Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially …
Finally, the long-lasting “agentless vs. agent” debate is over. The inevitable result? If you want great cloud workload security, you need an agent. While many security professionals knew this from the start, plenty were misled into believing in the overhyped promise of agentless security. Why is this news? Because …
This week, the White House released its updated National Cybersecurity Strategy detailing the comprehensive approach the U.S. Government’s Administration is taking to cybersecurity.
Supply chain security has made lots of headlines recently thanks to events like the SolarWinds breach. That and similar events highlight the importance of having a strategy in place to respond to zero-day attacks which can take advantage of vulnerable software components.
DevSecOps is an easy term to toss around. But what does it mean, exactly? What actually goes into an effective DevSecOps strategy? And how do cloud and DevOps impact DevSecOps processes? To find out, I participated in a webinar with Merritt Baer, principal in the AWS Office of the CISO, to discuss the best ways to …
Containers as a Service (CaaS) like AWS Fargate have proven to be a valuable mechanism for DevOps teams to build and deploy complex applications at scale. By removing the need for infrastructure management and security, customers can also reduce development costs using AWS Fargate.
As reliance on software increases in both personal and professional contexts, security of the software supply chain has become a critical concern. Ensuring the security and quality of software is essential for protecting against digital attacks, data breaches, and other cyber threats. Two practices that play a key …
This blog was co-authored by Nitzan Yaakov
Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by …
One of Trivy’s core features is Trivy Kubernetes for in-cluster security scans of running workloads. This tutorial will showcase how to generate CIS and NSA reports both through the Trivy CLI and the Trivy Operator.Additionally, we will look at how users can add the Kubernetes Specification for their own Compliance …
NIST has recently researched, defined, and released an entirely new standard for incorporating security into the software development lifecycle called The Secure Software Development Framework. It was uniquely designed to help address the tremendous gaps in software supply chain security that expose organizations to …
Last month Aqua published a blog with the predictions from our Nautilus security research team regarding trends and new threats we are watching for 2023. In case you missed it over the holidays, we’ve included a link at the end of this post – it’s definitely worth the read.