DSHR's Blog

David. said...

I regret not citing John Leyden's "Open-source software supply chain vulns have doubled in 12 months" to illustrate the scope of the problem:

"Miscreants have even started to inject (or mainline) vulnerabilities directly into open source projects, according to Sonatype, which cited 11 recent examples of this type of malfeasance in its study.

El Reg has reported on several such incidents including a code hack on open-source utility eslint-scope back in July."

and:

"organisations are still downloading vulnerable versions of the Apache Struts framework at much the same rate as before the Equifax data breach, at around 80,000 downloads per month.

Downloads of buggy versions of another popular web application framework called Spring were also little changed since a September 2017 vulnerability, Sonatype added. The 85,000 average in September 2017 has declined only 15 per cent to 72,000 over the last 12 months."

Dec 24, 2018, 11:29:37 AM
Posted to Securing The Software Supply Chain