Software Supply Chain Security - Aqua
https://www.aquasec.com/tag/software-supply-chain-security/
Cloud Native Security, Container Security & Serverless Security
Last updated: Mon, 15 Jul 2024 08:22:53 +0000

Phantom Secrets: Undetected Secrets Expose Major Corporations
https://www.aquasec.com/blog/undetected-hard-code-secrets-expose-corporations/
Sun, 23 Jun 2024 14:22:10 +0000
For years, we’ve been educating developers not to hard-code secrets into their code. Now it turns out that doing this even once might permanently expose that secret, even after its apparent removal – and worse, most secret-scanning methods will miss it. Our research found that almost 18% of secrets might be overlooked. We uncovered …

Linguistic Lumberjack: Understanding CVE-2024-4323 in Fluent Bit
https://www.aquasec.com/blog/linguistic-lumberjack-understanding-cve-2024-4323-in-fluent-bit/
Fri, 24 May 2024 22:18:42 +0000
Linguistic Lumberjack is a new critical-severity vulnerability (CVE-2024-4323) that affects Fluent Bit versions 2.0.7 through 3.0.3. The vulnerability involves a memory corruption error, potentially leading to denial of service, information disclosure, or remote code execution. Fluent Bit is a highly popular open-source data collector and processor designed for handling large volumes of log data …

The Gaps in Open Source Governance That Threaten the Software Supply Chain
https://www.aquasec.com/blog/the-gaps-in-open-source-governance-that-threaten-the-software-supply-chain/
Tue, 23 Jan 2024 10:56:37 +0000
The widespread issue of unmaintained and deprecated npm packages recently discovered by Aqua researchers affects more than a fifth of open source packages. Presenting yet another silent example of hidden threats to the software supply chain, it demonstrates how poor operational and structural integrity of dependencies can be just as risky as code vulnerabilities, while …

Navigating Container Security within the FedRAMP Guidelines
https://www.aquasec.com/blog/navigating-container-security-within-the-fedramp-guidelines/
Tue, 28 Nov 2023 11:57:58 +0000
The digital transformation journey of many organizations leans heavily on cloud technologies. As they migrate to the cloud, adhering to stringent security protocols becomes paramount. Enter FedRAMP(R) (Federal Risk and Authorization Management Program). It’s a government-wide initiative designed to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. …

Exploited SSH Servers Offered in the Dark web as Proxy Pools
https://www.aquasec.com/blog/threat-alert-exploited-ssh-servers-offered-in-the-dark-web-as-proxy-pools/
Thu, 19 Oct 2023 10:10:45 +0000
Aqua Nautilus researchers have shed brighter light on a long-standing threat to SSH in the context of the cloud. More specifically, the threat actor harnessed our SSH server to act as a proxy and pass traffic through it. In this blog, we will explain this threat, demonstrate how attackers exploit SSH, what actions they take …

Elevating Cloud Security Response with Cloud-to-Code Tracing
https://www.aquasec.com/blog/elevating-cloud-security-response-with-code-to-cloud-tracing/
Mon, 11 Sep 2023 11:00:07 +0000
Data breaches and ransomware attacks have become a common headline around the globe. Meanwhile, protecting cloud environments has turned into an uphill battle for even the most seasoned CISO. With a broader attack surface, the dynamic nature of open source software, and a growing number of vulnerabilities being discovered each year, being prepared for the …

Threat Alert: Anatomy of Silentbob’s Cloud Attack
https://www.aquasec.com/blog/threat-alert-anatomy-of-silentbobs-cloud-attack/
Wed, 05 Jul 2023 11:01:13 +0000
Aqua Nautilus researchers identified the infrastructure of a potentially massive campaign against cloud native environments. This infrastructure is in the early stages of testing and deployment, and consists mainly of an aggressive cloud worm designed to deploy on exposed JupyterLab and Docker APIs in order to install Tsunami malware, hijack cloud credentials, hijack resources and …

Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries
https://www.aquasec.com/blog/250m-artifacts-exposed-via-misconfigured-registries/
Mon, 24 Apr 2023 08:58:28 +0000
What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research team found just that in …

White House Shifts Cybersecurity Strategy to Drive Resilience
https://www.aquasec.com/blog/white-house-shifts-cybersecurity-strategy-to-drive-resilience/
Fri, 03 Mar 2023 17:00:41 +0000
This week, the White House released its updated National Cybersecurity Strategy, detailing the comprehensive approach the U.S. Government’s Administration is taking to cybersecurity. The strategy contains a set of three pillars that outline collaboration between the public and private sectors, address systemic challenges within cybersecurity, and realign incentives for the industry. Pillar Three specifically …

Software Supply Chain Security vs. SCA: What’s the Difference?
https://www.aquasec.com/blog/software-compositio-analysis-vs-supply-chain-security/
Thu, 09 Feb 2023 15:15:08 +0000
As reliance on software increases in both personal and professional contexts, security of the software supply chain has become a critical concern. Ensuring the security and quality of software is essential for protecting against digital attacks, data breaches, and other cyber threats. Two practices that play a key role in ensuring software security are software …