Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In today’s fast-moving world of cloud-native development and CI/CD pipelines, code flows from commit to production faster than ever. And with that speed comes risk. That’s why code scanning in SCM (Source Code Management) has become a critical part of modern DevSecOps. Veracode’s new SCM Integration makes it easy to secure applications from the very first commit, directly within the SCM, without disrupting developer workflows.

Ransomware distributors are bad enough, but there should be a special place in the dark web's basement that only offers ISDN connections and no Wi-Fi, reserved for those groups that insist their attack was a benign cybersecurity service or those who only attack entities that they say deserve to be struck. At least based on their logic.

Attackers are using a newly discovered phishing-as-a-service (PhaaS) platform dubbed “Salty 2FA” to target a wide range of industries across North America and Europe, according to researchers at ANYRUN. The phishing attacks are delivered via email and primarily attempt to steal Microsoft 365 credentials. Like many popular commodity phishing kits, Salty 2FA is designed to bypass a variety of multifactor authentication measures.

ReliaQuest has published a report on the cybercriminal recruitment ecosystem, finding that fluent English speakers with social engineering skills are highly sought-after. “Among the most in-demand skills is English-speaking social engineering, with job posts more than doubling from 2024 to 2025,” the researchers write.

This is a follow up to the blog Cybersecurity as a Business Enabler about the shifting cybersecurity from a cost center to a value driver. If you are a C-level executive looking to transform how your organization approaches cybersecurity, here is how to shift the mindset from viewing security as just another cost center to recognizing it as a true value driver.

In August 2025, a joint Cybersecurity Advisory (CSA) was issued by CISA, NSA, FBI, and allied cybersecurity agencies across the Five Eyes, EU, and partner nations. This advisory details a long-term espionage campaign by People’s Republic of China (PRC) state-sponsored actors—linked to companies supporting the Ministry of State Security (MSS) and People’s Liberation Army (PLA).

A new cybersecurity reality has taken shape across Europe: the European Union’s updated Network and Information Security Directive (also known as NIS2) went into effect in January 2025. This sweeping regulation expands the cybersecurity obligations of thousands of organizations in critical sectors from energy and transport to healthcare, finance, cloud and data centers. Much like the Digital Operational Resilience Act (DORA) in the financial world, NIS2 isn’t just another compliance checkbox.

In our increasingly interconnected world, mobile applications have become indispensable tools for accessing a vast array of services and sensitive data. This post provides an in-depth exploration of mobile application authentication, grounded in the OWASP Mobile Application Security Verification Standard (MASVS), with a particular focus on MASVS-AUTH.

Let’s catch up on the more interesting vulnerability disclosures and cyber security news gathered from articles across the web this week. This is what we have been reading about on our coffee break! I’m sure I’ve seen that Joker SDK mentioned before. No doubt under a new means of evasion.

In recent months, Trustwave SpiderLabs, A LevelBlue Company, saw a significant increase in phishing URLs containing familiar patterns, similar phishing templates, and a resurgence in the use of email marketing platforms. The use of URL redirectors, along with the abuse of Amazon Web Hosting and Cloudflare services, was also widely observed. Trustwave operates a URL-scanning system that we call PageML.