Today, I’m delighted to announce the release of Jit’s Context Engine, which uses the runtime context of vulnerabilities to automatically prioritize the top security risks in our customers’ cloud applications. One of the defining challenges of product security is the overwhelming volume of alerts generated by code and cloud security scanners, which is especially painful when the majority of “issues” don’t pose any real security risk.

Imagine this: an attacker sneaks a tiny backdoor into software that hundreds of companies use. It sounds like a plot from a spy movie, but it’s a real threat that recently impacted major Linux distributions through a compromised utility tool, XZ Utils. So far, in 2024, over 35 billion known records have been breached. The Linux attack, potentially in action and undetected since 2021, is just one of the many that highlight the alarming proliferation of supply chain attacks.

The widespread adoption of external libraries and packages in the modern application development process introduces potential security risks that could impact the entire application. To address this, Software Composition Analysis (SCA) tools like npm-audit and OSV Scanner play an important role.

Sisense is a popular monitoring tool that enables users to monitor business metrics from multiple third-party sources in a single dashboard. On April 10, the company informed customers that the sensitive information they entrusted with Sisense may have been compromised and urged them to reset their password and rotate their secrets. According to KrebsOnSecurity, the attackers were allegedly able to access GitLab repositories hosted by Sisense, where hard-coded secrets may have been found.

TruffleHog and Gitleaks are popular secrets scanning tools that can automatically surface hardcoded secrets such as API keys, passwords, and tokens. They can both be integrated into the Software Development Lifecycle (SDLC) to proactively scan repositories to identify and rectify potential issues before they can be exploited. The need for effective secret detection tools underscores a broader shift toward more secure software development practices.

Free vulnerability scanners are a great way to begin scanning your cloud applications and infrastructure for security issues, and proactively resolving vulnerabilities before attackers can find them. These tools can be implemented at every stage of the SDLC, from code planning to production, depending on your preferences and objectives. As a domain, vulnerability scanners cover use cases such as code scanning, dependency reviews, and secret detection.

A cloud-based application security assessment (or ASA) is a systematic evaluation to identify vulnerabilities and improve security in cloud applications. It aims to ensure the application’s structural, design, and operational integrity against all cyber threats. A staggering 82% of data breaches in 2023 involved data stored in the cloud.