
On April 11, Murphy Security officially released its open source software security detection tool, murphysec. The project is described as combining ease of use, professionalism and innovation, and is intended to help every developer use open source code more safely.

(Open source address:
https://github.com/murphysecurity/murphysec )
Product official website:
https://www.murphysec.com/

Murphy Security was officially launched as early as May 2020 (the project was initially named gokusec and was later renamed Murphy Security because that name was already in use by companies in the industry). The founding team members of Murphy Security all come from the enterprise security teams of Baidu, Huawei and Shell. Most of them are ten-year veterans of enterprise security engineering and attack-and-defense research who deal with code and vulnerabilities almost every day, and they have rich experience in security incident emergency response and vulnerability analysis.

The newly released murphysec project obtains a project's dependency information accurately either by building the project or by directly parsing its package management files, so that it can handle projects that use different languages and package managers. The dependency information is then uploaded to the server and matched against the vulnerability knowledge base maintained by Murphy Security, which identifies the dependencies in the project that have security defects. Note that the matching step is not purely local: the project's dependency list leaves the developer's machine.

The core functions of the murphysec project form a "trinity" of detection, diagnosis and repair: it helps developers accurately identify the directly and indirectly depended-on open source components in their software, accurately identify the security vulnerabilities and license compliance risks of those components, and provides developers with simple and efficient one-click defect repair.
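As an added illustration of the dependency extraction and knowledge-base matching described above (and of the "minimum fix version" that the results section mentions later), here is a small Go program. It is not code from the murphysec project and does not reproduce its implementation: it parses a constructed go.mod, keeps the direct/indirect distinction, and checks every module against a hypothetical advisory table that records a minimum fix version. The module path example.com/vuln/lib, the advisory ID EXAMPLE-2022-0001 and the sample manifest are all made up for the example; a real SCA tool would also resolve transitive dependencies through the build and handle semver pre-release tags and Go pseudo-versions, which this example deliberately skips.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Dependency is one require entry from go.mod; Indirect reflects the
// "// indirect" marker that go mod tidy writes for transitive modules.
type Dependency struct{ Path, Version string; Indirect bool }

// Advisory is a hypothetical knowledge-base record (constructed here): versions of Path below FixedIn are affected.
type Advisory struct{ ID, Path, FixedIn string }

// Finding pairs a dependency with the advisory it matched.
type Finding struct{ Dep Dependency; Advisory Advisory }

// Constructed sample manifest; example.com/vuln/lib is a made-up module path.
const sampleGoMod = `module example.com/app

require (
	example.com/vuln/lib v1.1.0
	golang.org/x/text v0.3.7 // indirect
)

require github.com/stretchr/testify v1.7.0
`

// Constructed sample knowledge base; the advisory ID is not a real identifier.
var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-2022-0001", Path: "example.com/vuln/lib", FixedIn: "v1.2.0"},
}

// ParseGoMod extracts require entries (single-line and block form); module, go, replace and exclude are ignored.
func ParseGoMod(src string) []Dependency {
	var deps []Dependency
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "//"):
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock || strings.HasPrefix(line, "require "):
			if d, ok := parseRequireLine(strings.TrimPrefix(line, "require ")); ok {
				deps = append(deps, d)
			}
		}
	}
	return deps
}

// parseRequireLine turns "path version [// indirect]" into a Dependency.
func parseRequireLine(line string) (Dependency, bool) {
	code, comment := line, ""
	if i := strings.Index(line, "//"); i >= 0 {
		code, comment = line[:i], line[i+2:]
	}
	f := strings.Fields(code)
	if len(f) != 2 {
		return Dependency{}, false
	}
	return Dependency{Path: f[0], Version: f[1], Indirect: strings.Contains(comment, "indirect")}, true
}

// versionKey maps "vMAJOR.MINOR.PATCH" to a zero-padded string that sorts numerically (pre-release tags and pseudo-versions are out of scope).
func versionKey(v string) string {
	var n [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%08d.%08d.%08d", n[0], n[1], n[2])
}

// Match returns every dependency, direct or indirect, whose version is below an advisory's fix version.
func Match(deps []Dependency, advisories []Advisory) []Finding {
	var out []Finding
	for _, d := range deps {
		for _, a := range advisories {
			if d.Path == a.Path && versionKey(d.Version) < versionKey(a.FixedIn) {
				out = append(out, Finding{Dep: d, Advisory: a})
			}
		}
	}
	return out
}

func main() {
	for _, f := range Match(ParseGoMod(sampleGoMod), sampleAdvisories) {
		fmt.Printf("%s: %s %s indirect=%t -> upgrade to at least %s\n", f.Advisory.ID, f.Dep.Path, f.Dep.Version, f.Dep.Indirect, f.Advisory.FixedIn)
	}
}
```

The point of keeping the indirect flag is that a vulnerable transitive module cannot be fixed by editing your own require line; you either bump the direct dependency that pulls it in or pin the transitive module explicitly, which is the kind of disposal recommendation an SCA result should spell out.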

In terms of functions, the murphysec project supports vulnerability detection, one-click repair and real-time detection, and can detect defective components introduced in Java (Maven), JavaScript (npm) and Go code. Each finding comes with a clear repair plan and can be fixed quickly through the one-click repair function; if the code's dependencies later change and introduce a security problem, the plug-in reminds you to deal with it in time.

In terms of languages, the murphysec project currently supports only the detection of Java, JavaScript, Golang and Python projects. Murphy Security plans to add support for other development languages gradually, so stay tuned.

At present, the murphysec project can also be applied in further scenarios, such as a GitLab code repository detection tool and integrated security detection in Jenkins.

In recent years, with the continuous development and application of open source technologies, the threat of software supply chain attacks has become increasingly serious. Facing the new pattern of global technological innovation and development in the post-epidemic era, the topic of software supply chain security risks has gradually become the focus of global attention.

It is against this background that the new murphysec project released by the Murphy security team came into being.

I believe everyone still remembers the Log4j2 vulnerability incident in December last year. At the time it shook the global technology community, and the industry began to pay attention to measures for open source software and ecosystem security governance.

In March this year, Murphy Security Lab also issued what it describes as the world's first warnings for the Spark & Hadoop RCE vulnerability and the Spring Cloud expression injection vulnerability, detecting and warning about them on two consecutive days.

These are all thanks to the IDE detection plug-in developed on the basis of Murphy Security's open source detection tool. It helps developers detect dependency security issues inside the IDE, easily identify which defective open source components the code uses, and quickly resolve security problems through accurate repair solutions and the one-click repair function.

(The official address of the plugin:
https://plugins.jetbrains.com/plugin/18274-murphysec-code-scan )

murphysec project:

The specific installation steps are as follows:

Usage:

Execute murphysec scan [your-project-path] to start detection

View Results:

  • Add the --json parameter to the command to output the detection result in JSON format
  • Detailed detection results can also be viewed directly on the Murphy Security platform

View dependency information:

  • View the detection results (they provide disposal recommendations, the minimum fix version of each defective component, and detailed vulnerability information)

MissD