Legit Security | This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository.

How We Found Another GitHub Actions Environment Injection Vulnerability in a Google Project

July 03, 2023

This blog shows another case of GitHub Actions environment injection vulnerability in a Google repository.

Read More
 Legit Security | This blog analyzes trends in application security and predicts the future direction of enterprise application security programs.

2023 Predictions for Modern Application Security

July 03, 2023

This blog analyzes trends in application security and predicts the future direction of enterprise application security programs.

Read More
Compare SCA vs SAST to enhance cybersecurity. Understand their methods, benefits, and how they protect against software supply chain threats.

SCA vs SAST: Cybersecurity Comparison Tools

June 27, 2023

Compare SCA vs SAST to enhance cybersecurity. Understand their methods, benefits, and how they protect against software supply chain threats.

Read More
Discover core functions, benefits, and tips for selecting the best vulnerability management solutions to boost your cybersecurity efforts.

How to Choose the Right Vulnerability Management Tools

June 20, 2023

Discover core functions, benefits, and tips for selecting the best vulnerability management solutions to boost your cybersecurity efforts.

Read More
Boost the security of your code with the NIST SSDF (Secure Software Development Framework). Safeguard your business and stay ahead of evolving cyber threats.

NIST Secure Software Development Framework Tips to Stay Ahead of Future Requirements

June 02, 2023

Boost the security of your code with the NIST SSDF (Secure Software Development Framework). Safeguard your business and stay ahead of evolving cyber threats.

Read More
Legit Security | On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.

Embracing the Future of Secure Software Development: A Comprehensive Look at the SSDF

May 25, 2023

On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.

Read More
Legit Security | On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.

Supply Chain Attacks Overflow: PyPI Suspended New Registrations

May 22, 2023

On May 20th, PyPI (the official Python Package manager) announced they are temporarily suspending new users and new project registration.

Read More
Legit Security | Get insights into the elements of ASPM to learn how this approach transforms AppSec and enables teams to deliver securely at scale. 

What is Application Security Posture Management – Insights Into Gartner’s® New Report

May 15, 2023

Get insights into the elements of ASPM to learn how this approach transforms AppSec and enables teams to deliver securely at scale. 

Read More
Discover the SLSA framework, designed to ensure the integrity of software artifacts and enhance overall software supply chain security.

Deep Dive Into SLSA Provenance and Software Attestation

May 10, 2023

Discover the SLSA framework, designed to ensure the integrity of software artifacts and enhance overall software supply chain security.

Read More
Legit Security | In this blog series, we uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts.

SLSA Provenance Blog Series, Part 1: What Is Software Attestation

May 09, 2023

In this blog series, we uncover the details of SLSA provenance which refers to the ability to trust the authenticity of artifacts.

Read More
Explore the risks of secret exposure through leaked source code & why traditional scanners may not fully protect against it. Learn effective security strategies for secrets in the SDLC.

5 Ways Attackers Exploit Hardcoded Secrets & How to Prevent

April 25, 2023

Explore the risks of secret exposure through leaked source code & why traditional scanners may not fully protect against it. Learn effective security strategies for secrets in the SDLC.

Read More
Legit Security | Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.

The Business Risks and Costs of Source Code Leaks and Prevention Tips

April 24, 2023

Protect your business from the serious consequences of code leaks by taking proactive measures to enhance your cybersecurity posture.

Read More
Legit Security | We talk about why you need code to cloud traceability to modernize your application security and secure your SDLC and CI/CD processes.

Modern AppSec Needs Code to Cloud Traceability

April 17, 2023

We talk about why you need code to cloud traceability to modernize your application security and secure your SDLC and CI/CD processes.

Read More
Legit Security | With the explosion of attacks in the modern DevOps stack, it has become a vital business requirement to provide security for SDLC.

Tips to Secure the Software Development Lifecycle (SDLC) in Each Phase

April 12, 2023

With the explosion of attacks in the modern DevOps stack, it has become a vital business requirement to provide security for SDLC.

Read More
Legit Security | 3CX, an international VoIP IPBX software, experienced software supply chain attack. We detail what occurred, and how it can be prevented.

Sophisticated 3CX Software Supply Chain Attack Affects Millions of Users

March 31, 2023

3CX, an international VoIP IPBX software, experienced software supply chain attack. We detail what occurred, and how it can be prevented.

Read More
Legit Security | Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.

Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack

March 30, 2023

Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline.

Read More
Discover top cloud security threats and learn effective techniques to keep your cloud applications secure year-round.

Top 8 Cloud Application Security Challenges and Issues

March 14, 2023

Discover top cloud security threats and learn effective techniques to keep your cloud applications secure year-round.

Read More
Legit Security | Our team investigated how sensitive information can get exposed via SDLC tools that may be used as part of your development pipeline.

Exposing Secrets Via SDLC Tools: The Artifactory Case

February 28, 2023

Our team investigated how sensitive information can get exposed via SDLC tools that may be used as part of your development pipeline.

Read More
Legit Security | We cover how to perform application security risk assessments that allow you to maintain innovative and rapid app development strategy.

5 Best Practices for Successful Application Risk Assessments

February 15, 2023

We cover how to perform application security risk assessments that allow you to maintain innovative and rapid app development strategy.

Read More
Learn tips to strengthen software supply chain security and address open source software security risks and best practices.

Top Open Source Supply Chain Security Risks & Tips to Prevent

February 13, 2023

Learn tips to strengthen software supply chain security and address open source software security risks and best practices.

Read More
Understand SDLC security with our breakdown of each Software Development Life Cycle stage for enhanced software protection.

What is Secure SDLC? Best Practices for Enhanced Security

February 07, 2023

Understand SDLC security with our breakdown of each Software Development Life Cycle stage for enhanced software protection.

Read More
Legit Security | We cover GUAC and its value for your team once GUAC reaches maturity and untangle the complexity of security and dependency metadata.

GUAC Explained in 5 Minutes

January 31, 2023

We cover GUAC and its value for your team once GUAC reaches maturity and untangle the complexity of security and dependency metadata.

Read More
Legitify is an open-source GitHub and GitLab configuration scanner from Legit Security that helps manage & enforce SCM configuration best practices in a secure and scalable way

Legitify adds support for GitLab and GitHub Enterprise Server

January 25, 2023

Legitify is an open-source GitHub and GitLab configuration scanner from Legit Security that helps manage & enforce SCM configuration best practices in a secure and scalable way

Read More
Legit Security | This blog details the five elements of the NIST cybersecurity framework and identifies the critical aspects of protecting any org.

What are the Five Elements of the NIST Cybersecurity Framework?

January 23, 2023

This blog details the five elements of the NIST cybersecurity framework and identifies the critical aspects of protecting any org.

Read More
Legit Security | We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.

Exposing Secrets Via SDLC Tools: The SonarQube Case

January 19, 2023

We investigate how sensitive information can get exposed via AppSec tools that you use in your dev pipeline, using the SonarQube Case.

Read More
Explore our findings on a common markdown syntax vulnerability and its potential to cause Denial-of-Service (DoS) attacks.

The MarkdownTime Vulnerability: How to Avoid DoS Attack on Business

January 18, 2023

Explore our findings on a common markdown syntax vulnerability and its potential to cause Denial-of-Service (DoS) attacks.

Read More
See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.

How to Continuously Detect Vulnerable Jenkins Plugins to Avoid a Software Supply Chain Attack

January 04, 2023

See how attackers used compromised Jenkins plugins to attack the software supply chain and how to continuously detect vulnerable Jenkins plugins at scale.

Read More
DevOps is a good approach to improving the efficiency of the software development life cycle, but, DevSecOps is the better way to approach the process.

A DevOps Security Tutorial for Digital Business Leaders

December 28, 2022

DevOps is a good approach to improving the efficiency of the software development life cycle, but, DevSecOps is the better way to approach the process.

Read More
Examining the evolution of application security and why securing the modern SDLC requires organizations to embrace new approaches to supply chain security.

Modern AppSec Requires Extending Beyond SCA and SAST

December 06, 2022

Examining the evolution of application security and why securing the modern SDLC requires organizations to embrace new approaches to supply chain security.

Read More
 New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

December 01, 2022

New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

Read More
OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.

Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

October 31, 2022

OpenSSL has announced a critical fix in version 3.0.7 to be released Nov 1st. It means that on Tuesday the race will start between those who patch and those who exploit.

Read More
On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.

Toyota Customer Data Leaked Due To Software Supply Chain Attack

October 12, 2022

On Oct 7th, Toyota announced a possible data leakage incident. The compromised data contained 296,019 customers' private information, including customers' personal email addresses.

Read More
If you haven’t already been integrating security into DevOps, now’s the time. Learn about the benefits & use this 4-step guide to secure your DevOps.

Integrating Security into DevOps: A Step-By-Step Guide

October 11, 2022

If you haven’t already been integrating security into DevOps, now’s the time. Learn about the benefits & use this 4-step guide to secure your DevOps.

Read More
Legitify is an open-source GitHub configuration scanner from Legit Security that helps manage & enforce GitHub configurations in a secure and scalable way

Introducing Legitify: A Better Way To Secure GitHub

October 05, 2022

Legitify is an open-source GitHub configuration scanner from Legit Security that helps manage & enforce GitHub configurations in a secure and scalable way

Read More
On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.

Software Supply Chain Attack Leads to Trojanized Comm100 Installer

October 03, 2022

On the 29th of September, it was revealed that the installer for the widely used Comm100 Live Chat application included malicious trojan malware. The installer was compromised using a supply chain attack on the Comm100 development pipeline.

Read More
GitHub configurations aren't secure out of the box. It's up to you to secure them. This blog discusses GitHub's new Codespaces product and how to secure it.

GitHub Codespaces Security Best Practices

September 28, 2022

GitHub configurations aren't secure out of the box. It's up to you to secure them. This blog discusses GitHub's new Codespaces product and how to secure it.

Read More
Discover four key supply chain risks every CISO must address as software technology evolves and security becomes crucial.

Software Supply Chain Risks to Be Aware of

September 22, 2022

Discover four key supply chain risks every CISO must address as software technology evolves and security becomes crucial.

Read More
Malicious actors are poisoning your artifacts to compromise your software supply chain. Learn how to protect your software artifacts and secure servers.

Software Artifacts Best Practices to Prevent Getting Hacked

September 19, 2022

Malicious actors are poisoning your artifacts to compromise your software supply chain. Learn how to protect your software artifacts and secure servers.

Read More
A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.

New Software Supply Chain Attack Installs Trojans on Adobe's Magento E-Commerce Platform

September 15, 2022

A popular vendor of Magento-Wordpress plug-ins/integrations with 200,000 downloads, has been hacked. This attack is a reminder that malicious 3rd party plug-ins for popular platforms, in this case FishPig integrations for Magento e-commerce platforms, can open the door to critical vulnerabilities.

Read More
Discover the four types of threats to business software supply chains and the 8 best practices in risk management to help keep them secure.

8 Best Practices in Cyber Supply Chain Risk Management to Stay Safe

September 13, 2022

Discover the four types of threats to business software supply chains and the 8 best practices in risk management to help keep them secure.

Read More
GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

September 08, 2022

GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

Read More
Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

Google & Apache Found Vulnerable to GitHub Environment Injection

September 01, 2022

Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

Read More
Agile development methodology has become increasingly popular, but it doesn’t come without security concerns. Get to know the top 10 agile software development security concerns you face.

10 Agile Software Development Security Concerns You Need to Know

August 31, 2022

Agile development methodology has become increasingly popular, but it doesn’t come without security concerns. Get to know the top 10 agile software development security concerns you face.

Read More
LastPass data breach: unauthorized access compromised developer accounts and proprietary source code. Learn about the LastPass security incident details and how to protect your business.

How Was LastPass Compromised?? Software Supply Chain Attack Tips

August 29, 2022

LastPass data breach: unauthorized access compromised developer accounts and proprietary source code. Learn about the LastPass security incident details and how to protect your business.

Read More
AppSec isn’t always top of mind - but it should be. And here’s why. Learn about the 5 things you need to know about application security in DevOps.

5 Things You Need to Know About Application Security in DevOps

August 22, 2022

AppSec isn’t always top of mind - but it should be. And here’s why. Learn about the 5 things you need to know about application security in DevOps.

Read More
Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

August 03, 2022

Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

Read More
Create a Secure Software Supply Chain in 10 Easy Steps

In today’s age of security breaches, it’s more important than ever to create a secure software supply chain. Follow these 10 easy steps to keep your business safe.

How to Secure Your Software Supply Chain in 10 Steps

August 02, 2022

Create a Secure Software Supply Chain in 10 Easy Steps In today’s age of security breaches, it’s more important than ever to create a secure software supply chain. Follow these 10 easy steps to keep your business safe.

Read More
Explore how to seamlessly integrate security into SDLC phases, transforming your development process to achieve enhanced protection and resilience.

Secure Software Development Lifecycle (SDLC): Key Phases Guide

July 18, 2022

Explore how to seamlessly integrate security into SDLC phases, transforming your development process to achieve enhanced protection and resilience.

Read More
Boost your business with secure coding practices. Explore our list to improve data security practices and ensure success in your SDLC.

Data Security Best Practices to Code Securely and Protect Your Data

July 05, 2022

Boost your business with secure coding practices. Explore our list to improve data security practices and ensure success in your SDLC.

Read More
Is GitHub safe? Discover how developers can avoid misconfigurations and vulnerabilities to ensure secure collaboration on GitHub.

Secure GitHub: How to Keep Your Code and Pipelines Safe from Hackers

June 20, 2022

Is GitHub safe? Discover how developers can avoid misconfigurations and vulnerabilities to ensure secure collaboration on GitHub.

Read More
A review of our contributions to the open source community and why the open source community is important to the future of software supply chain security.

The Open Source Community And Its Critical Role in Software Supply Chain Security

June 13, 2022

A review of our contributions to the open source community and why the open source community is important to the future of software supply chain security.

Read More
An application risk assessment is an essential tool to help security and development teams spot hidden vulnerabilities before they become a problem.

A 10-Step Application Security Risk Assessment Checklist

June 06, 2022

An application risk assessment is an essential tool to help security and development teams spot hidden vulnerabilities before they become a problem.

Read More
This article will explain why security and GitHub should go hand in hand and describes a few best practices we believe any organization using GitHub should employ to reduce GitHub security risks.

GitHub Security Best Practices Your Team Should Be Following

May 31, 2022

This article will explain why security and GitHub should go hand in hand and describes a few best practices we believe any organization using GitHub should employ to reduce GitHub security risks.

Read More
Debunk common DevSecOps myths and discover why understanding the actual role of DevSecOps is essential for modern security and development practices.

Forget about DevOps, It’s Time to Adopt the DevSecOps Mindset

May 16, 2022

Debunk common DevSecOps myths and discover why understanding the actual role of DevSecOps is essential for modern security and development practices.

Read More
Some tags cannot be trusted to reference the same object all the time, and can be changed without the users’ knowledge, opening the door to a supply chain attack.

What Are Immutable Tags And Can They Protect You From Supply Chain Attacks?

May 09, 2022

Some tags cannot be trusted to reference the same object all the time, and can be changed without the users’ knowledge, opening the door to a supply chain attack.

Read More
We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

May 02, 2022

We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

Read More
AppSec and DevSecOps leaders need to secure the business from increasing software supply chain attacks, while improving their overall AppSec effectiveness and efficiency.

Re-thinking Application Security for DevSecOps and Scale

April 25, 2022

AppSec and DevSecOps leaders need to secure the business from increasing software supply chain attacks, while improving their overall AppSec effectiveness and efficiency.

Read More
This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

April 18, 2022

This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

Read More
What is an #SBOM, how is it used and why it is important to software supply chain security? We explain the SBOM in 5 minutes, discuss where SBOM adoption is headed and help you think beyond SBOM to gain greater visibility and security across your entire software supply chain environment.

What is an SBOM? SBOM explained in 5 minutes

April 11, 2022

What is an #SBOM, how is it used and why it is important to software supply chain security? We explain the SBOM in 5 minutes, discuss where SBOM adoption is headed and help you think beyond SBOM to gain greater visibility and security across your entire software supply chain environment.

Read More
On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.

A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

April 06, 2022

On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.

Read More
Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.

Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

April 04, 2022

Learn how Legit Security discovered a vulnerable GitHub actions workflow. Get details on the vulnerability and and what you can do to mitigate it.

Read More
What are secrets in source code, why they must be protected, and how to keep them safe.

Detecting Secrets in Your Source Code

March 11, 2022

What are secrets in source code, why they must be protected, and how to keep them safe.

Read More
Join us in celebrating the release of stealth mode.

Announcing Legit Security: The Story Behind Our Mission

January 28, 2022

Join us in celebrating the release of stealth mode.

Read More
Learn about SLSA (Supply-chain Levels for Software Artifacts), a security framework and a common language for improving software security and supply chain integrity.

What Is SLSA? SLSA Explained In 5 Minutes

January 21, 2022

Learn about SLSA (Supply-chain Levels for Software Artifacts), a security framework and a common language for improving software security and supply chain integrity.

Read More

Request a demo including the option to analyze your own software supply chain.