Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Latest News

Security Debt: A Growing Threat to Application Security

Security debt is a major and growing problem in software development with significant implications for application security, according to Veracode's State of Software Security 2024 Report. Let’s delve a bit deeper into the scope and risk of security debt, and gain some insights for application security managers to effectively address this challenge. Security debt refers to software flaws that remain unfixed for a year or more.

Introducing kntrl: Enhancing CI/CD Security with eBPF

CI/CD pipelines are formed by a series of steps that automate the process of software delivery. They integrate the practices of Continuous Integration (CI) and Continuous Delivery (CD) along with the tools, platforms, and repositories that enable them. Their goal is to simplify, streamline and automate large parts of the software development process.

Using webhooks to boost cloud-native application security

In the ever-evolving landscape of cloud-native applications built with containers and Kubernetes, webhooks serve as the communication backbone, facilitating seamless integration between various components, especially in the realms of security, networking, and troubleshooting. This is further amplified when combined with popular collaboration tools such as Jira and Slack.

Are your APIs secure? Try our new free tool: API Specification Evaluator

With the growing footprint of APIs, there is a strong need for secure-by-design APIs. A design blueprint of an API would be a helpful start in determining the security standard of an API. Fortunately, APIs have that blueprint known as an OpenAPI Specification. API Specifications play a crucial role in ensuring the security and functionality of APIs.

Supply Chain Security Snags

Picture a domino effect in the business world: one weak link in a supply chain triggers a cascade of disruptions. This is the reality of supply chain attacks, where a minor breach can escalate into a major crisis. It underscores the urgent need for robust security across the whole supply chain. Supply chain attacks represent a sophisticated threat to organizations, often involving multiple stages of exploitation.

Running DAST in CI/CD for Regression Testing

In the fast-paced field of software development, ensuring applications remain functional and secure through updates is essential. Regression testing, which checks that new code doesn't harm existing features, is key. Dynamic Application Security Testing (DAST) tools play a crucial role here. They identify security flaws in active web applications. This article explores the importance of DAST tools, integration, and enhancement in regression testing.

Microsoft Azure CLI affected by CVE-2022-39327

CVE-2022-39327 is a code injection vulnerability that affects the command-line interface for Microsoft Azure (Azure CLI). The vulnerability allows an attacker to execute arbitrary commands on a Windows machine that runs an Azure CLI command with untrusted parameter values. The vulnerability was discovered by GitHub Security Lab and reported to Microsoft on October 7, 2022. Microsoft released a patch for the vulnerability on October 25, 2022, in version 2.40.0 of the Azure CLI.

Why MobSF Isn't Ideal for Application Security Testing?

Mobile Security Framework (MobSF), launched by OWASP in 2015, is a partially automated, open-source, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic, and malware analysis. MobSF is one of the most widely used security applications: the testing framework, a simple, flexible, and incredibly powerful tool, has quickly become the lingua franca of security. The flexibility and accessibility of the tool are helpful but also dangerous.

How REI built a DevSecOps culture and how Snyk helped

A few years ago, REI embarked on its digital transformation and cloud migration journey, moving on-prem development environments to AWS. But, as REI’s development teams began this transition, their security counterparts noticed that application security just wasn’t keeping up. As a result, REI began another journey: identifying the right security tooling and cultural shifts for AppSec success.

The Cure For Security Alert Fatigue Syndrome

Most security tools waste developers’ time. We’re on a mission to fix this. Application Developers aren't paid to care about security. Their performance is measured by the speed at which they can add value to the business through new features or enhancements. This makes traditional security tools a hindrance as they're not built for developers — plus, they're not designed to be helpful.