%term

PyPi Malware Stealing Discord and Roblox Payment Info

Nov 16, 2022 By Snyk In Snyk

In this livestream we dive into the latest set of malicious packages discovered by the Snyk security research team. We are joined by senior security researcher at Snyk Raul Onitza-Klugman as we also discuss how these findings came to be, what they mean for open source security, and some hypotheses about the future of supply chain security. Didn't catch the live stream? Ask all of your Snyk questions and we’ll do our very best to answer them in the comment section.

View Video

Snyk

Read more about PyPi Malware Stealing Discord and Roblox Payment Info

Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Nov 16, 2022 By Snyk In Snyk

Building JavaScript applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome - you're a cloud native application developer! As developers, our responsibility has broadened, and more software means more software security concerns for us to address.

View Video

Snyk

Read more about Stranger Danger: Your JavaScript Attack Surface Just Got Bigger

Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

Nov 15, 2022 By Shachar Menashe In JFrog

Similarly to our previous research on “Secrets Detection,” during the development and testing of JFrog Xray’s new “Contextual Analysis” feature, we wanted to test our detection in a large-scale real-world use case, both for eliminating bugs and testing the real-world viability of our current solution.

Read Post

JFrog

Read more about Turns out 78% of reported CVEs on top DockerHub images are not really exploitable

5 best practices for building modern access control for cloud applications

Nov 15, 2022 By Brian Clark In Snyk

Recently, I met with Or Weis — a Snyk Ambassador — to discuss access control in the cloud. Or is an entrepreneur, based in Tel Aviv, where he founded Permit.io, a solution that empowers developers to bake in permissions and access control into any product in minutes and takes away the pain of constantly rebuilding them.

Read Post

Snyk

Read more about 5 best practices for building modern access control for cloud applications

4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant

Nov 15, 2022 By Jim Jastrzebski In Veracode

You didn’t change anything in your code, yet the scan is different this time. Here’s advice from an Application Security Consultant on why that may be. Have you ever wondered why you scan code one day and get one result, and then scan the same code a month later and get different results – even though you never changed anything?

Read Post

Veracode

Read more about 4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant

Stories from the SOC: Fortinet authentication bypass observed in the wild

Nov 14, 2022 By Amer Amer In AT&T Cybersecurity

Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, has put a big target on the backs of unpatched and exposed Fortinet devices.

Read Post

AT&T Cybersecurity

Read more about Stories from the SOC: Fortinet authentication bypass observed in the wild

SREs bring O.R.D.E.R(R) to C.H.A.O.S - Snyk Ambassadors Show

Nov 14, 2022 By Snyk In Snyk

Join Snyk ambassador Keith McDuffee as he discusses with Brian Clark the role of SREs, their responsibilities and the challenges they face and what are the things keeping SREs on their toes and restless at night?

View Video

Snyk

Read more about SREs bring O.R.D.E.R(R) to C.H.A.O.S - Snyk Ambassadors Show

Cloud security fundamentals part 5: measure what matters

Nov 11, 2022 By Drew Wright In Snyk

Many security engineers have woken up to dozens of Slack messages and emails telling them the day they dreaded is here: a vulnerability has been deployed, and now it must be fixed. Meetings and plans are abandoned while security engineers rush to fix the problem. It’s often a process failure that has led to the now-urgent issue. And these emergency issues can appear across a spectrum that includes all types of remediation efforts.

Read Post

Snyk

Read more about Cloud security fundamentals part 5: measure what matters

Three Critical Vulnerabilities Impacting VMware Workspace ONE Assist Server CVE-2022-31685, CVE-2022-31686 and CVE-2022-31687

Nov 10, 2022 By Steven Campbell In Arctic Wolf

On Tuesday, November 8, 2022, VMware disclosed three critical-severity vulnerabilities impacting VMware Workspace ONE Assist Server versions 21.x and 22.x. If successfully exploited, the reported vulnerabilities could lead to a threat actor obtaining administrative access to the application without the need to authenticate.

Read Post

Arctic Wolf

Read more about Three Critical Vulnerabilities Impacting VMware Workspace ONE Assist Server CVE-2022-31685, CVE-2022-31686 and CVE-2022-31687

Using Sysdig Secure to Detect and Prioritize Mitigation of CVE 2022-3602 & CVE 2022-3786: OpenSSL 3.0.7

Nov 10, 2022 By Daniella Pontes In Sysdig

The awaited OpenSSL 3.0.7 patch was released on Nov. 1. The OpenSSL Project team announced two HIGH severity vulnerabilities (CVE-2022-3602, CVE-2022-3786), which affect all OpenSSL v3 versions up to 3.0.6. These vulnerabilities are remediated in version 3.0.7, which was released Nov. 1. The vulnerabilities fixed include two stack-based buffer overflows in the name constraint checking portion of X.509 certificate verification.

Read Post