Posts

Startups Focus on Deepfakes and Data Motion Security to Combat Emerging Threats

 In 2024, cybersecurity startups focused on securing data-in-motion and tackling the rising threat of deepfakes. As real-time face-swapping and synthetic voice technologies enable impersonation attacks, companies like Validia and RealityDefender are developing identity assurance solutions that assess liveness during video calls. Additionally, startups like Blackbird.AI, Alethea, and Logically are working on unified threat intelligence platforms that address cybersecurity exfiltration, insider threats, impersonation, and information warfare, giving organizations comprehensive insight into these emerging risks. https://www.darkreading.com/cybersecurity-operations/startups-focus-deepfakes-data-motion-model-security

DevSecOps Arsenal: A Comprehensive Resource for Integrating Security into DevOps Workflows

 The DevSecOps Arsenal is a curated collection of tools, methodologies, and resources designed to integrate security seamlessly into every stage of the Software Development Life Cycle (SDLC) and DevOps workflows. It includes insights into embedding security throughout the SDLC, strategies for shifting security left in the development process, a categorized list of DevSecOps tools, and resources like whitepapers and architecture guidelines. The repository also provides contribution rules for those looking to add to the collection. It serves as a valuable resource for enhancing security practices within development and operational workflows. https://github.com/sk3pp3r/DevSecOps-Arsenal

BSIMM15 Report Highlights Focus on AI and Software Supply Chain Security

 The BSIMM15 report from Black Duck Software focuses on how organizations are addressing security risks related to artificial intelligence (AI) and software supply chains. The study covers 121 organizations across industries like healthcare, IoT, and technology. Key findings include a rise in adversarial testing, with the number of companies conducting abuse case scenarios doubling from the previous year. Software composition analysis (SCA) on code repositories increased by 67%, and 30% more organizations are employing research groups to explore new attack methods. Additionally, 22% more organizations are generating software bills of materials (SBOMs) for transparency. The report emphasizes the importance of prioritizing security as AI and supply chain risks grow. https://securityboulevard.com/2025/01/bsimm15-new-focus-on-securing-ai-and-the-software-supply-chain/

CVSS 4.0 vs CVSS 3.1: A Comparison of Vulnerability Scoring and Risk Assessment

 The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities, with scores ranging from 0 to 10. CVSS 4.0, released in November 2023, generally assigns higher base scores than CVSS 3.1 due to its more detailed evaluation of exploitability and impact factors. However, these higher scores may not always reflect the actual risk in specific environments, as default settings often overlook organizational contexts. This can lead to misallocation of resources when prioritizing vulnerability remediation. The analysis highlights the importance of considering contextual factors for better risk assessment and prioritization. https://securityboulevard.com/2025/01/cvss-3-1-vs-cvss-4-0-a-look-at-the-data/

RSA Conference 2025 Opens Submissions for Innovation Sandbox and Launch Pad Contests

 RSA Conference 2025 is now accepting submissions for its 20th Annual Innovation Sandbox and 5th Annual Launch Pad contests, scheduled for April 28, 2025. The Innovation Sandbox contest is open to emerging cybersecurity companies with products launched between December 1, 2023, and February 14, 2025. The top 10 finalists will present at the conference, with each finalist receiving a $5 million investment. The Launch Pad contest is for earlier-stage companies seeking strategic advice and exposure. Submissions for both contests are open until February 14, 2025. https://www.prnewswire.com/news-releases/rsa-conference-2025-now-accepting-submissions-for-20th-annual-innovation-sandbox-fifth-annual-launch-pad-contests-302349898.html

Malicious npm Packages Target AI Coding Company in Dependency Confusion Attack

In January 2025, a Snyk researcher published malicious npm packages seemingly aimed at Cursor, an AI coding company. The packages, named "cursor-retrieval," "cursor-always-local," and "cursor-shadow-workspace," collected system data, including environment variables containing sensitive information like AWS keys and GitHub credentials, and sent it to an attacker-controlled server. This resembles dependency confusion attacks, where public packages mimic private ones to trick developers. The OpenSSF package analysis scanner flagged these packages, and advisories were issued. The incident highlights the need for vigilance and robust security when using npm packages. https://sourcecodered.com/snyk-malicious-npm-package/

Cloudflare's Commitment to CISA's Secure by Design Initiative

 In May 2024, Cloudflare signed the Cybersecurity and Infrastructure Security Agency's "Secure by Design" pledge, emphasizing security as a core aspect of software development. The initiative aims to eliminate classes of vulnerabilities, such as injection flaws and hardcoded secrets in code. Cloudflare's Product Security team implemented customized rulesets to detect and block these vulnerabilities, achieving a 79% reduction in secrets found in code over the last quarter. By establishing secure defaults and separating data from code, Cloudflare aligns with the pledge's goals, promoting resilient systems with built-in security. https://blog.cloudflare.com/cisa-pledge-commitment-reducing-vulnerability/