NEW Gartner® Report: Hype Cycle™ for Application Security, 2023

Download Now
Platform
header mobile nav icon
Platform
warranty-badge-highlight 1
Software Supply Chain Security

dashboard-3 1
Application Security Control Plane

cloud-data-transfer 1
Code To Cloud Traceability

shield-check 1
Compliance & SBOM

Customers Company
header mobile nav icon
Company
book icon primary 200
About Us

briefcase icon primary 200
Careers

message icon primary 200
News

calendar icon primary 200
Events

Resources
header mobile nav icon
Resources
squared pencil icon primary 200
Blog

bookmark icon primary 200
Resource Library

brackets icon primary 200
Open Source

Contact Us

Blogs about Threats

    Topic
    View All AppSec Best Practices CISO DevOps Explainers Legit Partners SCMs Threats
    Legit Security | Learn how the use of Large Language Models (LLMs) like OpenAI's GPT and Google's Bard can create security risks in your applications.
    Best Practices AppSec Threats

    Emerging Risks with Embedded LLM in Applications

    Learn how the use of Large Language Models (LLMs) like OpenAI's GPT and Google's Bard can create security risks in your applications.

    Read More
    Legit Security | This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository.
    Legit Threats

    How We Found Another GitHub Actions Environment Injection Vulnerability in a Google Project

    This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository.

    Read More
    Legit Security | On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.
    Explainers AppSec Threats

    Supply Chain Attacks Overflow: PyPI Suspended New Registrations

    On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.

    Read More
    Legit Security | In this blog series, we uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts.
    AppSec Threats

    SLSA Provenance Blog Series, Part 1: What Is Software Attestation

    In this blog series, we uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts.

    Read More
    Legit Security | Learn the risks of exposing secrets through leaked source code and why traditional code scanners may not be enough to fight threats.
    AppSec Threats

    New Techniques Attackers Are Using to Harvest Your Secrets

    Learn the risks of exposing secrets through leaked source code and why traditional code scanners may not be enough to fight threats.

    Read More
    Legit Security | Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.
    Best Practices Threats

    The Business Risks and Costs of Source Code Leaks and Prevention Tips

    Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.

    Read More
    Legit Security | 3CX, an international VoIP IPBX software, experienced software supply chain attack. We detail what occurred, and how it can be prevented.
    Explainers AppSec Threats

    Sophisticated 3CX Software Supply Chain Attack Affects Millions of Users

    3CX, an international VoIP IPBX software, experienced software supply chain attack. We detail what occurred, and how it can be prevented.

    Read More
    Legit Security | Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.
    Threats

    Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack

    Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.

    Read More
    Discover 8 of the top threats to cloud applications in 2023 and learn about techniques that can be employed to help keep your cloud applications secure.
    Explainers Best Practices Threats

    The Top 8 Cloud Application Threats in 2023

    Discover 8 of the top threats to cloud applications in 2023 and learn about techniques that can be employed to help keep your cloud applications secure.

    Read More
    Legit Security | We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.
    Threats

    Exposing Secrets Via SDLC Tools: The SonarQube Case

    We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.

    Read More
    We explore a vulnerability we found in a popular implementation of the markdown engine and the potential Denial-of-Service (DoS) attack that it could cause on projects rendering markdown.
    Legit Threats

    The MarkdownTime Vulnerability: How to Avoid This DoS Attack on Business Critical Services

    We explore a vulnerability we found in a popular implementation of the markdown engine and the potential Denial-of-Service (DoS) attack that it could cause on projects rendering markdown.

    Read More
    See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.
    Best Practices Legit Threats

    How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack

    See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.

    Read More
    New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.
    Threats SCMs

    Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

    New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

    Read More
    OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.
    Threats

    Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

    OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.

    Read More
    On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.
    Threats

    Toyota Customer Data Leaked Due To Software Supply Chain Attack

    On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.

    Read More
    On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.
    Threats

    Software Supply Chain Attack Leads to Trojanized Comm100 Installer

    On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.

    Read More
    Malicious actors are poisoning your artifacts in an attempt to infect your software supply chain so that you deploy those compromised artifacts to your production servers.
    Best Practices Threats

    Why You Can Still Get Hacked Even After Signing Your Software Artifacts

    Malicious actors are poisoning your artifacts in an attempt to infect your software supply chain so that you deploy those compromised artifacts to your production servers.

    Read More
    A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.
    Threats

    New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform

    A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.

    Read More
    GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.
    Threats SCMs

    Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

    GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

    Read More
    Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.
    Legit Threats SCMs

    Google & Apache Found Vulnerable to GitHub Environment Injection

    Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

    Read More
    LastPass disclosed that an unauthorized party had gained access to portions of the LastPass developer environment. An attacker gained access to developer account credentials and used them to exfiltrate portions of their proprietary source code.
    Best Practices Threats

    LastPass Software Supply Chain Attack: What Happened and Tips to Protect Against Similar Attacks

    LastPass disclosed that an unauthorized party had gained access to portions of the LastPass developer environment. An attacker gained access to developer account credentials and used them to exfiltrate portions of their proprietary source code.

    Read More
    Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.
    Threats SCMs

    Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

    Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

    Read More
    We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.
    Best Practices Legit Threats SCMs

    Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

    We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

    Read More
    This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.
    Explainers Threats SCMs

    Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

    This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

    Read More
    On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.
    Threats SCMs

    A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

    On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.

    Read More
    Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.
    Best Practices Legit Threats SCMs

    Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

    Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.

    Read More
    What are secrets in source code, why they must be protected, and how to keep them safe.
    Explainers Threats SCMs

    Detecting Secrets in Your Source Code

    What are secrets in source code, why they must be protected, and how to keep them safe.

    Read More

    Schedule a Demo

    Book a demo including the option to analyze your own software supply chain.

    Book a Demo