JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By triggering these newly discovered vulnerabilities, an attacker can cause arbitrary code execution in the application that uses the PJSIP library.

Governance, risk, and compliance (GRC) management presents some unique challenges for organizations that deploy a myriad of cloud resources, services, and accounts. Simple misconfigurations in any of these assets can lead to a serious data breach, and compliance issues become even more prevalent as organizations try to inventory and manage assets across multiple cloud platforms and security and auditing tools.

In the first article in this series we covered the basics. In the second article about the planning process, we covered how developers incorporate security at the beginning of their project. This article explores DevSecOps during the Continuous Integration (CI) phase of the coding process and how to protect the code from supply chain attacks, license issues, and theft. Developers are advised during planning to use secure coding best-practices during the coding process.

The Data Security and Protection Toolkit (DSP Toolkit) is an NHS operated online tool that enables organisations in benchmarking their security against the National Data Guardian’s 10 Data Security Standards (NDG Standards).

According to Gartner, enterprise usage of AIOps is set to surge from a mere 5% in 2018 to a whopping 30% in 2023. To survive in an increasingly competitive market, MSPs must not only respond well to customer expectations but anticipate them. Another Gartner report states that by 2025, over 80% of public cloud managed and professional services deals will require both hybrid and multi-cloud capabilities from the provider, up from below 50% in 2020.

Web applications are continuously evolving due to the hypo-velocity of code changes and stream of new features and functionality leaving businesses exposed to application security risks. A new wave of automated pen testing conducted through a software as a service delivery model can help reduce this risk by providing automated vulnerability findings in real time.

As a former systems and network administrator, I understand the demands that are placed on today’s IT professionals. It’s true that skills gap continues to hamper IT and security personnel, for example. In early 2020, Tripwire revealed the results of a survey in which 83% of security professionals noted that they felt more overworked going into that year than they did at the start of 2019.

Guessing how many marbles are in a jar is either a fun carnival game (pick the average based on the wisdom of the crowd) or a math problem involving orb volume, cylinder volume and the estimated space between marbles. You can also just count the marbles. Unfortunately, when it comes to identifying the number of devices connected to your network, none of these approaches works – although quasi-manual counting remains all too common.

We’ve seen a massive increase in the number of open source packages created and used in the wild during the past few years. These days every ecosystem has its package manager, and almost every package manager has its hidden gems and configurations. That said, as developers continuously install an ever-expanding number of packages, attackers gain interest in the packages’ attack surfaces. Then, the journey to craft the perfectly hidden malicious package begins.