Appsec adventures

 Semgr8s is a proof-of-concept admission controller for Kubernetes that uses Semgrep rules to validate resources before deployment. It allows the integration of both public and custom Semgrep rules to enforce security and compliance policies within Kubernetes clusters. The project is experimental and not recommended for production use. https://github.com/semgr8ns/semgr8s

Alex John’s article explores container drift, the unauthorized modification of a container’s filesystem, which threatens immutability and may signal security breaches. He highlights forensic tools like Docker Forensics Toolkit and Kube Forensics but notes their limitations in detecting drift. Focusing on OverlayFS, he explains how changes occur in the writable "upper" layer. He recommends using docker diff or custom scripts to track modifications. Enhancing tools with drift detection can improve forensic investigations, helping security teams identify and mitigate unauthorized changes in container environments.  https://detect.fyi/adrift-in-the-cloud-a-forensic-dive-into-container-drift-f29524f4f6c4

In his December 21, 2024, blog post, Adnan Khan introduces Cacheract, an open-source proof-of-concept tool that exploits misconfigurations in GitHub Actions caching. Building on his earlier research into cache poisoning, Khan developed Cacheract to automate the injection of malicious code into build caches, allowing malware to persist across multiple workflow runs. The tool works by predicting and replacing cache entries, enabling unauthorized actions within continuous integration and deployment pipelines. Khan emphasizes that Cacheract is intended for ethical security research and highlights the risks of insecure caching configurations in CI/CD environments.  https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache

The Open Source Security Foundation's (OpenSSF) Package Analysis project enhances open source software security by analyzing packages from public repositories to detect potentially malicious behavior. It employs static and dynamic analysis techniques to examine file system interactions, network communications, and executed commands. The system continuously monitors package repositories for new or updated packages, queues them for analysis, and executes them in a sandboxed environment using gVisor containers to observe runtime behaviors. The results are stored in BigQuery for further inspection and research. The project's goals include detecting malicious behaviors, informing consumers about safer package selections, and providing researchers with valuable data. It consists of components such as a scheduler that generates analysis jobs, analysis workers that perform static and dynamic assessments, and a loader that uploads results to BigQuery. This infrastructure enables a compr...

 Josh Grossman discusses recent developments with Semgrep, an open-source static analysis tool, and its new fork, Opengrep. He highlights issues with removed features affecting his custom rules but appreciates Semgrep's SARIF output support. Grossman explains Semgrep’s licensing: the core engine is LGPL, but the rule library includes a Commons Clause restricting commercial use. While noting misinformation about these changes, he praises Semgrep’s flexibility and simplicity, comparing it favorably to other tools. The post reflects his concerns and ongoing commitment to using Semgrep effectively. https://joshcgrossman.com/2025/01/28/whats-going-on-with-sem-open-grep/

 The Secure Coding Practice Guidelines from UC Berkeley emphasize the importance of integrating secure coding principles throughout the software development lifecycle to protect sensitive data and mitigate vulnerabilities. Developers are encouraged to undergo training to understand and apply secure coding practices, referencing the OWASP Secure Coding Guidelines. These guidelines address critical areas such as input validation, authentication, session management, cryptographic practices, error handling, and communication security, among others. Compliance is evaluated through an Application Security Testing Program, which ensures adherence to these principles for both web and non-web applications. By following these practices, organizations can reduce the risks of security breaches caused by unsafe coding. https://security.berkeley.edu/secure-coding-practice-guidelines/

The GitHub repository **mlw157/scout** appears to be a project focused on scouting or monitoring, though the exact details are unclear without direct access to the repository. Typically, such projects involve tools or scripts for tasks like data collection, web scraping, or network monitoring. The repository likely includes code written in common programming languages such as Python, JavaScript, or Bash, and may utilize libraries or frameworks for specific functionalities like web scraping or network analysis. It probably provides setup instructions, usage examples, and documentation to help users understand and implement the tools. Being an open-source project, it may also encourage community contributions, with guidelines for submitting issues, pull requests, or feature enhancements. For a more accurate understanding, reviewing the repository's README file and documentation directly on GitHub would be necessary.  https://github.com/mlw157/scout

Aqua Security has been recognized as a market leader in software supply chain security by GigaOm. The report highlights Aqua’s superior capabilities in container image security scanning, automated testing, and supply chain mapping. Aqua’s platform is noted for its scalability, automation, and suitability for compliance-driven sectors. The company's comprehensive solution helps secure the entire application lifecycle, from development to runtime, making it a vital tool for organizations managing complex security needs. https://www.citybiz.co/article/651983/aqua-security-named-market-leader-in-new-software-supply-chain-security-report/

Appdome has introduced Threat Dynamics™, an AI-native platform designed to manage extended threats across mobile and application environments. The platform uses AI to enhance threat detection and response, offering seamless integration with existing security workflows. Appdome aims to address the evolving complexity of cybersecurity by providing real-time insights and automation, simplifying threat management for organizations. This approach positions Threat Dynamics™ as a pioneering tool in the application security landscape. https://www.prnewswire.com/news-releases/appdome-unveils-threat-dynamics-to-become-industrys-first-ai-native-extended-threat-management-platform-302355129.html

Pynt is an AI-powered API security testing platform designed to automate threat detection in APIs before attacks occur. It performs automated penetration testing, mimicking hacker attacks and pinpointing real vulnerabilities in applications. The tool integrates with popular CI/CD environments and minimizes false positives. By offering pre-production testing, detailed remediation suggestions, and swift results, Pynt enhances API security for businesses, shifting security left into the development process. https://www.pynt.io/

StackHawk offers automated application security testing that integrates seamlessly into CI/CD workflows, helping teams identify and fix vulnerabilities faster. It specializes in API security testing, supporting various API types like REST, GraphQL, and SOAP. StackHawk enables developers to discover vulnerabilities early, prioritize critical issues, and enhance overall security without disrupting development. The platform is designed to work with existing tools and workflows, allowing for efficient risk management and secure code delivery at scale. https://www.stackhawk.com/

Levo offers API security solutions that enable organizations to secure and monitor APIs across their enterprise. It provides tools for discovering, documenting, and testing internal, external, and third-party APIs, helping teams prevent vulnerabilities before deployment. Levo supports collaboration between developers, security teams, and QA through a centralized API catalog. It also offers features for improving productivity, reducing pentesting costs, ensuring compliance, and shifting security practices earlier in the CI/CD pipeline. The platform is flexible and adaptable to various enterprise environments. https://www.levo.ai/

Akto offers an API security platform designed for modern application security teams, providing comprehensive tools for API discovery, sensitive data exposure detection, vulnerability testing, and continuous API security posture management. The platform integrates into DevSecOps pipelines, helping organizations identify and secure internal, public, and third-party APIs across a variety of environments. It emphasizes shift-left security testing, supporting tools for identifying risks early in the development process, and ensuring API security throughout an application's lifecycle. https://www.akto.io/

Escape offers a platform to discover and secure APIs, SPAs, and microservices. It provides a comprehensive solution for API documentation, business logic vulnerability detection, and automated penetration testing. By using proprietary security algorithms, it proactively finds issues and simplifies developer remediation. Escape integrates with existing CI/CD workflows and allows tailored security checks, helping organizations reduce overhead while enhancing security at scale. The platform is particularly effective in modern application environments such as Kubernetes and GraphQL. https://escape.tech/

Legit Security's 2025 State of Application Risk Report reveals that all organizations surveyed face high application security risks. The report highlights a significant increase in the number of applications per organization, with 60% of respondents managing over 100 applications. This growth has created challenges in securing applications effectively. Additionally, 70% of organizations lack comprehensive visibility into their application security, making it difficult to identify vulnerabilities. The findings underscore the need for better application security strategies and tools to address risks in a more complex application landscape.  https://www.easternprogress.com/legit-security-releases-2025-state-of-application-risk-report-revealing-100-of-organizations-have-high/article_d4a64bd4-380c-57b9-90f5-e649ee8792da.html

The 2024 Open Source Survey highlights key trends, including a growing focus on security in open source projects, with 82% of respondents considering it vital when selecting projects. AI adoption is also on the rise, with 72% of developers using AI tools. The survey shows increased diversity within the community, with more ethnic minorities and immigrants involved. Additionally, attitudes toward harassment and privacy have shifted, and financial support for open source is seen as an area for growth. https://opensourcesurvey.org/2024/

Sonatype highlights its role in automating the Software Bill of Materials (SBOM) reporting process to meet U.S. Army cybersecurity requirements. The Army has mandated SBOM integration in software contracts by February 2025 to enhance transparency and security in software supply chains. By leveraging Sonatype’s tools, teams can proactively manage open-source components, ensuring compliance, reducing risks, and improving overall cybersecurity practices. SBOMs are critical for tracking dependencies and detecting vulnerabilities in defense applications, where rapid development and secure deployment are vital. https://www.sonatype.com/blog/proactive-compliance-with-sonatype-automating-reporting-for-u.s.-army-sbom-requirements

 Accenture has invested in QuSecure to enhance cybersecurity against future quantum threats. Through this collaboration, they aim to offer post-quantum encryption solutions, ensuring robust protection for critical infrastructure. QuSecure's software, QuProtect, supports crypto agility, allowing seamless upgrades to encryption standards. This partnership follows successful tests in securing communications and collaborations, like with Banco Sabadell. The investment will help businesses adopt quantum-resistant technologies and future-proof their networks. https://newsroom.accenture.com/news/2025/accenture-invests-in-qusecure-to-protect-against-future-quantum-threats-with-crypto-agility

 The article discusses the importance of securing third-party APIs in three key scenarios. Organizations must ensure proper monitoring of outbound data flows, validate incoming data from third-party APIs to prevent security risks, and manage the security of data exchanges between SaaS platforms. Each case emphasizes the need for robust security practices to mitigate potential vulnerabilities when using third-party APIs for various business functions. https://www.darkreading.com/cloud-security/3-use-cases-for-third-party-api-security

The blog highlights the security risks of npm postinstall scripts that can run malicious code during package installation. To mitigate these risks, it recommends using the ignore-scripts flag to block the execution of scripts by default, while allowing exceptions for trusted packages. Regular auditing of dependencies is also advised to ensure security.  https://www.nodejs-security.com/blog/npm-ignore-scripts-best-practices-as-security-mitigation-for-malicious-packages/

Forrester's 2025 cybersecurity predictions highlight three key trends: CISOs will reduce focus on generative AI (genAI) due to lack of measurable value, breach-related class-action lawsuits will cost more than regulatory fines, and security and risk professionals must brace for more regulations in response to rising cybercrime costs and evolving risks. These shifts underscore the growing need for resilient, proactive security strategies in a rapidly changing landscape.   https://www.forrester.com/blogs/predictions-2025-cybersecurity-risk-privacy/

The article emphasizes the importance of the "Transition and Retirement Phase" in cryptographic lifecycle management. It argues that building cryptographic inventories without clear agility requirements leads to inefficiency. Key elements include ensuring compliance, mitigating algorithm risks, maintaining interoperability, and preparing for quantum threats. It highlights the role of metadata, intent documentation, and collaboration among technical and organizational teams to enhance agility. Organizations should establish modular infrastructures, governance frameworks, and training to adapt seamlessly to cryptographic updates.   https://www.linkedin.com/pulse/current-advice-go-build-cryptographic-inventory-without-osborne-4g3wf/

The article outlines the fundamentals of threat modeling in AWS, a structured approach to identifying and mitigating security risks. It emphasizes educating teams, creating detailed infrastructure diagrams, and leveraging AWS-specific resources to enhance security. Key practices include prioritizing critical assets, understanding attack vectors, and maintaining updated visual documentation of cloud environments. Threat modeling aligns with compliance frameworks and proactively secures evolving cloud infrastructures. Tools like Draw.io, Lucidchart, and Cloudcraft are recommended for visualizing architectures.   https://awssecuritydigest.com/articles/threat-modelling-in-aws

The article on DevSec Blog explores the development of AI agents for solving security challenges, using tools like CrewAI for enhanced functionality. It highlights the use of AI in identifying and fixing vulnerabilities in an intentionally flawed API project called Damn Vulnerable RESTaurant API Game. By leveraging open-source frameworks and large language models, the AI agent autonomously addresses security issues, explains fixes, and validates solutions. The piece emphasizes practical applications of AI in cybersecurity and outlines steps for building these agents.   https://devsec-blog.com/2024/12/building-ai-agents-to-solve-security-challenges/

Opengrep is a new open-source code security engine, forked from Semgrep CE due to licensing changes that restricted access to critical features. Backed by over 10 organizations, Opengrep aims to democratize Static Application Security Testing (SAST) by ensuring long-term accessibility and innovation for developers. It offers enhanced static code analysis capabilities, backward compatibility, and a commitment to keeping its features open and transparent. Opengrep invites community contributions to improve software security universally.  https://www.opengrep.dev/

Microsoft has developed a comprehensive framework to secure generative AI systems, based on insights from red-teaming over 100 such products. The framework highlights key challenges, such as the amplification of existing risks and the emergence of new threats like prompt injections. While automated tools like PyRIT assist in identifying vulnerabilities, human expertise remains crucial for addressing cultural nuances and ensuring thorough assessments. A defense-in-depth strategy, involving continuous testing and iterative mitigation, is emphasized to counter evolving threats. These approaches aim to improve the safety and reliability of generative AI technologies.  https://www.marktechpost.com/2025/01/18/microsoft-presents-a-comprehensive-framework-for-securing-generative-ai-systems-using-lessons-from-red-teaming-100-generative-ai-products/

On January 15, 2025, Apiiro appointed Bill Nichols as Vice President of Customer Success. Nichols brings over 20 years of experience in the application security industry, having previously been an executive director at Black Duck (formerly Synopsys Software Security Group). In his new role, he will lead Apiiro's customer success team, focusing on optimizing the customer journey and delivering measurable business outcomes. This appointment follows a record year for Apiiro, with a 275% increase in new business growth, reflecting the company’s commitment to enhancing customer experience and support.  https://www.morningstar.com/news/globe-newswire/9332134/apiiro-appoints-industry-veteran-bill-nichols-as-vp-of-customer-succes s

OSV-SCALIBR is an extensible software composition analysis (SCA) tool designed for scanning software inventories and detecting vulnerabilities. It can be used as a standalone binary or integrated as a library in Go projects. The tool supports custom plugins and enables scanning of container images or remote hosts. Users can configure extraction and detection plugins and analyze results in a predefined format.  https://github.com/google/osv-scalibr

The article "Going beyond 'shift left': Why shared responsibility is key to risk management" discusses the limitations of the 'shift left' approach in application security, which focuses on integrating security early in the software development lifecycle. While this method aims to address vulnerabilities early, it often overemphasizes tools and overlooks human involvement and comprehensive security oversight. The article advocates for a shared responsibility model, where developers, security teams, and stakeholders collaborate throughout the development lifecycle. This approach enhances the ability to identify, mitigate, and manage security risks more effectively.  https://securityboulevard.com/2025/01/going-beyond-shift-left-why-shared-responsibility-is-key-to-risk-management/

Cybersecurity threats are expected to continue evolving in 2025, with all attack vectors seeing growth. The ransomware business model has changed since 2017 and continues to evolve. Staying informed about the latest trends is important, as well as prioritizing fundamental strategies such as defense-in-depth and multilayered security. The focus should be on acquiring capabilities in prevention, protection, detection, and response rather than just relying on tools.  https://securitybrief.co.nz/story/cybersecurity-predictions-2025-hype-vs-reality

The 100 Days of YARA 2025 repository invites malware analysts, detection engineers, and reversers to participate in a challenge where they create and share a new YARA rule every day for 100 days. This initiative encourages improving YARA rule writing skills, experimenting, and documenting the learning process. The rules, tips, and ideas are shared publicly, with a focus on advancing skills, from beginners to experienced rule creators. The project fosters a supportive and collaborative environment for malware detection. https://github.com/100DaysofYARA/2025

In 2024, 40,009 CVEs were published, a 38% increase from 2023, averaging 108 CVEs per day. May was the most active month, with 12.5% of the year's CVEs, and May 3rd alone saw 845 CVEs. Tuesdays accounted for 24.3% of releases. The average CVSS score was 6.67, with 231 vulnerabilities scoring 10.0. The Linux kernel was the most referenced CPE, and CVE-2024-20433 had 2,434 unique configurations. Patchstack led CNAs with 4,566 CVEs. CWE-79, related to cross-site scripting, was the most assigned CWE, appearing in 15.56% of CVEs.  https://jerrygamblin.com/2025/01/05/2024-cve-data-review

 The Doyensec blog post "Unsafe Archive Unpacking: Labs and Semgrep Rules" examines security risks in handling archive files across languages like Python, Ruby, Swift, Java, PHP, and JavaScript. It highlights vulnerabilities such as path traversal attacks, where files can be extracted to unintended directories using directory traversal sequences like ../ . The post includes proof-of-concept code for vulnerable and safe implementations and introduces Semgrep rules to detect these issues in codebases. Resources, including secure code examples and Semgrep rules, are available on GitHub at https://github.com/doyensec/Unsafe-Unpacking . https://blog.doyensec.com/2024/12/16/unsafe-unpacking.html

Gitxray is an open-source security tool developed by Kulkan Security to improve the security of GitHub repositories. It identifies information disclosures, monitors suspicious activities, and tracks repository changes using GitHub’s public REST APIs without requiring an API key. The tool examines contributor profiles for accidental exposures, detects shared or fake contributors, ranks contributors by rejected pull requests, and observes repositories transitioning from private to public or experiencing unusual star growth. Gitxray also collects public email addresses, monitors post-release updates, and identifies anonymous contributors. It can be installed using pip install gitxray .  https://blog.kulkan.com/gitxray-a-security-x-ray-for-github-repositories-af8322350db4

 In 2024, startups in cybersecurity focused on securing data-in-motion and tackling the rising threat of deepfakes. As real-time face-swapping and synthetic voice technologies enable impersonation attacks, companies like Validia and RealityDefender are developing identity assurance solutions that assess liveness during video calls. Additionally, startups like Blackbird.AI, Alethea, and Logically are working on unified threat intelligence platforms to address issues like cybersecurity exfiltration, insider threats, impersonation, and information warfare, providing comprehensive insights for organizations to combat these emerging risks. https://www.darkreading.com/cybersecurity-operations/startups-focus-deepfakes-data-motion-model-security

 The DevSecOps Arsenal is a curated collection of tools, methodologies, and resources designed to integrate security seamlessly into every stage of the Software Development Life Cycle (SDLC) and DevOps workflows. It includes insights into embedding security throughout the SDLC, strategies for shifting security left in the development process, a categorized list of DevSecOps tools, and resources like whitepapers and architecture guidelines. The repository also provides contribution rules for those looking to add to the collection. It serves as a valuable resource for enhancing security practices within development and operational workflows. https://github.com/sk3pp3r/DevSecOps-Arsenal

 The BSIMM15 report from Black Duck Software focuses on how organizations are addressing security risks related to artificial intelligence (AI) and software supply chains. The study covers 121 organizations across industries like healthcare, IoT, and technology. Key findings include a rise in adversarial testing, with the number of companies conducting abuse case scenarios doubling from the previous year. Software composition analysis (SCA) on code repositories increased by 67%, and 30% more organizations are employing research groups to explore new attack methods. Additionally, 22% more organizations are generating software bills of materials (SBOMs) for transparency. The report emphasizes the importance of prioritizing security as AI and supply chain risks grow. https://securityboulevard.com/2025/01/bsimm15-new-focus-on-securing-ai-and-the-software-supply-chain/

 The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities, with scores ranging from 0 to 10. CVSS 4.0, released in November 2023, generally assigns higher base scores than CVSS 3.1 due to its more detailed evaluation of exploitability and impact factors. However, these higher scores may not always reflect the actual risk in specific environments, as default settings often overlook organizational contexts. This can lead to misallocation of resources when prioritizing vulnerability remediation. The analysis highlights the importance of considering contextual factors for better risk assessment and prioritization. https://securityboulevard.com/2025/01/cvss-3-1-vs-cvss-4-0-a-look-at-the-data/

 RSA Conference 2025 is now accepting submissions for its 20th Annual Innovation Sandbox and 5th Annual Launch Pad contests, scheduled for April 28, 2025. The Innovation Sandbox contest is open to emerging cybersecurity companies with products launched between December 1, 2023, and February 14, 2025. The top 10 finalists will present at the conference, with each finalist receiving a $5 million investment. The Launch Pad contest is for earlier-stage companies seeking strategic advice and exposure. Submissions for both contests are open until February 14, 2025. https://www.prnewswire.com/news-releases/rsa-conference-2025-now-accepting-submissions-for-20th-annual-innovation-sandbox-fifth-annual-launch-pad-contests-302349898.html

In January 2025, a Snyk researcher published malicious npm packages seemingly aimed at Cursor, an AI coding company. The packages, named "cursor-retrieval," "cursor-always-local," and "cursor-shadow-workspace," collected system data, including environment variables containing sensitive information like AWS keys and GitHub credentials, and sent it to an attacker-controlled server. This resembles dependency confusion attacks, where public packages mimic private ones to trick developers. The OpenSSF package analysis scanner flagged these packages, and advisories were issued. The incident highlights the need for vigilance and robust security when using npm packages. https://sourcecodered.com/snyk-malicious-npm-package/

 In May 2024, Cloudflare signed the Cybersecurity and Infrastructure Security Agency's "Secure by Design" pledge, emphasizing security as a core aspect of software development. The initiative aims to eliminate classes of vulnerabilities, such as injection flaws and hardcoded secrets in code. Cloudflare's Product Security team implemented customized rulesets to detect and block these vulnerabilities, achieving a 79% reduction in secrets found in code over the last quarter. By establishing secure defaults and separating data from code, Cloudflare aligns with the pledge's goals, promoting resilient systems with built-in security. https://blog.cloudflare.com/cisa-pledge-commitment-reducing-vulnerability/

 In 2024, cybersecurity faced significant challenges as threat actors rapidly exploited vulnerabilities while organizations struggled to address them in time. Zero-day exploits were prevalent, targeting critical vulnerabilities in widely used enterprise products like Citrix NetScaler, Cisco IOS XE, and Log4Shell, which remained a significant risk years after its disclosure. The finance and insurance sector reported the most critical vulnerabilities, followed by healthcare. Forty percent of financial applications had unresolved flaws for over a year, with 75% of new vulnerabilities exploited within 19 days, while patching often took over 100 days. Critical vulnerabilities required an average of 4.5 months to remediate, with many surpassing CISA deadlines. Cybercriminals accelerated exploitation, with 41% of organizations detecting attacks from recent vulnerabilities. Time constraints led 91% of companies to release software with known vulnerabilities. These trends emphasize the urge...

The OWASP SAMM project has released version 2.1.0 with several enhancements to support secure software development. Key updates include Agile implementation guides, assessment tools, stream guidance, practitioner and user directories, crowdsourced translations, and a downloadable PDF version. The release also introduces free online training, train-the-trainer materials, and toolbox enhancements with bug fixes. These updates aim to make SAMM more accessible and practical for organizations enhancing their software security practices.  https://github.com/owaspsamm/core/releases/tag/v2.1.0

 Carahsoft Technology Corp. has partnered with Black Duck Software to distribute Black Duck's application security testing (AST) solutions to the U.S. public sector. Carahsoft will act as Black Duck's Master Government Aggregator®, providing access through its reseller network and contracts like NASA SEWP V and ITES-SW2. Black Duck's AST tools help identify security, quality, and compliance issues in proprietary, open source, and third-party code, enabling government agencies to better manage application security risks. https://www.globenewswire.com/news-release/2025/01/09/3007263/0/en/Carahsoft-Enters-Into-Distributor-Agreement-With-Black-Duck-to-Drive-Demand-for-Black-Duck-s-Application-Security-Solutions.html

Snyk, a developer security platform, has acquired Probely, a startup specializing in dynamic application security testing (DAST). Probely provides straightforward DAST scanning, integrates with DevSecOps workflows, and offers remediation guidance for modern applications. In contrast, Escape focuses on advanced testing, such as API discovery, automated documentation, and custom security tests, tailored for complex security environments. This acquisition strengthens Snyk's API security testing capabilities, complementing its developer security tools. https://securityboulevard.com/2025/01/escape-vs-probely-acquired-by-snyk/

 The blog post "Capturing the Flags of the Internet: Find 0-days in OSS and Write Scanners to Detect Them" highlights the importance of identifying and mitigating zero-day vulnerabilities in open-source software (OSS). Zero-day vulnerabilities are flaws unknown to vendors or security providers, making them highly exploitable. The post emphasizes that OSS, often lacking robust security resources, is a common target for such vulnerabilities. It stresses the need for developing detection tools to identify potential zero-day flaws in OSS and proactively address security risks before they can be exploited. https://bughunters.google.com/blog/6752136441233408/capturing-the-flags-of-the-internet-find-0-days-in-oss-and-write-scanners-to-detect-them

 Cymulate has acquired CYNC Secure, an Israeli cybersecurity startup, to enhance its Continuous Threat Exposure Management (CTEM) platform. This acquisition, announced on January 7, 2025, will help Cymulate accelerate its development of CTEM, which is set to launch in 2025. CYNC Secure's technology improves operational efficiency by consolidating vulnerability data and providing actionable insights. The integration will allow Cymulate to focus on exploitability proof and remediation decisions. CYNC Secure's leadership team, including CEO Meir Abergel, will join Cymulate to drive business development and new market solutions. https://www.securityinfowatch.com/cybersecurity/press-release/55253433/cymulate-acquires-cync-secure-to-accelerate-continuous-threat-exposure-management-capabilities

 Tony UcedaVélez, creator of the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, provides an expert guide to threat modeling. He describes it as a proactive, strategic process aimed at identifying and preparing for threats, contrasting it with reactive tactics like threat detection and response. UcedaVélez emphasizes the importance of contextual information that is understandable to all stakeholders. He recommends the PASTA methodology, a seven-stage process that includes defining objectives, enumerating attack surfaces, and analyzing threats. https://securityboulevard.com/2025/01/from-the-creator-of-pasta-tony-ucedavelezs-expert-guide-to-threat-modeling/

 Qualys Patch Management is a cloud-native solution designed to automate and streamline patching, improving security while offering cost savings and operational benefits. Key advantages include reducing expenses by consolidating patch management, enhancing operational efficiency through automation for faster compliance, and mitigating risks by quickly addressing vulnerabilities to prevent breaches and ransomware attacks. The platform's ease of use and quick deployment allow organizations to see immediate benefits, strengthening security posture and delivering a strong ROI. https://blog.qualys.com/product-tech/2025/01/07/secure-efficient-cost-effective-how-qualys-patch-management-delivers-roi

 Endor Labs prioritizes open-source security patches by focusing on critical dependencies responsible for most security issues in the software supply chain. Their approach targets patches for these key components, significantly reducing risk exposure and optimizing resource allocation. This method follows the Pareto principle, addressing the most pressing security concerns that affect the majority of vulnerabilities. https://www.endorlabs.com/learn/how-endor-labs-prioritizes-open-source-security-patches

 Faraday Security provides an integrated platform for vulnerability management, helping enterprises, MSSPs, and security teams streamline the identification, prioritization, and remediation of vulnerabilities. It consolidates data from over 150 security tools, supporting a range of scanners and ticketing systems. Features include customizable automation workflows, collaboration tools for managing vulnerabilities, and penetration testing reporting with compliance-ready formats. Faraday also offers a free trial for organizations to explore its capabilities. https://faradaysec.com/

 SOOS offers a free Software Composition Analysis (SCA) tool for open-source projects with key features such as unlimited scans, user access, and integration with GitHub and Jira. It ranks vulnerabilities based on severity and impact, detects typos, generates Software Bills of Materials (SBOMs) in SPDX or CycloneDX formats, and performs license analysis. Supporting major programming languages like Java, Python, Ruby, and more, the Community Edition helps with vulnerability management and compliance. Users can quickly get started by signing up via GitHub or email for immediate integration and scanning. https://soos.io/products/community-edition

 In a Reddit discussion on the best static software composition analysis (SCA) tools, several platforms were recommended for managing open-source components and vulnerabilities: Snyk : Known for language support and integration into development workflows to identify vulnerabilities early. Sonatype Nexus Lifecycle : Enforces component governance policies throughout the software lifecycle. Mend (formerly WhiteSource) : Scans for vulnerabilities and licensing issues, integrating with popular DevSecOps tools. Veracode Software Composition Analysis : Identifies and prioritizes third-party component vulnerabilities. Black Duck by Synopsys : Identifies open-source components, vulnerabilities, and license compliance issues. These tools help identify vulnerabilities, ensure licensing compliance, and integrate seamlessly into development workflows. https://www.reddit.com/r/devsecops/comments/1hgphdy/what_is_the_best_static_software_composition/

 Semgrep announced key updates to its open-source tool, now called Semgrep Community Edition. Changes include the renaming to highlight its community focus, a new licensing model for Semgrep-maintained rules that limits their use to non-competing, internal, and non-SaaS contexts, and updates to output formats, with certain fields now reserved for the commercial engine. Additionally, previously experimental features have moved to the paid version. These updates aim to clarify the distinction between Semgrep’s community and commercial offerings. https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/

 Amplify Security provides an automated tool for quick remediation of software vulnerabilities. It features one-click fixes, seamless integration with version control systems like GitHub and GitLab, and supports compliance with industry standards. The platform streamlines vulnerability management, improving code security, reducing costs, and accelerating development cycles. https://amplify.security/

 Code Intelligence provides AI-driven application security testing tools, specializing in fuzz testing for detecting vulnerabilities in C and C++ projects. Their flagship product, CI Fuzz, integrates into development workflows, automating test case generation, achieving high code coverage, and identifying critical issues like memory corruption and buffer overflows. Trusted by companies like Google and Bosch, their solutions support compliance with industry standards and enhance software security. By enabling early vulnerability detection and remediation, Code Intelligence promotes secure and robust software development. https://www.code-intelligence.com/

 Jeff Williams discusses the power of vulnerability in fostering growth and trust in personal and professional settings. He argues that embracing vulnerability is a sign of courage and a pathway to innovation, not a weakness. By sharing challenges and uncertainties, individuals and teams can learn, connect, and develop stronger relationships. Williams highlights the importance of leaders modeling vulnerability to create safe and supportive environments, encouraging authenticity and engagement across their organizations. https://www.linkedin.com/pulse/how-vulnerability-jeff-williams/

 Veracode has acquired Phylum's technology to enhance its ability to detect and block malicious code in open-source software. This move integrates Phylum's automated analysis tools and package management firewall into Veracode's application risk management platform. The acquisition aims to address growing software supply chain threats, projected to cost $138 billion annually by 2031. With this integration, Veracode aims to provide robust, real-time security for open-source dependencies, bolstering its platform and expanding protection against evolving cyber risks. https://securitybrief.co.nz/story/veracode-acquires-phylum-s-tech-to-tackle-software-threats

 

 

 

 

 Patchthis.app is an open-source platform offering a curated list of Common Vulnerabilities and Exposures (CVEs) to help organizations prioritize patch management. It aggregates data from sources like the CISA Known Exploited Vulnerabilities Catalog, Rapid7 Metasploit Modules, Project Discovery Nuclei Templates, and EPSS. The database, updated hourly, includes over 6,000 CVEs. Users can access this data via an updated CSV file, and the source code is available on GitHub. Patchthis.app aims to support organizations in making informed patch management decisions with reliable vulnerability intelligence. https://patchthis.app/

 

 Black Duck Software has appointed Ishpreet Singh as Chief Information Officer (CIO) and Bruce Jenkins as Chief Information Security Officer (CISO). Singh, previously the global CIO at Qualys, will lead Black Duck's technology strategy, focusing on digital transformation and AI-driven growth. Jenkins, with 25 years of experience in security, will oversee the company's cybersecurity program, covering on-premise products, cloud solutions, IT infrastructure, and supply chain. These appointments aim to strengthen Black Duck's IT and security strategies, aligning with its mission to build trust in software. https://news.blackduck.com/2024-12-19-Black-Duck-Welcomes-New-CIO,-CISO-in-Latest-Executive-Expansion-Moves

 SmuggleShield is a browser extension designed to detect and prevent HTML smuggling attacks by identifying common patterns. It is compatible with Chrome and Edge browsers on Mac and Windows. The extension operates offline, ensuring privacy, and supports manual imports/exports of data. It also works in incognito mode with manual activation. Features include URL whitelisting to reduce overhead, maintaining a cache of blocked URLs for up to 10 days, and exporting blocked content logs for review. Version 2.0 is the stable release available for download. https://github.com/RootUp/SmuggleShield

 Integrating Chaos Engineering into DevSecOps can enhance security by proactively identifying vulnerabilities and improving resilience. Chaos Engineering, traditionally used for reliability, is now applied to security by intentionally introducing failures to uncover weaknesses. Key applications include simulating API failures to test Web Application Firewalls (WAFs), injecting network faults for DDoS testing, and stress-testing CI/CD pipelines. To implement, start small with isolated experiments, minimize the blast radius, monitor system behavior, and continuously iterate. By using Chaos Engineering, organizations can proactively address security vulnerabilities and foster a culture of continuous improvement. https://willbates1.medium.com/augmenting-devsecops-with-chaos-engineering-a-resiliency-revolution-f544b8ad88f0

 Threat modeling is a process used to identify, communicate, and understand potential threats and mitigations in securing an application. The purpose of this app is to streamline threat modeling sessions by focusing on core functionalities and avoiding distractions like complex tooling or academic jargon. The website operates offline, with all data stored locally on the user's computer, ensuring privacy and control over user data with manual imports and exports. https://dev.guardio.click/

 The article "Passkey Technology Is Elegant, but It's Most Definitely Not Usable Security" critiques passkeys, a password alternative aimed at enhancing security. While passkeys are seen as an advancement in preventing cyberattacks like phishing, the article highlights several usability challenges. These include inconsistent user experiences across platforms, complex synchronization across devices, and potential vendor lock-in. The article concludes that despite passkeys' technical promise, their usability issues may make traditional password management more practical for many users. https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/

 The article "Deepfakes, Quantum Attacks Loom Over APAC in 2025" examines emerging cybersecurity threats in the Asia-Pacific (APAC) region, specifically focusing on deepfakes and quantum computing. It highlights how cybercriminals are increasingly using AI tools for sophisticated attacks like AI-generated phishing, malware, and deepfakes. Notable incidents include deepfakes used in political disinformation and a $25 million scam in Hong Kong. The article stresses the importance of businesses adopting AI-driven security measures to protect against these evolving threats. https://www.darkreading.com/cyberattacks-data-breaches/deepfakes-quantum-attacks-apac-2025

 The article discusses proposed updates to the HIPAA Security Rule by the U.S. Department of Health and Human Services (HHS), aiming to enhance protection for electronic health information amid rising cyber threats. Key changes include mandating multifactor authentication (MFA) for access to electronic protected health information (ePHI), network segmentation to limit cyberattack spread, encryption of ePHI at rest and in transit, regular risk analysis and audits, and robust incident response planning. These updates are part of a broader strategy to strengthen healthcare cybersecurity, with an estimated cost of $9 billion in the first year. The public comment period begins January 6. https://www.darkreading.com/vulnerabilities-threats/hipaa-security-rules-pull-no-punches

 The GitHub repository AI-Agent-Solving-Security-Challenges features an AI agent designed to solve security challenges in the Damn Vulnerable RESTaurant API Game . Using the CrewAI framework, the agent autonomously identifies and addresses security vulnerabilities in the game. It also generates comprehensive reports to help understand and mitigate potential issues. The setup involves cloning the game repository, launching the game, and running the AI agent. This project demonstrates the potential of AI agents to autonomously identify and resolve security vulnerabilities in cybersecurity environments. https://github.com/theowni/AI-Agent-Solving-Security-Challenges

 Invicti has released Brainstorm , a tool designed to optimize web fuzzing by integrating local Large Language Models (LLMs) with the fuzzing tool ffuf . Brainstorm enhances the discovery of hidden endpoints, files, and directories in web applications. It generates AI-powered path suggestions based on initial links from a target website, performs targeted fuzzing with ffuf, and iteratively refines suggestions through learned data. This process improves efficiency and accuracy over time. The tool can be installed and run with simple commands, and its performance can be benchmarked using different LLM models. https://www.invicti.com/blog/security-labs/brainstorm-tool-release-optimizing-web-fuzzing-with-local-llms

 The Open Source Package Analysis project, developed by the Open Source Security Foundation (OpenSSF), enhances open-source security by analyzing packages for malicious behaviors. It monitors repositories for new packages and performs dynamic analysis in a sandbox environment to observe behaviors such as file access and network connections. The results are stored in BigQuery for further inspection. The project tracks changes in packages over time to identify potential threats and provides valuable data to consumers and researchers. Its infrastructure includes components for scheduling analysis, collecting behavior data, and pushing results into BigQuery. https://github.com/ossf/package-analysis

 The Checkmarx blog post "Falling Stars" highlights security risks tied to the popularity of open-source packages. Developers often assume widely used packages are secure, but this assumption can be risky. The article discusses "starjacking," where attackers exploit package popularity metrics to make malicious packages appear trustworthy. Research across multiple package repositories, including npm, Maven, and PyPI, shows that while some repositories have security measures to counter starjacking, the issue remains. The post stresses the importance of assessing package security beyond popularity metrics to reduce risks. https://checkmarx.com/blog/falling-stars

 Semgrep has introduced the Dependency Graph, a feature to improve visibility into software supply chains. This tool helps Application Security (AppSec) teams identify and address vulnerabilities in both direct and transitive dependencies, even without lockfiles. By visualizing dependency paths, the Dependency Graph simplifies scanning and prioritizes remediation efforts. Key benefits include effortless scanning, clear visual representations of dependency relationships, and a focus on critical transitive dependencies. This development reflects Semgrep's commitment to enhancing software supply chain security with deeper insights and less effort. https://semgrep.dev/blog/2024/less-effort-more-insight-introducing-dependency-graph-for-supply-chain

Reddit's engineering team created a self-hosted code scanning service to improve security. This service allows the use of any command-line interface (CLI) tool, whether open-source or internal, to scan code across repositories. By integrating this service into their development workflow, Reddit ensures consistent scanning for vulnerabilities, strengthening the overall security of their platform. https://www.reddit.com/r/RedditEng/comments/1hks4f3/how_we_are_self_hosting_code_scanning_at_reddit

 Imperva's 2025 application security predictions focus on key trends: API Vulnerabilities : A rise in API usage increases the attack surface, with more attacks targeting business logic vulnerabilities. DevSecOps Adoption : The growing risks associated with APIs will drive the shift toward DevSecOps practices, integrating security from the development stage. AI Security Risks : Generative AI introduces new threats, such as prompt injection, which could lead to intellectual property breaches. Advanced Hacking Tools : New cyberattack tools could automate and escalate phishing attacks, making them more sophisticated and frequent. These trends highlight the need for proactive security measures to address evolving threats. https://www.imperva.com/blog/impervas-wildest-2025-appsec-predictions/

 Wiz has acquired Dazz, a leader in unified security remediation and application security posture management, for $450 million. This acquisition enhances Wiz's cloud and AI security platform by integrating Dazz's advanced remediation engine. The combined capabilities will allow security teams to correlate data from multiple sources and manage application risks within a unified platform, streamlining remediation processes and improving overall security. This move highlights Wiz's commitment to strengthening its security offerings and providing comprehensive solutions to its customers. https://www.thesoftwarereport.com/wiz-acquires-dazz-to-revolutionize-risk-remediation/

 Open-source machine learning (ML) systems are highly vulnerable to security threats, with 22 flaws identified across 15 projects. Notably, MLflow is particularly susceptible. These vulnerabilities expose systems to unauthorized access, data breaches, and operational compromise. For example, a flaw in Weave (CVE-2024-7340) allows low-privileged users to access sensitive files, including admin API keys. ZenML's access control issues enable attackers to escalate permissions and access confidential data. These findings emphasize the need for robust security protocols to safeguard open-source ML systems. https://www.techradar.com/pro/Open-source-machine-learning-systems-are-highly-vulnerable-to-security-threats

 Quantum computing is moving from theory to practice, promising solutions to complex problems but posing risks to current cryptographic systems. Quantum capabilities could enable attackers to decrypt sensitive data, threatening assets like trade secrets. Post-quantum cryptography (PQC) aims to counter this, requiring organizations to plan for integration, assess risks, and update systems. NIST's new PQC standards highlight the urgency of preparation. With quantum breakthroughs expected within 5-15 years, proactive measures are essential to secure digital communications and data in the quantum era. https://www.infosecurity-magazine.com/opinions/quantum-next-big-leap/

 MITRE's "Mapping ATT&CK to CVE for Impact" project links Common Vulnerabilities and Exposures (CVEs) to MITRE ATT&CK® techniques, helping defenders understand how vulnerabilities can be exploited. This connection enhances risk modeling, prioritization, and the identification of security controls. Integrated into the Mappings Explorer program, the project provides a centralized resource for exploring how security capabilities align with ATT&CK techniques. This initiative bridges gaps between vulnerability management, threat modeling, and mitigating controls, enabling organizations to better assess and address cybersecurity risks. https://ctid.mitre.org/projects/mapping-attck-to-cve-for-impact/

 Kyndryl forecasts a cybersecurity focus on supply chains in 2025, particularly in Australia, due to recent high-profile attacks. CISOs will reassess supplier relationships, streamline partnerships, and invest in technologies for improved visibility and data integration. Distributed manufacturing may address supply chain integrity issues amid geopolitical conflicts. Blockchain, including NFTs, could see renewed use for authentication to counter deepfakes and insider threats. Vendor consolidation is expected to reduce tool redundancy, while regulatory demands may lead to the creation of "Ethical AI" departments to ensure compliance and mitigate risks. https://securitybrief.co.nz/story/kyndryl-forecasts-2025-cybersecurity-focus-on-supply-chains