Our previous research on CVE exploitability in the top DockerHub images discovered that 78% of the reported CVEs were actually not exploitable. This time, the JFrog Security Research team used JFrog Xray’s Contextual Analysis feature, automatically analyzing the applicability of reported CVEs, to scan OWASP WebGoat – a deliberately insecure application. The results identified that out of 60 CVEs reported with a Critical CVSS score, only 10 are actually applicable.

On December 2022, a security researcher from the Outpost24 Ghost Labs team discovered a vulnerability on the ThingsBoard IoT platform, where a normal user’s privileges can be escalated, by doing a simple post with an additional header, and exploiting the associated flaws, to take control over the entire platform and related accounts. Upon reporting of the vulnerability to the vendor, it was quickly resolved.

Most application security testing focuses on server-side vulnerabilities. While vulnerability management alerts are necessary within today’s threat landscape for increased security, your teams can quickly become overwhelmed by them. These alerts can create a lot of noise for your development teams, other IT staff, and even your business operations.

Identifying and evaluating security vulnerabilities is essential at every stage of software development and system management. New vulnerabilities surface all the time, demanding ongoing vigilance as well as effective methods of assessment and response. And recent data shows that this is increasingly the case.

I conducted some research to try and identify YAML Injection issues in open-source projects using Snyk Code. Though the vulnerability itself is not a new one, the potential impact of YAML Injection is high, which made it a good candidate for research. This research led to the discovery of several issues in open-source projects written in Python, PHP and Ruby. This article focuses on the issue found in geokit-rails version 2.3.2, a plugin for Ruby on Rails

Open source is everywhere, as is the need to properly manage it. Get the latest open source trends from the 2023 OSSRA report. It’s that time of year again: Now in its 8th edition, the Synopsys “Open Source Security and Risk Analysis” (OSSRA) report launched earlier this week.

Were you tasked with building a product that requires the execution of dynamic JavaScript originating from end users? You might think building it on-top of Node.js VM module is a viable way to create a JavaScript sandbox. In this article, we’ll learn why that’s far from being a recommended approach and the security implications of doing so. Every now and then there’s a project that challenges the rudimentary and routine backend development. APIs? Message queues?

One of the biggest concerns when using Kubernetes is whether we are complying with the security posture and taking into account all possible threats. For this reason, OWASP has created the OWASP Kubernetes Top 10, which helps identify the most likely risks.

Open source libraries have become an indispensable part of modern applications. Approximately 90% of organizations use open source software to support their services, but monitoring these dependencies can be difficult when environments run thousands of ephemeral services. The complex nature of modern applications, in combination with the challenge of keeping a competitive edge in a fast-moving market, can make it difficult for organizations to identify and remediate threats in a timely manner.

I was inspired to write this after reading a post from Thomas Depierre on Mastodon. The post touched on something that’s been troubling me recently. When it comes to software security, we spend a lot of time talking about the software supply chain and related concepts, such as the software bill of materials (SBOM). This metaphor comes from an industrial lexicon. People who are used to talking about economies and how manufacturing works are familiar with the idea of supply chain.

Mass assignment, also known as autobinding or object injection, is a category of vulnerabilities that occur when user input is bound to variables or objects within a program. Mass assignment vulnerabilities are often the result of an attacker adding unexpected fields to an object to manipulate the logic of a program.

We are in early 2023, and we have over 2700 new vulnerabilities registered in CVE. It is still a challenge for developers to endure the fatigue of continually vulnerability prioritization and mitigating new threats. Our findings in the Sysdig 2023 Cloud-Native Security and Container Usage Report provide signs of hope for overburdened developers, as the data showed opportunities to focus remediation efforts on vulnerable packages loaded at runtime.

Using an outdated jQuery library can open up your web application to vulnerabilities. Read more to find out how to find and fix jQuery vulnerabilities. jQuery is among the oldest JavaScript libraries available online. It simplifies your coding and is used by countless websites. But there is an inherent danger that lies with outdated jQuery libraries: they are vulnerable to risks such as cross-site scripting.

A vulnerability is a state of being exposed to the possibility of an attack. In the context of cyber security, vulnerabilities are software bugs that can expose your systems to threats like malware infection, DDoS attacks, injections, and ransomware attacks.

The number of devices, systems, and assets that are reliant on the internet is increasing by the day. From the POV of an attacker, this is a gold mine.

At JFrog, we’re serious about software supply chain security. As a CVE Numbering Authority, our JFrog Security Research team regularly discovers and discloses new malicious packages and vulnerabilities posing a threat to development organizations. We know that in order to deliver trusted software on demand, you must have a secure software supply chain — making security a priority in everything we do.

If I throw a coin high up in the air, I know the outcome — it will either be heads or tails. However, I can’t predict which it will be. I will certainly be able to guess with a 50% chance, but I can’t be 100% certain. If I were to roll a die, my certainty becomes less (1 in 6). However, I still know what the output could be. Computers are great at many things, especially predictability. They are deterministic and creating a truly random number is impossible.

Vulnerability Management refers to the systematic approach to the identification, classification, and remediation of vulnerabilities across various cyber systems.

Software is an intricate part of our lives, with its presence in nearly every device and aspect of technology. However, the software can also be vulnerable to malicious threats, given that the code within it can contain flaws. As a result, software vulnerability has been on the rise over the years and is likely to continue increasing in 2023. Organizations and businesses alike need to remain proactive about their security measures when it comes to their systems, software, and data management.

OpenSSH’s newly released version 9.2p1 contains a fix for a double-free vulnerability. Given the severe potential impact of the vulnerability on OpenSSH servers (DoS/RCE) and its high popularity in the industry, this security fix prompted the JFrog Security Research team to investigate the vulnerability. This blog post provides details on the vulnerability, who is affected, and a proof-of-concept to trigger it causing a Denial of Service (DoS).

Our long-standing partnership with Atlassian is built on our mutual commitment to providing a great developer experience. It started with our native integration within the Bitbucket Cloud UI, and today we’re incredibly excited to announce yet another new door opening in our partnership. The new Snyk integration for Jira Software will bring security and collaboration to Atlassian users at every stage of the development lifecycle.

An information disclosure vulnerability has been identified in Money Lover, a finance tracking application created by Finsify and available on Android, iOS, Microsoft Store, with a web interface. This vulnerability allows any authenticated user to view live transactions related to shared wallets.

Audits are challenging. Especially when it comes to assessing abstract compliance standards against multiple cloud environments, unique cloud infrastructure setups, and many possible (mis)configurations. To help our customers automate compliance assessments, Snyk Cloud now supports 10+ compliance standards— including CIS Benchmarks for AWS, Azure, and Google Cloud, SOC 2, PCI DSS, ISO 27001, HIPAA, and more.

Every day, thousands of developers use the Snyk CLI as part of their development workflow, to identify and resolve security issues in their code as early as possible. What if these developers and other security professionals could harness the power of this dev-first approach and also utilize entirely new security analyses, filters, and workflows via an extensible approach?

During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users. CrushFTP is a secure high- speed file transfer server that runs on almost any OS. It handles a wide array of protocols, and security options. CrushFTP stores details of registered users within the filesystem in the users/MainUsers directory.

Regardless of how last year went, a few things probably come to mind that you’d like to leave in 2022. Maybe it’s a bad habit you’d like to drop or a mindset you’d like to change. But speaking of ditching bad habits, some poor cloud application security practices shouldn’t carry over to 2023 either!

Containerization is becoming increasingly common due to portability, ability to isolate application dependencies, scalability, cost effectiveness, and ease of use. The ability to easily package and deploy code has changed the way that organizations work with applications. But like with Windows servers years ago, or AWS today, any time one specific technology gains a significant portion of the market share, it becomes a target for attackers.

All it takes for cybercriminals to breach your mission-critical networks, database, and IT systems is a single unpatched vulnerability. To prevent this and maintain good cyber hygiene, you need to obtain real-time vulnerability data. ‍ Vulnerability scans generate a lot of data that when analyzed reveal several security flaws.

Sliver’s growing popularity as an open-source C2 framework, Emotet’s comeback and new evasion techniques, and how Chinese hackers exploited a Fortinet flaw using a 0-Day.