Aqua Blog

Software Supply Chain Security

Supply Chain Security: Shifting Left to the Golden Pipeline

Supply Chain Security: Shifting Left to the Golden Pipeline

According to an article in Security Magazine, 98% of organizations have been negatively impacted by a cybersecurity breach in their supply chain. Aqua’s 2021 Software Supply Chain Security Review notes that “attackers focused heavily on open source vulnerabilities and poisoning, code integrity issues, exploiting the …

Continue reading ›
Can You Trust Your VSCode Extensions?

Can You Trust Your VSCode Extensions?

Aqua Nautilus researchers have recently discovered that attackers can easily impersonate popular Visual Studio Code extensions and trick unknowing developers into downloading them. In original vulnerability research, we’ve uncovered a new attack method which could act as an entry point for an attack on many …

Continue reading ›
In-depth Analysis of the PyTorch Dependency Confusion Administered Malware

In-depth Analysis of the PyTorch Dependency Confusion Administered Malware

This blog was co-authored by Assaf Morag

Recently, a dependency of the widely used PyTorch-nightly Python package was targeted in a dependency confusion attack, resulting in thousands of individuals downloading a malicious binary that exfiltrated data through DNS. The individual responsible for this attack claimed to …

Continue reading ›
Achieve Software Supply Chain Compliance with US Executive Order 14028

Achieve Software Supply Chain Compliance with US Executive Order 14028

Thanks to many factors like the rise of the cloud infrastructure, the abundance of prebuilt open-source code, and process improvements in DevOps, innovating with software is happening faster than ever. The software supply chain is the assembly line for these technological innovations and can be thought of as any …

Continue reading ›
Updated Security Advisory: New OpenSSL Vulnerabilities

Updated Security Advisory: New OpenSSL Vulnerabilities

The OpenSSL project has pre-announced a new and critical severity vulnerability, which was downgraded to High as of today, Nov. 1, 2022. The initial pre-announcement blog has been updated here to reflect additional remediation guidance.

Continue reading ›
Text4Shell: CVE-2022-42889 in Apache Commons Text Explained

Text4Shell: CVE-2022-42889 in Apache Commons Text Explained

A new vulnerability in the Apache Commons Text library indicates that attackers can perform remote code execution (RCE). The media rushed to create hype around this vulnerability, comparing it to the infamous zero-day vulnerability Log4Shell, which emerged late last year and was broadly exploited by attackers. …

Continue reading ›
Aqua, HashiCorp Enable Cloud Native Security, Zero-Trust Approaches

Aqua, HashiCorp Enable Cloud Native Security, Zero-Trust Approaches

We’re delighted to announce our recent achievement of Premier tier status in HashiCorp’s partner ecosystem – a significant milestone in helping our mutual customers automate security and compliance as part of the cloud journey, and more effectively manage risk by shifting security left, securing the software supply …

Continue reading ›
Trivy: The Universal Scanner to Secure Your Cloud Migration

Trivy: The Universal Scanner to Secure Your Cloud Migration

Application security teams are challenged today with the need for a centralized view of exposure to security issues like Log4j and Spring4Shell. But an exploding set of artifacts and security tools makes it prohibitively difficult to secure the development life cycle. A universal scanner drastically reduces this …

Continue reading ›
Announcing Full Lifecycle Software Supply Chain Security

Announcing Full Lifecycle Software Supply Chain Security

Software supply chain attacks have an enormous blast radius and affect multiple targets by compromising a single, shared resource. And these types of attacks are on the rise: Aqua research showed an increase of 300% year-over-year.

Continue reading ›
Audit Your Software Supply Chain for CIS Compliance with Chain-bench

Audit Your Software Supply Chain for CIS Compliance with Chain-bench

The Center for Internet Security (CIS) has recently released the Software Supply Chain Security Guide, a set of practical, community-developed best practices for securing software delivery pipelines. As an initiator and one of the main contributors to this comprehensive and much-needed guidance, we at Aqua aim to help …

Continue reading ›
CVE-2022-32223 Discovery: DLL Hijacking via npm CLI

CVE-2022-32223 Discovery: DLL Hijacking via npm CLI

Aqua Team Nautilus recently discovered that all Node.js versions earlier than 16.16.0 (LTS) and 14.20.0 on Windows are vulnerable to dynamic link library (DLL) hijacking if OpenSSL is installed on the host. Attackers can exploit this vulnerability to escalate their privileges and establish persistence in a target …

Continue reading ›