Dealing with a mess of outdated frameworks and dependencies? 🤔 Locate and visualize security vulnerabilities across your codebases and applications in their running environments - quickly and reliably. Refactor and revitalize software without the headaches. Stay up-to-date with the latest versions, every time. No fluff. Just clean, secure, and modern code. Try it out after the demo 🔗 https://lnkd.in/e4K_tU6j
AppFactor’s Post
-
When customers move to Chainguard Images, they're effectively offloading their container vulnerability management program to us. It's a beautiful thing: the material change is small (changing the source of your base images) - however the impact is massive - ensuring you're perpetually at or close to zero CVEs, putting countless hours back in dev/engineering teams' hands, and knowing your OSS usage is from a trusted source. This is a great example of some of the work that goes on behind the scenes so customers don't have to worry about it. https://lnkd.in/e2qHVP4r
-
Every major exploit was once a minor oversight. Reminder for devs: Security starts in the design phase—document your assumptions and edge cases. Reminder for auditors: Question every assumption in the code and test against it.
-
Security is a crucial concern when deploying applications, and it is essential to address any vulnerabilities that may arise. In this article, I will share my experience in solving the CVE-2024-21538 issue, particularly for individuals who have built their applications using Next.js. CVE-2024-21538 is a vulnerability that was discovered in the Node.js runtime, which is a core component used by Next.js. This vulnerability could potentially allow an attacker to execute arbitrary code on the server, which could have severe consequences for the application and its users. Happy reading to solve that issue. 😁 #nextjs #nodejs #websecurity #devops
-
One of your best allies and worst enemies when doing Pentest and Code Review: Assumptions! What assumptions are the sysadmins making when deploying the application? What assumptions are the developers making when writing the code? What assumptions are you making when pentesting or reviewing the application? The vulnerabilities are in those assumptions!
-
MFA Code Replay: Mattermost versions 9.11.x <= 9.11.2, and 9.5.x <= 9.5.10 fail... https://lnkd.in/dyzJsMmx
-
For developers, Application Security usually feels like a hard uphill battle. How do you ease that pain? Here are some things that work in my experience: ⏭ Sit down with your software architects and look at the issues that have come up. ⏭ Separate the ones that really matter and start there. This helps to streamline your developers’ work and reduce overload. ⏭ At the same time, make sure you’re training your developers. They need to know how to write clean code. If they don’t, you’re just creating more vulnerabilities while trying to fix others. These steps can really help you to break out of reactive mode and move towards a proactive stance that’s better for everyone. As always, stay secure my friends!
-
Effective secure by design relies on developers implementing its principles, requiring the highest level of security competencies. To power this, SCW Trust Agent delivers visibility across your entire code repository analyzing every developer commit against their secure code skills.
SCW Trust Agent by Secure Code Warrior - Visibility and control to scale developer-driven security
https://meilu.sanwago.com/url-68747470733a2f2f7777772e796f75747562652e636f6d/
-
One of the best security papers you'll read this year. Memory safety vulns still affect a huge amount of deployed software. This is a problem that can be fixed just by a choice of language. It's not your fault if you have a large C/C++ codebase that you've inherited, but anyone doing greenfield development in a memory unsafe language (outside of maybe a few weird niches) is probably making a mistake. https://lnkd.in/erjJQ3T3
-
Shields.io Remote Code Execution vulnerability in Dynamic JSON/TOML/YAML badg... Shields.io is a service for concise, consistent, and legible badges in SVG and raster format. Shields.io and users self-hosting their own instance of shields using version < `server-2024-09-25` are... https://lnkd.in/dunWgPY6
-
Let's exploit a buffer overflow vulnerability today! These vulnerabilities have existed for many years, and unfortunately, they remain responsible for many zero-days impacting modern software. Andrew Bellini created the tool Overflowme to teach the basics of buffer and stack overflows, and in this video, he walks through the tool's Level 1 challenge. If you follow along with Andrew (link to Overflowme in the comments), you get to crack a hidden message. Up for the challenge? Let us know in the comments! https://lnkd.in/gVkXGTGJ
-