Scaling a risk-based AppSec program involves adapting your security practices to accommodate the growth and evolving needs of your business, while effectively managing and mitigating security risks.

On October 3, 2023, the curl team preannounced a pending fix for a high-severity vulnerability, which impacts both libcurl and curl. Snyk products help you identify and fix vulnerable packages and containers, but this vulnerability impacts curl, a command-line tool that many developers use on a daily basis. It's also distributed with many operating systems, so we thought it would be beneficial to provide some tips on how you can get it upgraded on your system.

Researchers and vendors have conducted an investigation into volumetric DDoS attacks in the wild between August – October 2023 that has resulted in the discovery of a novel “rapid reset” technique that leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol. Disclosed today, the HTTP/2 rapid reset vulnerability is being tracked as CVE-2023-44487 and has been designated a High severity vulnerability with a CVSS score of 7.5 (out of 10).

Most enterprises' critical infrastructure and operational pipelines rely on an intricate web of software, online services, and cloud applications. This level of complexity makes supply chain risk management one of (if not the) biggest challenges for CISOs today. Today, malicious actors choose to exploit software supply chain vulnerabilities rather than just target end users. These SSC attacks have caused some of the most notable cybersecurity incidents and data breaches in recent years.

Composing song lyrics, writing code, securing networks — sometimes it seems like AI can do it all. And with the rise of LLM-based engines like ChatGPT and Google Bard, what once seemed like science fiction is now accessible to anyone with an internet connection. These AI advancements are top-of-mind for most businesses and bring up a lot of questions.

The developer role is steadily expanding, now encompassing operations and security functions in addition to writing and testing code.

Last month, two Critical vulnerabilities (CVE-2023-4863 and CVE-2023-5129) were identified by Apple Security Engineering and Architecture (SEA) in collaboration with The Citizen Lab at the University of Toronto’s Munk School. The vulnerabilities involved maliciously formed WebP images that would exploit Chromium-based browsers and the webmproject/libwebp library provided by Google. You can learn more about the vulnerability and the recent history of it in our previous blog post.

On October 3, 2023, Daniel Stenberg, the long-time curl maintainer and original author, published a note on both LinkedIn and X (formerly Twitter) regarding the shipping of curl version 8.4.0, which will contain a fix for "probably the worst security problem found in curl in a long time." This issue should be taken seriously as curl maintainers have been vocal about downplaying the risk associated with most vulnerabilities reported against curl in the past (a recent example is the article CVE-2020-1990

Snyk has been a long-time active participant in and sponsor of the Open Source Security Foundation (OpenSSF). We’re there because we believe in supporting its mission of securing the open source ecosystem. A recent summit meeting convened by the OpenSSF with the White House brought together various US Government departments for a chat about open source security.

Designing and maintaining secure infrastructure configurations from code to cloud is a complex process involving multiple technical teams and security stakeholders. The first challenge is writing secure infrastructure configurations pre-deployment.