The post Universal CNAPP Traceability Now Possible with Cycode’s Complete ASPM and ConnectorX appeared first on Cycode Read More

The post What Is Software Composition Analysis (SCA)? appeared first on Cycode Read More

The post Introducing Cycode’s SCA Reachability Analysis appeared first on Cycode Read More

The post Sisense Breach: Using Secrets Scanning to Strengthen Your Defenses appeared first on Cycode Read More

The post Cracking the Code: A Comprehensive Guide to Secrets Detection appeared first on Cycode Read More

The post ASPM as a Force Multiplier in Secure Business Resilience: A CISO’s Perspective appeared first on Cycode Read More

The post Enhancing Security Prioritization with Cycode’s Advanced Risk Scoring appeared first on Cycode Read More

The post XZ Backdoor Software Supply Chain Attack: Strengthening Our Defenses appeared first on Cycode Read More

The post What Is Static Application Security Testing (SAST)? appeared first on Cycode Read More

The post Cycode + Wiz: Bringing Cloud Security into Your Complete ASPM via ConnectorX appeared first on Cycode Read More

The post Introducing Cycode’s New Security Tools for Developers and AppSec Teams appeared first on Cycode Read More

The post How CISOs and CEOs Can Build a Cyber Resilient Org with a Complete ASPM appeared first on Cycode Read More

The post Cycode Acquires Bearer to Deliver AI-Powered SAST and API Discovery to Its Complete ASPM appeared first on Cycode Read More

The post Key Insights from the Industry’s First Ever ASPM Nation Event appeared first on Cycode Read More

The post Top Source Code Leaks, 2020-2024 appeared first on Cycode Read More

The post Building Secure CI/CD Pipelines: Key Strategies from NIST SP 800-204D appeared first on Cycode Read More

Cycode is excited to announce the launch of new GenAI capabilities in our Risk Intelligence Graph (RIG). This brings the power of natural language query to the deep insights delivered by Cyc… Read More

Cycode recognized as a Sample Vendor for Software Supply Chain Security in the 2024 Gartner® Emerging Tech Impact Radar: Cloud-Native Platforms report. Cycode, the leading application se… Read More

Roses are red, violets are blue, and if you’re into cybersecurity, ASPM Nation is for you! Picture this: a virtual gathering of cybersecurity aficionados, all geared up to delve into t… Read More

Just think about your own personal finances. Understanding your credit score involves knowing what debts you owe, how timely you are with payments, and how your financial decisions affect yo… Read More

Intro to Application Security Posture Management (ASPM) Given the pace of digital transformation and the complexity of modern applications, the way developers build and deliver software has… Read More

Executive Summary The Cycode Research Team discovered a software supply chain vulnerability in one of Google’s open source flagship products, Bazel.We found that a GitHub Actions workf… Read More

CI/CD Pipeline Security Given the demand for rapid innovation and the adoption of agile methodologies, Continuous Integration/Continuous Deployment (CI/CD) pipelines have become the foundati… Read More

We live in a world filled with constant notifications. From medical devices to severe weather warnings on your phone to your car’s lane departure warning systems, automated alerts play… Read More

The typical global enterprise has over 12,000 web-based applications, including APIs, SaaS applications, servers, and databases. While these applications play a vital role in driving efficie… Read More

In the last several years, software supply chain security has become a critical focus for organizations worldwide.  While the SolarWinds software supply chain attack in 2020 and the Kas… Read More

In today’s hyper-connected world, secure software development is no longer an option, it’s a necessity. Yet achieving true security demands more than just guidelines and good int… Read More

On December 14, 2023, the crypto community held its breath as news of a critical compromise involving the Ledger Connect Kit, a vital software component connecting hardware wallets to dApps… Read More

In the ever-evolving landscape of software development, it’s become absolutely paramount to ensure robust security measures throughout the Software Development Lifecycle (SDLC). Need p… Read More

Cycode is excited to announce the release of our State of ASPM 2024 report, the first ever report to analyze the state of application security and Application Security Posture Management (AS… Read More

Like many other industries, Healthcare has undergone significant digital transformation over the past decade. From the passage of the Health Information Technology for Economic and Clinical… Read More

Thanksgiving is the perfect time of year to reflect on all the things we are truly grateful for. Here at Cycode, we try to practice gratitude every day. As we reflect what we are most thankf… Read More

Organizations are looking for effective ways to protect both their applications and cloud-based assets. With malicious actors becoming more advanced in their methods and the number of assets… Read More

There’s no surprise that in today’s lightning fast paced development environment, speed, and efficiency are non-negotiable. Developers bear the weighty responsibility of deliveri… Read More

Bulk Remediation Cycode Software Composition Analysis (SCA) now includes bulk remediation. This new feature allows users to efficiently address multiple vulnerabilities across different repo… Read More

What Is Application Security Posture Management (ASPM)? Application Security Posture Management (ASPM) is an AppSec platform that continuously assesses, manages, and enhances the security of… Read More

Cycode is proud to announce the public release of Raven, our cutting-edge CI/CD Pipeline Security Scanner. Launching with GitHub Actions as its first use case. Raven, which stands for Risk A… Read More

For security professionals, choosing the right approach to application security testing is crucial. This blog post navigates the differences between two popular methodologies: Software Compo… Read More

Today, digital transformation is mainstream, and every company is a software company. Application Security (AppSec) teams are responsible for the practices and measures needed to protect sof… Read More

CISA initially set a deadline of June 11, 2023 for critical* software and September 13, 2023 for non-critical** software to comply with the Secure Software Development Framework (SSDF). Both… Read More

In the dynamic realm of software development, the concept of “Shift Left” has evolved from a mere buzzword to a necessity. It emphasizes the idea of integrating security measures… Read More

Exposed credentials are one of the most abused methods for gaining initial access. Breaches such as the Zendesk breach have been started by employees’ compromised credentials. GitHub s… Read More

Many organizations use CI/CD pipelines to enforce development or security policies. For example, a pipeline may check whether any vulnerable dependencies are included in the build. These pip… Read More

Financial service companies, often referred to as “finservs,” are prime targets for cybercriminals due to their central role in the global economy and the sensitive data they man… Read More

Hardcoded secrets have been the gateway into – and the target of – several high-profile security breaches in recent years. According to IBM’s Cost of a Data Breach Report 2… Read More

With the rise of cloud-native software and the more recent explosion in the use of generative AI, the importance of secure development best practices cannot be overlooked. This is underlined… Read More

In the dynamic landscape of cloud infrastructure and its security, organizations must stay one step ahead of vulnerabilities. That’s why we’re pleased to announce an addition to… Read More

We’re happy to share that we’ve expanded our CI/CD security value proposition for Azure DevOps users with Azure Pipelines support! This new expansion allows organizations to scan… Read More

On July 26th, Cycode hosted a webinar to discuss the burgeoning use of AI and Large Language Models (LLMs) in generating code. We explored the intersection of innovation and risk, focusing o… Read More

What is SBOM? What does it have to do with the Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028)? Is my software supply chain compliant? How do I make sur… Read More

In a recent cybersecurity incident, North Korean hackers targeted JumpCloud, an enterprise software company. Mandiant, CrowdStrike and SentinelOne attributed the breach to North Korea’… Read More

This is the full story of the vulnerability we have discovered within Visual Studio Code (VS Code) concerning the handling of secure token storage. While designed for isolated storage for ea… Read More

We are excited to announce the release of a powerful tool designed to help companies achieve SLSA (Supply Chain Levels for Software Artifacts) compliance in Azure Pipelines CI/CD systems. Wi… Read More

In the world of DevOps and cybersecurity, secrets like API keys, tokens, or passwords maintain the functionality and security of your applications. However, managing these secrets can pose a… Read More

Gerrit is a well-regarded, free code collaboration tool, primarily used for team code review. Its excellent integration with Git, a distributed version control system, supports a wide range… Read More

Continuous Integration and Continuous Deployment (CI/CD) environments are integral to the modern software development lifecycle. While pivotal in ensuring a streamlined and efficient develop… Read More

We are excited to announce the release of Cimon, a revolutionary tool designed to secure your CI/CD pipelines through a runtime security agent. And the best part? Cimon is now available as a… Read More

Cycode is excited to announce the immediate availability of our new Software Bill of Materials (SBOM) feature. Cycode SBOM is a complementary technology to our Next-Gen Software Composition… Read More

It’s undeniable that machine learning, particularly Language Learning Models (LLMs), has paved the way for groundbreaking advancements in many fields, including code generation. Howeve… Read More

GitLab, a popular web-based Git repository management tool, has recently patched a critical vulnerability that allows attackers to attach malicious runners to any project on the instance. Th… Read More

The OpenSSF recently made a big announcement with the release of SLSA (Supply-chain Levels for Software Artifacts) version 1.0. This framework was developed by community experts and provides… Read More

As the demand for faster and more efficient application deployment grows, the use of pipelines in the CI/CD process has become increasingly common. Pipelines enable the automation of testing… Read More

Organizations are struggling to manage and secure their development infrastructure. The number of development tools in modern software delivery pipelines has exploded. These tools are often… Read More

Organizations are struggling to manage and secure their development infrastructure. The number of development tools in modern software delivery pipelines has exploded. These tools are often… Read More

When considering open source risk, you immediately think of vulnerabilities that have led to high-profile breaches like Equifax’s. Though open source license violations grab fewer head… Read More

We’re excited to announce a new feature in Cycode that enhances the security of AWS S3 storage. Our S3 scanning feature scans the contents of files stored in AWS S3 buckets for potenti… Read More

As part of our ongoing research in the open-source ecosystem, Cycode Labs has found and disclosed a novel attack that could have led to the compromise of every user of the Microsoft 365 suit… Read More

At Cycode, we always strive to make your application security workflows more efficient and effective. We’re excited to announce two new capabilities in our JIRA integration: status vis… Read More

The National Telecommunications and Information Administration (NTIA), under the guidance of the US Department of Commerce, recently released a white paper outlining the minimum requirements… Read More

Even though Software Bills of Materials (SBOMs) have been around for about 10 years, they have recently gained a lot of buzz in the software industry. This blog explores why everyone is sudd… Read More

In the fast-paced world of software development, organizations are under constant pressure to deliver new features and updates quickly and efficiently. One of the key tools in this effort is… Read More

TL;DR Cycode extends its platform to scan Azure Container Registry images for secrets and vulnerabilities. Securing Docker Images Docker images have become the cornerstone of modern applica… Read More

While many developers understand the risks associated with hardcoding credentials into code, when it comes to containers, understanding that risk is the exception, not the rule. As a result… Read More

TL;DR Cycode Labs discovered a vulnerability in Github’s API in which GitHub Actions workflows could be created without the necessary “workflow” scope authorization. This w… Read More

The “SaaS explosion” of our era has multiplied the risk of “Secrets sprawl”. Companies are using an unprecedented amount of cloud software applications, resulting in… Read More

On January 4th, 2023, CircleCI reported a data breach that affected some of their customers (for more information on that please see our previous blog post). In an effort to ensure transpare… Read More

Hardcoded secrets in your code are a security risk. If these secrets are accidentally made public, malicious actors could exploit them and gain unauthorized access to your system. In this bl… Read More

CircleCI was breached. If you are using this tool: Immediately rotate all stored secrets and environment variables in CircleCI. These secrets are the holy grail for attackers targeting CI sy… Read More

Securing open-source projects is hard. Securing CI workflows for open-source projects is no less complex. The CI workflows of open-source projects are by definition exposed to the world and… Read More

Software supply chain attacks have been on the rise over the past several years. We see evidence of this daily with more and more headlines proclaiming SolarWinds-style attacks. In fact, Gar… Read More

StoryBook is an extremely popular open-source frontend framework that allows the building of isolated UI components and pages. Several factors indicate its popularity: It is one of the most… Read More

Software supply chain attacks are growing. Gartner reports that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase fr… Read More

Security doesn’t begin with developers, but they are often affected by security. In my career as a developer, I would say I spent roughly a week per quarter performing tasks to fulfill… Read More

While OpenSSL downgraded the criticality of its 3.0.7 security patch from Critical to High (CVE-2022-3786 and CVE-2022-3602), and it’s fair to say that this is not the next Heartbleed… Read More

It is a time of ghouls, mischievous spirits, and David S. Pumpkins. In the spirit of Halloween, here are the top five scariest limitations of software composition analysis (SCA) tools that a… Read More

On Tuesday, November 1st, OpenSSL is releasing a critical patch. This fix to the OpenSSL vulnerability will fix all affected versions (3.x). Given the ubiquity of OpenSSL, rapid remediation… Read More

GitHub Security Lab recently published a security advisory regarding a newly discovered vulnerability enabling Remote Code Execution (RCE) in Apache Commons Text. Affected versions of Apache… Read More

Software composition analysis (SCA) is a necessary tool that detects vulnerabilities within dependencies such as open source libraries. As the composition of modern applications has shifted… Read More

A Software Bill of Materials (SBOM) refers to a list of all software components, open source or commercial, utilized to build a software solution. However, this doesn’t includ… Read More

The IconBurst attack is a software supply chain attack designed to grab data from apps and websites. This attack campaign seeks to install malicious NPM modules that harvest sensiti… Read More

Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server.  With over 1,700 plugins available, Jenkins is an extreme… Read More

The innovation of DevOps toolchains has delivered increased efficiency for engineering teams. At the same time, these innovations have also increased security risk as shown by the rise of at… Read More

Every software manufacturer nowadays implements robust DevOps processes to increase its ability to deliver applications and services at high velocity. These processes usually include testing… Read More

ISO 27001, formally known as ISO/IEC 27001, is designed to help organizations manage the security of financial information, intellectual property, employee details, and other assets… Read More

Compliance isn’t a sexy topic, but it’s often mission-critical for organizations because failure to achieve compliance can have huge repercussions. Whether it be fines, reputatio… Read More

We’ve had a busy month in terms of software supply-chain incidents. In this article, we will discuss prominent recent attacks, explain the attack chain, and elaborate on the r… Read More

CrateDepression is a software supply chain attack designed to target GitLab CI Pipelines by impersonating legitimate Rust packages and their developers. Since a GitHub user notified… Read More

What is PCI DSS? Any financial institution, proprietor, or other entity that handles sensitive information must adhere to adequate security standards. Payment security is essential… Read More

We’re thrilled to announce that Gartner recognized Cycode as a Cool Vendor in the April 2022 Gartner® Cool Vendors in Application Security: Protection of Cloud-Native Applications… Read More