Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

After implementing a DevSecOps strategy from the ground up — including secure design, testing and monitoring, and risk-based remediation — you will need to focus on analysis and governance. After all, organizations need to regularly measure and refine their security processes to mature their DevSecOps programs.

Data poisoning is a sophisticated adversarial attack designed to manipulate the information used in training artificial intelligence (AI) models. By injecting deceptive or corrupt data, attackers can hurt model performance, introduce biases, or even create security vulnerabilities. As AI models increasingly power critical applications in cybersecurity, healthcare, finance, and many other industries, maintaining the integrity of their training data is absolutely critical.

On Friday morning, March 21, 2025, at 9:00 a.m. UTC, a security advisory identified as CVE-2025-29927 was published. It cited a critical 9.1 severity vulnerability for mainstream Next.js applications. Next.js versions considered vulnerable: We urge all developers to upgrade and deploy the latest version of Next.js that carries a fix to avoid suffering critical authorization bypass and other middleware logic circumvention.

Financial institutions face a tricky balancing act: they need to innovate quickly while also following strict compliance rules in an environment where security is paramount. Recently, Snyk's Field CTO, Steven Schmidt, sat down with Mihai Saveschi, Senior Director of Security Service Management at CIBC, for a fireside chat to discuss these pressing issues. We’ve pulled key insights from their conversation on some of the most pressing AppSec challenges facing financial services organizations today.

Developers are trapped in a loop: constantly chasing dependency upgrades to mitigate security risks or chasing down security reports of vulnerable code or findings in the CI pipeline. Developers often refer to this as “vulnerability fatigue,” a term commonly referenced in npm package install logs that list the newly introduced security vulnerabilities for third-party dependencies.

Speed and innovation rule in software development, which makes it easy to overlook one crucial aspect: security. As a Staff Solutions Engineer at Snyk, I’ve seen firsthand how a single overlooked vulnerability can spiral into a crisis, affecting businesses, customers, and trust. Secure coding isn’t just about writing better code—it’s about protecting what matters, which includes the credibility and reputation of individuals, teams, and the business.

In the afternoon on Friday, March 14, 2025, details began to emerge about a serious security exploit on a popular GitHub Action called changed files (tj-actions/changed-files). About 23,000 GitHub repos use this Action as part of their CI and DevOps workflows. It allows you to track which files have changed across branches and commits. An attacker with write privileges on the Action repo made a commit that caused encrypted secrets to appear in plaintext in the GitHub Action logs.

As organizations continue to evolve their DevSecOps programs by adopting comprehensive testing and monitoring, the next step is to take action on the insights uncovered. This means remediating security issues as early as possible and responding to security alerts and incidents in a timely manner. However, many security and development teams find that triaging the findings of every tool and managing remediation efforts is time-consuming and costly.

Managing the risks of AI development tools is crucial for organizations looking to responsibly and effectively leverage this technology’s potential. AI offers transformative capabilities, particularly in coding assistance, where tools can speed up development and reduce manual workloads. However, these benefits can come with risks, such as security vulnerabilities and compliance challenges, that cannot be overlooked.

Snyk is exploring using the open-source Golang project Bento to read data from Kafka streams and materialize intelligence to various outputs. We are pleased to share that we are proactively helping secure the Bento project by contributing dependency fix updates.

Snyk is committed to our partnership with ServiceNow, and together, we're revolutionizing how organizations manage Application vulnerabilities and risk. Snyk's market-leading developer security platform and ServiceNow's robust Security Operations (SecOps) capabilities offer a powerful solution for Application Security teams and Enterprise CISOs.

Security is often seen as a roadblock in development, slowing releases and adding friction between teams. However, as software development cycles become faster and more complex, security must evolve from a blocker to an innovation driver. DevSecOps ensures security is a core part of the development workflow, and automation plays a crucial role in making this integration smooth and effective.

AI code generation is exactly what it sounds like — using artificial intelligence to write and improve code. Tools powered by large language models (LLMs) and specialized AI systems can help developers generate boilerplate code, fix bugs, and even refactor entire sections of an application. And developers are leaning in. According to a GitHub survey, 92% of developers have already used AI coding tools at work or on personal projects.

Snyk Learn, our developer security education platform, now includes lessons on API security! Check out the new learning path that covers the OWASP Top 10 for API security risks. APIs power the modern web, connecting applications and services in ways that drive innovation and efficiency. However, with this interconnectivity comes significant security risks.

JWTs are often used by developers who seek to implement authentication over traditional cookie-based sessions. However, what happens when developers misunderstand JWT security and risk a severe broken authentication vulnerability?

As developers continue to adopt AI tools to transform their workflows, AI-generated code has become more common. In fact, 96% of developers reported using AI coding assistants to streamline their work. Although generative AI (GenAI) tools like ChatGPT can speed up workflows and boost productivity, the security and quality of the outputs aren’t guaranteed.