Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

We continue our series of DevOps incidents and failures. This time, we stopped our view on GitLab. What incidents made this secure service provider appear in Tech media in 2023? Well, let’s jump at the topic and see what vulnerability flaws and threat incidents GitLab had to deal with to help its users protect their data.

Ivanti released a patch for a critical vulnerability discovered in Ivanti Endpoint Manager (EPM) that could allow for remote code execution (RCE). This vulnerability is being tracked as CVE-2023-39336 with a CVSS score of 9.6 (Critical), which is not yet actively exploited. All versions of Ivanti EPM prior to Service Update 5 are impacted. Ivanti credits security researcher hir0t for the responsible disclosure.

On January 4, 2024, Ivanti published a security advisory regarding a SQL injection vulnerability in their Endpoint Manager (EPM) solution, CVE-2023-39336. The vulnerability was rated with a CVSS of 9.6, as an attacker with access to the internal network can exploit this vulnerability to execute arbitrary SQL queries without authentication.

“Not another AI tool!” Yes, we hear you. Nevertheless, AI is here to stay and generative AI coding tools, in particular, are causing a headache for security leaders. We discussed why recently in our Why you need a security companion for AI-generated code post. Purchasing a new security tool to secure generative AI code is a weighty consideration. It needs to serve both the needs of your security team and those of your developers, and it needs to have a roadmap to avoid obsolescence.

Kyocera’s Device Manager is a web-based application that allows network administrators to monitor and manage large fleets of Kyocera printers and multi-function devices. It provides a dedicated server and a unified interface to discover, organize, and manage devices, install applications, program alerts, schedule reports, and more. The latest versions of Kyocera’s Device Manager support installation on Windows Server 2012/2016/2019/2022 and Windows 10 and 11.

JavaScript is the most commonly-used programing language, according to the most recent StackOverflow developer survey. While JavaScript offers great flexibility and ease of use, it also introduces security risks that can be exploited by attackers. In this blog, we will explore vulnerabilities in JavaScript, best practices to secure your code, and tools to prevent attacks.

In this guide, we'll dive into the powerful combination of Platformatic and Fastify, unlocking rapid backend development with an emphasis on robustness and security. Whether you're a seasoned Node.js developer or just starting out, this article is a helpful start to enhancing your familiarity with Node.js PaaS environments such as Platformatic.

Apache Log4j 2, a Java-based logging library, was affected by a zero-day vulnerability on December 9, 2021. The vulnerability, known as Log4Shell and identified by the National Institute of Standards and Technology (NIST) as CVE-2021-44228, allows cybercriminals to take control of vulnerable systems and servers. Many web applications, open-source cloud platforms, and service providers utilize Log4j.

Vulnerability management is a critical aspect of vendor risk management (VRM). Organizations prioritizing third-party vulnerability management can mitigate third-party risk, ensure regulatory compliance, protect sensitive data, and maintain business continuity.

This is not a beginner’s blog post. As such, we will not tell you about the importance of securing your Kubernetes infrastructure (it’s important). However, if you are here to learn about increasing the efficiency of your security work and the blind spots you may have, you have come to the right place. You may have heard of and are already using CVSS as your gold standard for vulnerability prioritization.