CISA chief frets about open-source vulnerabilities, delayed security improvements
Securing some of the open-source technology that serves as the backbone for all modern digital infrastructure is going to require some “hard decisions” amid a wave of malware attacks, the leader of the Cybersecurity and Infrastructure Security Agency said Thursday.
“The open-source community is one that I’m particularly worried about when we start to think about rapid escalation of vulnerability discovery,” acting director Nick Andersen said, referencing a cartoon about how key technologies that underpin the internet are often maintained by a single person.
In one recent attack, a hacker hijacked an account of a single open-source project maintainer to publish malicious updates for axios, popular with software developers, raising the potential for attacks that could spread more widely. TeamPCP, a suspected North Korean hacking group, has been on a sweeping spree of open-source attacks.
Read more at CyberScoop