GitHub is announcing updates to its security offerings to help development teams tackle their security risk. Now generally available, security campaigns are a new way to bring security teams and development teams together. Security teams can prioritize the risks that need to be addressed across repositories and add them to a security campaign, which is …
Sonatype, a company focused on software supply chain security, has announced the results of its quarterly Open Source Malware Index, which provides insights into malicious open source packages. The index found 17,954 malicious open source software packages, including several hijacked npm crypto packages, a malicious npm package disguised as the Truffle for VS Code extension, …
GitHub announced it is making some changes to GitHub Advanced Security (GHAS), its AI-powered solution for application security that offers remediation, static analysis, secret scanning, and software composition analysis. Beginning April 1, GHAS will be split into two products that will be available as standalone options. GitHub Secret Protection prevents secret leaks by scanning secrets …
Symbiotic Security has announced updates to its application and IDE extension, which provides secure coding recommendations and fixes vulnerabilities as code is written. “With Symbiotic’s software, security is no longer an afterthought; it is where it should have always been – integrated into the software development lifecycle (SDLC) as a foundational part of the coding …
For years developers have been told to shift left, meaning that testing happens at the start of the software development process. The idea behind this is that it’s easier and more cost effective to find and fix an issue earlier on in an application’s life cycle. However, Dylan Thomas, senior director of product engineering at …
Integrations are nonnegotiable for SaaS companies. The average business’s SaaS portfolio encompasses 342 apps. Without integrations, these apps become data silos, and we all know the challenges with those. Customers expect seamless connectivity. According to G2, B2B software buyers consider integration capabilities a top factor in their decisions. Another survey found more than half of …
CISA, the government agency tasked with securing the U.S.’ cyber and physical infrastructure, has released new Information Technology (IT) Sector-Specific Goals (SSGs). According to the organization, the IT SSGs complement Cross-Sector Cybersecurity Performance Goals (CPGs) and offer “additional voluntary practices with high-impact security actions.” Organizations can use them to improve the security of their software …
Companies are planning to invest more heavily in AI skills and security governance, risk, and compliance initiatives this upcoming year, according to new research from O’Reilly. The company’s Technology Trends for 2025 report analyzed data from 2.8 million users on its learning platform. The research shows significant increases in interest in various AI skills, including …
Attackers are increasingly targeting open source projects, seeking to exploit holes in software that millions of organizations rely on as the foundation of their technology stacks. The staggering 280% year-over-year increase in software supply chain attacks in 2023 serves as a stark warning: open source projects and their leadership must elevate security to their highest …
The number of security challenges companies are facing continues to grow, but organizations are beginning to display signs of “AppSec exhaustion,” or decreased engagement in security practices. This is according to Snyk’s new State of Open Source report, which found that dependency tracking and code ship frequency have remained largely unchanged since last year. There …
MITRE recently released its yearly list of the 2024 CWE Top 25 Most Dangerous Software Weaknesses. This list differs from lists that contain the most common vulnerabilities, as it is not a list of vulnerabilities, but rather weaknesses in system design that can be exploited to leverage vulnerabilities. “By definition, code injection is an attack, …
While one might anticipate that the more complex an application is, the more likely it is to have security vulnerabilities, a recent analysis from Black Duck found the opposite to be true. Its 2024 Software Vulnerability Snapshot report analyzed data from 200,000 dynamic application security testing scans for 1,300 applications across 19 different industry sectors. …