Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Building a Culture of Secure Coding: Empowering Developers to Build Resilient Software

Speed and innovation rule in software development, which makes it easy to overlook one crucial aspect: security. As a Staff Solutions Engineer at Snyk, I’ve seen firsthand how a single overlooked vulnerability can spiral into a crisis, affecting businesses, customers, and trust. Secure coding isn’t just about writing better code—it’s about protecting what matters, which includes the credibility and reputation of individuals, teams, and the business.

Reconstructing the TJ Actions Changed Files GitHub Actions Compromise

On the afternoon of Friday, March 14, 2025, details began to emerge about a serious security exploit affecting a popular GitHub Action called changed files (tj-actions/changed-files). About 23,000 GitHub repos use this Action as part of their CI and DevOps workflows. It allows you to track which files have changed across branches and commits. An attacker with write privileges on the Action repo made a commit that caused encrypted secrets to appear in plaintext in the GitHub Action logs.

Responding and remediating: Best practices for handling security alerts

As organizations continue to evolve their DevSecOps programs by adopting comprehensive testing and monitoring, the next step is to take action on the insights uncovered. This means remediating security issues as early as possible and responding to security alerts and incidents in a timely manner. However, many security and development teams find that triaging the findings of every tool and managing remediation efforts is time-consuming and costly.

AI Risk Management: Benefits, Challenges, and Best Practices

Managing the risks of AI development tools is crucial for organizations looking to responsibly and effectively leverage this technology’s potential. AI offers transformative capabilities, particularly in coding assistance, where tools can speed up development and reduce manual workloads. However, these benefits can come with risks, such as security vulnerabilities and compliance challenges, that cannot be overlooked.

Snyk and ServiceNow: Streamlining Vulnerability Management with ServiceNow VR Assignment Rules

Snyk is committed to our partnership with ServiceNow, and together, we're revolutionizing how organizations manage application vulnerabilities and risk. Snyk's market-leading developer security platform and ServiceNow's robust Security Operations (SecOps) capabilities offer a powerful solution for application security teams and enterprise CISOs.

DevSecOps Automation Framework

Security is often seen as a roadblock in development, slowing releases and adding friction between teams. However, as software development cycles become faster and more complex, security must evolve from a blocker to an innovation driver. DevSecOps ensures security is a core part of the development workflow, and automation plays a crucial role in making this integration smooth and effective.

AI Code Generation: Code Security & Quality, Benefits, Risks & Top Tools

AI code generation is exactly what it sounds like — using artificial intelligence to write and improve code. Tools powered by large language models (LLMs) and specialized AI systems can help developers generate boilerplate code, fix bugs, and even refactor entire sections of an application. And developers are leaning in. According to a GitHub survey, 92% of developers have already used AI coding tools at work or on personal projects.

Learn about API security risks with the new Snyk Learn Learning Path

Snyk Learn, our developer security education platform, now includes lessons on API security! Check out the new learning path that covers the OWASP Top 10 for API security risks. APIs power the modern web, connecting applications and services in ways that drive innovation and efficiency. However, with this interconnectivity comes significant security risks.