Intro
Hey everyone!
In this edition, I highly recommend taking a look at the 2023 Top Routinely Exploited Vulnerabilities report from CISA, which highlights the most commonly exploited vulnerabilities over the past year.
You’ll also find some fascinating research, essential one-liner commands for bug bounty hunters, and some interesting open-source tools for security engineers.
Finally, in industry news, Snyk has acquired Probely, a developer-first DAST provider, enhancing its API security testing capabilities.
Enjoy the materials and stay secure!
Materials
🔓 2023 Top Routinely Exploited Vulnerabilities
What are the most exploited cybersecurity vulnerabilities of 2023? This article details a joint advisory from cybersecurity agencies highlighting top vulnerabilities, their impacts, and recommendations for vendors and users. It’s valuable for developers, IT professionals, and organizations looking to enhance security measures against cyber threats.
📄 DoD Enterprise DevSecOps Fundamentals [pdf]
The “DoD Enterprise DevSecOps Fundamentals” outlines the DoD’s approach to integrating DevSecOps for secure, efficient software delivery. It emphasizes automation, continuous monitoring, and collaboration among development, security, and operations. This guide helps DoD teams modernize software practices with security embedded throughout the lifecycle.
📄 Does ChatGPT Help Novices Write Better Code? Results from Static Code Analysis
The paper “Does ChatGPT Help Novices Write Better Code? Results from Static Code Analysis” investigates whether ChatGPT helps beginner programmers produce higher-quality code. Using static code analysis, it evaluates the improvements and the problems novices run into when leveraging ChatGPT for coding tasks. The study aims to provide insights into ChatGPT’s effectiveness as a coding assistant for newcomers and its impact on code quality.
📄 How a Cross-Site Scripting Vulnerability Led to Account Takeover
What is Cross-Site Scripting (XSS) and how can it compromise your users’ security? This article explores XSS vulnerabilities, their impact across industries, and real-life examples such as Yelp’s case, where an XSS bug escalated to account takeover. It is aimed at cybersecurity professionals, penetration testers and security engineers.
🕵️ Essential One-Liner Commands for Bug Bounty Hunters and Pentesters
Looking to enhance your bug bounty hunting skills? This article presents essential one-liner commands for ethical hackers and pentesters, focusing on tools like nmap and Sublist3r for tasks such as open port identification and subdomain enumeration. Ideal for security penetration testers and bug bounty hunters looking for efficient and commonly used one-liners.
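As an added example, not code from the linked article, here is the text-processing half of the usual recon one-liner (enumerate subdomains, feed them to nmap, extract the open ports) written as reusable shell functions. It assumes nmap’s grepable (-oG) output format and runs offline over constructed sample output; the hostnames, IPs and service banners are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the linked article). Assumes nmap -oG output format;
# all sample data below is constructed.

# Constructed output of a subdomain enumerator such as Sublist3r: raw results
# typically contain mixed case, wildcard entries, trailing dots and duplicates.
SAMPLE_SUBS='api.example.com
API.example.com
*.dev.example.com
dev.example.com
old.example.com.
dev.example.com'

# subs_to_targets <list>: normalise a raw subdomain list into a deduplicated
# target list suitable for `nmap -iL`.
subs_to_targets() {
    printf '%s\n' "$1" \
      | tr 'A-Z' 'a-z' \
      | sed -e 's/^\*\.//' -e 's/\.$//' \
      | grep -E '^[a-z0-9.-]+$' \
      | sort -u
}

# Constructed `nmap -sV -oG -` output. Fields are tab separated; the port list is
# "port/state/proto/owner/service/rpc/version" entries joined by ", ".
SAMPLE_GNMAP=$(printf '%b\n' \
  '# Nmap 7.94 scan initiated as: nmap -sV -iL targets.txt -oG -' \
  'Host: 203.0.113.10 (api.example.com)\tStatus: Up' \
  'Host: 203.0.113.10 (api.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 9.6//, 443/open/tcp//https//nginx 1.25//, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)' \
  'Host: 203.0.113.11 (dev.example.com)\tStatus: Up' \
  'Host: 203.0.113.11 (dev.example.com)\tPorts: 80/open/tcp//http//Apache httpd 2.4.57//, 3306/open/tcp//mysql//MySQL 8.0.36//\tIgnored State: closed (998)' \
  'Host: 203.0.113.12 (old.example.com)\tStatus: Up' \
  'Host: 203.0.113.12 (old.example.com)\tPorts: 21/closed/tcp//ftp///\tIgnored State: filtered (999)' \
  '# Nmap done -- 3 IP addresses (3 hosts up) scanned')

# open_ports: read -oG output on stdin and print "ip hostname port/proto service version"
# for every port whose state is "open" (filtered and closed ports are dropped).
open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            ip = $2; name = $3; gsub(/[()]/, "", name)      # "Host: 203.0.113.10 (api.example.com)"
            line = $0
            sub(/^.*Ports: /, "", line)                     # keep only the port list ...
            sub(/[ \t]*Ignored State:.*$/, "", line)        # ... without the trailing summary
            n = split(line, ports, ", ")
            for (i = 1; i <= n; i++) {
                split(ports[i], f, "/")                     # port/state/proto/owner/service/rpc/version
                if (f[2] == "open")
                    printf "%s %s %s/%s %s %s\n", ip, name, f[1], f[3], f[5], f[7]
            }
        }'
}

# Offline demonstration on the constructed data.
printf '== targets ==\n'; subs_to_targets "$SAMPLE_SUBS"
printf '== open ports ==\n'; printf '%s\n' "$SAMPLE_GNMAP" | open_ports

# The live pipeline these functions slot into (needs network, shown for reference):
#   sublist3r -d example.com -o subs.txt
#   subs_to_targets "$(cat subs.txt)" > targets.txt
#   nmap -sV -iL targets.txt -oG - | open_ports
```

Parsing the grepable format rather than eyeballing normal output keeps the result machine-readable, so the open-port list can be piped straight into the next tool (a web fuzzer for 80/443, a banner check for everything else) without re-scanning.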
🕵️ Machine Learning Bug Bonanza – Exploiting ML Services
Are you interested in the security vulnerabilities in machine learning services? The article reveals findings from JFrog’s security research team that identified 22 unique vulnerabilities in ML projects, illustrating the risks associated with poorly secured ML frameworks. It’s essential reading for developers and security professionals concerned with MLOps.
🕵️ Crypto-Stealing Code Lurking in Python Package Dependencies
Are your cryptocurrency wallets safe from deceptive package attacks? This article reveals how malicious Python packages disguised as legitimate tools targeted users of popular wallets, stealing sensitive data like private keys and mnemonic phrases. It’s essential reading for developers and crypto users to understand the evolving security threats in open source software.
🛠️ Guard.dev – Open Source Cloud Security Tool
Are there any free and open-source cloud security tools? The linked repository contains Guard, an open-source AI-powered tool for scanning AWS environments for vulnerabilities and misconfigurations. It might interest security professionals and DevOps teams looking for actionable findings without paying for an expensive SaaS product.
🛠️ Am I Isolated: Open-source container security benchmark
Curious about enhancing your container security? “Am I Isolated” is a tool designed to benchmark the security posture of container environments, offering evaluations and suggestions for improvement. It might be ideal for security engineers who want to verify that their workloads are properly isolated from the host and from each other.
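To make the idea concrete, here is an added example (my own code, not part of Am I Isolated) of the kind of check such a benchmark runs: read the process’s own /proc/self/status, decode the effective capability bitmask, and flag capabilities and missing hardening settings that usually mean the container boundary is one step from the host. It assumes Linux /proc semantics (CapEff is a hex bitmask indexed by capability number, Seccomp is 0/1/2 for disabled/strict/filter, NoNewPrivs is 0/1) and runs offline over two constructed status excerpts.

```shell
#!/usr/bin/env bash
# Added example (not Am I Isolated's own code). Assumes Linux /proc/<pid>/status
# semantics; the status excerpts below are constructed.

# Capability names in kernel bit order: bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore.
CAP_NAMES='chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
checkpoint_restore'

# Capabilities that a workload container almost never needs and that give a
# direct path to the host (mounts, ptrace, module loading, raw I/O, network stack, file reads).
DANGEROUS_CAPS='sys_admin sys_ptrace sys_module sys_rawio net_admin dac_read_search'

# decode_caps <hex mask>: print "cap_<name>" for every set bit in a CapEff value.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    for name in $CAP_NAMES; do
        [ $(( (mask >> bit) & 1 )) -eq 1 ] && printf 'cap_%s\n' "$name"
        bit=$(( bit + 1 ))
    done
    return 0
}

# isolation_findings <status text>: print FAIL/WARN lines; no output means nothing was flagged.
isolation_findings() {
    capeff=$(printf '%s\n' "$1" | awk '/^CapEff:/ {print $2}')
    seccomp=$(printf '%s\n' "$1" | awk '/^Seccomp:/ {print $2}')
    nnp=$(printf '%s\n' "$1" | awk '/^NoNewPrivs:/ {print $2}')
    have=$(decode_caps "$capeff")
    for c in $DANGEROUS_CAPS; do
        if printf '%s\n' "$have" | grep -qx "cap_$c"; then
            printf 'FAIL cap_%s is in the effective capability set\n' "$c"
        fi
    done
    [ "$seccomp" = "2" ] || printf 'FAIL no seccomp filter active (Seccomp: %s)\n' "${seccomp:-missing}"
    [ "$nnp" = "1" ] || printf 'WARN NoNewPrivs is not set; setuid binaries can still raise privileges\n'
    return 0
}

# Constructed /proc/self/status excerpts (real files carry many more fields).
# 00000000a80425fb is the well-known default capability set of a Docker container.
DEFAULT_DOCKER_STATUS='Name: sh
CapEff: 00000000a80425fb
Seccomp: 2
NoNewPrivs: 0'

# Every capability bit set and no seccomp filter: what --privileged looks like.
PRIVILEGED_STATUS='Name: sh
CapEff: 000001ffffffffff
Seccomp: 0
NoNewPrivs: 0'

printf '== default docker profile ==\n'; isolation_findings "$DEFAULT_DOCKER_STATUS"
printf '== privileged container ==\n'; isolation_findings "$PRIVILEGED_STATUS"
# To audit the container you are actually running in:
#   isolation_findings "$(cat /proc/self/status)"
```

Reading the mask from inside the container is the point: the benchmark does not trust the runtime’s configuration file, it measures what the kernel actually granted to the process, which is what an attacker who lands in the container gets too.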
🛠️ Whispr: Open-source multi-vault secret injection tool
Whispr is an open-source CLI tool for securely injecting secrets from vaults such as those of AWS and Azure into a running process. It improves developers’ security posture by removing the need to keep secrets in plain-text files and is easy to install. It might be interesting for developers and security engineers seeking to streamline secret management.
📰 Snyk Acquires Developer-First DAST Provider Probely
This news presents Snyk’s acquisition of the Dynamic Application Security Testing provider Probely, expanding its API security testing capabilities crucial for modern API development.