Aqua Blog

DevSecOps

PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks

PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks

Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallery's policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. …

Continue reading ›
Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries

Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries

What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research …

Continue reading ›
Establishing a Resilient DevSecOps Action Plan

Establishing a Resilient DevSecOps Action Plan

DevSecOps is an easy term to toss around. But what does it mean, exactly? What actually goes into an effective DevSecOps strategy? And how do cloud and DevOps impact DevSecOps processes? To find out, I participated in a conversation with Merritt Baer, principal in the AWS Office of the CISO, to discuss the best ways …

Continue reading ›
Can You Trust Your VSCode Extensions?

Can You Trust Your VSCode Extensions?

Aqua Nautilus researchers have recently discovered that attackers can easily impersonate popular Visual Studio Code extensions and trick unknowing developers into downloading them. In original vulnerability research, we’ve uncovered a new attack method which could act as an entry point for an attack on many …

Continue reading ›
Golang Scanning with Trivy: Detect Vulnerabilities Accurately

Golang Scanning with Trivy: Detect Vulnerabilities Accurately

A standard piece of security advice is to reduce the size of your container images, usually by using statically compiled binaries in a scratch or distroless container. However, that complicates container vulnerability scanning, because it becomes impossible to determine the versions of software installed in a …

Continue reading ›
Key Requirements for CWPP (Cloud Workload Protection Platforms)

Key Requirements for CWPP (Cloud Workload Protection Platforms)

Cloud Workload Protection Platforms (CWPPs), now part of the emerging category of Cloud Native Application Protection Platforms (CNAPPs), are designed to secure different types of cloud workloads — such as VMs, containers, and serverless functions — deployed in public, hybrid, or multi-cloud environments. In this …

Continue reading ›
A Brief Guide to Supply Chain Security Best Practices

A Brief Guide to Supply Chain Security Best Practices

With the rise in attacks targeting the supply chain of cloud native applications, it’s important to understand how you can prepare for and stifle risks that enter your environments through third-party packages and tools. This post outlines the top software supply chain security best practices that should be included …

Continue reading ›
How GitLab Innovates DevOps Security Using Aqua Trivy

How GitLab Innovates DevOps Security Using Aqua Trivy

Digital leaders must adapt, scale, and fine-tune their operations and the solutions they provide to their customers to keep up with market demands. GitLab provides a complete DevOps platform in a single application to help developers and engineers across all industries to be successful. With many high-profile security …

Continue reading ›
Cloud Native Best Practices: Security Policies in CI/CD Pipelines

Cloud Native Best Practices: Security Policies in CI/CD Pipelines

With the continual leftward shifting movement of traditional DevOps responsibilities, organizations can now detect security issues earlier in the software development lifecycle (SDLC). Using CI/CD tools such as Jenkins, GoCD, or Bamboo, organizations can continually develop, test, and ship applications. As containers …

Continue reading ›
BeerSecOps: Podcasts About Dev, Sec, Ops, and Everything in Between

BeerSecOps: Podcasts About Dev, Sec, Ops, and Everything in Between

Steve Giguere is a DevSecOps Architect and Evangelist for Aqua. He spends his days working with organizations adopting cloud native technologies and how they can effectively secure their applications in the (relatively) new world of microservices. The evangelist part of him enjoys educating and learning from other …

Continue reading ›
DevSecOps with Trivy and GitHub Actions

DevSecOps with Trivy and GitHub Actions

The premise of DevSecOps is that in the Software Development Life Cycle (SDLC), each member is responsible for security. This unifies the operations and development teams in terms of security operations. DevSecOps’ goal is to add security to each step of the development process by integrating security controls and …

Continue reading ›

Subscribe to Email Updates

Popular Posts