Cycode is excited to announce the launch of new GenAI capabilities in our Risk Intelligence Graph (RIG). This brings the power of natural language query to the deep insights delivered by Cyc…
Cycode recognized as a Sample Vendor for Software Supply Chain Security in the 2024 Gartner® Emerging Tech Impact Radar: Cloud-Native Platforms report.
Cycode, the leading application se…
Roses are red, violets are blue, and if you’re into cybersecurity, ASPM Nation is for you! Picture this: a virtual gathering of cybersecurity aficionados, all geared up to delve into t…
Just think about your own personal finances. Understanding your credit score involves knowing what debts you owe, how timely you are with payments, and how your financial decisions affect yo…
Intro to Application Security Posture Management (ASPM)
Given the pace of digital transformation and the complexity of modern applications, the way developers build and deliver software has…
Executive Summary
The Cycode Research Team discovered a software supply chain vulnerability in one of Google’s open source flagship products, Bazel. We found that a GitHub Actions workf…
CI/CD Pipeline Security
Given the demand for rapid innovation and the adoption of agile methodologies, Continuous Integration/Continuous Deployment (CI/CD) pipelines have become the foundati…
We live in a world filled with constant notifications. From medical devices to severe weather warnings on your phone to your car’s lane departure warning systems, automated alerts play…
The typical global enterprise has over 12,000 web-based applications, including APIs, SaaS applications, servers, and databases. While these applications play a vital role in driving efficie…
In the last several years, software supply chain security has become a critical focus for organizations worldwide.
While the SolarWinds software supply chain attack in 2020 and the Kas…
In today’s hyper-connected world, secure software development is no longer an option, it’s a necessity. Yet achieving true security demands more than just guidelines and good int…
On December 14, 2023, the crypto community held its breath as news of a critical compromise involving the Ledger Connect Kit, a vital software component connecting hardware wallets to dApps…
In the ever-evolving landscape of software development, it’s become absolutely paramount to ensure robust security measures throughout the Software Development Lifecycle (SDLC).
Need p…
Cycode is excited to announce the release of our State of ASPM 2024 report, the first ever report to analyze the state of application security and Application Security Posture Management (AS…
Like many other industries, Healthcare has undergone significant digital transformation over the past decade. From the passage of the Health Information Technology for Economic and Clinical…
Thanksgiving is the perfect time of year to reflect on all the things we are truly grateful for. Here at Cycode, we try to practice gratitude every day. As we reflect on what we are most thankf…
Organizations are looking for effective ways to protect both their applications and cloud-based assets. With malicious actors becoming more advanced in their methods and the number of assets…
There’s no surprise that in today’s lightning fast paced development environment, speed and efficiency are non-negotiable. Developers bear the weighty responsibility of deliveri…
Bulk Remediation
Cycode Software Composition Analysis (SCA) now includes bulk remediation. This new feature allows users to efficiently address multiple vulnerabilities across different repo…
What Is Application Security Posture Management (ASPM)?
Application Security Posture Management (ASPM) is an AppSec platform that continuously assesses, manages, and enhances the security of…
Cycode is proud to announce the public release of Raven, our cutting-edge CI/CD Pipeline Security Scanner, launching with GitHub Actions as its first use case. Raven, which stands for Risk A…
For security professionals, choosing the right approach to application security testing is crucial. This blog post navigates the differences between two popular methodologies: Software Compo…
Today, digital transformation is mainstream, and every company is a software company. Application Security (AppSec) teams are responsible for the practices and measures needed to protect sof…
CISA initially set a deadline of June 11, 2023 for critical* software and September 13, 2023 for non-critical** software to comply with the Secure Software Development Framework (SSDF). Both…
In the dynamic realm of software development, the concept of “Shift Left” has evolved from a mere buzzword to a necessity. It emphasizes the idea of integrating security measures…
Exposed credentials are one of the most abused methods for gaining initial access. Breaches such as the Zendesk breach have been started by employees’ compromised credentials. GitHub s…
Many organizations use CI/CD pipelines to enforce development or security policies. For example, a pipeline may check whether any vulnerable dependencies are included in the build. These pip…
Financial service companies, often referred to as “finservs,” are prime targets for cybercriminals due to their central role in the global economy and the sensitive data they man…
Hardcoded secrets have been the gateway into – and the target of – several high-profile security breaches in recent years. According to IBM’s Cost of a Data Breach Report 2…
With the rise of cloud-native software and the more recent explosion in the use of generative AI, the importance of secure development best practices cannot be overlooked. This is underlined…
In the dynamic landscape of cloud infrastructure and its security, organizations must stay one step ahead of vulnerabilities. That’s why we’re pleased to announce an addition to…
We’re happy to share that we’ve expanded our CI/CD security value proposition for Azure DevOps users with Azure Pipelines support! This new expansion allows organizations to scan…
On July 26th, Cycode hosted a webinar to discuss the burgeoning use of AI and Large Language Models (LLMs) in generating code. We explored the intersection of innovation and risk, focusing o…
What is an SBOM? What does it have to do with the Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028)? Is my software supply chain compliant? How do I make sur…
In a recent cybersecurity incident, North Korean hackers targeted JumpCloud, an enterprise software company. Mandiant, CrowdStrike and SentinelOne attributed the breach to North Korea’…
This is the full story of the vulnerability we have discovered within Visual Studio Code (VS Code) concerning the handling of secure token storage. While designed for isolated storage for ea…
We are excited to announce the release of a powerful tool designed to help companies achieve SLSA (Supply Chain Levels for Software Artifacts) compliance in Azure Pipelines CI/CD systems. Wi…
In the world of DevOps and cybersecurity, secrets like API keys, tokens, or passwords maintain the functionality and security of your applications. However, managing these secrets can pose a…
Gerrit is a well-regarded, free code collaboration tool, primarily used for team code review. Its excellent integration with Git, a distributed version control system, supports a wide range…
Continuous Integration and Continuous Deployment (CI/CD) environments are integral to the modern software development lifecycle. While pivotal in ensuring a streamlined and efficient develop…
We are excited to announce the release of Cimon, a revolutionary tool designed to secure your CI/CD pipelines through a runtime security agent. And the best part? Cimon is now available as a…
Cycode is excited to announce the immediate availability of our new Software Bill of Materials (SBOM) feature. Cycode SBOM is a complementary technology to our Next-Gen Software Composition…
It’s undeniable that machine learning, particularly large language models (LLMs), has paved the way for groundbreaking advancements in many fields, including code generation. Howeve…
GitLab, a popular web-based Git repository management tool, has recently patched a critical vulnerability that allows attackers to attach malicious runners to any project on the instance. Th…
The OpenSSF recently made a big announcement with the release of SLSA (Supply-chain Levels for Software Artifacts) version 1.0. This framework was developed by community experts and provides…
As the demand for faster and more efficient application deployment grows, the use of pipelines in the CI/CD process has become increasingly common. Pipelines enable the automation of testing…
Organizations are struggling to manage and secure their development infrastructure. The number of development tools in modern software delivery pipelines has exploded. These tools are often…
When considering open source risk, you immediately think of vulnerabilities that have led to high-profile breaches like Equifax’s. Though open source license violations grab fewer head…
We’re excited to announce a new feature in Cycode that enhances the security of AWS S3 storage. Our S3 scanning feature scans the contents of files stored in AWS S3 buckets for potenti…
As part of our ongoing research in the open-source ecosystem, Cycode Labs has found and disclosed a novel attack that could have led to the compromise of every user of the Microsoft 365 suit…
At Cycode, we always strive to make your application security workflows more efficient and effective. We’re excited to announce two new capabilities in our JIRA integration: status vis…
The National Telecommunications and Information Administration (NTIA), under the guidance of the US Department of Commerce, recently released a white paper outlining the minimum requirements…
Even though Software Bills of Materials (SBOMs) have been around for about 10 years, they have recently gained a lot of buzz in the software industry. This blog explores why everyone is sudd…
In the fast-paced world of software development, organizations are under constant pressure to deliver new features and updates quickly and efficiently. One of the key tools in this effort is…
TL;DR
Cycode extends its platform to scan Azure Container Registry images for secrets and vulnerabilities.
Securing Docker Images
Docker images have become the cornerstone of modern applica…
While many developers understand the risks associated with hardcoding credentials into code, when it comes to containers, understanding that risk is the exception, not the rule. As a result…
TL;DR
Cycode Labs discovered a vulnerability in GitHub’s API in which GitHub Actions workflows could be created without the necessary “workflow” scope authorization. This w…
The “SaaS explosion” of our era has multiplied the risk of “secrets sprawl”. Companies are using an unprecedented amount of cloud software applications, resulting in…
On January 4th, 2023, CircleCI reported a data breach that affected some of their customers (for more information on that please see our previous blog post). In an effort to ensure transpare…
Hardcoded secrets in your code are a security risk. If these secrets are accidentally made public, malicious actors could exploit them and gain unauthorized access to your system. In this bl…
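Several of the posts listed above (exposed credentials, hardcoded secrets in code and in containers, secrets sprawl) rest on the same detection problem: finding a credential literal that should never have been committed. The example below is added here as editorial illustration; it is not Cycode's scanner or any code from those posts. It combines two techniques a practitioner would expect, signature matching for credential formats with a fixed shape and a Shannon-entropy check for unknown high-entropy literals assigned to secret-looking names. The two signatures, the 3.5-bit threshold and the sample lines are assumptions constructed for the example (the AWS key ID is the placeholder AWS uses in its own documentation; nothing here is a live credential).

```python
"""Hardcoded-secret scanner: an added example, not Cycode's own scanner.

Two detection ideas are shown: signature matching for credential formats
with a fixed shape, and a Shannon-entropy check for otherwise unknown
high-entropy literals assigned to secret-looking variable names.
"""
import math
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample input. Values are placeholders (the AWS key ID is the
# one AWS uses in its own documentation); none of them is a live credential.
SAMPLE_LINES = [
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    "ENV GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
    'token = os.environ["API_TOKEN"]',   # read from the environment: fine
    'color = "#ffffff"',                  # a literal, but not a secret
    'password = "hunter2"',               # secret-named, low entropy
]

# Signatures for credentials with a fixed, recognisable shape. Assumption:
# two illustrative patterns; real scanners ship hundreds.
FORMAT_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Generic rule: a quoted literal of 6+ characters assigned to a variable
# whose name suggests a secret. Unquoted values (environment lookups,
# function calls) deliberately do not match.
KEYWORD_RULE = re.compile(
    r"\b(\w*(?:secret|password|passwd|token|api[_-]?key|access[_-]?key)\w*)"
    r"\s*[:=]\s*[\"']([^\"'\s]{6,})[\"']",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per code base


class Finding(NamedTuple):
    line: int
    rule: str
    name: str
    value: str
    confidence: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str, keep: int = 4) -> str:
    """Never echo a full secret into CI logs; keep a short prefix only."""
    return f"{value[:keep]}...({len(value)} chars)"


def scan_lines(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        seen = set()
        # Specific signatures first: they carry the highest confidence.
        for rule, pattern in FORMAT_RULES:
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(no, rule, rule, m.group(0), "high"))
        # Generic rule: confidence depends on how random the literal looks.
        for m in KEYWORD_RULE.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in seen:
                continue  # already reported by a more specific signature
            conf = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append(Finding(no, "keyword_assignment", name, value, conf))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line}: {f.rule} [{f.confidence}] {f.name} = {redact(f.value)}")
```

Run as a script it reports four findings on the sample: the AWS key ID and the GitHub token by signature, the AWS secret key by entropy, and `hunter2` as a low-confidence hit. The environment lookup and the colour literal are not reported. Redacting before printing matters in practice: a scanner that prints the full secret into a CI log has just copied it somewhere else.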
CircleCI was breached. If you are using this tool:
Immediately rotate all stored secrets and environment variables in CircleCI. These secrets are the holy grail for attackers targeting CI sy…
Securing open-source projects is hard. Securing CI workflows for open-source projects is no less complex. The CI workflows of open-source projects are by definition exposed to the world and…
Software supply chain attacks have been on the rise over the past several years. We see evidence of this daily with more and more headlines proclaiming SolarWinds-style attacks. In fact, Gar…
Storybook is an extremely popular open-source frontend framework that allows the building of isolated UI components and pages. Several factors indicate its popularity:
It is one of the most…
Software supply chain attacks are growing. Gartner reports that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a threefold increase fr…
Security doesn’t begin with developers, but they are often affected by security. In my career as a developer, I would say I spent roughly a week per quarter performing tasks to fulfill…
While OpenSSL downgraded the severity of the vulnerabilities fixed in its 3.0.7 patch (CVE-2022-3786 and CVE-2022-3602) from Critical to High, and it’s fair to say that this is not the next Heartbleed…
It is a time of ghouls, mischievous spirits, and David S. Pumpkins. In the spirit of Halloween, here are the top five scariest limitations of software composition analysis (SCA) tools that a…
On Tuesday, November 1st, OpenSSL is releasing a critical patch that fixes all affected versions (3.x). Given the ubiquity of OpenSSL, rapid remediation…
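An earlier post in this list describes pipelines that enforce policy by checking whether vulnerable dependencies are included in a build; the two OpenSSL posts above are a concrete case where such a gate needs to fire for anything on 3.0.x below the 3.0.7 patch. The example below serves both and is added here as editorial illustration, not code from Cycode, OpenSSL or any of the posts. It parses a pinned lock file, matches each pin against an advisory feed using an introduced-inclusive, fixed-exclusive version range, and exits non-zero so the CI step fails. The advisory feed, the lock file and the `examplelib` package with its `EXAMPLE-ADV-0001` identifier are constructed assumptions; the OpenSSL entry uses only the CVE identifiers and fixed release named on this page.

```python
"""Dependency policy gate: an added example, not Cycode's own pipeline code.

Reads a pinned lock file, matches each pin against an advisory feed using
[introduced, fixed) version ranges, and returns a non-zero exit status so
the CI job fails when a blocking severity is found.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, ...]


class Advisory(NamedTuple):
    package: str
    ids: str         # advisory identifiers
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    severity: str


# Constructed advisory feed. The OpenSSL entry carries the identifiers and
# fixed release named on this page (3.0.0 through 3.0.6 are affected, 3.0.7
# fixes them); the second entry and its identifier are hypothetical.
ADVISORIES = [
    Advisory("openssl", "CVE-2022-3602, CVE-2022-3786", "3.0.0", "3.0.7", "high"),
    Advisory("examplelib", "EXAMPLE-ADV-0001 (hypothetical)", "0", "2.4.0", "medium"),
]

# Constructed lock file in the common name==version form.
LOCKFILE = """\
# pinned build inputs
openssl==3.0.5
examplelib==2.4.1
otherlib==1.0.0
"""


def parse_version(v: str) -> Version:
    """'3.0.7-1' -> (3, 0, 7). Anything after the numeric core is ignored;
    assumption: adequate for a gate, not a full PEP 440 or semver parser."""
    core = re.match(r"\d+(?:\.\d+)*", v)
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))


def version_lt(a: Version, b: Version) -> bool:
    """Compare with zero padding so that 3.0 equals 3.0.0 instead of sorting below it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_lockfile(text: str) -> Dict[str, str]:
    """name==version per line; comments allowed. An unpinned line is itself a
    policy violation, because a floating version cannot be evaluated."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency (policy requires ==): {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return (not version_lt(v, parse_version(adv.introduced))
            and version_lt(v, parse_version(adv.fixed)))


def evaluate(pins: Dict[str, str], advisories: List[Advisory],
             fail_on=("critical", "high")) -> Tuple[List[str], bool]:
    """Return human-readable findings and whether the build must be blocked."""
    messages, block = [], False
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is None or not is_affected(pinned, adv):
            continue
        messages.append(f"{adv.package}=={pinned} affected by {adv.ids}; "
                        f"upgrade to >= {adv.fixed} [{adv.severity}]")
        block = block or adv.severity in fail_on
    return messages, block


if __name__ == "__main__":
    findings, blocked = evaluate(parse_lockfile(LOCKFILE), ADVISORIES)
    for msg in findings:
        print(msg)
    sys.exit(1 if blocked else 0)  # a non-zero exit fails the pipeline step
```

On the sample lock file the gate reports `openssl==3.0.5` as affected and exits 1, while `examplelib==2.4.1` passes because it is at or past the fixed version. Two design points carry over to real gates: treat an unpinned dependency as a policy failure rather than silently skipping it, and pad versions before comparing so that `3.0` is not judged older than `3.0.0`.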
GitHub Security Lab recently published a security advisory regarding a newly discovered vulnerability enabling Remote Code Execution (RCE) in Apache Commons Text. Affected versions of Apache…
Software composition analysis (SCA) is a necessary tool that detects vulnerabilities within dependencies such as open source libraries. As the composition of modern applications has shifted…
A Software Bill of Materials (SBOM) refers to a list of all software components, open source or commercial, utilized to build a software solution. However, this doesn’t includ…
The IconBurst attack is a software supply chain attack designed to grab data from apps and websites. This attack campaign seeks to install malicious NPM modules that harvest sensiti…
The Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server.
With over 1,700 plugins available, Jenkins is an extreme…
The innovation of DevOps toolchains has delivered increased efficiency for engineering teams. At the same time, these innovations have also increased security risk as shown by the rise of at…
Every software manufacturer nowadays implements robust DevOps processes to increase its ability to deliver applications and services at high velocity. These processes usually include testing…
ISO 27001, formally known as ISO/IEC 27001, is designed to help organizations manage the security of financial information, intellectual property, employee details, and other assets…
Compliance isn’t a sexy topic, but it’s often mission-critical for organizations because failure to achieve compliance can have huge repercussions. Whether it be fines, reputatio…
We’ve had a busy month in terms of software supply-chain incidents. In this article, we will discuss prominent recent attacks, explain the attack chain, and elaborate on the r…
CrateDepression is a software supply chain attack designed to target GitLab CI Pipelines by impersonating legitimate Rust packages and their developers. Since a GitHub user notified…
What is PCI DSS?
Any financial institution, proprietor, or other entity that handles sensitive information must adhere to adequate security standards. Payment security is essential…
We’re thrilled to announce that Gartner recognized Cycode as a Cool Vendor in the April 2022 Gartner® Cool Vendors in Application Security: Protection of Cloud-Native Applications…