Intro
Hey everyone!
Hope you’re doing great! This week’s edition is packed with a mix of interesting vulnerabilities, cutting-edge security research, and key industry updates that you won’t want to miss.
We kick things off with an in-depth look at a PyPI supply chain attack that put 22,000 packages at risk, and follow that up with a guide for financial institutions to prepare their Threat and Vulnerability Management programs for DORA compliance. On the software development front, you’ll find an insightful podcast on why “Shift Left” might not be enough for securing applications — a must-listen for DevOps and AppSec professionals.
I’ve also included a fascinating read on the projected growth of the security testing market, plus tips on SQL injection prevention for backend developers. For those into vulnerability exploitation, there are some great resources, from exploiting CI/CD pipelines to a step-by-step guide on misconfigured GitLab OIDC AWS IAM roles.
Whether you’re into security testing tools, like Burp Suite’s latest performance updates, or interested in zero-click vulnerabilities in macOS, there’s something here for everyone. Don’t miss the final deep dive into Android bytecode exploitation — it’s a wild ride for anyone looking to bolster their mobile app security knowledge.
Enjoy the materials and stay secure!
Materials
📃 Revival Hijack – PyPI hijack technique exploited in the wild, puts 22K packages at risk
What is the Revival Hijack technique used in PyPI supply chain attack? Who’s at risk? This article by JFrog Security Researchers details how attackers were identified to hijack PyPI packages and how they were stopped. Great research dedicated for application security enthusiasts.
📃 DORA Compliance and your Threat & Vulnerability Management (TVM) Programme. What you need to know
Are you prepared for DORA compliance? Financial institutions need to enhance Threat Vulnerability Management programs to meet DORA regulations by January 2025. Learn about key areas, challenges, and practical tips for strengthening your vulnerability management in the ever-evolving cybersecurity landscape. Audience: Financial institutions, cybersecurity professionals.
🎥 Why “shift-left” isn’t good enough ⎪ Chris Romeo
Why is “Shift Left” not enough for software security? Who should rethink their strategies based on Chris Romeo’s insights? This podcast challenges the effectiveness of “Shift Left,” emphasizing the need for a holistic security approach post-deployment. DevOps, CISOs, and AppSec professionals would benefit from this podcast.
📈 Security Testing Market Worth $43.9B by 2029
What is the projected growth of the global Security Testing Market? Who should be interested in this information? The market size is expected to increase from USD 14.5 billion in 2024 to USD 43.9 billion by 2029. Organizations prioritizing secure software development, especially in web applications, and those concerned with cybersecurity risks should take note.
📃 Quantifying the Value of Bug Bounty Programs: ROI, ROM, or Both?
Are bug bounty programs worth the investment? The article explores ROI vs. ROM in security measures, emphasizing the value of bug bounties. Security leaders seeking to measure and communicate the financial impact of bug bounty programs will find this article insightful.
📃 How to Prevent SQL Injection Attacks with Validators and Prepared Statements in Backend Code
How can you prevent SQL injection attacks in backend code? This article explains the use of validators and prepared statements to secure web applications. The audience is developers looking to protect against malicious database manipulation.
📃 GitLab Critical Patch Release: Unrestricted Pipeline Execution
The release includes a number of security fixes for GitLab CE and EE, including unrestricted pipeline execution vulnerability. All self-managed installations should upgrade immediately.
📃 Introducing Burp Suite’s game-changing performance update ⚡🏎️
What does the latest update of Burp Suite offer for security testers? Find out how the enhanced performance benefits optimize workflow and efficiency. This article is intended for hands-on security testers seeking faster and more efficient tools.
🕵️ Exploiting CI / CD Pipelines for fun and profit
How can exploiting CI/CD pipelines lead to server takeover? This article reveals a chain of vulnerabilities from a public git directory exposure to gaining server control. Targeted at developers, DevOps and application security enthusiasts as it emphasizes the importance of secure practices in code repositories and deployment pipelines.
🕵️ Exploiting Misconfigured GitLab OIDC AWS IAM Roles
Learn how to exploit misconfigured GitLab OIDC AWS IAM role step by step. This article by Nick Frichette is for AWS users interested in securing their IAM roles and understanding potential vulnerabilities caused by default AWS Console settings. Target audience: AWS developers and security professionals.
🕵️ Zero-Click Calendar invite – Critical zero-click vulnerability chain in macOS
Would you like to know about the critical zero click vulnerability chain in macOS Calendar? The article describes how an attacker could exploit vulnerabilities to execute malicious code and access sensitive Photos data. Security enthusiasts and macOS users may find this article informative.
🕵️ Blog Series on Android Bytecode Exploitation
Deep dive into the arms race of binary exploitation, where bytecode injection prompts the need for advanced security mechanisms. This blog series targets developers and security professionals interested in Android Bytecode Exploitation.