CTO vs VP R&D
Implementing Mend Renovate Enterprise has never been easier: 24/7 support, dedicated team guidance, and additional features for increased productivity.
Security | Threat Detection | Cyberattacks | DevSecOps | Compliance
The Latest Cybersecurity News & Insights From Around The World
November 2024
DevSecOps in 2024: Key Trends, Challenges, and Emerging Solutions
Explore DevSecOps trends in 2024, from automation to shift-left security. Discover challenges and solutions shaping secure software development.
Aikido joins the AWS Partner Network
If you missed it, over the summer months launched our product on the AWS Marketplace with the promise to deliver the fastest “time-to-security” in the industry for new AWS users. We’ve also officially joined the AWS Partner Network (APN) as a validated AWS partner. This means we went through the AWS Foundational Technical Review (FTR). We are FTR-approved* and meet the well-architected best practices enforced by AWS, not to brag. ;) Psst.
Measuring AppSec success: Key KPIs that demonstrate value
In the software development industry, proactively securing the software development life cycle (SDLC) from cyber threats must always be a top priority. Taking a shift left approach addresses security early on so your development teams can spend more time innovating and less on dealing with vulnerabilities. But that’s just the beginning.
Path Traversal in 2024 - The year unpacked
Path traversal, also known as directory traversal, occurs when a malicious user manipulates user-supplied data to gain unauthorized access to files and directories. Typically the attacker will be trying to access logs and credentials that are in different directories. Path traversal is not a new vulnerability and has been actively exploited since the 90s when web servers gained popularity, many relied on Common Gateway Interface (CGI) scripts to execute dynamic server-side content.
Command injection in 2024 unpacked
Command injection is a vulnerability still very prevalent in web applications despite being less famous than its cousins SQL injection or Code injection. If you’re familiar with other injection vulnerabilities, you’ll recognize the common principle: untrusted user input is not properly validated, leading to the execution of arbitrary system commands. This flaw occurs when unvalidated input is passed to system-level functions. So how prominent is command injection actually?
Cisco Research GenAI Security Summit
Cisco Research hosted a virtual summit on GenAI security, bringing together researchers to explore GenAI security challenges. The summit includes presentations from university professors and students collaborating with the Cisco Research team, including Tianlong Chen (University of North Carolina-Chapel Hill), Ruoxi Jia (Virginia Tech), Xialoin Xu (Northeastern University), and Xun Xian (University of Minnesota).
Balancing Security: When to Leverage Open-Source Tools vs. Commercial Tools
When deciding what approach to use for security tooling, it seems like there are two choices. Like everything in security, there is more to unpack in reality. In this article I want to explore when open-source security tools should be used, when commercial tools are more effective, and if we can trust tools built from an open-source core.
Breaking Down Jit's New Approach to ASPM
Application Security Posture Management (ASPM) emerged to address gaps in traditional application and cloud security scanners – like SAST, SCA, secrets detection, IaC scanning, CSPM, and many others – that generate noisy alerts and silo security insights across various tools. By providing a consolidated view of product security risks that are prioritized according to their business and runtime context, ASPM helps security teams understand which issues truly matter.
Introducing Veracode Risk Manager: A New Chapter in ASPM Built for Scale
In a digital world that’s evolving faster than ever, industry landscapes are shifting, and customer needs are becoming more complex. At Veracode, we recognize these fundamental changes in the application security space. That’s why Veracode strategically acquired Longbow Security, now rebranded as Veracode Risk Manager.
Your AppSec Journey Demystified: Driving Effective API Security with Wallarm and StackHawk
There is no doubt that attackers have shifted their attention to APIs. Wallarm’s API ThreatStats research identifies that 70% of attacks now target APIs instead of Web Applications. While APIs have become the backbone of innovation and connectivity for businesses, they have also introduced a vast attack surface that’s challenging to defend with traditional methods alone.
How ASPM boosts visibility to manage application risk
How often are you surprised by a threat or vulnerability from a software asset you never knew existed? For many companies, the answer is, “More often than we’d like.” This is because you can’t protect what you can’t see. Full visibility across the entire software supply chain is a must for AppSec teams, but this comprehensive view across the attack surface can be elusive.
Secure Python code faster with Code Sight: Real-time issue detection in Visual Studio | Black Duck
Join David Bohannan, an R&D engineer at Black Duck, as he demonstrates using Black Duck's IDE plug-in, Code Sight to run static analysis on Python code within Visual Studio. Watch as Code Sight instantly detects vulnerabilities like OS command injection and cross-site request forgery while code is being written, helping developers fix issues early in the software lifecycle. David will demonstrate how leveraging Coverity's Rapid Scanning engine through Code Sight can allow developers to tackle issues such as secret scanning and ensure hardcoded secrets are flagged before they become risks to applications further downstream.
Jit Open ASPM Platform Overview
In five minutes, explore Jit's core product capabilities to empower developers to secure everything they code and unify product security risk mitigation.
Auditing Your Security Program with Roddy Bergeron - Secrets of AppSec Champions Podcast
Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development -– using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.
The State of SQL Injection
SQL injection (SQLi) has a history that is older than Internet Explorer (which according to Gen Z was the start of civilization). There have been thousands of breaches caused by SQL injection and an endless amount of well-documented best practices and tools to help prevent it. So surely, surely we learned our lesson from these breaches and SQLi is no longer an issue.
OWASP Top 10 LLM is Dead: Here's Why
The OWASP Top 10 for LLMs is getting an update! But is v2 going to be significantly different from v1? Check out Bar-El Tayouri's take on what's new in v2 and how it impacts hashtag#GenAI security.
The 7 Essential Steps for Ensuring Mobile App Security
Mobile devices now account for more than half of all web traffic, and that number seems poised to increase over the next few years. Between the Apple App Store and Google Play Store, there are already more than 5 million applications available — and not all of them are safe. A smart mobile app security strategy can mitigate some of the threats that come from unauthorized, misconfigured, or malicious software.
Visma's Security Boost with Aikido: A Conversation with Nikolai Brogaard
"Aikido helps us catch the blind spots in our security that we couldn’t fully address with our existing tools. It’s been a game-changer for us beyond just the SCA (Software Composition Analysis) solutions we originally brought them in for." A little while ago, we shared that Visma chose Aikido Security for its portfolio companies. Recently, we had the pleasure of having Nicolai Brogaard, Service Owner of SAST & SCA over in our Belgian headquarters.
Okta vulnerability explained (bcrypt auth bypass)
Okta Bcrypt Authentication Bypass Explained Last week, on October 30th, Okta released an interesting security advisory detailing a vulnerability that could potentially lead to an authentication bypass. According to Okta, the vulnerability was discovered during an internal review and was promptly addressed. Okta was transparent about the issue, sharing the details publicly.
Revolutionizing Risk Management in Application Security
In our hyper-connected reality, software applications are the unsung heroes of business operations. But, let's face it, with great tech comes great vulnerability to cyber shakedowns and data leaks. This begs the question: “Is scanning enough to manage risk?” Organizations are playing a high-stakes game of keeping their apps secure to safeguard their secrets.
Why is ASPM taking over AppSec?
Amir Kessler gives his perspective on one of the fundamental challenges of AppSec – making sense of huge volumes of product security issues – and how ASPM can solve this problem.
How to Fight Security Tool Sprawl with ASPM Extensibility
Chris Hughes describes the advantages of product security orchestration, which enables security teams to plug their favorite scanners into a single framework that unifies the execution and UX of multiple tools.