Some naive people may still think they’re not using open-source software. They’re wrong. Everyone does. According to the Synopsys Cybersecurity Research Center (CyRC) 2021 “Open Source Security and Risk Analysis” (OSSRA) report, 95% of all commercial programs contain open-source software. By CyRC’s count, the vast majority of that code contains outdated or insecure code. But how can you tell which libraries and other components are safe without doing a deep code dive? Google and the Open Source Security Foundation (OSSF) have a quick and easy answer: The OpenSSF Security Scorecards.

Open Source

These Scorecards are based on a set of automated pass/fail checks to provide a quick review of many open-source software projects. The Scorecards project is an automated security tool that produces a “risk score” for open-source programs. That’s important because only some organizations have systems and processes in place to check new open-source dependencies for security problems. Even at Google, though, with all its resources, this process is often tedious, manual, and error-prone. Worse still, many of these projects and developers are resource-constrained. The result? Security often ends up a low priority on the task list. This leads to critical projects not following good security best practices and becoming vulnerable to exploits.  The Scorecards project hopes to make security checks easier to make security easier to achieve with the release of Scorecards v2.  This includes new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis.For developers, Scorecards help reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Consumers can automatically access the risks to make informed decisions about accepting the program, look for an alternative solution, or work with the maintainers to make improvements. Here’s what new:  Identifying Risks: Since last fall, Scorecards’ coverage has grown; the project has added several new checks, following Google’s Know, Prevent, Fix framework. Spotting malicious contributors:  Contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Code reviews help mitigate such attacks. With the new Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Currently, this check can only be run by a repository admin due to GitHub API limitations. For a third-party repository, use the less informative Code-Review check instead. Vulnerable Code: Even with developers and peer review’s best efforts, bad code can still enter a codebase and remain undetected. That’s why it’s important to enable continuous fuzzing and static code testing to catch bugs early in the development lifecycle. The project now checks to see if a project uses fuzzing and SAST tools as part of its continuous integration/continuous deployment (CI/CD) pipeline.Build system compromise: A common CI/CD solution used by GitHub projects is GitHub Actions. A danger with these action workflows is that they may handle untrusted user input. Meaning, an attacker can craft a malicious pull request to gain access to the privileged GitHub token, and with it the ability to push malicious code to the repo without review. To mitigate this risk, Scorecard’s Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default. Bad dependencies: A program is only as secure as its weakest dependency. This may sound obvious, but the first step to knowing our dependencies is simply to declare them… and have your dependencies declare them too. Armed with this provenance information, you can assess the risks to your programs and mitigate those risks.  That’s the good news. The bad news is there are several widely used anti-patterns that break this provenance principle. The first of these anti-patterns are checked-in binaries — as there’s no way to easily verify or check the contents of the binary in the project. Thanks in particular to the continued use of proprietary drivers, this may be an unavoidable evil. Still, Scorecards provides a Binary-Artifacts check for testing this.Another anti-pattern is the use of curl or bash in scripts, which dynamically pulls dependencies. Cryptographic hashes let us pin our dependencies to a known value. If this value ever changes, the build system detects it and refuses to build. Pinning dependencies is useful everywhere we have dependencies: Not just during compilation, but also in Dockerfiles, CI/CD workflows, etc. Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating against malicious dependency attacks such as the recent CodeCov attack.Even with hash-pinning, hashes need to be updated once in a while when dependencies patch vulnerabilities. Tools like dependabot or renovatebot can review and update the hashes. The Scorecards Automated-Dependency-Update check verifies that developers rely on such tools to update their dependencies.It is important to know vulnerabilities in a project before using it as a dependency. Scorecards can provide this information via the new Vulnerabilities check, without subscribing to a vulnerability alert system. That’s what new. Here is what the Scorecards project has done so far.  It now has evaluated security for over 50,000 open source projects. To scale this project, its architecture has been massively redesigned. It now uses a Pub/Sub model. This gives it improved horizontal scalability and higher throughput. This fully automated tool periodically evaluates critical open source projects and exposes the Scorecards check information through weekly updated public BigQuery dataset 

To access this data, you can use the bq command-line tool. The following example shows how to export data for the Kubernetes project. For your purposes, substitute the Kubernetes repo url with the one for the program you need to check:$ bq query –nouse_legacy_sql ‘SELECT Repo, Date, Checks FROM openssf.scorecardcron.scorecard_latest WHERE Repo=”github.com/kubernetes/kubernetes”‘You can also see the latest data on all Scorecards analyzed projects. This data is also available in the new Google Open Source Insights project and the OpenSSF Security Metrics project. The raw data can also be examined via data analysis and visualization tools such as Google Data Studio. With the data in CSV format, you can examine it with whatever your favorite data analysis and visualization tool may be.  One thing is clear from all this data. There’s a lot of security gaps still to fill even in widely used packages such as Kubernetes. For example, many projects are not continuously fuzzed, don’t define a security policy for reporting vulnerabilities, and don’t pin dependencies. According to Google, and frankly, anyone who cares about security: “We all need to come together as an industry to drive awareness of these widespread security risks, and to make improvements that will benefit everyone.” As helpful as Scorecards v2 is, much more work remains to be done. The project now has 23 developers, more would be welcomed.  If you would like to join the fun, check out these good first-timer issues. These are all accessible via GitHub.If you would like us to help you run Scorecards on specific projects, please submit a GitHub pull request to add them. Last but not least, Google’s developers said, “We have a lot of ideas and many more checks we’d like to add, but we want to hear from you. Tell us which checks you would like to see in the next version of Scorecards.” Looking ahead, the team plans to add:If I were you, I’d start using Scorecards immediately. This project can already make your work much safer and it promises to do even more to improve not only security for your programs but the programs it covers.Related Stories: More

Yesterday’s piece on “What should you do with an old Android smartphone” generated a lot of comments. Because I recommended installing a security app, one of the most popular questions was, predictably, which one?
That’s a tough question.
It’s tough because testing security apps means throwing existing vulnerabilities at it, which doesn’t tell you how well it will handle future vulnerabilities. Another issue is that it’s impossible to gauge what kind of performance hit that the app will have across the myriad of devices out there.
So, this is what I suggest you do.
Must read: Here’s why your iPhone Lightning charging cable only works one way (and how to fix it)
Try more than one.
Before I go any further, let me warn you that there are a lot of fake security apps out there. On top of that, there are ones that do little to nothing. Whether you go with something on this list or something different, I suggest you don’t venture away from the big names, the same names who were making security apps for Windows systems a decade ago.

Venturing too far off the beaten path could very well result in you installing the very same badware on your Android device that you are trying to avoid.
Here’s my list — it’s quite short — of recommended apps. There are three free apps here, and one paid-for app. I’ve run all of them on a variety of devices and been happy with the results. 

Price: Free
Why do I like this: No ads! That’s a rarity when it comes to free security apps. It’s not as flashy or whizz-bang as the other apps, but it has scored amazingly well in the AV-TEST testing and gets the job done.
View Now at Google Play Store

Price: Free
Why do I like this: Another app that got the job done. Again, it does show ads, but I didn’t find them intrusive. It also has features such as “Boost RAM” that you can play with. 
View Now at Google Play Store

Price: $14.99 for the first year
Why do I like this: Gives you great protection from malware with the least impact on system performance (as tested by AV-TEST). My only gripe with is that the VPN came with unlimited data rather than the 200MB/day, which feels low.
View Now at BitDefender
Bonus.
Quite a few people have asked me what VPN I use. It’s the same one I have been using for years, and none of the others I’ve tested has come close to it in terms of awesomeness.

Price: From $34.99 per year for 3 devices
Why do I like this: It’s fast, easy to use, and I’ve put terabytes through it across many countries without any problems at all.
View Now at Google Play Store
Do you have a security app installed on your smartphone? If so, which one? Let me know in the comments down below. More

We’re now living in the era of the mega-hack. More than ever, software flaws are being seized on by sophisticated hackers who take these bugs – and use them to create attacks that compromise the computer systems of thousands of organisations, all at once.
Newly discovered vulnerabilities in Microsoft’s Exchange Server provide a good example of this evolution. The flaws were seized on by (likely China-backed) hackers as a way to attack networks, with tens of thousands of systems apparently compromised in a widespread attack. At least 10 other groups are thought to be attempting to use the same exploits, and now cyber criminals are piggy-backing on the original attack in an attempt to deliver ransomware too.
Bugs exists wherever there is software, despite attempts to eradicate them. What we’re seeing now is an growing ability and desire from hackers to turn these bugs into attacks. Increasingly, the same software applications and tools are being used by companies around the world. Some may not even be aware of the software code they are relying on, such is the interconnected world of tech products. And even if they do know the software they are using, too many companies fail to update it even when warned about vulnerabilities by software vendors.
Hacking groups have different motivations: state-backed hackers want to gain access to as many systems as possible before deciding which have strategic value (either a source of intelligence or as a stepping-stone to compromising other systems); cyber criminals want to break in where they can to either steal data or deliver money-making ransomware. Either way, threat actors are now sophisticated enough to respond to weaknesses quicker than ever before. That’s bad for everyone.
A software flaw doesn’t affect just one company, but can put thousands or even tens of thousands at risk as hacking groups seize on a new bug and race to exploit it, breaking into as many systems as possible before a fix is found and applied. Some companies used to think they were too small to be targeted, but will sadly discover that crooks will attack – and potentially destroy — their business, just on the off-chance that a ransom will be paid. Others will find that cutting costs by not patching software flaws is a false economy, to say the least.
So what can be done? Projects that aim to fix bugs in everything — starting with programming languages and the basic code (often open-source) that underpins software applications — are a start. Encouraging secure code as a standard is a must. Companies must also understand that legacy systems may contain vulnerabilities, and that patching is not optional. Longer-term, the ransomware threat must be addressed and better international rules around state-backed hacking put in place. Neither of those are going to be easy problems to tackle.
Right now, we need to realise that the stakes are increasing – and rapidly.
ZDNET’S MONDAY MORNING OPENER 

The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.
PREVIOUSLY ON MONDAY MORNING OPENER:   More

Adrian Kingsley-Hughes/ZDNETFollow ZDNET: Add us as a preferred source More

So sad.
Screenshot by ZDNet
You’re so silly, you.

Apple in the Enterprise: A Strategic Guide
Once a pariah in the enterprise, Apple has quietly emerged as a darling of executives and professionals because of the ease of use of the iPhone and the iPad. We look at how the influx of Apple devices is changing the tech landscape in business.
Read More

You spend all day on your phones and laptops and you have no idea just how much of what you say and do via these things simply isn’t private.
You just don’t care, do you? 
It’s like walking up to strangers and shouting your credit card number. Or telling them your heart rate. Or revealing that you’re trying to divorce your ever-loving spouse.
You have to laugh, don’t you?
Well, Apple does. Its latest ad is a vertiable litany of humanity’s sins, as it blithely tosses privacy to the winds. In favor of immediacy, convenience and sheer laziness.
Here we see people going through their everyday lives, exposing themselves on the subway, in a restaurant, on the street and even in a restroom.
Exposing their private information, that is.
Buy an iPhone and your life will be private, says the ad. Wait, or does it?
[embedded content]
Well, what’s interesting here is that there are no phones in the main part of the ad, so we have no idea whether at least some of these people might actually be iPhone users.
Moreover, Apple’s promise at the end is carefully worded: “Some things shouldn’t be shared. iPhone helps keep it that way.”
Helps is correct. Apple does try harder to preserve what’s left of human dignity.
Yet, as a blisteringly depressing Washington Post article last year revealed, in one week with an iPhone thousands of trackers — mostly in apps — merrily sent on the user’s identifiable information to others.
There’s little hope of actual privacy when the whole tech ecosystem is built on stalking.
That’s what recently led a top LG executive to dump Chrome for Brave.
The vast majority of people, however, can’t be bothered. If they think about tracking at all, they think it’s inevitable. If they think about privacy at all, they vaguely remember it used to exist.
For Apple, of course, marketing privacy is a way of suggesting its brand is more purely attuned to humanity’s needs and feelings.
The snag is, of course, that humans are very good at ruining themselves without any help at all. More