Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Penetration testing (“pentesting”) has shifted from a once-a-year checkbox to a continuous necessity. In fact, by 2025 the pentesting industry is expected to hit $4.5 billion as companies race to find vulnerabilities before attackers do. Yet 38% of companies only run 1–2 pentests per year – leaving long gaps where new flaws can creep in. That’s a dangerous game when 73% of breaches involve exploiting web app vulnerabilities.

DevSecOps isn’t just a buzzword in 2025 – it’s how modern teams build software without leaving security behind. About 61% of DevOps teams have now adopted DevSecOps practices, meaning automated security checks are embedded throughout development. And for good reason: cyber threats are evolving, from surging open-source supply chain attacks (over 10,000 malicious packages were found in one quarter) to misconfigurations that attackers exploit in cloud infrastructure.

Containers have become the backbone of modern DevOps, but they also introduce new security headaches. A single vulnerable base image or misconfigured container can snowball into a major breach across dozens of services. In fact, recent research found that about 75% of container images carry high-severity or critical vulnerabilities. Add to this the 2025 trends of supply chain attacks and ever-evolving CVEs, and it’s clear that container scanning tools are a must-have.

Modern software teams have a buffet of security tools to choose from. Veracode, Checkmarx, and Fortify are three heavyweight application security platforms often considered by technical leaders. Each promises to secure your code and catch vulnerabilities early. But choosing the right one matters: it impacts developer workflow, security coverage, and how much time your team spends chasing false alarms.

Gain instant visibility into your cloud environment with Aikido Cloud Search. Search your cloud like a database. Whether you want to identify exposed databases, vulnerable virtual machines, or over-permissive IAM roles — Aikido gives you the power to uncover risk in seconds. No query language required, no waiting on devops. Just describe what you’re looking for, like “Give me all VMs with CVE-2025-32433 that have port 22 open.” Scroll down to "How It Works" to get technical.

The boy who cried wolf goes back to a fable where a shepherd boy mocked the other villagers by telling them that a wolf was attacking the flock. The villagers believed him at first, but he was just laughing with them. When the shepherd boy repeated his joke, villagers started to ignore him and at some point a real wolf comes and attacks the sheep. The boy ‘cried wolf’ but nobody believed him anymore.

Modern applications are no longer giant monoliths, they are a collection of micro services, open-source components, and third-party tools. But this makes it very difficult to actually understand the insides of our applications, particularly when you consider that our open-source dependencies also have open-source dependencies! The Software Bill of Materials (SBOM) plays a key role here. SBOMs provide a detailed inventory of all software components.

If it’s worth building, it’s worth securing. Vibe coding has been generating a lot of buzz. While automating and coding with AI isn’t new, vibe coding holds the promise of democratizing software development: simply describe what you want in natural language and let the LLM do the rest.

On March 19th, 2025, we discovered a package called os-info-checker-es6 and were taken aback. We could tell it was not doing what it said on the tin. But what's the deal? We decided to investigate the matter and initially hit some dead ends. But patience pays off, and we eventually got most of the answers we sought. We also learned about Unicode PUAs (No, not pick-up artists). It was a roller coaster ride of emotions!

Container security starts with your base image. But here’s the catch: In this post, we’ll explore why updating base images is harder than it seems, walk through real examples, and show how you can automate safe, intelligent upgrades without breaking your app.