GitLab Sends Users Scrambling Again With New CI/CD Pipeline Takeover Vuln

July 12, 2024 at 04:34PM GitLab recently disclosed a critical vulnerability, CVE-2024-6385, impacting its DevOps platform, allowing attackers to run pipelines within users’ contexts. With a severity rating of 9.6 on the CVSS scale, the bug affects GitLab versions 15.8 to 17.1. Users were strongly urged to upgrade as soon as possible. This follows a …

What’s Bugging the NSA? A Vuln in Its ‘SkillTree’ Training Platform

July 10, 2024 at 09:06AM The NSA patched a CSRF vulnerability in its SkillTree platform, designed to modernize software practices within the agency and shared on GitHub in 2020. The fix addressed potential manipulation by hackers, and users were urged to apply the update. This incident highlights the inherent difficulty in identifying and addressing CSRF …

GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

June 28, 2024 at 10:43AM GitLab released updates addressing 14 security flaws, including a critical vulnerability allowing unauthorized execution of CI/CD pipelines. The most severe flaw, CVE-2024-5655 (CVSS score: 9.6), impacts versions 15.8 to 17.1, with 17.1.1, 17.0.3, and 16.11.5 providing fixes. While there’s no active exploitation, users are urged to apply patches. Key takeaways …

Cloudflare Expands Zero Trust Capabilities with Acquisition of BastionZero

May 30, 2024 at 01:21PM Cloudflare announced the acquisition of BastionZero, a seed-stage startup based in Boston, Mass. The financial terms were not disclosed. BastionZero’s technology offers remote access to infrastructure for backend and cloud engineering teams. The acquisition fits into Cloudflare’s plan to extend its Zero Trust Network Access flows and enhance its VPN …

Trends at the 2024 RSA Startup Competition

May 22, 2024 at 01:03PM The RSA Conference 2024’s Innovation Sandbox highlighted emerging trends in AI security, deepfake detection, AI data security, and the automation of identity management. Reality Defender won for its deepfake detection capabilities, as startups showcased advanced AI security and detection technology. Startups are adapting to AI adversaries and data vulnerabilities, foreseeing reinvention of …

CISA says GitLab account takeover bug is actively exploited in attacks

May 1, 2024 at 12:33PM CISA warns of active exploitation of a critical GitLab vulnerability (CVE-2023-7028), allowing attackers to hijack accounts via password resets, potentially leading to supply chain attacks. While 2FA-protected accounts are safe, unpatched systems are at risk. GitLab has released fixes, and CISA urges prompt patching, especially for federal agencies and private …

5 Hard Truths About the State of Cloud Security 2024

April 23, 2024 at 05:07PM Cloud security has progressed but still has a long way to go, with breaches costing organizations heavily. John Kindervag, a zero trust security proponent, emphasizes that simply moving to the cloud doesn’t make organizations more secure. Meanwhile, native security controls are hard to manage, and identity alone won’t save the …

Behind the Scenes: The Art of Safeguarding Non-Human Identities

March 28, 2024 at 08:03AM The article discusses the challenges of managing non-human identities in modern software development, highlighting issues such as hard-coded secrets, scalability challenges, compliance difficulties, and the neglect of security in the development process. It also provides best practices for securing non-human identities and introduces Entro, a tool for efficient secrets management …

Codezero Raises $3.5 Million for DevOps Security Solution

March 15, 2024 at 11:45AM Codezero, a startup specializing in secure enterprise microservices development, has secured $3.5 million in seed funding led by Ballistic Ventures and angel investors. Based in Vancouver, the company aims to streamline Kubernetes software development workflows, offering a product called Teamspaces that creates an ephemeral environment similar to production and allows …

Software Reliability Firm Steadybit Raises $6 Million

March 11, 2024 at 12:51PM Steadybit, based in Solingen, Germany, has secured $6 million in Series A funding led by Paladin Capital Group, with participation from existing investors. The company uses chaos engineering to enhance software reliability by simulating disturbances and failures, helping organizations preempt and mitigate vulnerabilities. They are introducing a new feature called …