Veracode is pleased to announce the availability of Veracode Fix capability in Veracode Scan for VS Code. Now developers can discover and remediate security flaws using Veracode’s Generative AI-powered tools directly from their Integrated Development Environment (IDE). According to the Veracode State of Software Security, 45.9% of organizations have critical security debt.

Vulnerability scans are essential to an effective cyber defense strategy, offering a proactive approach to uncover and mitigate potential threats before they can exploit your systems. At the forefront of this crucial practice are Tenable and RiskOptics, each offering comprehensive solutions designed to conduct thorough vulnerability assessments. These tools identify weaknesses and help prioritize and address them, significantly strengthening your overall security posture.

ConnectWise ScreenConnect, a widely used remote desktop product, has recently been found vulnerable to two critical security flaws, assigned CVE numbers CVE-2024-1709 and CVE-2024-1708. These vulnerabilities, if exploited, can lead to remote code execution, potentially compromising sensitive data and critical systems. What’s more alarming is that reports are indicating active exploitation of these vulnerabilities in the wild.

In today's digital landscape, web applications and APIs are constantly under threat from malicious actors looking to exploit vulnerabilities. A common and dangerous attack is a SQL injection. In this blog, we will explore SQL injection vulnerabilities and attacks, understand their severity levels, and provide practical steps to prevent them. By implementing these best practices, you can enhance the security of your web applications and APIs.

While tech sector media coverage on cybersecurity has primarily focused in recent years on trends such as ransomware attacks, vulnerabilities in the DevOps chain, and the growing role of AI in combating threats, a quiet but significant development has been advancing under the radar on several fronts: we refer to the more assertive stance taken by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to elevate security best practices in government and the private sector.

ConnectWise urges organizations using an on-premises installation of the ScreenConnect remote monitoring and management software (formerly known as ConnectWise Control) to update servers to version 23.9.8 immediately due to a critical remote code execution vulnerability. The ScreenConnect remote desktop product is at risk due to a pair of vulnerabilities: CVE-2024-1709 and CVE-2024-1708.

Did you know that GitHub Copilot may suggest insecure code if your existing codebase contains security issues? On the other hand, if your codebase is already highly secure, Copilot is less likely to generate code with security issues. AI coding assistants can suggest insecure code due to their limited understanding of your specific codebase. They imitate learned patterns or utilize available context without providing judgment.

On February 20, 2024, we published a security bulletin detailing newly disclosed authentication bypass and path traversal vulnerabilities in ConnectWise ScreenConnect. Shortly after the bulletin was sent, ConnectWise updated their security bulletin with IOCs from observed active exploitation of these vulnerabilities. On February 21, 2024, the vulnerabilities were assigned the following CVE numbers.

Vulnerability prioritization is one of the most important steps in managing cybersecurity risks effectively. Ideally, security teams would address every vulnerability immediately upon detection. However, the reality is far from ideal because of the overwhelming number of vulnerabilities and their escalating volume among other challenges, like severity spectrum differences requiring nuanced assessment, evolving threats, or resource constraints.

People, processes, and tooling all impact an organization’s ability to maintain a strong AppSec program. In a recent panel at Black Hat Europe, Snyk spoke with two customers — Jaguar Land Rover (JLR) and Asda — about the unique challenges they face managing development teams, onboarding new security tools, and building a modern DevSecOps program throughout their organizations.