
Latest Posts

10 GitHub Security Best Practices

The security landscape is constantly changing. As such, this blog has been updated to reflect the risks developers and security teams face today and how to overcome them. In our rapidly advancing, code-dominated digital landscape, safeguarding your codebase takes center stage. GitHub is the go-to platform for code sharing and version control in the developer community. However, given its widespread adoption, GitHub is not immune to many of the security challenges that developers face daily.

Buildkit mount cache race: Build-time race condition container breakout (CVE-2024-23651)

Snyk has discovered a vulnerability in all versions of Docker Buildkit <= v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned CVE-2024-23651.

Vulnerability: runc process.cwd and leaked fds container breakout (CVE-2024-21626)

Snyk has discovered a vulnerability in all versions of runc <= 1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned CVE-2024-21626.

Leaky Vessels: Docker and runc container breakout vulnerabilities (January 2024)

Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky Vessels" — in core container infrastructure components that allow container escapes. An attacker could use these container escapes to gain unauthorized access to the underlying host operating system from within the container.

Buildkit GRPC SecurityMode privilege check: Build-time container breakout (CVE-2024-23653)

Snyk has discovered a vulnerability in all versions of Docker Buildkit <= v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned CVE-2024-23653.

Buildkit build-time container teardown arbitrary delete (CVE-2024-23652)

Snyk has discovered a vulnerability in all versions of Docker Buildkit <= v0.12.4, as used by the Docker engine. Exploitation of this issue can result in arbitrary file and directory deletion in the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned CVE-2024-23652.

7 tips to become a successful bug bounty hunter

Bug bounty hunting is a process where security researchers or hackers actively search for and identify security vulnerabilities or "bugs" in web applications, IoT devices, mobile applications, or even smart contracts. These vulnerabilities can range from relatively simple issues like cross-site scripting (XSS) or SQL injection to more complex and critical weaknesses that could potentially compromise the security and privacy of users' data.

How a 0-day event galvanized a developer-led security mindset at DISH

When a security incident happens, it’s one thing to reactively fix the issue, sweep it under the rug, and move on. It’s a whole other to respond to the situation with a proactive, forward-facing response — not only solving the existing issues but preparing the entire organization for the future. DISH Network did just that, responding to a significant security incident with new, shift-left initiatives that made their security and development teams stronger than ever.

3 tips from Snyk and Dynatrace's AI security experts

McKinsey is calling 2023 “generative AI’s breakout year.” In one of their recent surveys, a third of respondents reported their organizations use GenAI regularly in at least one business function. But as advancements in AI continue to reshape the tech landscape, many CISOs are left grappling with this question: How does AI impact software development cycles and the overall security of business applications?

Understanding and mitigating the Jinja2 XSS vulnerability (CVE-2024-22195)

On January 11th, 2024, a significant security vulnerability was disclosed in Jinja2, a widely used Python templating library. Identified as CVE-2024-22195, this cross-site scripting (XSS) vulnerability has raised concerns due to its impact on numerous projects. Jinja2 boasts over 33 million weekly downloads, nearly 10,000 GitHub stars, and over 90,000 dependent projects. The vulnerability affects all versions prior to 3.1.3, with the patched version 3.1.3 being the only safe option.