Dex Tovin : May 25, 2023 7:00:00 AM
This article delves into the Secure Software Development Framework (SSDF), looks at the differences between the traditional Secure Software Development Life Cycle (SSDLC), and goes over the benefits of adopting the SSDF for improved security,...
Read More
Neta Spektor : May 22, 2023 1:50:07 PM
On May 20th, in an unprecedented move, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new...
Liav Caspi : May 15, 2023 11:40:59 PM
On May 5th, Gartner published an Innovation Insights Report that outlines the latest evolution in AppSec– Application Security Posture Management (or...
Gal Ofri : May 9, 2023 9:00:00 AM
In this blog series, we will uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts. SLSA (Supply...
1 min read
Roy Blit : Apr 25, 2023 8:00:00 AM
Toyota Motor Corporation recently suffered a data breach due to a mistakenly exposed access key on GitHub. That hardcoded access key evaded detection...
Dex Tovin : Apr 24, 2023 8:00:00 AM
Code leaks can pose significant threats to the security and well-being of businesses, potentially resulting in a range of negative outcomes including...
Kevin Broughton : Apr 17, 2023 10:46:34 AM
“Code to cloud” is an emerging capability that spans both application security and cloud security and has been gaining a lot of traction recently—and...
Alan Bitterman : Apr 12, 2023 2:12:07 PM
As the modern DevOps revolution became prominent within most businesses, the SDLC security was typically an afterthought. Compounding that is the...
1 min read
-1.jpg?width=30&name=DSC08054%20(2)-1.jpg){kind=small}
Nadav Noy : Mar 31, 2023 8:30:00 AM
On March 29th, 2023, it was published that 3CX, the international VoIP IPBX software, was under an ongoing software supply chain attack. The...
Nadav Noy : Mar 30, 2023 2:53:39 PM
The Legit Security research team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a...
Kevin Broughton : Mar 14, 2023 2:18:50 PM
In this blog post, we'll discuss 8 of the top threats targeting cloud applications in 2023. Taking steps to protect your cloud applications against...
Tor Beer : Feb 28, 2023 7:00:00 AM
Development secrets are any data sensitive to an organization or person and should not be exposed publicly. It can be a password, an access key, an...
Kevin Broughton : Feb 15, 2023 7:03:58 PM
Rapid innovation is the lifeblood of many companies in the digital age. If your organization employs a CI/CD workflow, you need an effective...
.jpg?width=30&name=LW_LEGIT_20_EladNamdar_1132%20(1).jpg){kind=small}
Elad Namdar : Feb 13, 2023 7:00:00 PM
As more organizations and applications rely on open-source software, it is crucial to ensure that the software is secure and free from...
Tali Orenbach : Feb 7, 2023 6:00:00 AM
SDLC (Software Development Life Cycle) is a breakdown of all the stages involved in software creation. There are distinct SDLC stages and many...
Amit Hofree : Jan 31, 2023 12:00:00 AM
GUAC stands for Graph for Understanding Artifact Composition and was developed by Google in collaboration with industry leaders to make it easier to...
Roy Blit : Jan 25, 2023 3:09:07 PM
We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft, and sensitive data...
.jpeg?width=30&name=Image%20(1).jpeg){kind=small}
Arnon Trabelsi : Jan 23, 2023 3:47:08 PM
A cybersecurity framework is a group of documents outlining guidelines, security-related standards, and best practices to help organizations manage...
1 min read
Tor Beer : Jan 19, 2023 7:15:00 AM
Secrets are any data that is sensitive to an organization or person and should not be exposed publicly. It can be a password, an access key, an API...
1 min read
Tor Beer : Jan 18, 2023 5:43:00 AM
Everybody is familiar with downtimes in major services. It can be very frustrating when a platform your organization depends upon becomes...
Liav Caspi : Jan 9, 2023 10:23:37 AM
Software dominates the world and remains abig and accessible attack surface.In 2022, an estimated $6Bwas invested in Application Security, with that...
Nadav Noy : Jan 4, 2023 6:21:15 AM
Jenkins is an open-source automation and build platform that allows for automated tests, integrations, builds, and much more. However, Jenkins also...
Ofer Kozokaro : Dec 28, 2022 8:03:17 AM
DevOps is a great approach to improve the speed and efficiency of software development, but there are practices that your team can implement to...
John Tierney : Dec 6, 2022 6:30:05 AM
Once upon a time in Application Security, times were simpler. Not long ago security and development teams could simply scan their code for...
Noam Dotan : Dec 1, 2022 9:02:33 AM
The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the...
Justin Bahr : Nov 29, 2022 6:45:38 AM
What are different solution approaches to software supply chain security and what are the Pros and Cons for your organization? What is the modern...
1 min read
Roy Blit : Oct 31, 2022 12:45:39 PM
Update: On November 1st the OpenSSL project maintainers released their fix for the vulnerabilities. There were two vulnerabilities discovered. After...
Nadav Noy : Oct 12, 2022 11:00:10 AM
On Oct 7th, Toyota announced a possible data leakage incident stemming from a code repository in their software supply chain. The compromised data...
Justin Bahr : Oct 11, 2022 6:31:03 AM
If you haven’t already been integrating security into DevOps, we've provided this 4-step guide to help smooth the transition as well as describe the...
Roy Blit : Oct 5, 2022 8:07:38 AM
We’re pleased to announce the launch of Legitify – an open-source security tool for GitHub users to automatically discover and remediate insecure...
Nadav Noy : Oct 3, 2022 4:23:08 PM
On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The...
Noam Dotan : Sep 28, 2022 1:37:33 PM
When GitHub released Codespaces last year it was touted as their best release since GitHub Actions. If you’re using Codespaces or thinking about it,...
Gal Ofri : Sep 22, 2022 8:45:00 AM
Today most business leaders realize that no matter what industry they operate in, their organizations are truly technology companies that serve...
Gal Ofri : Sep 19, 2022 2:58:57 PM
Malicious actors are poisoning your artifacts in an attempt to infect your software supply chain so that you deploy those compromised (i.e.,...
Gal Ofri : Sep 15, 2022 2:12:43 PM
A popular vendor of Magento-Wordpress plug-ins/integrations with over 200,000 downloads, has been hacked. This recent attack is a reminder that...
Justin Bahr : Sep 13, 2022 6:28:38 AM
In this blog post, we'll discuss the four types of software supply chain threats businesses face. Use these 8 best practices in cyber supply chain...
Noam Dotan : Sep 8, 2022 11:47:40 AM
Update: a few weeks after this publication, GitHub decided to fix the issue and employed the mitigation we recommended to them in our initial report....
Noam Dotan : Sep 1, 2022 10:00:03 AM
In this blog post, we'll discuss a new type of GitHub Actions workflow vulnerability we called "GitHub Environment Injection". We've found a couple of
Alex Babar : Aug 31, 2022 11:45:58 AM
Agile software development is a type of methodology that centers around the core principle of flexibility. Agile development methods recognize that a...
1 min read
Noam Dotan : Aug 29, 2022 9:17:15 PM
LastPass, one of the world's largest password managers with 25 million users, disclosed that an unauthorized party had gained access to portions of...
Nadav Noy : Aug 22, 2022 1:53:35 PM
Application Security (AppSec) is the process of identifying, testing, and fixing security flaws in an application. Although it may be tempting to...
Tor Beer : Aug 3, 2022 6:30:29 PM
Earlier today, Stephen Lacy published a Twitter post about a massive attack attempt on GitHub. This attack attempt is a huge deal, but fortunately it...
Tor Beer : Aug 2, 2022 12:39:59 PM
A software supply chain is the list of components, libraries, and tools used to build a software application. Software vendors often create products...
Liav Caspi : Jul 18, 2022 7:49:58 AM
Development teams already work in a very methodical repeating process – the Software Development Lifecycle (SDLC) – and a huge opportunity exists to ...
Dex Tovin : Jul 5, 2022 7:11:28 AM
The principles of data security are pretty simple, although organizations have a tendency to short cut them in their SDLCs. Data security is defined...
Amit Hofree : Jun 20, 2022 11:27:37 AM
GitHub is one of the most widely used software development platforms. You’d be hard-pressed to find a developer or a business that has never used or...
Liav Caspi : Jun 13, 2022 7:57:25 AM
As we head to the Open Source Summit conference next week, we wanted to discuss our contributions to the open source community, why we invest so much...
Dex Tovin : Jun 6, 2022 8:57:50 AM
An application security risk assessment is a process of identifying, assessing, and managing the potential risks to an application.
Roy Blit : May 31, 2022 8:18:08 AM
Configuring security in GitHub correctly can offer strong protection against breaches related to application vulnerabilities. The platform comes with...
Dex Tovin : May 23, 2022 1:41:56 PM
DevOps is a practice used to deliver software and services faster. As more businesses adopt DevOps, they are also adopting DevOps security tools to...
Shay Elmualem : May 16, 2022 8:37:35 AM
DevOps isn’t a new concept. The term was first coined around 2009 by Patrick Debois as a way to describe not only technology and standards, but also...
Shay Elmualem : May 9, 2022 9:11:30 AM
Artifacts, such as container images, are referenced during the development lifecycle using tags – a readable short name (usually a version like...
Noam Dotan : May 2, 2022 10:44:09 AM
In this blog post, we’ll explore a bug we’ve found in a popular third-party action and how in some cases it could lead to your SDLC pipeline being...
Roni Fuchs : Apr 25, 2022 11:15:04 AM
Application Security (AppSec) has been around for decades, but it has fallen behind application development advancements like DevOps and cloud. How...
Roy Blit : Apr 18, 2022 2:02:36 PM
On Friday April 15, GitHub Security announced it had detected the compromise of OAuth access tokens issued to Heroku and Travis-CI integrations to...
Gal Ofri : Apr 11, 2022 6:47:38 AM
SBOM stands for Software Bill Of Materials: a nested description of software artifact components and metadata. This information can also include...
Tor Beer : Apr 6, 2022 7:20:02 AM
On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important...
Noam Dotan : Apr 4, 2022 3:01:54 PM
At Legit Security, we’re focused on preventing software supply chain attacks and securing the SDLC for our customers and the broader cybersecurity...
Nir Bashan : Mar 11, 2022 9:18:44 AM
Exposed secrets in source code pose a risk to you, your team and your entire organization. But what are secrets exactly? How do they become exposed?...
Roni Fuchs : Jan 28, 2022 11:48:00 AM
I'm excited to share that Legit Security is officially launching out of stealth mode. While in stealth, we’ve been incredibly busy acquiring our...
Roy Blit : Jan 21, 2022 9:00:00 AM
You’ve probably heard that software supply chain attacks are increasing rapidly and that the damage can be devastating. Both business and security...
Alex Babar : Jan 14, 2022 1:00:00 PM
For many business executives, familiarity with “software supply chain security” started around December 2020 when global news headlines covered the...
Amit Hofree : Jan 7, 2022 12:30:00 PM
In response to a rapid increase in software supply chain attacks, Security Professionals and Software Development Leaders are increasingly motivated...
