GitHub Rolls Out Default Secret Scanning Push Protection for Public Repositories

March 1, 2024 at 01:09AM GitHub has announced the default activation of secret scanning push protection for all public repository pushes. This feature identifies over 200 token types from more than 180 service providers to prevent fraudulent use. The move comes as a response to ongoing “repo confusion” attacks targeting GitHub, aiming to thwart malicious …

In Other News: US Hacks Iranian Spy Ship, Rhysida Ransomware Decryption, NIST Guidance

February 16, 2024 at 10:03AM SecurityWeek’s roundup includes Google Cloud’s threat report, a free decryption tool for Rhysida ransomware, and NIST’s guidance on software supply chain security. It covers OpenTitan’s root of trust availability, Seal Security’s emergence, and Pentagon’s data breach notification. Google denies Hamas cyber support, and China’s hacking claims are criticized for lack …

URGENT: Upgrade GitLab – Critical Workspace Creation Flaw Allows File Overwrite

January 30, 2024 at 11:36AM GitLab released fixes for a critical security flaw (CVE-2024-0402) in its Community and Enterprise Editions, allowing unauthorized writing of files. Patches have been backported, and additional medium-severity flaws were resolved. Users are urged to upgrade to the latest version promptly. This follows recent fixes to address critical vulnerabilities in the …

Urgent: GitLab Releases Patch for Critical Vulnerabilities – Update ASAP

January 12, 2024 at 10:42PM GitLab released security updates to address two critical vulnerabilities, CVE-2023-7028 and CVE-2023-5356. CVE-2023-7028 allows account takeover without user interaction, affecting versions 16.1 to 16.7. CVE-2023-5356 enables execution of slash commands as another user through Slack/Mattermost integrations. Users are advised to upgrade instances and enable 2FA for elevated privileges. Key takeaways …

GitLab warns of critical zero-click account hijacking vulnerability

January 12, 2024 at 02:47PM GitLab has released security updates to address critical vulnerabilities in its Community and Enterprise Editions, including an authentication flaw (CVE-2023-7028) allowing account hijacking and a vulnerability (CVE-2023-5356) enabling the abuse of Slack/Mattermost integrations. The flaws were addressed in GitLab versions 16.7.2, 16.5.6, and 16.6.4, with backported fixes available. For official …

5 Tips for Strengthening the Developer-Security Team Relationship

December 22, 2023 at 10:05AM The dynamic between software developers and security teams is crucial for a productive work environment. By shifting from a reactive to a proactive approach, organizations can enhance collaboration, leverage context for focused remediation, improve code dependency visibility, educate developers with the right tools, and foster a culture of continuous feedback for …

Cost of a Data Breach Report 2023: Insights, Mitigators and Best Practices

December 21, 2023 at 06:27AM IBM Security’s Cost of a Data Breach Report analyzes 553 breaches across 16 countries and 17 industries. Key findings include record-high breach costs in 2023, emphasizing the need for strategic security investments. Recommendations urge organizations to integrate DevSecOps, secure data in hybrid cloud environments, utilize AI and automation, …

Fortress Information Security & CodeSecure Team Up to Analyze SBOMs & Remediate Critical Vulnerabilities

December 11, 2023 at 06:03PM Fortress and CodeSecure have partnered to enhance software security by mapping open-source components and identifying vulnerabilities. The partnership aims to fortify national security and critical infrastructure against cyber threats. CodeSecure’s capabilities will expand Fortress’ Software Bill of Materials (SBOM) database, providing risk data to critical industries via NAESAD. A webinar …

CISOs See Software Supply Chain Security As Bigger Blind Spot Than GenAI: Cycode

December 7, 2023 at 06:30PM Cycode released the State of ASPM 2024 report, the first of its kind, revealing that a majority of CISOs find current AppSec surfaces unmanageable. 90% see a need to improve security-dev relations, with software supply chain security being a critical oversight. Their ASPM platform, including the newly announced ConnectorX, aims to …

Survey: AppSec Maturity Hindered by Staffing, Budgets, Vulnerabilities

October 31, 2023 at 01:01PM A recent report from the Purple Book Community highlights the challenges faced by companies in achieving application security (AppSec) maturity. These challenges include a shortage of AppSec engineers, slow vulnerability remediation, and the increasing reliance on cloud infrastructure. Insufficient funding is also identified as a major obstacle. The report emphasizes …