// Post Status Notes

Security News Roundup

There’s a Slashdot discussion of ZDNet’s reporting on a critical security vulnerability in OpenSSL: OpenSSL Warns of Critical Security Vulnerability With Upcoming Patch.

Australia is increasing fines for massive data breaches.

Apple has admitted they will only commit to patching their latest OS versions. Ars Technica’s Andrew Cunningham:

This confirms something that independent security researchers have been aware of for a while but that Apple hasn’t publicly articulated before. Intego Chief Security Analyst Joshua Long has tracked the CVEs patched by different macOS and iOS updates for years and generally found that bugs patched in the newest OS versions can go months before being patched in older (but still ostensibly “supported”) versions, when they’re patched at all.

The NSA and CISA have published a big report on supply chain security: Securing the Software Supply Chain: Recommended Practices Guide for Suppliers. There’s also a guide for developers: “Securing the Software Supply Chain: Recommended Practices Guide for Developers.” Future guidance will extend to customers as well.

A proposed EU Cyber Resilience Act requires software providers to deliver secure code and fix bugs quickly.