OData Injection Risk in Low-Code/No-Code Environments

December 13, 2024 at 10:06AM Organizations using low-code/no-code (LCNC) platforms face security risks, particularly OData injection, which can expose sensitive data. This vulnerability is poorly understood and lacks established safeguards. To combat these risks, proactive security strategies must be developed, including automated monitoring tools and collaboration between security teams and developers for effective input validation. …

Critical Vulnerability Discovered in SailPoint IdentityIQ

December 6, 2024 at 12:55AM SailPoint warned of a critical vulnerability (CVE-2024-10905) in its IdentityIQ IAM platform that allows unauthorized access to files due to improper access control. The vulnerability carries a CVSS score of 10/10 in affected versions. E-fixes are available, and users are urged to update promptly to prevent potential data compromise. …

2023 Top Routinely Exploited Vulnerabilities

November 12, 2024 at 10:29AM The joint Cybersecurity Advisory highlights increased exploitation of zero-day vulnerabilities in 2023 by malicious cyber actors compared to 2022, urging vendors and end-users to adopt security measures. Recommendations include implementing secure software development practices and timely patch management to mitigate risks associated with routinely exploited vulnerabilities. …

New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

November 12, 2024 at 10:15AM Cybersecurity researchers warn of GoIssue, a tool for orchestrating large-scale phishing attacks on GitHub users by extracting emails from profiles. Marketed by a threat actor, it enables customized mass email campaigns, increasing risks of data theft and breaches. Additionally, a new two-step phishing attack uses compromised Microsoft files. …

How Developers Drive Security Professionals Crazy

November 8, 2024 at 10:35AM The integration of DevSecOps aims to balance development speed with security, addressing challenges such as security training, complex tools, and alert management. Successful implementation involves understanding risk portfolios, automating security testing, continuous monitoring, and simplifying developers’ experiences, ultimately fostering collaboration for efficient, secure software delivery. …

Mobile Apps With Millions of Downloads Expose Cloud Credentials

October 23, 2024 at 11:53AM Research by Symantec reveals that several popular mobile apps expose hardcoded, unencrypted cloud service credentials, risking severe security breaches. Apps for both Android and iPhone include sensitive Amazon Web Services and Microsoft Azure credentials. This highlights the urgent need for improved security practices in mobile app development to mitigate such …

Cyberattack Gold: SBOMs Offer an Easy Census of Vulnerable Software

April 26, 2024 at 12:37PM Government and security-sensitive firms are requiring software bills of material (SBOMs), listing components of applications. Attackers could exploit this information without sending packets. Larry Pesce warns that publicly accessible SBOMs can expose vulnerabilities. Yet, SBOMs aim to enhance software security, with 60% adoption expected by next year. Pesce advises using …

NightVision Raises $5.4 Million for Application Security Testing

April 15, 2024 at 11:06AM NightVision, a US-based startup founded in 2022, raised $5.4 million in seed funding from angel investors. The company focuses on application security testing, aiding in the identification and resolution of software security vulnerabilities early in the development lifecycle. Its technology simulates attacks, integrates with development workflows, and enables secure development …

Lock Down the Software Supply Chain With ‘Secure by Design’

January 18, 2024 at 06:38AM The concept of “secure by design” is crucial in the face of increasing supply chain attacks, with a shift towards proactive security measures. The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for this in software development practices, emphasizing collective responsibility. It involves building security into software from the ground …

CISA, NCSC Offer a Road Map, Not Rules, in New Secure AI Guidelines

November 28, 2023 at 05:40AM The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre have released new guidelines for secure AI system development. The guidelines focus on building security into AI systems but do not impose any rules or regulations on the industry. The guidelines cover secure design, development, …