Showing posts from January, 2025

Startups Focus on Deepfakes and Data Motion Security to Combat Emerging Threats

 In 2024, startups in cybersecurity focused on securing data-in-motion and tackling the rising threat of deepfakes. As real-time face-swapping and synthetic voice technologies enable impersonation attacks, companies like Validia and RealityDefender are developing identity assurance solutions that assess liveness during video calls. Additionally, startups like Blackbird.AI, Alethea, and Logically are working on unified threat intelligence platforms to address issues like cybersecurity exfiltration, insider threats, impersonation, and information warfare, providing comprehensive insights for organizations to combat these emerging risks. https://www.darkreading.com/cybersecurity-operations/startups-focus-deepfakes-data-motion-model-security

DevSecOps Arsenal: A Comprehensive Resource for Integrating Security into DevOps Workflows

 The DevSecOps Arsenal is a curated collection of tools, methodologies, and resources designed to integrate security seamlessly into every stage of the Software Development Life Cycle (SDLC) and DevOps workflows. It includes insights into embedding security throughout the SDLC, strategies for shifting security left in the development process, a categorized list of DevSecOps tools, and resources like whitepapers and architecture guidelines. The repository also provides contribution rules for those looking to add to the collection. It serves as a valuable resource for enhancing security practices within development and operational workflows. https://github.com/sk3pp3r/DevSecOps-Arsenal

BSIMM15 Report Highlights Focus on AI and Software Supply Chain Security

 The BSIMM15 report from Black Duck Software focuses on how organizations are addressing security risks related to artificial intelligence (AI) and software supply chains. The study covers 121 organizations across industries like healthcare, IoT, and technology. Key findings include a rise in adversarial testing, with the number of companies conducting abuse case scenarios doubling from the previous year. Software composition analysis (SCA) on code repositories increased by 67%, and 30% more organizations are employing research groups to explore new attack methods. Additionally, 22% more organizations are generating software bills of materials (SBOMs) for transparency. The report emphasizes the importance of prioritizing security as AI and supply chain risks grow. https://securityboulevard.com/2025/01/bsimm15-new-focus-on-securing-ai-and-the-software-supply-chain/

CVSS 4.0 vs CVSS 3.1: A Comparison of Vulnerability Scoring and Risk Assessment

 The Common Vulnerability Scoring System (CVSS) is used to assess the severity of vulnerabilities, with scores ranging from 0 to 10. CVSS 4.0, released in November 2023, generally assigns higher base scores than CVSS 3.1 due to its more detailed evaluation of exploitability and impact factors. However, these higher scores may not always reflect the actual risk in specific environments, as default settings often overlook organizational contexts. This can lead to misallocation of resources when prioritizing vulnerability remediation. The analysis highlights the importance of considering contextual factors for better risk assessment and prioritization. https://securityboulevard.com/2025/01/cvss-3-1-vs-cvss-4-0-a-look-at-the-data/

RSA Conference 2025 Opens Submissions for Innovation Sandbox and Launch Pad Contests

 RSA Conference 2025 is now accepting submissions for its 20th Annual Innovation Sandbox and 5th Annual Launch Pad contests, scheduled for April 28, 2025. The Innovation Sandbox contest is open to emerging cybersecurity companies with products launched between December 1, 2023, and February 14, 2025. The top 10 finalists will present at the conference, with each finalist receiving a $5 million investment. The Launch Pad contest is for earlier-stage companies seeking strategic advice and exposure. Submissions for both contests are open until February 14, 2025. https://www.prnewswire.com/news-releases/rsa-conference-2025-now-accepting-submissions-for-20th-annual-innovation-sandbox-fifth-annual-launch-pad-contests-302349898.html

Malicious npm Packages Target AI Coding Company in Dependency Confusion Attack

In January 2025, a Snyk researcher published malicious npm packages seemingly aimed at Cursor, an AI coding company. The packages, named "cursor-retrieval," "cursor-always-local," and "cursor-shadow-workspace," collected system data, including environment variables containing sensitive information like AWS keys and GitHub credentials, and sent it to an attacker-controlled server. This resembles dependency confusion attacks, where public packages mimic private ones to trick developers. The OpenSSF package analysis scanner flagged these packages, and advisories were issued. The incident highlights the need for vigilance and robust security when using npm packages. https://sourcecodered.com/snyk-malicious-npm-package/

Cloudflare's Commitment to CISA's Secure by Design Initiative

 In May 2024, Cloudflare signed the Cybersecurity and Infrastructure Security Agency's "Secure by Design" pledge, emphasizing security as a core aspect of software development. The initiative aims to eliminate classes of vulnerabilities, such as injection flaws and hardcoded secrets in code. Cloudflare's Product Security team implemented customized rulesets to detect and block these vulnerabilities, achieving a 79% reduction in secrets found in code over the last quarter. By establishing secure defaults and separating data from code, Cloudflare aligns with the pledge's goals, promoting resilient systems with built-in security. https://blog.cloudflare.com/cisa-pledge-commitment-reducing-vulnerability/

Cybersecurity Challenges and Vulnerabilities in 2024

 In 2024, cybersecurity faced significant challenges as threat actors rapidly exploited vulnerabilities while organizations struggled to address them in time. Zero-day exploits were prevalent, targeting critical vulnerabilities in widely used enterprise products like Citrix NetScaler, Cisco IOS XE, and Log4Shell, which remained a significant risk years after its disclosure. The finance and insurance sector reported the most critical vulnerabilities, followed by healthcare. Forty percent of financial applications had unresolved flaws for over a year, with 75% of new vulnerabilities exploited within 19 days, while patching often took over 100 days. Critical vulnerabilities required an average of 4.5 months to remediate, with many surpassing CISA deadlines. Cybercriminals accelerated exploitation, with 41% of organizations detecting attacks from recent vulnerabilities. Time constraints led 91% of companies to release software with known vulnerabilities. These trends emphasize the urge...

OWASP SAMM 2.1.0 Released with Enhanced Security Development Tools

The OWASP SAMM project has released version 2.1.0 with several enhancements to support secure software development. Key updates include Agile implementation guides, assessment tools, stream guidance, practitioner and user directories, crowdsourced translations, and a downloadable PDF version. The release also introduces free online training, train-the-trainer materials, and toolbox enhancements with bug fixes. These updates aim to make SAMM more accessible and practical for organizations enhancing their software security practices.  https://github.com/owaspsamm/core/releases/tag/v2.1.0

Carahsoft Partners with Black Duck to Expand Application Security Solutions

 Carahsoft Technology Corp. has partnered with Black Duck Software to distribute Black Duck's application security testing (AST) solutions to the U.S. public sector. Carahsoft will act as Black Duck's Master Government Aggregator®, providing access through its reseller network and contracts like NASA SEWP V and ITES-SW2. Black Duck's AST tools help identify security, quality, and compliance issues in proprietary, open source, and third-party code, enabling government agencies to better manage application security risks. https://www.globenewswire.com/news-release/2025/01/09/3007263/0/en/Carahsoft-Enters-Into-Distributor-Agreement-With-Black-Duck-to-Drive-Demand-for-Black-Duck-s-Application-Security-Solutions.html

Snyk Expands API Security with Probely Acquisition

Snyk, a developer security platform, has acquired Probely, a startup specializing in dynamic application security testing (DAST). Probely provides straightforward DAST scanning, integrates with DevSecOps workflows, and offers remediation guidance for modern applications. In contrast, Escape focuses on advanced testing, such as API discovery, automated documentation, and custom security tests, tailored for complex security environments. This acquisition strengthens Snyk's API security testing capabilities, complementing its developer security tools. https://securityboulevard.com/2025/01/escape-vs-probely-acquired-by-snyk/

Capturing the Flags of the Internet: Identifying and Detecting 0-Days in Open-Source Software

 The blog post "Capturing the Flags of the Internet: Find 0-days in OSS and Write Scanners to Detect Them" highlights the importance of identifying and mitigating zero-day vulnerabilities in open-source software (OSS). Zero-day vulnerabilities are flaws unknown to vendors or security providers, making them highly exploitable. The post emphasizes that OSS, often lacking robust security resources, is a common target for such vulnerabilities. It stresses the need for developing detection tools to identify potential zero-day flaws in OSS and proactively address security risks before they can be exploited. https://bughunters.google.com/blog/6752136441233408/capturing-the-flags-of-the-internet-find-0-days-in-oss-and-write-scanners-to-detect-them

Cymulate Acquires CYNC Secure to Enhance Continuous Threat Exposure Management Capabilities

 Cymulate has acquired CYNC Secure, an Israeli cybersecurity startup, to enhance its Continuous Threat Exposure Management (CTEM) platform. This acquisition, announced on January 7, 2025, will help Cymulate accelerate its development of CTEM, which is set to launch in 2025. CYNC Secure's technology improves operational efficiency by consolidating vulnerability data and providing actionable insights. The integration will allow Cymulate to focus on exploitability proof and remediation decisions. CYNC Secure's leadership team, including CEO Meir Abergel, will join Cymulate to drive business development and new market solutions. https://www.securityinfowatch.com/cybersecurity/press-release/55253433/cymulate-acquires-cync-secure-to-accelerate-continuous-threat-exposure-management-capabilities

Tony UcedaVélez's Expert Guide to Threat Modeling and the PASTA Methodology

 Tony UcedaVélez, creator of the PASTA (Process for Attack Simulation and Threat Analysis) threat modeling methodology, provides an expert guide to threat modeling. He describes it as a proactive, strategic process aimed at identifying and preparing for threats, contrasting it with reactive tactics like threat detection and response. UcedaVélez emphasizes the importance of contextual information that is understandable to all stakeholders. He recommends the PASTA methodology, a seven-stage process that includes defining objectives, enumerating attack surfaces, and analyzing threats. https://securityboulevard.com/2025/01/from-the-creator-of-pasta-tony-ucedavelezs-expert-guide-to-threat-modeling/

Qualys Patch Management: Secure, Efficient, and Cost-Effective Solution

 Qualys Patch Management is a cloud-native solution designed to automate and streamline patching, improving security while offering cost savings and operational benefits. Key advantages include reducing expenses by consolidating patch management, enhancing operational efficiency through automation for faster compliance, and mitigating risks by quickly addressing vulnerabilities to prevent breaches and ransomware attacks. The platform's ease of use and quick deployment allow organizations to see immediate benefits, strengthening security posture and delivering a strong ROI. https://blog.qualys.com/product-tech/2025/01/07/secure-efficient-cost-effective-how-qualys-patch-management-delivers-roi

Endor Labs: Prioritizing Open-Source Security Patches for Maximum Impact

 Endor Labs prioritizes open-source security patches by focusing on critical dependencies responsible for most security issues in the software supply chain. Their approach targets patches for these key components, significantly reducing risk exposure and optimizing resource allocation. This method follows the Pareto principle, addressing the most pressing security concerns that affect the majority of vulnerabilities. https://www.endorlabs.com/learn/how-endor-labs-prioritizes-open-source-security-patches

Faraday Security: Integrated Vulnerability Management Platform

 Faraday Security provides an integrated platform for vulnerability management, helping enterprises, MSSPs, and security teams streamline the identification, prioritization, and remediation of vulnerabilities. It consolidates data from over 150 security tools, supporting a range of scanners and ticketing systems. Features include customizable automation workflows, collaboration tools for managing vulnerabilities, and penetration testing reporting with compliance-ready formats. Faraday also offers a free trial for organizations to explore its capabilities. https://faradaysec.com/

SOOS Community Edition: Free Software Composition Analysis for Open-Source Projects

 SOOS offers a free Software Composition Analysis (SCA) tool for open-source projects with key features such as unlimited scans, user access, and integration with GitHub and Jira. It ranks vulnerabilities based on severity and impact, detects typos, generates Software Bills of Materials (SBOMs) in SPDX or CycloneDX formats, and performs license analysis. Supporting major programming languages like Java, Python, Ruby, and more, the Community Edition helps with vulnerability management and compliance. Users can quickly get started by signing up via GitHub or email for immediate integration and scanning. https://soos.io/products/community-edition

Top Static Software Composition Analysis (SCA) Tools for DevSecOps

In a Reddit discussion on the best static software composition analysis (SCA) tools, several platforms were recommended for managing open-source components and vulnerabilities:

- Snyk: Known for language support and integration into development workflows to identify vulnerabilities early.
- Sonatype Nexus Lifecycle: Enforces component governance policies throughout the software lifecycle.
- Mend (formerly WhiteSource): Scans for vulnerabilities and licensing issues, integrating with popular DevSecOps tools.
- Veracode Software Composition Analysis: Identifies and prioritizes third-party component vulnerabilities.
- Black Duck by Synopsys: Identifies open-source components, vulnerabilities, and license compliance issues.

These tools help identify vulnerabilities, ensure licensing compliance, and integrate seamlessly into development workflows. https://www.reddit.com/r/devsecops/comments/1hgphdy/what_is_the_best_static_software_composition/

Semgrep Community Edition: Key Updates and Changes

 Semgrep announced key updates to its open-source tool, now called Semgrep Community Edition. Changes include the renaming to highlight its community focus, a new licensing model for Semgrep-maintained rules that limits their use to non-competing, internal, and non-SaaS contexts, and updates to output formats, with certain fields now reserved for the commercial engine. Additionally, previously experimental features have moved to the paid version. These updates aim to clarify the distinction between Semgrep’s community and commercial offerings. https://semgrep.dev/blog/2024/important-updates-to-semgrep-oss/

Automated Vulnerability Remediation with Amplify Security

 Amplify Security provides an automated tool for quick remediation of software vulnerabilities. It features one-click fixes, seamless integration with version control systems like GitHub and GitLab, and supports compliance with industry standards. The platform streamlines vulnerability management, improving code security, reducing costs, and accelerating development cycles. https://amplify.security/

AI-Driven Security Testing with CI Fuzz

 Code Intelligence provides AI-driven application security testing tools, specializing in fuzz testing for detecting vulnerabilities in C and C++ projects. Their flagship product, CI Fuzz, integrates into development workflows, automating test case generation, achieving high code coverage, and identifying critical issues like memory corruption and buffer overflows. Trusted by companies like Google and Bosch, their solutions support compliance with industry standards and enhance software security. By enabling early vulnerability detection and remediation, Code Intelligence promotes secure and robust software development. https://www.code-intelligence.com/

The Power of Vulnerability in Leadership and Growth

 Jeff Williams discusses the power of vulnerability in fostering growth and trust in personal and professional settings. He argues that embracing vulnerability is a sign of courage and a pathway to innovation, not a weakness. By sharing challenges and uncertainties, individuals and teams can learn, connect, and develop stronger relationships. Williams highlights the importance of leaders modeling vulnerability to create safe and supportive environments, encouraging authenticity and engagement across their organizations. https://www.linkedin.com/pulse/how-vulnerability-jeff-williams/

Veracode Expands Open-Source Security with Phylum Acquisition

 Veracode has acquired Phylum's technology to enhance its ability to detect and block malicious code in open-source software. This move integrates Phylum's automated analysis tools and package management firewall into Veracode's application risk management platform. The acquisition aims to address growing software supply chain threats, projected to cost $138 billion annually by 2031. With this integration, Veracode aims to provide robust, real-time security for open-source dependencies, bolstering its platform and expanding protection against evolving cyber risks. https://securitybrief.co.nz/story/veracode-acquires-phylum-s-tech-to-tackle-software-threats

Cryptographic Governance: Software Supply Chain Security With CBOM - Nicklas Körtge

OWASP SAMM: Interactive Introduction And Update - Seba Deleersnyder & Bart De Win

DEF CON 32 - SQL Injection Isn't Dead Smuggling Queries at the Protocol Level - Paul Gerste

DEF CON 32 - Using EPSS for Better Management Vulnerability Management - Jerry Gamblin

Patchthis.app: Open-Source Platform for Prioritizing CVEs in Patch Management

 Patchthis.app is an open-source platform offering a curated list of Common Vulnerabilities and Exposures (CVEs) to help organizations prioritize patch management. It aggregates data from sources like the CISA Known Exploited Vulnerabilities Catalog, Rapid7 Metasploit Modules, Project Discovery Nuclei Templates, and EPSS. The database, updated hourly, includes over 6,000 CVEs. Users can access this data via an updated CSV file, and the source code is available on GitHub. Patchthis.app aims to support organizations in making informed patch management decisions with reliable vulnerability intelligence. https://patchthis.app/

DEF CON 32 - Your CI CD Pipeline Is Vulnerable, But It's Not Your Fault - Elad Pticha, Oreen Livni

Black Duck Appoints New CIO and CISO to Strengthen IT and Security Strategies

 Black Duck Software has appointed Ishpreet Singh as Chief Information Officer (CIO) and Bruce Jenkins as Chief Information Security Officer (CISO). Singh, previously the global CIO at Qualys, will lead Black Duck's technology strategy, focusing on digital transformation and AI-driven growth. Jenkins, with 25 years of experience in security, will oversee the company's cybersecurity program, covering on-premise products, cloud solutions, IT infrastructure, and supply chain. These appointments aim to strengthen Black Duck's IT and security strategies, aligning with its mission to build trust in software. https://news.blackduck.com/2024-12-19-Black-Duck-Welcomes-New-CIO,-CISO-in-Latest-Executive-Expansion-Moves

SmuggleShield: Browser Extension for Preventing HTML Smuggling Attacks

 SmuggleShield is a browser extension designed to detect and prevent HTML smuggling attacks by identifying common patterns. It is compatible with Chrome and Edge browsers on Mac and Windows. The extension operates offline, ensuring privacy, and supports manual imports/exports of data. It also works in incognito mode with manual activation. Features include URL whitelisting to reduce overhead, maintaining a cache of blocked URLs for up to 10 days, and exporting blocked content logs for review. Version 2.0 is the stable release available for download. https://github.com/RootUp/SmuggleShield

Enhancing DevSecOps with Chaos Engineering for Improved Security Resilience

 Integrating Chaos Engineering into DevSecOps can enhance security by proactively identifying vulnerabilities and improving resilience. Chaos Engineering, traditionally used for reliability, is now applied to security by intentionally introducing failures to uncover weaknesses. Key applications include simulating API failures to test Web Application Firewalls (WAFs), injecting network faults for DDoS testing, and stress-testing CI/CD pipelines. To implement, start small with isolated experiments, minimize the blast radius, monitor system behavior, and continuously iterate. By using Chaos Engineering, organizations can proactively address security vulnerabilities and foster a culture of continuous improvement. https://willbates1.medium.com/augmenting-devsecops-with-chaos-engineering-a-resiliency-revolution-f544b8ad88f0

Streamlined Threat Modeling App for Enhanced Security Focus

 Threat modeling is a process used to identify, communicate, and understand potential threats and mitigations in securing an application. The purpose of this app is to streamline threat modeling sessions by focusing on core functionalities and avoiding distractions like complex tooling or academic jargon. The website operates offline, with all data stored locally on the user's computer, ensuring privacy and control over user data with manual imports and exports. https://dev.guardio.click/

Passkey Technology: Elegant but Not Usable for Everyday Security

 The article "Passkey Technology Is Elegant, but It's Most Definitely Not Usable Security" critiques passkeys, a password alternative aimed at enhancing security. While passkeys are seen as an advancement in preventing cyberattacks like phishing, the article highlights several usability challenges. These include inconsistent user experiences across platforms, complex synchronization across devices, and potential vendor lock-in. The article concludes that despite passkeys' technical promise, their usability issues may make traditional password management more practical for many users. https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/

Deepfakes and Quantum Attacks: Emerging Cyber Threats in APAC by 2025

 The article "Deepfakes, Quantum Attacks Loom Over APAC in 2025" examines emerging cybersecurity threats in the Asia-Pacific (APAC) region, specifically focusing on deepfakes and quantum computing. It highlights how cybercriminals are increasingly using AI tools for sophisticated attacks like AI-generated phishing, malware, and deepfakes. Notable incidents include deepfakes used in political disinformation and a $25 million scam in Hong Kong. The article stresses the importance of businesses adopting AI-driven security measures to protect against these evolving threats. https://www.darkreading.com/cyberattacks-data-breaches/deepfakes-quantum-attacks-apac-2025

Proposed HIPAA Updates Aim to Strengthen Cybersecurity in Healthcare

 The article discusses proposed updates to the HIPAA Security Rule by the U.S. Department of Health and Human Services (HHS), aiming to enhance protection for electronic health information amid rising cyber threats. Key changes include mandating multifactor authentication (MFA) for access to electronic protected health information (ePHI), network segmentation to limit cyberattack spread, encryption of ePHI at rest and in transit, regular risk analysis and audits, and robust incident response planning. These updates are part of a broader strategy to strengthen healthcare cybersecurity, with an estimated cost of $9 billion in the first year. The public comment period begins January 6. https://www.darkreading.com/vulnerabilities-threats/hipaa-security-rules-pull-no-punches

AI Agent Solving Security Challenges in Damn Vulnerable RESTaurant API Game

The GitHub repository AI-Agent-Solving-Security-Challenges features an AI agent designed to solve security challenges in the Damn Vulnerable RESTaurant API Game. Using the CrewAI framework, the agent autonomously identifies and addresses security vulnerabilities in the game. It also generates comprehensive reports to help understand and mitigate potential issues. The setup involves cloning the game repository, launching the game, and running the AI agent. This project demonstrates the potential of AI agents to autonomously identify and resolve security vulnerabilities in cybersecurity environments. https://github.com/theowni/AI-Agent-Solving-Security-Challenges

Invicti Releases Brainstorm: Optimizing Web Fuzzing with Local LLMs

Invicti has released Brainstorm, a tool designed to optimize web fuzzing by integrating local Large Language Models (LLMs) with the fuzzing tool ffuf. Brainstorm enhances the discovery of hidden endpoints, files, and directories in web applications. It generates AI-powered path suggestions based on initial links from a target website, performs targeted fuzzing with ffuf, and iteratively refines suggestions through learned data. This process improves efficiency and accuracy over time. The tool can be installed and run with simple commands, and its performance can be benchmarked using different LLM models. https://www.invicti.com/blog/security-labs/brainstorm-tool-release-optimizing-web-fuzzing-with-local-llms

OpenSSF Package Analysis: Enhancing Open-Source Security Through Behavioral Analysis

 The Open Source Package Analysis project, developed by the Open Source Security Foundation (OpenSSF), enhances open-source security by analyzing packages for malicious behaviors. It monitors repositories for new packages and performs dynamic analysis in a sandbox environment to observe behaviors such as file access and network connections. The results are stored in BigQuery for further inspection. The project tracks changes in packages over time to identify potential threats and provides valuable data to consumers and researchers. Its infrastructure includes components for scheduling analysis, collecting behavior data, and pushing results into BigQuery. https://github.com/ossf/package-analysis

Falling Stars: The Security Risks of Open-Source Package Popularity

 The Checkmarx blog post "Falling Stars" highlights security risks tied to the popularity of open-source packages. Developers often assume widely used packages are secure, but this assumption can be risky. The article discusses "starjacking," where attackers exploit package popularity metrics to make malicious packages appear trustworthy. Research across multiple package repositories, including npm, Maven, and PyPI, shows that while some repositories have security measures to counter starjacking, the issue remains. The post stresses the importance of assessing package security beyond popularity metrics to reduce risks. https://checkmarx.com/blog/falling-stars

Semgrep Enhances Supply Chain Security with Dependency Graph Feature

 Semgrep has introduced the Dependency Graph, a feature to improve visibility into software supply chains. This tool helps Application Security (AppSec) teams identify and address vulnerabilities in both direct and transitive dependencies, even without lockfiles. By visualizing dependency paths, the Dependency Graph simplifies scanning and prioritizes remediation efforts. Key benefits include effortless scanning, clear visual representations of dependency relationships, and a focus on critical transitive dependencies. This development reflects Semgrep's commitment to enhancing software supply chain security with deeper insights and less effort. https://semgrep.dev/blog/2024/less-effort-more-insight-introducing-dependency-graph-for-supply-chain

Reddit's Approach to Self-Hosting Code Scanning for Enhanced Security

Reddit's engineering team created a self-hosted code scanning service to improve security. This service allows the use of any command-line interface (CLI) tool, whether open-source or internal, to scan code across repositories. By integrating this service into their development workflow, Reddit ensures consistent scanning for vulnerabilities, strengthening the overall security of their platform. https://www.reddit.com/r/RedditEng/comments/1hks4f3/how_we_are_self_hosting_code_scanning_at_reddit

Imperva's 2025 Application Security Predictions and Emerging Threats

Imperva's 2025 application security predictions focus on key trends:

- API Vulnerabilities: A rise in API usage increases the attack surface, with more attacks targeting business logic vulnerabilities.
- DevSecOps Adoption: The growing risks associated with APIs will drive the shift toward DevSecOps practices, integrating security from the development stage.
- AI Security Risks: Generative AI introduces new threats, such as prompt injection, which could lead to intellectual property breaches.
- Advanced Hacking Tools: New cyberattack tools could automate and escalate phishing attacks, making them more sophisticated and frequent.

These trends highlight the need for proactive security measures to address evolving threats. https://www.imperva.com/blog/impervas-wildest-2025-appsec-predictions/

Wiz Acquires Dazz to Enhance Risk Remediation and Security Solutions

 Wiz has acquired Dazz, a leader in unified security remediation and application security posture management, for $450 million. This acquisition enhances Wiz's cloud and AI security platform by integrating Dazz's advanced remediation engine. The combined capabilities will allow security teams to correlate data from multiple sources and manage application risks within a unified platform, streamlining remediation processes and improving overall security. This move highlights Wiz's commitment to strengthening its security offerings and providing comprehensive solutions to its customers. https://www.thesoftwarereport.com/wiz-acquires-dazz-to-revolutionize-risk-remediation/

Open-Source Machine Learning Systems Vulnerable to Security Threats

 Open-source machine learning (ML) systems are highly vulnerable to security threats, with 22 flaws identified across 15 projects. Notably, MLflow is particularly susceptible. These vulnerabilities expose systems to unauthorized access, data breaches, and operational compromise. For example, a flaw in Weave (CVE-2024-7340) allows low-privileged users to access sensitive files, including admin API keys. ZenML's access control issues enable attackers to escalate permissions and access confidential data. These findings emphasize the need for robust security protocols to safeguard open-source ML systems. https://www.techradar.com/pro/Open-source-machine-learning-systems-are-highly-vulnerable-to-security-threats

Preparing for the Quantum Era: Securing Data with Post-Quantum Cryptography

 Quantum computing is moving from theory to practice, promising solutions to complex problems but posing risks to current cryptographic systems. Quantum capabilities could enable attackers to decrypt sensitive data, threatening assets like trade secrets. Post-quantum cryptography (PQC) aims to counter this, requiring organizations to plan for integration, assess risks, and update systems. NIST's new PQC standards highlight the urgency of preparation. With quantum breakthroughs expected within 5-15 years, proactive measures are essential to secure digital communications and data in the quantum era. https://www.infosecurity-magazine.com/opinions/quantum-next-big-leap/

Linking CVEs to MITRE ATT&CK: Enhancing Cybersecurity Risk Management

 MITRE's "Mapping ATT&CK to CVE for Impact" project links Common Vulnerabilities and Exposures (CVEs) to MITRE ATT&CK® techniques, helping defenders understand how vulnerabilities can be exploited. This connection enhances risk modeling, prioritization, and the identification of security controls. Integrated into the Mappings Explorer program, the project provides a centralized resource for exploring how security capabilities align with ATT&CK techniques. This initiative bridges gaps between vulnerability management, threat modeling, and mitigating controls, enabling organizations to better assess and address cybersecurity risks. https://ctid.mitre.org/projects/mapping-attck-to-cve-for-impact/

2025 Cybersecurity Focus: Supply Chains and Ethical AI

 Kyndryl forecasts a cybersecurity focus on supply chains in 2025, particularly in Australia, due to recent high-profile attacks. CISOs will reassess supplier relationships, streamline partnerships, and invest in technologies for improved visibility and data integration. Distributed manufacturing may address supply chain integrity issues amid geopolitical conflicts. Blockchain, including NFTs, could see renewed use for authentication to counter deepfakes and insider threats. Vendor consolidation is expected to reduce tool redundancy, while regulatory demands may lead to the creation of "Ethical AI" departments to ensure compliance and mitigate risks. https://securitybrief.co.nz/story/kyndryl-forecasts-2025-cybersecurity-focus-on-supply-chains