The Latest Software Security Intel (January 2024)

Newsletter January 2024 | MergeBase

Welcome to the January issue of the MergeBase newsletter, your gateway to the latest developments and insights in the world of cybersecurity.

To kickstart the year, we’re looking forward to global cybersecurity trends for 2024 and looking back at the key government cybersecurity regulations and strategies released in 2023.

Skip to:

1. Industry headlines
2. Top vulnerabilities
3. Tips & guides



Join Oscar, Kelly, and Delan as they discuss cybersecurity from a multifaceted perspective and learn more about the latest cybersecurity trends in machine learning, AI, and more. Whether you’re looking to impress a new employer or stay current on what’s happening in your industry, this video is for you.


Industry Headlines


CISA urges technology manufacturers to eliminate default passwords

As part of their new Secure by Design series, CISA published new guidance on how technology manufacturers can protect customers by eliminating default passwords.

The TLDR: Manufacturers must build the following principles into their design, development, and delivery processes to prevent exploitation of static default passwords.

  1. Take ownership of customer security outcomes.
  2. Build organizational structure and leadership to achieve these goals.

Learn more about the latest SbD alert here.

2023’s key government cybersecurity regulations and strategies — A year in review

From the White House’s National Cybersecurity Strategy to the FDA’s extensive premarket cybersecurity guidance for medical devices, there’s a lot to unpack from 2023.

Get a more in-depth look at the new regulations and strategies shaping AI, healthcare, software design, and more in our 2023 wrap-up.


Top Vulnerabilities


Google releases eighth zero-day patch of 2023 for Chrome

Google released an urgent security update for Chrome, addressing a critical zero-day flaw that’s been making waves in the cyber world.

Identifier: CVE-2023-7024

Risk score: 8.8 out of 10

Description: Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High).

Critical Vulnerability in the Apache Struts2 Framework

Apache has issued a critical security advisory for its widely used Struts 2 web application framework.

Identifier: CVE-2023-50164

Risk score: 9.8 out of 10

Description: An attacker can manipulate file upload params to enable path traversal, and under some circumstances, this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
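The advisory gives two fixed versions on two release lines, which is the detail an SCA tool has to get right when it flags a dependency. As an added example (not code from the newsletter or from MergeBase), here is a minimal version check for CVE-2023-50164 that takes only the fixed versions 2.5.33 and 6.3.0.2 from the text above; treating every lower version on the same major line as affected, and the `struts2-core` coordinates, are assumptions of the example.

```python
# Added example, not code from the newsletter or from MergeBase: an SCA-style
# version check for CVE-2023-50164. The fixed versions (2.5.33 and 6.3.0.2) come
# from the advisory text; treating every lower version on the same major line
# as affected is an assumption of this example, not the official range data.
import re

# Fixed version per major release line, from the advisory text.
FIXED_BY_MAJOR = {2: (2, 5, 33), 6: (6, 3, 0, 2)}


def parse_version(ver: str) -> tuple:
    """'6.3.0.1' -> (6, 3, 0, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    core = re.split(r"[-+]", ver, maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in core.split("."))


def _pad(v: tuple, n: int) -> tuple:
    # Right-pad with zeros so 2.5.33 and 2.5.33.0 compare equal.
    return v + (0,) * (n - len(v))


def status_cve_2023_50164(ver: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a struts2-core version."""
    v = parse_version(ver)
    fixed = FIXED_BY_MAJOR.get(v[0])
    if fixed is None:
        return "unknown"  # the advisory text names no fix for this line
    n = max(len(v), len(fixed))
    return "vulnerable" if _pad(v, n) < _pad(fixed, n) else "fixed"


def scan_dependencies(deps: list) -> list:
    """deps: [(group, artifact, version)]; returns struts2-core entries not known fixed."""
    findings = []
    for group, artifact, version in deps:
        if group == "org.apache.struts" and artifact == "struts2-core":
            s = status_cve_2023_50164(version)
            if s != "fixed":
                findings.append((version, s))
    return findings


if __name__ == "__main__":
    # Constructed sample dependency list, as a tool might read it from a pom.xml.
    sample = [
        ("org.apache.struts", "struts2-core", "6.3.0.1"),
        ("org.apache.struts", "struts2-core", "2.5.33"),
        ("org.apache.commons", "commons-fileupload", "1.5"),
    ]
    print(scan_dependencies(sample))  # [('6.3.0.1', 'vulnerable')]
```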


Tips & Guides


5 tips to manage your SCA tool more effectively

Cybersecurity expert and Founder and CEO of Forward Security, Farshad Abasi, shares his top tips for streamlining your SCA process and getting more from your chosen tool.

A comparison of the best SBOM tools: How to pick the right one

Take a look at how CycloneDX, Syft, Fossa, and MergeBase compare and discover tips that will ensure you choose the right SBOM generation tool for your business in this SBOM comparison guide.


Ready to prioritize your software supply chain security in 2024?

MergeBase CTO Kelly West and Customer Success Manager Cody Bludorn are ready to answer your software supply chain security questions and help you find the right solution for your organization.