Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Most organizations still treat vulnerability assessment (VA) as a checkbox activity, run a scan, generate a report, and move on. But security doesn’t work in isolated snapshots. Applications are dynamic, threats evolve by the hour, and even minor code changes can open new attack surfaces. This is where continuous vulnerability assessment (CVA) becomes essential.

In a previous blog, we discussed how AI is reshaping software development at every level. This shift means developers need new skills to stay effective. In fact, Gartner predicts that generative AI will require 80% of the engineering workforce to upskill through 2027. So what can today’s developers do to stay ahead? Here are a few steps to consider.

XML external entity injection or XXE, is a type of web security vulnerability and an application-layer cybersecurity attack. This vulnerability allows the hacker to interfere with an application while it is processing XML data. The attacker can inject unsafe XML entities into the application and can interact with systems to which the application has access. The hackers can also view files on the server and even perform remote code execution (RCE).

The biggest cybersecurity bottleneck for today’s enterprises isn’t detection. It’s remediation. Organizations are flooded with vulnerability data, but that flood rarely translates into effective action. Instead, security teams spend their time wrangling data, chasing tickets, and firefighting the same risks week after week. The outcome? Wasted effort, missed SLAs, and real business risk.

Software development moves fast; updates are deployed daily, and new features seem to roll out constantly. For security professionals and developers, this pace brings both opportunities and risks. Building an application security program from scratch can be daunting. Expanding attack surfaces, unclear roles and responsibilities, and an endless stream of vulnerabilities from disparate tools create a complex and challenging landscape to navigate.

Today marks a significant milestone for Snyk and, more importantly, for the security posture of the U.S. government. I'm thrilled to introduce Snyk for Government, our FedRAMP Moderate authorized solution for the public sector. This authorization underscores our unwavering commitment to providing secure development solutions that meet the rigorous standards of the Federal Risk and Authorization Management Program (FedRAMP). It means that U.S.

On June 4, 2025, Cisco released fixes for multiple vulnerabilities, several of which were noted to have publicly available proof-of-concept (PoC) exploit code. The most severe issue, CVE-2025-20286, affects cloud deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).

In the last year, generative AI has dramatically accelerated how software is written. Developers can generate entire functions with a prompt, automate repetitive logic, and offload everything from boilerplate code to documentation. But with this newfound speed comes a deeper, more complex challenge: ensuring that what’s being created is secure, trustworthy, and production-ready.

On June 2, 2025, Hewlett Packard Enterprise (HPE) released fixes for multiple vulnerabilities affecting HPE StoreOnce VSA, an enterprise backup storage solution. The most severe of these was CVE-2025-37093, a critical authentication bypass vulnerability discovered by the Zero Day Initiative (ZDI). The flaw resides in the implementation of the machineAccountCheck method and stems from improper handling of an authentication algorithm.