Legit Security Blog

Embracing the Future of Secure Software Development: A Comprehensive Look at the SSDF

This article delves into the Secure Software Development Framework (SSDF), looks at the differences between the traditional Secure Software Development Life Cycle (SSDLC), and goes over the benefits of adopting the SSDF for improved security,...

Supply Chain Attacks Overflow: PyPI Suspended New Registrations

On May 20th, in an unprecedented move, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new...

What is Application Security Posture Management – Insights Into Gartner’s® New Report

On May 5th, Gartner published an Innovation Insights Report that outlines the latest evolution in AppSec – Application Security Posture Management (or...

SLSA Provenance Blog Series, Part 1: What Is Software Attestation

In this blog series, we will uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts. SLSA (Supply...

New Techniques Attackers Are Using to Harvest Your Secrets

Toyota Motor Corporation recently suffered a data breach due to a mistakenly exposed access key on GitHub. That hardcoded access key evaded detection...

The Business Risks and Costs of Source Code Leaks and Prevention Tips

Code leaks can pose significant threats to the security and well-being of businesses, potentially resulting in a range of negative outcomes including...

Modern AppSec Needs Code to Cloud Traceability

“Code to cloud” is an emerging capability that spans both application security and cloud security and has been gaining a lot of traction recently—and...

Tips to Secure the Software Development Lifecycle (SDLC) in Each Phase

As the modern DevOps revolution became prominent within most businesses, the SDLC security was typically an afterthought. Compounding that is the...

Sophisticated 3CX Software Supply Chain Attack Affects Millions of Users

On March 29th, 2023, it was published that 3CX, the international VoIP IPBX software, was under an ongoing software supply chain attack. The...

Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack

The Legit Security research team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a...

The Top 8 Cloud Application Threats in 2023

In this blog post, we'll discuss 8 of the top threats targeting cloud applications in 2023. Taking steps to protect your cloud applications against...

Exposing Secrets Via SDLC Tools: The Artifactory Case

Development secrets are any data sensitive to an organization or person and should not be exposed publicly. It can be a password, an access key, an...

5 Best Practices for Successful Application Risk Assessments

Rapid innovation is the lifeblood of many companies in the digital age. If your organization employs a CI/CD workflow, you need an effective...

Top Open Source Software Supply Chain Security Tips

As more organizations and applications rely on open-source software, it is crucial to ensure that the software is secure and free from...

What is a Secure SDLC?

SDLC (Software Development Life Cycle) is a breakdown of all the stages involved in software creation. There are distinct SDLC stages and many...

GUAC Explained in 5 Minutes

GUAC stands for Graph for Understanding Artifact Composition and was developed by Google in collaboration with industry leaders to make it easier to...

Legitify adds support for GitLab and GitHub Enterprise Server

We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft, and sensitive data...

What are the Five Elements of the NIST Cybersecurity Framework?

A cybersecurity framework is a group of documents outlining guidelines, security-related standards, and best practices to help organizations manage...

Exposing Secrets Via SDLC Tools: The SonarQube Case

Secrets are any data that is sensitive to an organization or person and should not be exposed publicly. It can be a password, an access key, an API...

The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services

Everybody is familiar with downtimes in major services. It can be very frustrating when a platform your organization depends upon becomes...

2023 Predictions for Modern Application Security

Software dominates the world and remains a big and accessible attack surface. In 2022, an estimated $6B was invested in Application Security, with that...

How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack

Jenkins is an open-source automation and build platform that allows for automated tests, integrations, builds, and much more. However, Jenkins also...

A DevOps Security Tutorial for Digital Business Leaders

DevOps is a great approach to improve the speed and efficiency of software development, but there are practices that your team can implement to...

Modern AppSec Requires Extending Beyond SCA and SAST

Once upon a time in Application Security, times were simpler. Not long ago security and development teams could simply scan their code for...

Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable

The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the...

Top Software Supply Chain Security Solution Approaches: Pros and Cons

What are different solution approaches to software supply chain security and what are the Pros and Cons for your organization? What is the modern...

Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

Update: On November 1st the OpenSSL project maintainers released their fix for the vulnerabilities. There were two vulnerabilities discovered. After...

Toyota Customer Data Leaked Due To Software Supply Chain Attack

On Oct 7th, Toyota announced a possible data leakage incident stemming from a code repository in their software supply chain. The compromised data...

Integrating Security into DevOps: A Step-By-Step Guide

If you haven’t already been integrating security into DevOps, we've provided this 4-step guide to help smooth the transition as well as describe the...

Introducing Legitify: A Better Way To Secure GitHub

We’re pleased to announce the launch of Legitify – an open-source security tool for GitHub users to automatically discover and remediate insecure...

Software Supply Chain Attack Leads to Trojanized Comm100 Installer

On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The...

GitHub Codespaces Security Best Practices

When GitHub released Codespaces last year it was touted as their best release since GitHub Actions. If you’re using Codespaces or thinking about it,...

Software Supply Chain Risks: What Every CISO Needs to Know

Today most business leaders realize that no matter what industry they operate in, their organizations are truly technology companies that serve...

Why You Can Still Get Hacked Even After Signing Your Software Artifacts

Malicious actors are poisoning your artifacts in an attempt to infect your software supply chain so that you deploy those compromised (i.e.,...

New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform

A popular vendor of Magento-Wordpress plug-ins/integrations with over 200,000 downloads, has been hacked. This recent attack is a reminder that...

8 Best Practices in Cyber Supply Chain Risk Management to Stay Safe

In this blog post, we'll discuss the four types of software supply chain threats businesses face. Use these 8 best practices in cyber supply chain...

Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

Update: a few weeks after this publication, GitHub decided to fix the issue and employed the mitigation we recommended to them in our initial report....

Google & Apache Found Vulnerable to GitHub Environment Injection

In this blog post, we'll discuss a new type of GitHub Actions workflow vulnerability we called "GitHub Environment Injection". We've found a couple of

10 Agile Software Development Security Concerns You Need to Know

Agile software development is a type of methodology that centers around the core principle of flexibility. Agile development methods recognize that a...

LastPass Software Supply Chain Attack: What Happened and Tips to Protect Against Similar Attacks

LastPass, one of the world's largest password managers with 25 million users, disclosed that an unauthorized party had gained access to portions of...

5 Things You Need to Know About Application Security in DevOps

Application Security (AppSec) is the process of identifying, testing, and fixing security flaws in an application. Although it may be tempting to...

Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

Earlier today, Stephen Lacy published a Twitter post about a massive attack attempt on GitHub. This attack attempt is a huge deal, but fortunately it...

How to Secure Your Software Supply Chain in 10 Steps

A software supply chain is the list of components, libraries, and tools used to build a software application. Software vendors often create products...

A Complete Guide to the Secure Software Development Lifecycle (SDLC)

Development teams already work in a very methodical repeating process – the Software Development Lifecycle (SDLC) – and a huge opportunity exists to ...

Secure SDLC: The Best Advice for Securing Your Code and Application Data in 2022 and Beyond

The principles of data security are pretty simple, although organizations have a tendency to short cut them in their SDLCs. Data security is defined...

Securing GitHub: How to Keep Your Code and Pipelines Safe from Hackers

GitHub is one of the most widely used software development platforms. You’d be hard-pressed to find a developer or a business that has never used or...

The Open Source Community And Its Critical Role in Software Supply Chain Security

As we head to the Open Source Summit conference next week, we wanted to discuss our contributions to the open source community, why we invest so much...

A 10-Step Application Security Risk Assessment Checklist

An application security risk assessment is a process of identifying, assessing, and managing the potential risks to an application.

GitHub Security Best Practices Your Team Should Be Following

Configuring security in GitHub correctly can offer strong protection against breaches related to application vulnerabilities. The platform comes with...

How to Use DevOps Security Tools to Protect Your Business

DevOps is a practice used to deliver software and services faster. As more businesses adopt DevOps, they are also adopting DevOps security tools to...

Forget Everything You Thought You Knew About DevOps and Security

DevOps isn’t a new concept. The term was first coined around 2009 by Patrick Debois as a way to describe not only technology and standards, but also...

What Are Immutable Tags And Can They Protect You From Supply Chain Attacks?

Artifacts, such as container images, are referenced during the development lifecycle using tags – a readable short name (usually a version like...

Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

In this blog post, we’ll explore a bug we’ve found in a popular third-party action and how in some cases it could lead to your SDLC pipeline being...

Re-thinking Application Security for DevSecOps and Scale

Application Security (AppSec) has been around for decades, but it has fallen behind application development advancements like DevOps and cloud. How...

Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

On Friday April 15, GitHub Security announced it had detected the compromise of OAuth access tokens issued to Heroku and Travis-CI integrations to...

What is an SBOM? SBOM explained in 5 minutes

SBOM stands for Software Bill Of Materials: a nested description of software artifact components and metadata. This information can also include...

A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important...

Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

At Legit Security, we’re focused on preventing software supply chain attacks and securing the SDLC for our customers and the broader cybersecurity...

Detecting Secrets in Your Source Code

Exposed secrets in source code pose a risk to you, your team and your entire organization. But what are secrets exactly? How do they become exposed?...

Announcing Legit Security: The Story Behind Our Mission

I'm excited to share that Legit Security is officially launching out of stealth mode. While in stealth, we’ve been incredibly busy acquiring our...

What Is SLSA? SLSA Explained In 5 Minutes

You’ve probably heard that software supply chain attacks are increasing rapidly and that the damage can be devastating. Both business and security...

History Repeats Itself: The Recurring Pattern of Supply Chain Security

For many business executives, familiarity with “software supply chain security” started around December 2020 when global news headlines covered the...

Software Supply Chain Security: How To Get Started?

In response to a rapid increase in software supply chain attacks, Security Professionals and Software Development Leaders are increasingly motivated...
