After almost a decade in business, we’ve had the opportunity to watch the software development industry change dramatically. Developers work with more moving parts than ever, relying on technologies like third-party resources and AI coding assistants to release sophisticated software on tight deadlines. While we’ve been talking about the relationship between development and security for the past decade, the DevSecOps conversation has shifted quite a bit.

This story starts when Sébastien Lorber, maintainer of Docusaurus, the React-based open-source documentation project, notices a Pull Request change to the package manifest. Here’s the change proposed to the popular cliui npm package: Specifically, drawing our attention to the npm dependencies change that use an unfamiliar syntax: Most developers would expect to see a semver version range in the value of a package or perhaps a Git or file-based URL.

What are some of the growing cybersecurity risks in the modern software development landscape that keep CISOs busy? Developers and security teams face an ever-increasing array of threats, from sophisticated open source and vendor-controlled supply chain attacks to vulnerabilities introduced by AI-generated code like prompt injection and poor code security by GitHub Copilot.