The JFrog Security Research team is constantly looking for new and previously unknown vulnerabilities and security issues in popular open-source projects to help improve their security posture and defend the wider software supply chain.

Attack surface management (ASM) and vulnerability management (VM) are often confused, but they’re not the same. The primary difference between the two is scope: Attack surface management and external attack surface management (EASM) assume that a company has many unknown assets and therefore begin with discovery. Vulnerability management, on the other hand, operates on the list of known assets.

Conversations about basic cybersecurity hygiene often start with a lecture on effective patch management. While proper patch management is certainly recommended, much more can be done. Say you’ve locked the doors of your house before leaving for vacation – an opportunist might only check to see if the doors are locked, but a persistent thief might try the windows or look for other ways in. Similarly, CVEs and CVSS serve a purpose, but they still leave you with many untreated risks. Why?

In this new Cybersecurity Research Center series, we analyze the OWASP Top 10, which is a list of the most common vulnerabilities in web applications. In application security, the Open Web Application Security Project (OWASP) Top 10 list is a valuable resource for DevSecOps teams that oversee the development and security of web applications. The OWASP Top 10, updated every four years, lists the most common vulnerabilities in web apps based on a consensus among contributors from the OWASP community.

Attacks targeting the software supply chain are on the rise. Indeed, data from the Mend Open Source Risk Report shows a steady quarterly increase in the number of malicious packages published in 2022, with a significant jump in Q3, which jumped 79 percent from Q2. The European Cybersecurity Agency (ENISA) predicts that supply chain attacks will increase fourfold by 2022.

Ransomware’s new favorite victim is educational institutions. Ransomware attacks, that exploit targets utilizing malicious software code, have increased tremendously over the past few years. In addition to targeting business sectors, cybercriminals are now attempting to ambush the security posture of educational sectors. Educational institutions are an easy prey for ransomware attackers as they lack the fundamental elements of a secured network.

For most websites and apps, employing security-related HTTP headers has become standard practice. Websites use headers as part of HTTP requests and replies to convey information about a page or data sent via the HTTP protocol. They might include a Content-Encoding header to indicate that the content is a compressed zip file or a Location header to specify a redirect URL.

Microservices offer significant advantages compared to monoliths. You can scale the development more easily and have precise control over scaling infrastructure. Additionally, the ability to make many minor updates and incremental rollouts significantly reduces the time to market. Despite these benefits, microservices architecture presents a problem — the inability to access its services externally. Fortunately, an API gateway can resolve this issue.

Timing is everything when it comes to responding and recovering from a widespread, destructive attack. As threat actors operate undetected across a victim network and get deeper into the attack lifecycle, it becomes increasingly more challenging to recover and avoid the business disruption that comes from a compromised environment.

Most developers aren’t security experts. This isn’t because we don’t care about security, it’s just that there are only so many hours in the day and features come first. Fortunately, developers don’t need to be security experts to build secure apps — they just need the right tools.