
Latest DevOps security news


Squaring the CircleCI
DevOps platform publishes post-mortem on recent breach
16 January 2023

Devs urged to rotate secrets after CircleCI suffers breach
DevOps platform advises customers to revoke API tokens
05 January 2023

Finding the next Log4j
OpenSSF’s Brian Behlendorf champions ‘risk-centered’ OS development
23 December 2022

Safeurl library brings SSRF protection to Go applications
Prizes offered to anyone who can bypass the library and capture the flag
19 December 2022

All Day DevOps
Third of Log4j downloads still pull vulnerable version despite growing awareness of supply chain attacks
14 November 2022

‘We don’t teach devs how to write secure software’
Linux Foundation’s David A Wheeler on reversing the CVE surge
14 October 2022

GitLab patches RCE bug in GitHub data import function
Data importation mechanism failed to sanitize imports
13 October 2022

JavaScript sandbox RCE
vm2 addresses threat to dev, production environments
04 October 2022

Webhook, line, and sinker
CI/CD servers can be breached through SCM webhooks
23 September 2022

Bug Bounty Radar
The latest bug bounty programs for September 2022
02 September 2022

Command injection vulnerability in GitHub Pages nets bug hunter $4k
Exploit involved duping developers into exposing repositories with social engineering techniques
31 August 2022

Critical command injection vulnerability in Bitbucket Server and Data Center
Update now to protect against flaw
26 August 2022

DevSecWhat?
Developers still struggling with security issues during code reviews
17 August 2022

Black Hat USA
Log4j de-obfuscator Ox4Shell ‘dramatically’ reduces analysis time
11 August 2022

HTTP parameter smuggling flaw found in Go projects
Harbor, Traefik, and Skipper projects tackle unsafe URL parsing methods
04 August 2022

Jenkins security
Unpatched XSS, CSRF bugs included in latest plugin advisory
03 August 2022

‘You get respect for owning what happened’
SolarWinds’ CISO on the legacy and lessons of Sunburst
01 August 2022

GitHub Actions
Workflow flaws provided write access to projects including Logstash
29 July 2022

Google XSS vulnerabilities could lead to account hijacks
Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties
29 July 2022

Bug Bounty Radar
The latest bug bounty programs for August 2022
29 July 2022

‘We’re still fighting last decade’s battle’
Sonatype CTO Brian Fox on the struggle to secure the neglected software supply chain
22 July 2022

Atlassian patches batch of critical vulnerabilities
Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected
21 July 2022

GPS hacker
Zero-days in tracking device pose surveillance, fuel cut-off risks
20 July 2022

Better identity security
W3C launches Decentralized Identifiers as a web standard
20 July 2022

‘Endemic’ Log4j bug will persist in wild for a ‘decade or longer’
Inaugural report from cyber safety panel outlines strengths and weaknesses exposed by momentous security flaw
18 July 2022

Patch now!
Vulnerability in AWS IAM Authenticator for Kubernetes could allow user impersonation attacks
13 July 2022

PyPI to send 4,000 security keys to ‘critical projects’
Google is providing Titan Security Keys to maintainers of projects in top 1% of downloads
11 July 2022

Decentralized Identifiers
Everything you need to know about the next-gen web ID tech
08 July 2022

DevOps disruption
Atlassian patches SSRF in Jira
06 July 2022

CWE Top 25
These are the most dangerous software weaknesses of 2022
05 July 2022

Latest web hacking tools – Q3 2022
We take a look at the latest additions to security researchers’ armory
01 July 2022

Bug Bounty Radar
The latest bug bounty programs for July 2022
30 June 2022

YARAify
Tool scans suspicious files against a large repository of YARA rules
29 June 2022

Splunk patches critical vulnerability while users push for legacy updates
Users call for security update back-port to support earlier versions
23 June 2022

One in every 13 incidents blamed on API insecurity
Larger organizations are statistically more at risk, warns Imperva
22 June 2022