

Does Your Video Platform Have This Vulnerability? A Case for Proactive Vulnerability Assessment

August 1, 2025August 29, 2025 viviandufour1 Comment

In today’s digital-first economy, your brand story lives and breathes through video—from e-commerce product reels to customer testimonials and user-generated content. But what happens when the infrastructure behind that video platform becomes your weakest link?

A newly disclosed vulnerability in a popular open-source PHP platform is a clear reminder: routine vulnerability assessment is not optional. It’s the foundation for protecting both your customers and your brand’s digital identity.

PHP: The Web’s Silent Workhorse and a Key Target

According to BuiltWith, PHP powers over 74% of the internet’s websites, including leading e-commerce platforms like Magento, WooCommerce, and Prestashop. These platforms handle millions in transactions and user data. Their popularity makes them prime targets for open-source security threats, particularly when dependencies and third-party components are not continuously monitored.

A 2024 report from IBM shows the average cost of a data breach now exceeds $4.35 million. But the real damage goes beyond financial loss—customer trust and brand reputation take the biggest hit.

The Exploit: CVE-2025-48732 in AVideo

The latest threat in this category comes from the wwbn/AVideo platform, which serves thousands of streaming and video hosting applications built in PHP.

CVE-2025-48732 is a critical-severity vulnerability (CVSS pending) caused by an incomplete blacklist validation for .phar files.
The flaw allows attackers to bypass upload restrictions and execute arbitrary code on the server.
The root cause? Improper handling of PHP archive files, which aren’t adequately blocked or validated.

This is a classic example of supply chain exposure through unpatched third-party libraries. Without proactive open-source vulnerability scanning, affected organisations remain blind to threats lurking in their dependencies.

We regularly analyse open source projects to identify security risks. The image below shows a short summary of the open source software library WWBN/AVideo, which has been found to have critical vulnerabilities.

Why Continuous Vulnerability Assessment Matters

This isn’t just about one vulnerability. It’s a wake-up call for all businesses using open-source frameworks to:

✅ Implement automated vulnerability assessment tools that scan your software supply chain in real-time
✅ Track emerging CVEs across your entire application stack
✅ Flag unsafe libraries and automatically suggest fixes
✅ Maintain a software bill of materials (SBOM) to understand your exposure footprint
✅ Integrate patching into your CI/CD pipeline for faster remediation

If your video platform or customer-facing application relies on AVideo, or any PHP component, you need a continuous security strategy to detect and resolve vulnerabilities before attackers strike.

Secure Your Platform Before It’s Compromised

At Meterian, we help teams detect and remediate vulnerabilities across their software supply chain through real-time open-source monitoring, automated remediation, and SBOM-driven visibility.

Want to know if your app is exposed to CVE-2025-48732?

Get a full breakdown of the AVideo vulnerability, exploit risks, and how to patch it now.
👉 Download our Security Report

Don’t wait to become the next headline. Stay ahead with intelligent, AI-powered vulnerability assessment.

The Java Clone Hack That Happened in 20 Minutes — Could It Happen to You?

July 4, 2025July 4, 2025 viviandufourjava, opensource, risk, security, vulnerabilityLeave a comment

2–3 minutes

A smartphone displaying icons for a 'Clone App' with error messages and a shield symbol, highlighting cybersecurity themes.

In May 2025, a clone of the secure messaging app Signal — known as TM SGNL by TeleMessage — was compromised in under 20 minutes. The breach wasn’t due to zero-day exploits or state-sponsored threat actors. Instead, it was a plain, preventable Java server misconfiguration that exposed plaintext credentials, archived messages, and encryption keys.

This incident is a stark reminder for security and development teams – modern applications, especially Java-based clone apps, are riddled with hidden vulnerabilities that standard controls often miss.

This is exactly the class of threats Meterian’s continuous monitoring and AI-powered vulnerability intelligence is built to catch early and fix fast.

The TM SGNL Hack: Anatomy of a Misconfiguration

At the heart of the breach was a forgotten and publicly accessible Spring Boot Actuator endpoint. The exposed heap dump included:

Admin usernames and passwords in plaintext
Encryption keys
Archived private messages

TM SGNL had promised end-to-end encryption. Yet archived content was stored insecurely, and passwords were hashed using client-side MD5 — a deprecated and insecure method. The application also ran on an outdated JSP stack, compounding the risk.

The breach showed how vulnerable legacy Java frameworks and poor server hygiene can create systemic risk, even in apps that claim security by design.

Where Continuous Scanning Could Have Helped

This type of vulnerability isn’t exotic. It’s configuration-level, but critically dangerous. Meterian’s platform continuously scans Java applications for:

Misconfigured Actuator endpoints
Insecure or outdated hashing algorithms (like MD5)
Use of legacy Java stacks with unpatched CVEs
Exposure of credentials in memory dumps or logs

By aggregating insights from over 15 trusted vulnerability feeds, including the National Vulnerability Database and GitHub Advisories, Meterian flags risks with both high fidelity and low noise.

BOSS & Sentinel: Detect, Alert, Remediate

Meterian’s Sentinel engine would have flagged the publicly exposed /heapdump endpoint immediately as a misconfiguration with known exploit patterns. Combined with BOSS, our automated alerting system, security engineers would receive:

A prioritized, actionable report
A breakdown of the exposed endpoint’s risk level
Suggested auto-remediation steps (e.g., disable public access, require auth tokens)

These insights are delivered directly into existing CI/CD pipelines or DevSecOps dashboards, accelerating mitigation.

Why Java Clone Apps Are Especially Vulnerable

Clone apps often inherit:

Outdated codebases
Legacy dependencies
Minimal refactoring

In many cases, these applications rebrand functionality but retain insecure implementations. TM SGNL reused insecure design patterns while branding itself as a secure communications tool. This mismatch is where attackers thrive.

Meterian’s dependency graph analysis would have:

Mapped all third-party Java libraries in use
Flagged outdated dependencies
Identified insecure hashing libraries

What This Means for Security Leaders

Security isn’t just about patching CVEs. It’s about maintaining visibility and control across all components — including infrastructure, third-party libraries, and code hygiene.

Meterian helps CISOs, developers, and risk managers:

Maintain an up-to-date SBOM (using CycloneDX)
Integrate continuous monitoring into CI/CD
Detect vulnerabilities before they become breaches
Proactively secure clone apps before release

Prevention Is Achievable

The TM SGNL breach should not have happened. With continuous scanning, real-time intelligence, and automation-first remediation, it could have been prevented.

Meterian empowers software teams to spot and fix vulnerabilities like these — not weeks after deployment, but during development.

In 2025, security isn’t just a feature. It’s a process. And with Meterian, that process is invisible, continuous, and resilient by design.

Open Source, Hidden Risk

June 13, 2025 viviandufourcybersecurity, opensource, risk, vulnerabilityLeave a comment

Part 1: What Business Leaders Must Learn from Recent Cyber Vulnerabilities

Author: Rod Cobain • 4 min read

Three business professionals reading a newspaper titled 'SOURCE: Hidden Risks Susceptible to Cyber Atokspern Attacks' in a modern office setting, discussing hidden risks susceptible to cyber attacks. — AI-generated image of business professionals

Open source software powers your business, it’s a fact whether you know it or not. From core infrastructure to everyday applications, open source code is embedded deep within the tools we trust. It’s a quiet enabler of innovation, agility, and scale.

But recent high-profile vulnerabilities, from Log4Shell to the XZ Utils backdoor, have exposed a hard truth; what’s free and open can also be fragile and risky. For business leaders, these incidents aren’t just technical hiccups. They’re a boardroom-level ticking time bomb. It’s time we stop treating open source security as an engineering detail and start addressing it as a strategic priority.

Many assume that popular open source projects are secure because they’re widely used. But visibility isn’t the same as scrutiny. The Log4Shell vulnerability sat undetected in a core Java logging library for nearly a decade until Dec 2021. When discovered, it impacted millions of computers, everything from cloud platforms to consumer apps. As a business leader, if your business relies on open source (and it does), you must invest in ongoing due diligence, not blind trust. Recent supply chain issues should prompt critical questions such as, “What’s in my software supply chain?” and “How’s it monitored?”.

Your Risk is Reflected by Your Dependencies

A single compromised component can ripple across countless systems. Looking at the event-streamincident, a small JavaScript library was hijacked and weaponised to steal cryptocurrency. As a business leader, demanding visibility into your organisation’s dependency map is a must, ignorance is no excuse, and cyber insurance providers are not covering such risks. Are you relying on unknown or unmaintained components in your software development production? If the answer is “yes or not sure”, you need to have your code assets scanned, and either automatically remediated or managed with a mitigation plan. As a result of the widespread consequences these open source vulnerabilities can have, since the Log4Shell incident, insurance providers require customers to prove they’ve patched or risk losing their insurance cover benefits.

Underfunded Projects Power Billion-Pound Businesses

The most alarming aspect of many open source vulnerabilities isn’t the flaw itself, but the lack of maintenance. The XZ backdoor came about partly because the project had only one active maintainer, such is the nature of open source community driven software. Therefore consumers and enterprises using the open source library inherit the responsibility for the quality and security of the instance used in its own coding projects. Adopting a pro-active 24/7 solution that incorporates continuous monitoring, automated remediation, and AI-powered vulnerability detection, is essential for identifying and addressing issues swiftly.

Leadership takeaway: Small investment vs Large payout or loss of credibility is clear.

Speed of Response Is a Competitive Advantage

Putting in place a pro-active approach when vulnerabilities emerge–detect, prioritise, and patch quickly– can prevent disruption and protect your reputation. Marks & Spencer, Co-op and others are still striving to regain normality in the weeks to come. These unfortunate incidents of “world class companies” highlight how security response has become a key measure of business agility. Are your teams empowered with the tools and authority to act swiftly when open source risks emerge?

The Future of Open Source Security

Open source is here to stay. Its growth is undeniable and remains a cornerstone of technological innovation for good. But security can’t just be an engineering checkbox. It must be part of your organisation’s culture, led from the top. Encourage a mindset of proactive security and open collaboration. The best organisations view open source software not just as free software, but as shared infrastructure worth protecting.

Conclusion

Cyber vulnerabilities in open source is not a reason to fear the model. Instead, they’re a call to engage more responsibly with it. As leaders, we must stop viewing open source security as someone else’s problem. The reality is: if your business runs on open source, its security must be your priority. Your role may not be a technical one, but asking the right questions and knowing your options from the beginning will help you take a preventive stance to ensure you don’t end up as tomorrow’s headline.

Bold colours infographic showing risk and thought leadership in cyber attacks and open source vulnerabilities

Defend Against Disruption: Safeguard Vulnerability Management Amid MITRE Funding Risks

April 16, 2025April 17, 2025 viviandufourcybersecurity, opensource, risk, vulnerabilityLeave a comment

Today’s Reality Check: Vulnerability Management is Non-Negotiable

With the MITRE CVE system being the backbone of global vulnerability identification, it’s alarming to see discussions about funding cuts that could jeopardize this critical resource. If the industry loses its shared language for describing digital flaws, we’re all in trouble. This could stifle innovation in vulnerability management and mitigation, leaving organizations scrambling for reliable data in the U.S. and globally.

The industry needs to rally. We must collaborate on alternative funding models, invest in open-source initiatives, and forge partnerships that keep vital resources like CVE alive and thriving. Let’s ensure that our defenses remain robust, even in the face of disruption.

Meterian: The Power Database and Invisible Security Platform You Need

While others may falter, Meterian is charging ahead. Our vulnerability database is not just comprehensive; it’s a powerhouse, tracking over 400,000+ vulnerabilities and receiving daily automatic updates from a multitude of sources. We pull data from the National Vulnerability Database, GitHub Security Advisories, and 15 other unique feeds. But we don’t stop there. Our AI-generated insights, combined with meticulous manual curation, deliver a done-for-you service that your security and engineering teams can depend on.

In short, we provide your enterprise with a pair of automated eagle eyes, ensuring you have full visibility into potential software weaknesses in your third-party software supply chain.

Quality and Volume

Our commitment to excellence means you get the best tools to manage vulnerabilities effectively, for your team’s tech stack and workflow. We have a multitude of integrations and our OpenAPI architecture means we can collaborate to create more value together.

Join the Revolution

It’s time to elevate your cybersecurity strategy with the best solution for your team. Ready to take your cybersecurity to the next level? Check out our product page infographic to see how our database stacks up against the competition.

EU Cyber Resilience Act: Key Updates on SBOM Compliance

November 20, 2024November 20, 2024 bbossolacompliance, CRA, cyber-security, cybersecurity, devops, meterian, opensource, regulation, risk, security, technologyLeave a comment

Since our previous discussion on the EU Cyber Resilience Act (CRA) and Software Bill of Materials (SBOMs), significant updates have clarified and expanded the framework for compliance. The European Parliament approved the CRA on March 12th, marking its importance in enhancing product security across the EU. This follow-up explain these developments, focusing on new guidelines and the evolving expectations for SBOM compliance.

New clarity on SBOMs from Germany: TR-03183

To provide more detailed guidance, Germany’s Federal Office of Information Security (BSI) released the Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Part 2: Software Bill of Materials (SBOM)), version 2.0. This 20-page document sets the groundwork for SBOM requirements under the CRA. Key highlights include:

Mandatory SBOM Compilation: An SBOM is essential for meeting CRA compliance.
Minimum Information Requirements: The SBOM must include the component name, version, dependencies, license (preferably using SPDX or ScanCode identifiers), and a SHA-256 hash.
Version-Specific SBOMs: A separate SBOM must be generated for each software version, with updates made only for error corrections or new information.
Preferred Formats: SBOMs must adhere to CycloneDX (v1.4 or higher) or SPDX (v2.3 or higher).
Process Integration: The SBOM must be generated as part of the build process or an equivalent mechanism.

Other recommendations, such as using CSAF with a VEX profile for distributing vulnerability information, aim to enhance transparency without directly embedding vulnerabilities in the SBOM.

Challenges in SBOM Implementation

While TR-03183 provides critical guidance, several unresolved issues highlight the complexities of SBOM creation and usage:

Identification Gaps: The absence of mandatory CPE or PURL requirements makes vulnerability reporting from SBOMs prone to errors.
Undefined “Scope of Delivery”: The guidelines use this term to define the depth of transitive component enumeration but lack clarity on acceptable thresholds.
SHA-256 Ambiguity: The methodology for computing a SHA-256 hash of source code remains unspecified.
Relationship Details: While all transitive components must be recursively included, relationships among them are not explicitly required. This omission can hinder the effectiveness of SBOMs in vulnerability management.

Preparing for CRA Compliance

The CRA’s adoption signals a critical need for manufacturers and software developers to refine their compliance strategies. With enforcement set for early 2027, organisations should prioritise:

Automating SBOM Generation: Tools like Meterian can streamline SBOM creation, ensuring accurate dependency mapping and compliance with CRA’s format requirements.
Enhancing Vulnerability Management: Despite the lack of mandatory CPE or PURL, integrating these identifiers into internal processes can improve accuracy.
Staying Updated: Monitoring updates to technical guidelines like TR-03183 will be vital as CRA implementation progresses.

Looking ahead

The CRA represents a significant step forward in securing the digital ecosystem. By leveraging clear guidelines and robust tools, organisations can align with compliance requirements while strengthening their cybersecurity posture. The publication of TR-03183 marks progress but also underscores the need for continued refinement as industry feedback shapes the future of SBOM practices.

Navigating the complexities of SBOM creation and CRA compliance doesn’t have to be overwhelming. Meterian provides automated solutions designed to simplify the generation and management of SBOMs, ensuring:

Effortless Compliance: Meterian supports both CycloneDX format, helping you meet the CRA’s technical requirements with ease.
Comprehensive Dependency Mapping: Automatically scans your codebase to identify all components and transitive dependencies, ensuring nothing is missed.
Ongoing Vulnerability Monitoring: Integrates seamlessly with vulnerability databases to keep your SBOMs updated and your products secure.
Time-Saving Automation: Embeds SBOM generation into your build processes, reducing manual effort and increasing efficiency.

With Meterian, you can confidently meet CRA requirements while enhancing your overall security posture. Contact us to learn how we can support your journey toward compliance and beyond.

WHY IS SOFTWARE COMPOSITION ANALYSIS (SCA) IMPORTANT?

September 20, 2024September 20, 2024 bbossolacyber-security, cybersecurity, opensource, risk, security, software, technology, vulnerabilityLeave a comment

Attacks through open source are growing year on year, so companies cannot rely only on periodic pen testing. The code needs to be scanned on a daily basis during the lifecycle of the application’s development stages, and continue to do so once an application is deployed.

Modern software development in fact heavily relies on open-source components: they accelerate development, reduce costs, and provide access to well-tested, community-maintained code. Understanding the composition of their software products is crucial for companies producing applications, as it helps manage and secure the significant portion of their codebase that originates from open-source projects.

Checking open-source components in software development is crucial for at least three reasons: let’s have a closer look and clarify the problems.

Security Risks

The code of open-source components is always publicly available and it is a natural target for hackers. Each day, more than 50 new vulnerabilities are discovered in open-source components and, if not identified and managed, they can be exploited, leading to security breaches.

Countless examples are available:

the Canadian Revenue Agency hack (2014): OpenSSL Heartbleed (CVE-2014-0160)
the Equifax data breach (2017): Apache Struts vulnerability (CVE-2017-5638)
the iCloud and Minecraft hack (2021): Log4j vulnerability (CVE-2021-44228)

All these hacks were performed using a vulnerability in an open-source component: nothing was wrong with the code written by the respective developers.

How common are vulnerabilities? See, in this sample, the growth of vulnerabilities in the .NET open-source ecosystem:

Please note that this is a restricted view that matches exclusively only vulnerabilities affecting opensource components specific to the .NET ecosystem. Across all ecosystems, more than 100,000 vulnerabilities affecting open-source components are recorded.

The risks are real. If you want to learn more you can also read our blog here.

License compliance

Open-source components come with various licenses, each with specific requirements and restrictions. Failing to comply with these licenses can lead to legal issues, including copyright infringement claims.

Among all those, let’s not forget TruthSocial, the famous Twitter clone created by the Trump Media & Technology Group, was found to be in breach of an OSS license and had to disclose its source code publicly.

Also Tesla decided to release its code to the public to comply with a copyleft license. On another occasion. Westinghouse Digital Electronics preferred bankruptcy.

The risks are real. If you want to learn more you can also read our blog here.

Quality and reliability

While open-source software can be of high quality, this varies significantly, and some components might be abandoned or poorly maintained. Using such components can pose risks to the project’s stability and reliability.

Here introducing you Swashbuckle, a popular .NET project that has been abandoned by his creator for a more interesting adventures and now lays unmaintained and without an owner. It was last updated 6 (six) years ago.

Let’s also have a look at Lazy, another popular NodeJS component that was last updated 11 (eleven) years ago. While it’s a small library with a limited attach surface, why would you like to have this in your application? Software does not age like fine wine, unfortunately.

This is an example of two commonly used opensource components that have not been updated in years, a very long time in software development. Those components are basically not maintained anymore: if a problem is found, it won’t be fixed. If a vulnerability is there, nobody will know about it (apart from the occasional hacker, of course)

How Meterian SCA helps solve the challenge

Meterian offers a comprehensive application security platform designed to enhance the security posture, compliance adherence, and overall quality of software projects. This platform provides in-depth analysis and automation capabilities, empowering organisations to effectively manage open-source and third-party libraries throughout their software development lifecycle. Through its robust features, Meterian enables organisations to identify and mitigate vulnerabilities, ensure compliance with relevant regulations and standards, and maintain a high level of software quality.

Meterian is unique compared to its competitors because of various characteristics, let’s explore them

Supports the largest number of ecosystems
If you are using a legacy technology like Perl, focus on data science using Jupyter Notebooks, build video games with Unity, or build ultra-fast micro-services with Rust, you deserve the best protection available. Meterian supports a wide range of languages and ecosystems, and if your platform is not there, we will be happy to support it for you.

Easy to to deploy on premises or dedicated cloud
In the SaaS industry, the requirement for a dedicated single-tenant instance or an on-premises installation may be driven by specific business needs, such as tight security, data sovereignty, and geo-location considerations. Meterian can easily provide a single-tenant environment, either on-cloud or on-prem, and offers also a range of air-gapped solutions for extreme secure environments.

Comprehensive vulnerability database
Meterian’s vulnerability database not only boasts a broader coverage than any of its competitors but is also updated daily through a fully automated system that integrates numerous OSINT sources and Meterian’s specially curated databases, including AI-generated advisories directly from the analysis of open-source repositories. This automated process outpaces manual entry methods, ensuring we maintain a competitive edge through faster and more efficient updates, a key differentiation in our service offering.

Superior customer support
Speed, quality of responses, customer obsession, won deals because of this. We have a unique culture where the concept of “support” does not really exist, as all engineers are constantly working with customers. We want to be obsessed with customers, solve their problems quickly and effectively. Every customer support query is directly handled by engineers and is given priority in our backlog. This approach guarantees that our product evolves in response to real-world feedback, while also maintaining the highest level of customer satisfaction.

What next?

Don’t just take our word for it – experience the benefits for yourself. We invite you to schedule a demo to see how our solution can make a difference in your organisation’s security posture. Our team of experts is ready to guide you through the features and show you how it can address your specific security challenges. Take the first step towards a more secure future – reach out today and discover how Meterian can elevate your cybersecurity strategy.

Looking forward hearing from you.