Posts

Showing posts from March, 2025

Legit Security Enhances ASPM with Risk-Based Vulnerability Assessment

Legit Security has upgraded its application security posture management (ASPM) platform with a risk-based vulnerability assessment feature. This new feature helps DevSecOps teams prioritize vulnerabilities based on their actual risk, rather than just severity scores. By using AI and machine learning, the platform analyzes security risks in code repositories, APIs, and documentation, providing critical context for effective remediation. It also generates a continuous software bill of materials to support ongoing security management. https://www.scworld.com/brief/legit-security-enhances-aspm-with-risk-based-vulnerability-assessment

ArmorCode Integrates with ServiceNow to Enhance Vulnerability Management

ArmorCode has launched two new apps in the ServiceNow Store, enhancing vulnerability management by integrating AI-powered data correlation and remediation. The integration aggregates vulnerability data from over 260 tools into a single actionable item in ServiceNow's Vulnerability Response modules. This improves prioritization, automates deduplication, and accelerates remediation. ArmorCode's AI-driven insights help security teams reduce manual effort and focus on the most critical issues. https://www.businesswire.com/news/home/20250303468135/en/ArmorCode-Announces-ServiceNow-Vulnerability-Response-Integration-and-Apps-Now-Available-in-Store

Securing Containers Across the Software Supply Chain with Microsoft Defender for Cloud

Microsoft Defender for Cloud has introduced new security features for containers across the software development lifecycle (SDLC). These include a CLI tool for image scanning during the build and development phases, third-party registry vulnerability assessments (for registries like Docker Hub and JFrog Artifactory), and an AKS security dashboard for Kubernetes clusters. These advancements help developers detect vulnerabilities early, ensure compliance, and integrate security within DevSecOps processes. https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/secure-containers-software-supply-chain-across-the-sdlc/4384925

GitLab Patches Critical Security Vulnerabilities

GitLab has addressed five security vulnerabilities in its Community and Enterprise Editions, with patches released for versions 17.7.6, 17.8.4, and 17.9.1. Two high-severity issues allow attackers to execute malicious code through XSS attacks, while other vulnerabilities could expose unauthorized data. The vulnerabilities were reported via GitLab's bug bounty program. Admins are advised to update their instances promptly. GitLab.com has already been patched, so GitLab Dedicated customers do not need to take further action. https://www.heise.de/en/news/Security-vulnerabilities-in-Gitlab-reported-via-bug-bounty-program-closed-10300345.html

Cryptosoft Secures Investment to Expand Software Supply Chain Security Services

Cryptosoft Inc., a provider of software supply chain managed services for dependency management and vulnerability tracking, has announced securing an investment to expand its services. This funding aims to enhance Cryptosoft's capabilities in managing software dependencies and tracking vulnerabilities, addressing critical challenges in software supply chain security. The investment underscores the growing importance of securing software supply chains and the role of managed services in mitigating associated risks. https://www.prweb.com/releases/cryptosoft-inc-secures-investment-to-expand-software-supply-chain-security-service-302387471.html

RSAC 2025: Shaping the Future of Security

The RSA Conference (RSAC) 2025 is scheduled for April 28 to May 1, 2025, at the Moscone Center in San Francisco. The event will focus on key topics such as analytics and intelligence, cloud security, fraud prevention, and incident management. Vasu Jakkal, Microsoft's Corporate Vice President of Security, will deliver a keynote on "Security in the Age of Agentic AI." Other Microsoft executives, including Aanchal Gupta, Angelica Faber, Ann Johnson, Kelly Bissell, and Sherrod DeGrippo, will also participate. Additionally, partners like Akamai, EY, Huntress, MongoDB, and Schneider Electric will be present. Attendees can engage in networking sessions, interactive activities like an exhibition 'bar crawl', learning labs, and hands-on experiences in the sandbox area, featuring activities such as capture the flag and an escape room. https://www.technologyrecord.com/article/rsac-2025-shaping-the-future-of-security

Google Calls for Industry-Wide Memory Safety Standards

Google has called for industry-wide memory safety standards to enhance software security. The company emphasizes the importance of adopting secure coding practices and standards to prevent vulnerabilities that could be exploited by attackers. By collaborating on unified guidelines, the tech industry aims to improve the overall security posture of software applications. https://www.techspot.com/news/107006-google-calls-industry-wide-memory-safety-standards-enhance.html

Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320


Disclosing a Command Injection Vulnerability in git-checkout-tool

The article discloses a command injection vulnerability in the git-checkout-tool npm package, which allows attackers to execute arbitrary commands by manipulating branch names. The vulnerability arises from unsanitized user input passed to the exec() function in Node.js. A proof-of-concept exploit is demonstrated, affecting all versions up to 1.0.6. The post emphasizes the risks of insecure CLI tools and the importance of secure-by-design software. https://www.nodejs-security.com/blog/disclosing-a-command-injection-vulnerability-in-git-checkout-tool/

Understanding JS Trusted Types Violations and Their Mitigation

The article "A Deep Dive into JS Trusted Types Violations" explores the technical process of identifying and addressing Trusted Types (TT) violations during the implementation in Gmail and AppSheet. Trusted Types is a web security mechanism designed to prevent cross-site scripting (XSS) attacks by enforcing safe handling of dynamic content in JavaScript. The article details the challenges faced, methodologies employed, and lessons learned in enforcing Trusted Types within these complex applications, providing insights into enhancing web application security. https://bughunters.google.com/blog/5850786553528320/a-deep-dive-into-js-trusted-types-violations

Standardizing Memory Safety: A Call for Industry Action

The article advocates for standardizing memory safety principles to address long-standing security vulnerabilities in software. It argues that despite advancements in memory-safe technologies, the lack of a shared framework hinders adoption. The authors call for clear terminology and industry-wide standards to promote secure software development and reduce market failures. They emphasize the need for government and industry collaboration to implement effective policies and best practices. https://cacm.acm.org/opinion/it-is-time-to-standardize-principles-and-practices-for-software-memory-safety/

Assessing Forgivable vs. Unforgivable Software Vulnerabilities

The NCSC report presents a method for distinguishing between forgivable and unforgivable vulnerabilities in software systems. It provides a structured approach to assessing vulnerabilities based on factors like intent, impact, and mitigation feasibility. This framework helps organizations prioritize security flaws, focusing on critical weaknesses that pose significant risks. The methodology supports informed decision-making for software developers, security teams, and policymakers. https://www.ncsc.gov.uk/report/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities

Google Cloud KMS Introduces Quantum-Safe Signatures

Google Cloud has introduced quantum-safe digital signatures in Cloud Key Management Service (KMS) to protect against future quantum computing threats. The feature, currently in preview, aligns with NIST's post-quantum cryptography standards and supports secure key management, encryption, and digital signatures. Google is also working with Hardware Security Module vendors to expand support. The goal is to mitigate the "Harvest Now, Decrypt Later" risk, where attackers store encrypted data now to decrypt it later with advanced quantum computing. https://thehackernews.com/2025/02/google-cloud-kms-adds-quantum-safe.html

Enhancing CVSS Scores with Temporal & Threat Metrics

The project "cvss-bt" enriches the National Vulnerability Database's (NVD) CVSS (Common Vulnerability Scoring System) scores by including temporal and threat metrics. It focuses on improving vulnerability prioritization by considering Exploit Code Maturity/Exploitability, a temporal metric that indicates the level of exploit development for vulnerabilities. This enhancement helps in better assessing the urgency and severity of vulnerabilities based on real-world exploit activity. https://github.com/t0sche/cvss-bt

Overview of the OWASP Threat and Safeguard Matrix

The OWASP Threat and Safeguard Matrix (TaSM) is a framework designed to help organizations align their cybersecurity strategies with business goals. It overlays major threats with the NIST Cybersecurity Framework's five core functions—Identify, Protect, Detect, Respond, and Recover. The matrix assists in identifying and implementing appropriate safeguards tailored to specific threats, thereby enhancing an organization's overall security posture. https://owasp.org/www-project-threat-and-safeguard-matrix

Common OAuth Vulnerabilities and Best Practices

The article covers common vulnerabilities in OAuth2, emphasizing how misconfigurations and insufficient understanding of the protocol's complexities can lead to security flaws. It highlights different OAuth flows, including Implicit, Authorization Code, and Client Credentials Flows, along with attacks like token interception. The piece provides recommendations for secure implementations, including OAuth 2.1's updated practices and a comprehensive checklist for developers and testers. https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

Common JWT Security Mistakes and How to Avoid Them

The article "Hardcoded Secrets, Unverified Tokens, and Other Common JWT Mistakes" from Semgrep highlights common security issues with JSON Web Tokens (JWTs). Key mistakes include hardcoding secret keys in code, using the insecure 'none' algorithm, and decoding tokens without verifying their authenticity. To avoid these pitfalls, developers should securely manage secrets, use secure algorithms like 'HS256', and always verify tokens before processing them. These practices help enhance security and prevent JWT-related vulnerabilities. https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes

AWS Config Rules Repository for Custom Compliance Checks

The AWS Config Rules repository by AWS Labs provides a collection of sample custom rules for AWS Config, written in Node.js, Python, and Java. These rules help users evaluate the compliance of AWS resources by defining desired configurations and monitoring deviations. The repository includes guidance for developing custom rules and related tools like the AWS Config Rules Development Kit (RDK) and Config Rules Engine to support large-scale rule management. https://github.com/awslabs/aws-config-rules

Google's Multi-Layered Approach to Cloud Security

Google secures its cloud environment using a "defense in depth" strategy, ensuring multiple layers of security to prevent single points of failure. Strict access controls limit personnel access to production services, only allowing entry for legitimate business purposes. The company also emphasizes software supply chain security and enforces strong authentication and authorization for inter-service communications. By integrating service identity, integrity, and isolation mechanisms, Google maintains a secure infrastructure for both internal operations and cloud users. https://cloud.google.com/transform/how-google-does-it-secure-our-own-cloud

OAuth Attacks on M365: Six Months of Hidden Threats

In the article "Never Just One Termite: Six Months of Researching OAuth Application Attacks," published on February 11, 2025, Matt Kiely of Huntress details an extensive investigation into malicious OAuth applications targeting Microsoft 365 (M365) environments. Over a six-month period, Huntress discovered that a significant number of M365 tenants had unauthorized or malicious OAuth applications integrated into their systems. These applications, once granted permissions, could access and manipulate user data without detection, posing substantial security risks. The research emphasizes the importance for administrators of M365 tenants to conduct immediate audits of their OAuth applications. Given the prevalence of these malicious integrations, proactive measures are essential to identify and remove unauthorized applications, thereby safeguarding organizational data and maintaining overall security. https://www.huntress.com/blog/never-just-one-termite-6-months-of-researching...

Concerns Over NVD's Future Amid Processing Slowdowns

In the article "Death Knell of the NVD?" published on March 11, 2024, Chris Hughes examines recent concerns surrounding the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD). The NVD serves as a critical repository for standardized vulnerability management data, widely utilized across the cybersecurity industry. Around February 15, 2024, the NVD announced a transition to a consortium-based approach for vulnerability analysis. This shift raised industry concerns regarding potential delays and the transparency of the analysis process. Data from researchers like Jay Jacobs and Jerry Gamblin indicated a significant increase in vulnerabilities awaiting analysis post-announcement, suggesting a slowdown in the NVD's processing capabilities. The article underscores the NVD's foundational role in the software and vulnerability management ecosystem. Any disruptions or delays in its operations could have widespread implications f...