Limited Time Offer: Start a free trial with Legit's Secrets Detection & Prevention. Learn more today →

Blog Contact Us Sign In
Platform
Platform - ASPM Icon
Application Security Posture Management (ASPM)
Platform - Secrets and Source Code Leakage Protection Icon
Secrets and Source Code Leakage Protection
Platform - Continuous Compliance and SBOM Icon
Continuous Compliance and SBOM
Platform - Software Supply Chain Security SSCS Icon
Software Supply Chain Security (SSCS)
Platform - AI Security Posture Management (AI-SPM) Icon
AI Security Posture Management (AI-SPM)
Platform - AppSec Vulnerability Management Icon
AppSec Vulnerability Management
Integrations
Why Legit
Why Legit - Customers Icon
Customers
Resources
header mobile nav icon
Resources
Resources - Blog Icon
Blog
Resources - Resource Library Icon
Resource Library
Resources - Open Source with Legitify Icon
Open Source w/ Legitify
Resources - Events Icon
Events
Company
Company - Partners Icon
Partners
Company - About Legit Icon 2
About Legit
Company - Press Releases Icon 1
Press Releases
Company - In the News Icon
In the News
Company - Careers Icon
Careers
    Content Type
    View All AppSec Best Practices CISO Compliance DevOps Explainers Legit Partners SCMs SLSA Threats
    Legit Security | We cover how to perform application security risk assessments that allow you to maintain innovative and rapid app development strategy.
    AppSec

    5 Best Practices for Successful Application Risk Assessments

    February 15, 2023

    We cover how to perform application security risk assessments that allow you to maintain innovative and rapid app development strategy.

    Read More
    Learn tips to strengthen software supply chain security and address open source software security risks and best practices.
    Best Practices AppSec

    Top Open Source Supply Chain Security Risks & Tips to Prevent

    February 13, 2023

    Learn tips to strengthen software supply chain security and address open source software security risks and best practices.

    Read More
    Understand SDLC security with our breakdown of each Software Development Life Cycle stage for enhanced software protection.
    Explainers Best Practices

    What is Secure SDLC? Best Practices for Enhanced Security

    February 07, 2023

    Understand SDLC security with our breakdown of each Software Development Life Cycle stage for enhanced software protection.

    Read More
    Legit Security | We cover GUAC and its value for your team once GUAC reaches maturity and untangle the complexity of security and dependency metadata.
    Explainers Best Practices

    GUAC Explained in 5 Minutes

    January 31, 2023

    We cover GUAC and its value for your team once GUAC reaches maturity and untangle the complexity of security and dependency metadata.

    Read More
    Legitify is an open-source GitHub and GitLab configuration scanner from Legit Security that helps manage & enforce SCM configuration best practices in a secure and scalable way
    Legit SCMs

    Legitify adds support for GitLab and GitHub Enterprise Server

    January 25, 2023

    Legitify is an open-source GitHub and GitLab configuration scanner from Legit Security that helps manage & enforce SCM configuration best practices in a secure and scalable way

    Read More
    Legit Security | This blog details the five elements of the NIST cybersecurity framework and identifies the critical aspects of protecting any org.
    Explainers Best Practices

    What are the Five Elements of the NIST Cybersecurity Framework?

    January 23, 2023

    This blog details the five elements of the NIST cybersecurity framework and identifies the critical aspects of protecting any org.

    Read More
    Legit Security | We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.
    Threats

    Exposing Secrets Via SDLC Tools: The SonarQube Case

    January 19, 2023

    We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.

    Read More
    Explore our findings on a common markdown syntax vulnerability and its potential to cause Denial-of-Service (DoS) attacks.
    Legit Threats

    The MarkdownTime Vulnerability: How to Avoid DoS Attack on Business

    January 18, 2023

    Explore our findings on a common markdown syntax vulnerability and its potential to cause Denial-of-Service (DoS) attacks.

    Read More
    See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.
    Best Practices Legit Threats

    How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack

    January 04, 2023

    See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.

    Read More
    DevOps is a good approach to improving the efficiency of the software development life cycle, but, DevSecOps is the better way to approach the process.
    DevOps Explainers

    A DevOps Security Tutorial for Digital Business Leaders

    December 28, 2022

    DevOps is a good approach to improving the efficiency of the software development life cycle, but, DevSecOps is the better way to approach the process.

    Read More
    Examining the evolution of application security and why securing the modern SDLC requires organizations to embrace new approaches to supply chain security.
    CISO Best Practices AppSec

    Modern AppSec Requires Extending Beyond SCA and SAST

    December 06, 2022

    Examining the evolution of application security and why securing the modern SDLC requires organizations to embrace new approaches to supply chain security.

    Read More
    New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.
    Threats SCMs

    Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

    December 01, 2022

    New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

    Read More
    OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.
    Threats

    Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

    October 31, 2022

    OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.

    Read More
    On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.
    Threats

    Toyota Customer Data Leaked Due To Software Supply Chain Attack

    October 12, 2022

    On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.

    Read More
    If you haven’t already been integrating security into DevOps, now’s the time. Learn about the benefits & use this 4-step guide to secure your DevOps.
    CISO DevOps Best Practices

    Integrating Security into DevOps: A Step-By-Step Guide

    October 11, 2022

    If you haven’t already been integrating security into DevOps, now’s the time. Learn about the benefits & use this 4-step guide to secure your DevOps.

    Read More
    Legitify is an open-source GitHub configuration scanner from Legit Security that helps manage & enforce GitHub configurations in a secure and scalable way
    Legit SCMs

    Introducing Legitify: A Better Way To Secure GitHub

    October 05, 2022

    Legitify is an open-source GitHub configuration scanner from Legit Security that helps manage & enforce GitHub configurations in a secure and scalable way

    Read More
    On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.
    Threats

    Software Supply Chain Attack Leads to Trojanized Comm100 Installer

    October 03, 2022

    On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.

    Read More
    GitHub configurations aren't secure out of the box. It's up to you to secure them. This blog discusses GitHub's new Codespaces product and how to secure it.
    Best Practices SCMs

    GitHub Codespaces Security Best Practices

    September 28, 2022

    GitHub configurations aren't secure out of the box. It's up to you to secure them. This blog discusses GitHub's new Codespaces product and how to secure it.

    Read More
    Discover four key supply chain risks every CISO must address as software technology evolves and security becomes crucial.
    CISO Best Practices

    Software Supply Chain Risks to Be Aware of

    September 22, 2022

    Discover four key supply chain risks every CISO must address as software technology evolves and security becomes crucial.

    Read More
    Malicious actors are poisoning your artifacts to compromise your software supply chain. Learn how to protect your software artifacts and secure servers.
    Best Practices Threats

    Software Artifacts Best Practices to Prevent Getting Hacked

    September 19, 2022

    Malicious actors are poisoning your artifacts to compromise your software supply chain. Learn how to protect your software artifacts and secure servers.

    Read More
    A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.
    Threats

    New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform

    September 15, 2022

    A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.

    Read More
    Discover the four types of threats to business software supply chains and the 8 best practices in risk management to help keep them secure.
    Best Practices

    8 Best Practices in Cyber Supply Chain Risk Management to Stay Safe

    September 13, 2022

    Discover the four types of threats to business software supply chains and the 8 best practices in risk management to help keep them secure.

    Read More
    GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.
    Threats SCMs

    Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

    September 08, 2022

    GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

    Read More
    Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.
    Legit Threats SCMs

    Google & Apache Found Vulnerable to GitHub Environment Injection

    September 01, 2022

    Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

    Read More
    Agile development methodology has become increasingly popular, but it doesn’t come without security concerns. Get to know the top 10 agile software development security concerns you face.
    CISO DevOps Best Practices

    10 Agile Software Development Security Concerns You Need to Know

    August 31, 2022

    Agile development methodology has become increasingly popular, but it doesn’t come without security concerns. Get to know the top 10 agile software development security concerns you face.

    Read More
    LastPass data breach: unauthorized access compromised developer accounts and proprietary source code. Learn about the LastPass security incident details and how to protect your business.
    Best Practices Threats

    How Was LastPass Compromised?? Software Supply Chain Attack Tips

    August 29, 2022

    LastPass data breach: unauthorized access compromised developer accounts and proprietary source code. Learn about the LastPass security incident details and how to protect your business.

    Read More
    AppSec isn’t always top of mind - but it should be. And here’s why. Learn about the 5 things you need to know about application security in DevOps.
    DevOps Best Practices AppSec

    5 Things You Need to Know About Application Security in DevOps

    August 22, 2022

    AppSec isn’t always top of mind - but it should be. And here’s why. Learn about the 5 things you need to know about application security in DevOps.

    Read More
    Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.
    Threats SCMs

    Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

    August 03, 2022

    Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

    Read More
    Create a Secure Software Supply Chain in 10 Easy Steps In today’s age of security breaches, it’s more important than ever to create a secure software supply chain. Follow these 10 easy steps to keep your business safe.
    CISO Best Practices

    How to Secure Your Software Supply Chain in 10 Steps

    August 02, 2022

    Create a Secure Software Supply Chain in 10 Easy Steps In today’s age of security breaches, it’s more important than ever to create a secure software supply chain. Follow these 10 easy steps to keep your business safe.

    Read More
    Explore how to seamlessly integrate security into SDLC phases, transforming your development process to achieve enhanced protection and resilience.
    CISO DevOps Best Practices AppSec

    Secure Software Development Lifecycle (SDLC): Key Phases Guide

    July 18, 2022

    Explore how to seamlessly integrate security into SDLC phases, transforming your development process to achieve enhanced protection and resilience.

    Read More
    Boost your business with secure coding practices. Explore our list to improve data security practices and ensure success in your SDLC.
    Best Practices AppSec

    Data Security Best Practices to Code Securely and Protect Your Data

    July 05, 2022

    Boost your business with secure coding practices. Explore our list to improve data security practices and ensure success in your SDLC.

    Read More
    Is GitHub safe? Discover how developers can avoid misconfigurations and vulnerabilities to ensure secure collaboration on GitHub.
    Best Practices SCMs

    Secure GitHub: How to Keep Your Code and Pipelines Safe from Hackers

    June 20, 2022

    Is GitHub safe? Discover how developers can avoid misconfigurations and vulnerabilities to ensure secure collaboration on GitHub.

    Read More
    A review of our contributions to the open source community and why the open source community is important to the future of software supply chain security.
    Legit

    The Open Source Community And Its Critical Role in Software Supply Chain Security

    June 13, 2022

    A review of our contributions to the open source community and why the open source community is important to the future of software supply chain security.

    Read More
    An application risk assessment is an essential tool to help security and development teams spot hidden vulnerabilities before they become a problem.
    Best Practices AppSec

    A 10-Step Application Security Risk Assessment Checklist

    June 06, 2022

    An application risk assessment is an essential tool to help security and development teams spot hidden vulnerabilities before they become a problem.

    Read More
    This article will explain why security and GitHub should go hand in hand and describes a few best practices we believe any organization using GitHub should employ to reduce GitHub security risks.
    Best Practices SCMs

    GitHub Security Best Practices Your Team Should Be Following

    May 31, 2022

    This article will explain why security and GitHub should go hand in hand and describes a few best practices we believe any organization using GitHub should employ to reduce GitHub security risks.

    Read More
    Debunk common DevSecOps myths and discover why understanding the actual role of DevSecOps is essential for modern security and development practices.
    DevOps Best Practices

    Forget about DevOps, It’s Time to Adopt the DevSecOps Mindset

    May 16, 2022

    Debunk common DevSecOps myths and discover why understanding the actual role of DevSecOps is essential for modern security and development practices.

    Read More
    Some tags cannot be trusted to reference the same object all the time, and can be changed without the users’ knowledge, opening the door to a supply chain attack.
    Explainers Best Practices

    What Are Immutable Tags And Can They Protect You From Supply Chain Attacks?

    May 09, 2022

    Some tags cannot be trusted to reference the same object all the time, and can be changed without the users’ knowledge, opening the door to a supply chain attack.

    Read More
    We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.
    Best Practices Legit Threats SCMs

    Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

    May 02, 2022

    We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

    Read More
    AppSec and DevSecOps leaders need to secure the business from increasing software supply chain attacks, while improving their overall AppSec effectiveness and efficiency.
    CISO DevOps AppSec

    Re-thinking Application Security for DevSecOps and Scale

    April 25, 2022

    AppSec and DevSecOps leaders need to secure the business from increasing software supply chain attacks, while improving their overall AppSec effectiveness and efficiency.

    Read More
    This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.
    Explainers Threats SCMs

    Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

    April 18, 2022

    This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

    Read More
    What is an #SBOM, how is it used and why it is important to software supply chain security? We explain the SBOM in 5 minutes, discuss where SBOM adoption is headed and help you think beyond SBOM to gain greater visibility and security across your entire software supply chain environment.
    Explainers

    What is an SBOM? SBOM explained in 5 minutes

    April 11, 2022

    What is an #SBOM, how is it used and why it is important to software supply chain security? We explain the SBOM in 5 minutes, discuss where SBOM adoption is headed and help you think beyond SBOM to gain greater visibility and security across your entire software supply chain environment.

    Read More
    On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.
    Threats SCMs

    A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

    April 06, 2022

    On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.

    Read More
    Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.
    Best Practices Legit Threats SCMs

    Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

    April 04, 2022

    Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.

    Read More
    What are secrets in source code, why they must be protected, and how to keep them safe.
    Explainers Threats SCMs

    Detecting Secrets in Your Source Code

    March 11, 2022

    What are secrets in source code, why they must be protected, and how to keep them safe.

    Read More
    Join us in celebrating the release of stealth mode.
    CISO AppSec Legit

    Announcing Legit Security: The Story Behind Our Mission

    January 28, 2022

    Join us in celebrating the release of stealth mode.

    Read More
    Learn about SLSA (Supply-chain Levels for Software Artifacts), a security framework and a common language for improving software security and supply chain integrity.
    Explainers

    What Is SLSA? SLSA Explained In 5 Minutes

    January 21, 2022

    Learn about SLSA (Supply-chain Levels for Software Artifacts), a security framework and a common language for improving software security and supply chain integrity.

    Read More

    Request a Demo

    Request a demo including the option to analyze your own software supply chain.

    Request a Demo