Containers are integral to modern application development portability, resource efficiency, and ease of deployment. But there is a flip side to these benefits. Unlike traditional applications, containers bundle everything needed to run, making them a scattered setup for hidden security issues. 54% of container images in Docker Hub were found to contain sensitive information that could lead to unauthorized access, data breaches, or identity theft.

A Software Bill of Materials (SBOM) inventories all of the open source components and other third-party libraries within a codebase. Much like IKEA instructions explain which parts are included in the package for your new furniture, an SBOM describes all of the third party components in your codebase. Most SBOMs contain the following information about the make-up of an application: Security vulnerabilities: a key use case for SBOM is understanding the security risks of third party components.

As cybersecurity becomes increasingly important in software development, the “shift left” security approach is widely recognized as a best practice for ensuring superior application security. Numerous traditional security firms are introducing shift-left products and capabilities, and the concept is gaining traction. However, some open source application security tools are more developer-friendly than others.

In the race for technological innovation, companies often sprint toward product launches but find themselves in a marathon when fixing vulnerabilities. This dichotomy poses a significant challenge, especially with the ever-increasing security loopholes. CISA recommends addressing critical issues in less than 15 days, but it may be wishful thinking. IT teams are inundated with an ever-increasing volume of security alerts, making it challenging to prioritize and address each one effectively.

Cloud workloads continue to grow as new digital innovations arise monthly in the worlds of IoT applications, cloud services, and big data analytics. However, the cloud's dynamic and often complex nature can make cloud application security challenging. This gap in cloud security readiness is a growing concern for organizations worldwide, with CISOs feeling the pressure. 61% of CISOs feel unequipped to cope with a targeted attack, and 68% expect such an attack within the following year.

Developers are responsible for mitigating risk of web applications through secure software development. This requires a culture of secure software development, which can be promoted with tactics that engage developers in the security process.

Software Composition Analysis (SCA) tools have been around since 2002, and they are now more critical than ever for identifying vulnerabilities in your codebase's libraries, frameworks, and third-party components. According to a Capterra report, 61% of businesses have been affected by a supply chain threat in the last year. If you’re one of the lucky 39%, Capterra suggests it really came down to luck - as nearly all companies use at least one third-party vendor.

In the famous book “Code Complete,” published by Microsoft Press, author Steve McConnel emphasized the importance of writing code for people first and computers second for better code readability. This was in 1993, when cyber attacks were practically non-existent. Fast forward to 2023, we have a greater challenge: writing code for tackling hackers first and users second.  This challenge is compounded by the rise of cybersecurity incidents due to security vulnerabilities in code.

The OWASP Top 10 list is the go-to resource to begin understand application security risk for software developers and information security professionals. Most of us don't know we're harboring vulnerabilities in plain sight. During 2020 and 2021, there were an average of 15 vulnerabilities per site, and two out of these fifteen vulnerabilities were of high severity. ‍To protect against vulnerabilities, you first need to be aware of them. That’s where the OWASP Top 10 list comes in handy.

By now, you have probably heard about the recently discovered backdoor into versions 5.6.0 and 5.6.1 of the tarballs of the xz utilities, a popular compression/decompression library for xz files, which provides unauthorized remote access under certain conditions. This vulnerability was reported under CVE-2024-3094. Andres Freund, of Microsoft, who discovered the vulnerability, summarized it well.

We recently wrote about npm audit fix, which is an add-on to the excellent npm audit, that has become a fundamental tool for managing software packages in Node.js projects. However, developers working with other languages also require specialized tools for Software Composition Analysis (SCA). At Jit, our tool of choice for SCA scanning across a diversity of programming languages is OSV Scanner, a best of breed OSS solution maintained by Google.

If over 40 major banks can be the target of JavaScript injection attacks, let’s be honest – so can you. In 2023, a malware campaign using this attack method affected 50,000 user sessions across more than 40 financial institutions worldwide, leaving many dev teams in pure damage-control mode. A large number of professional developers (especially front-end developers) use JavaScript more often than any other programming language.

A product is only as secure as its weakest link. That is why many talented security engineers and researchers recommend embedding security as early in the software development life cycle (SDLC) as possible, even from the very first line of code. Or better yet, even before the very first line of code, during the threat modeling and architecture phase. Smart people have been saying this for a very long time. So, why does product security still remain difficult?

Zero-day vulnerabilities are the surprise no developer wants to get. Because these security flaws are unknown to developers, they have zero days to prepare or mitigate the vulnerability before an exploit can occur. 62% of vulnerabilities were first exploited as zero-day vulnerabilities, so they are far more prevalent than we think. Even Google Chrome can attest to that after discovering a series of zero-day vulnerabilities that left its billions of users at risk in 2023.

If over 40 major banks can be the target of JavaScript injection attacks, let’s be honest – so can you. In 2023, a malware campaign using this attack method affected 50,000 user sessions across more than 40 financial institutions worldwide, leaving many dev teams in pure damage-control mode. 67.9% of professional developers use JavaScript more often than any other programming language. Its popularity is understandable, given its versatile and interactive capabilities.

In the evolving landscape of software development, where dependencies and third-party packages are increasingly baked into the fabric of our applications, understanding and managing the risk associated with these components has become paramount.

As a company building a SaaS security product, our inherent culture is not only focused on building best of breed security products for our users, but also ensuring that our systems, practices and workflows are engineered to support a continuously evolving threat landscape, and to protect our users’ data. We’ve written about our design for tenant isolation for our serverless based architecture in the past, and practical methods to avoid data leakage between clients.