Between the 28th –30th of December 2022, Zoho released security updates to address a SQL injection vulnerability that they identified, designated as CVE-2022-47523. An advisory was later published, summarizing the affected products and remediation. This vulnerability affects several credential management products including ManageEngine PAM360, ManageEngine Access Manager Plus, and ManageEngine Password Manager Pro.

On January 4, CircleCI, an automated CI/CD pipeline setup tool, reported a security incident in their product by sharing an advisory.

Conversations about basic cybersecurity hygiene often start with a lecture on effective patch management. While proper patch management is certainly recommended, much more can be done. Say you’ve locked the doors of your house before leaving for vacation – an opportunist might only check to see if the doors are locked, but a persistent thief might try the windows or look for other ways in. Similarly, CVEs and CVSS serve a purpose, but they still leave you with many untreated risks. Why?

The ongoing rise in open source vulnerabilities and software supply chain attacks poses a growing threat to businesses, which heavily rely on applications for success. Between 70 and 90 percent of organizations’ code base is open source, while vulnerabilities such as Log4j have significantly exposed organizations to cyberattacks.

The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain.

Attack surface management (ASM) and vulnerability management (VM) are often confused, but they’re not the same. The primary difference between the two is scope: Attack surface management and external attack surface management (EASM) assume that a company has many unknown assets and therefore begin with discovery. Vulnerability management, on the other hand, operates on the list of known assets.

In this new Cybersecurity Research Center series, we analyze the OWASP Top 10, which is a list of the most common vulnerabilities in web applications. In application security, the Open Web Application Security Project (OWASP) Top 10 list is a valuable resource for DevSecOps teams that oversee the development and security of web applications. The OWASP Top 10, updated every four years, lists the most common vulnerabilities in web apps based on a consensus among contributors from the OWASP community.

Attacks targeting the software supply chain are on the rise. Indeed, data from the Mend Open Source Risk Report shows a steady quarterly increase in the number of malicious packages published in 2022, with a significant jump in Q3, which jumped 79 percent from Q2. The European Cybersecurity Agency (ENISA) predicts that supply chain attacks will increase fourfold by 2022.

Ransomware’s new favorite victim is educational institutions. Ransomware attacks, that exploit targets utilizing malicious software code, have increased tremendously over the past few years. In addition to targeting business sectors, cybercriminals are now attempting to ambush the security posture of educational sectors. Educational institutions are an easy prey for ransomware attackers as they lack the fundamental elements of a secured network.

For most websites and apps, employing security-related HTTP headers has become standard practice. Websites use headers as part of HTTP requests and replies to convey information about a page or data sent via the HTTP protocol. They might include a Content-Encoding header to indicate that the content is a compressed zip file or a Location header to specify a redirect URL.