Security | Threat Detection | Cyberattacks | DevSecOps | Compliance



Snyk is named a Strong Performer as a first-time entrant in the Forrester Wave: Static Application Security Testing (SAST) Q3 2023

In our first year participating in the Forrester Wave™: Static Application Security Testing (SAST) Q3 2023, we’re thrilled that Snyk has been recognized as a Strong Performer in a mature, yet evolving, enterprise software security category. Snyk is disrupting the SAST market with a developer-first approach to application security, illustrated by our position in strategy and market presence in the evaluation.


Forrester recognizes Synopsys as a Leader in static application security testing

Synopsys received the second-highest score in the Current Offering category, and tied for the second-highest scores in the Strategy and Market Presence categories. This week, Synopsys was named a Leader in “The Forrester Wave™: Static Application Security Testing, Q3, 2023,” based on its evaluation of Coverity®, our static application security testing (SAST) solution.


What Security Practitioners Can Learn from New SAST Vendor Analysis

Developing and maintaining secure code at scale is hard. Having the right Static Application Security Testing (SAST) solution makes it easier, but how are practitioners to choose? In the following interview, you’ll learn about three emerging trends from detailed analysis of the SAST landscape in The Forrester Wave™: Static Application Security Testing, Q3 2023.


Announcing JFrog SAST: Build Trust and Release Code With Confidence

Today’s software applications power almost every aspect of our lives, and ensuring the security of these applications is paramount. Threat actors can cause devastating consequences for companies, leading to financial losses, reputational damage, and legal repercussions. Companies building commercial or in-house applications must adopt robust security measures throughout their software development lifecycle to avoid releasing vulnerable code.

code intelligence

Breaking the Barrier of Dynamic Testing: Detect and Autoconfigure Entry Points With CI Spark

Finding deeply hidden and unexpected vulnerabilities early in the development process is key. However, time to invest in proactive tests is limited. Prioritizing speed over security is common. Our new AI-assistant CI Spark closes this gap and enables both speed and security. CI Spark makes use of LLMs to automatically identify attack surfaces and to suggest test code. Tests generated by CI Spark work like a unit test that automatically generates thousands of test cases.

How we found a prototype pollution in protobufjs - CVE-2023-36665

In this webinar excerpt, our colleague Peter Samarin demonstrates how our prototype pollution bug detectors were able to uncover a highly severe CVE in the popular JavaScript library protobufjs. This finding puts affected applications at risk of remote code execution and denial of service attacks.
code intelligence

New Vulnerability in tree-kit: Prototype Pollution - CVE-2023-38894

The maintainers have already released an update fixing the issue. Versions before 0.7.5 are affected and thus vulnerable to Prototype Pollution. We strongly recommend that impacted users upgrade to the newer version that includes the fixes, i.e., version 0.7.5 and above.We have found a new Prototype Pollution vulnerability in the JavaScript package tree-kit in all versions before 0.7.5. The maintainer of tree-kit has released an update that fixed the issue on 21 July 2023.

How we found a Prototype Pollution in protobuf.js

Our colleagues Peter Samarin, Norbert Schneider and Fabian Meumertzheim recently built a new bug detector enabling our JavaScript fuzzing engine Jazzer.js to identify Prototype Pollution. This work is now bearing its first fruits: As part of our ongoing collaboration with Google’s OSS-Fuzz, Jazzer.js recently uncovered a new Prototype Pollution vulnerability in protobuf.js (CVE-2023-36665). This finding puts affected applications at risk of remote code execution and denial of service attacks.