Vulnerability

Nucleus Security Positioned as a Growth Leader in Frost Radar: Application Security Posture Management, 2024

In September 2024, Frost & Sullivan released its Frost Radar: Application Security Posture Management (ASPM), 2024, highlighting the leaders in this rapidly growing market. We’re proud to be recognized as a top player, reflecting our strong growth and impact in the ASPM space. Our customers use Nucleus to achieve a comprehensive and unified application security posture.

The vulnerability puzzle: understanding base images and their relationship to CVEs

Have you ever heard of CVEs? Maybe not by their acronym, but Common Vulnerabilities and Exposures, monitored by the CVE Program Mission, are everywhere. As of the writing of this article, there are over 220,000 CVE Records available—meaning many potential threats you could be exposed to. How can you ever protect your infrastructure against this reality? Well, the good news is, you usually don’t have to.

CVE-2024-9164: Critical Arbitrary Branch Pipeline Vulnerability in GitLab EE

On October 9, 2024, GitLab released patches for a critical vulnerability affecting various versions of GitLab EE, identified as CVE-2024-9164. This flaw allows a remote attacker to run pipelines on arbitrary branches within a repository, which could potentially lead to code execution. A GitLab pipeline consists of a series of automated processes that execute in stages to build, test, and deploy code.

Foundations of trust: Securing the future of AI-generated code

Generative artificial intelligence (GenAI) has already become the defining technology of the 2020s, with users embracing it to do everything from designing travel itineraries to creating music. Today’s software developers are leveraging GenAI en masse to write code, reducing their workload and helping reclaim their valuable time. However, it’s important developers account for potential security risks that can be introduced through GenAI coding tools.

Analyze Taint Analysis Faster with Improved Contextual Dataflow in Snyk Code

Snyk Code is a powerful tool designed to help developers identify and automatically fix vulnerabilities in their source code. It eliminates flow interruptions and repeated work by detecting and resolving security issues in real time with over 80% autofixing accuracy. It integrates seamlessly with your development workflow, providing real-time feedback on security issues directly within your IDE, CLI, or SCM.

CVE-2024-47610: Stored XSS Vulnerability in InvenTree

Astra Security identified a vulnerability in the InvenTree Inventory Management System on October 2nd, 2024, which has since been patched. This vulnerability, CVE-2024-47610, is a stored cross-site scripting (stored XSS) flaw affecting versions of InvenTree below 0.16.5, where Markdown in the Notes feature can enable attackers to run code. Cross-site scripting vulnerabilities allow an attacker to inject HTML into an application and affect the users whose browsers render the injected content.

Ruby affected by CVE-2024-45409

CVE-2024-45409 is a critical vulnerability in the Ruby-SAML (affecting versions up to 12.2 and from 1.13.0 to 1.16.0) and OmniAuth SAML libraries. It therefore poses a security risk for unpatched versions of GitLab (read more on the GitLab blog). This vulnerability arises from improper verification of the SAML Response signature. An attacker with access to any signed SAML document can forge a SAML Response or Assertion with arbitrary contents.