For too long, security has been cast as a bottleneck – swooping in after developers build and engineers test to slow things down. The reality is blunt; if it’s bolted on, you’ve already lost. The ones that win make security part of every decision, from the first line of code to the last boardroom conversation...

The post Cultural Lag Leaves Security as the Weakest Link appeared first on Security Boulevard.

AI-generated code is reshaping software development and introducing new security risks. Organizations must strengthen governance, expand testing and train developers to ensure AI-assisted coding remains secure and compliant.

The post Securing AI-Generated Code in Enterprise Applications: The New Frontier for AppSec Teams  appeared first on Security Boulevard.

Alan reflects on a turbulent year in DevSecOps, highlighting the rise of AI-driven security, the maturing of hybrid work culture, the growing influence of platform engineering, and the incredible strength of the DevSecOps community — while calling out the talent crunch, tool sprawl and security theater the industry must still overcome.

The post What I’m Thankful for in DevSecOps This Year: Living Through Interesting Times appeared first on Security Boulevard.

Discover what’s changed in the OWASP 2025 Top 10 and how GitGuardian helps you mitigate risks like broken access control and software supply chain failures.

The post OWASP Top 10 2025 Updates: Supply Chain, Secrets, And Misconfigurations Take Center Stage appeared first on Security Boulevard.

Securing the Digital Frontier: How AI is Reshaping Application Security The software development landscape is transforming at breakneck speed. Developers now generate code faster than ever, but this acceleration comes...

The post Innovator Spotlight: Harness appeared first on Cyber Defense Magazine.

Yet Another Testing & Auditing Solution

The goal of YATAS is to help you create a secure AWS environment without too much hassle. It won't check for all best practices but only for the ones that are important for you based on my experience. Please feel free to tell me if you find something that is not covered.

Features

YATAS is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues.

No details	Details

Installation

brew tap padok-team/tap
brew install yatas

yatas --init

Modify .yatas.yml to your needs.

yatas --install

Installs the plugins you need.

Usage

yatas -h

Flags:

• --details: Show details of the issues found.
• --compare: Compare the results of the previous run with the current run and show the differences.
• --ci: Exit code 1 if there are issues found, 0 otherwise.
• --resume: Only shows the number of tests passing and failing.
• --time: Shows the time each test took to run in order to help you find bottlenecks.
• --init: Creates a .yatas.yml file in the current directory.
• --install: Installs the plugins you need.
• --only-failure: Only show the tests that failed.

Plugins

Checks

Ignore results for known issues

You can ignore results of checks by adding the following to your .yatas.yml file:

ignore:
  - id: "AWS_VPC_004"
    regex: true
    values: 
      - "VPC Flow Logs are not enabled on vpc-.*"
  - id: "AWS_VPC_003"
    regex: false
    values: 
      - "VPC has only one gateway on vpc-08ffec87e034a8953"

Exclude a test

You can exclude a test by adding the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    exclude:
      - AWS_S3_001

Specify which tests to run

To only run a specific test, add the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    include:
      - "AWS_VPC_003"
      - "AWS_VPC_004"

Get error logs

You can get the error logs by adding the following to your env variables:

export YATAS_LOG_LEVEL=debug

The available log levels are: debug, info, warn, error, fatal, panic and off by default

AWS - 63 Checks

AWS Certificate Manager

• AWS_ACM_001 ACM certificates are valid
• AWS_ACM_002 ACM certificate expires in more than 90 days
• AWS_ACM_003 ACM certificates are used

APIGateway

• AWS_APG_001 ApiGateways logs are sent to Cloudwatch
• AWS_APG_002 ApiGateways are protected by an ACL
• AWS_APG_003 ApiGateways have tracing enabled

AutoScaling

• AWS_ASG_001 Autoscaling maximum capacity is below 80%
• AWS_ASG_002 Autoscaling group are in two availability zones

Backup

• AWS_BAK_001 EC2's Snapshots are encrypted
• AWS_BAK_002 EC2's snapshots are younger than a day old

Cloudfront

• AWS_CFT_001 Cloudfronts enforce TLS 1.2 at least
• AWS_CFT_002 Cloudfronts only allow HTTPS or redirect to HTTPS
• AWS_CFT_003 Cloudfronts queries are logged
• AWS_CFT_004 Cloudfronts are logging Cookies
• AWS_CFT_005 Cloudfronts are protected by an ACL

CloudTrail

• AWS_CLD_001 Cloudtrails are encrypted
• AWS_CLD_002 Cloudtrails have Global Service Events Activated
• AWS_CLD_003 Cloudtrails are in multiple regions

COG

• AWS_COG_001 Cognito allows unauthenticated users

DynamoDB

• AWS_DYN_001 Dynamodbs are encrypted
• AWS_DYN_002 Dynamodb have continuous backup enabled with PITR

EC2

• AWS_EC2_001 EC2s don't have a public IP
• AWS_EC2_002 EC2s have the monitoring option enabled

ECR

• AWS_ECR_001 ECRs image are scanned on push
• AWS_ECR_002 ECRs are encrypted
• AWS_ECR_003 ECRs tags are immutable

EKS

• AWS_EKS_001 EKS clusters have logging enabled
• AWS_EKS_002 EKS clusters have private endpoint or strict public access

LoadBalancer

• AWS_ELB_001 ELB have access logs enabled

GuardDuty

• AWS_GDT_001 GuardDuty is enabled in the account

IAM

• AWS_IAM_001 IAM Users have 2FA activated
• AWS_IAM_002 IAM access key younger than 90 days
• AWS_IAM_003 IAM User can't elevate rights
• AWS_IAM_004 IAM Users have not used their password for 120 days

Lambda

• AWS_LMD_001 Lambdas are private
• AWS_LMD_002 Lambdas are in a security group
• AWS_LMD_003 Lambdas are not with errors

RDS

• AWS_RDS_001 RDS are encrypted
• AWS_RDS_002 RDS are backedup automatically with PITR
• AWS_RDS_003 RDS have minor versions automatically updated
• AWS_RDS_004 RDS aren't publicly accessible
• AWS_RDS_005 RDS logs are exported to cloudwatch
• AWS_RDS_006 RDS have the deletion protection enabled
• AWS_RDS_007 Aurora Clusters have minor versions automatically updated
• AWS_RDS_008 Aurora RDS are backedup automatically with PITR
• AWS_RDS_009 Aurora RDS have the deletion protection enabled
• AWS_RDS_010 Aurora RDS are encrypted
• AWS_RDS_011 Aurora RDS logs are exported to cloudwatch
• AWS_RDS_012 Aurora RDS aren't publicly accessible

S3 Bucket

• AWS_S3_001 S3 are encrypted
• AWS_S3_002 S3 buckets are not global but in one zone
• AWS_S3_003 S3 buckets are versioned
• AWS_S3_004 S3 buckets have a retention policy
• AWS_S3_005 S3 bucket have public access block enabled

Volume

• AWS_VOL_001 EC2's volumes are encrypted
• AWS_VOL_002 EC2 are using GP3
• AWS_VOL_003 EC2 have snapshots
• AWS_VOL_004 EC2's volumes are unused

VPC

• AWS_VPC_001 VPC CIDRs are bigger than /20
• AWS_VPC_002 VPC can't be in the same account
• AWS_VPC_003 VPC only have one Gateway
• AWS_VPC_004 VPC Flow Logs are activated
• AWS_VPC_005 VPC have at least 2 subnets

How to create a new plugin ?

You'd like to add a new plugin ? Then simply visit yatas-plugin and follow the instructions.

The post How to reduce your attack surface appeared first on Detectify Blog.

The post M. Loewinger, Smartbear: “Each product has a DevOps lead who manages Detectify and all its findings” appeared first on Detectify Blog.

The post Web security trends to watch for 2020 appeared first on Detectify Blog.

The post Fitting automated security throughout the CI/CD pipeline appeared first on Detectify Blog.

The post Scaling up Security with DevOps and CI/CD practices appeared first on Detectify Blog.

Security is too often an afterthought in the software development process. It’s easy to understand why: Application and software developers are tasked with getting rid of bugs and adding in new features in updates that must meet a grueling release schedule. 

Asking to include security testing before an update is deployed can bring up problems needing to be fixed. In an already tight timeline, that creates tension between developers and the security team. 

If you’re using traditional pentesting methods, the delays and disruption are too great to burden the development team, who are likely working a continuous integration and continuous delivery process (CI/CD). Or if you’re using an automatic scanner to detect potential vulnerabilities, you’re receiving a long list of low-level vulns that obscures the most critical issues to address first. 

Instead, continuous pentesting, or even scanning for a particular CVE, can harmonize development and security teams. And it’s increasingly important. A shocking 85% of commercial apps contain at least one critical vulnerability, according to a 2021 report, while 100% use open-source software, such as the now infamous Log4j. That’s not to knock on open-source software, but rather to say that a critical vulnerability can pop up at any time and it’s more likely to happen than not. 

If a critical vulnerability is found–or worse, exploited–the potential fines or settlement from a data breach could be astronomical. In the latest data breach settlement, T-Mobile agreed to pay $350 million to customers in a class action lawsuit and invest additional $150 million in their data security operations.

This is why many companies are hiring for development security operations (DevSecOps). The people in these roles work in concert with the development team to build a secure software development process into the existing deployment schedule. But with 700,000 infosec positions sitting open in the United States, it might be hard to find the right candidate. 

If you want to improve the security of your software and app development, here are some tips from Synack customers: 

• Highlight only the most critical vulns to the dev team. The development team has time only to address what’s most important. Sorting through an endless list of vulns that might never be exploited won’t work. Synack delivers vulnerabilities that matter by incentivizing our researchers to focus on finding severe vulnerabilities.

• Don’t shame, celebrate. Mistakes are inevitable. Instead of shaming or blaming the development team for a security flaw, cheer on the wins. Finding and fixing vulnerabilities before an update is released is a cause for celebration. Working together to protect the company’s reputation and your customers’ data is the shared goal. 

• Embrace the pace. CI/CD isn’t going away and the key to deploying more secure apps and software is to find ways to work with developers. When vulns are found to be fixed, document the process for next time. And if there’s enough time, try testing for specific, relevant CVEs. Synack Red Team (SRT) members document their path to finding and exploiting vulnerabilities and can verify patches were implemented successfully. SRT security researchers can also test as narrow or broad a scope as you’d like with Synack’s testing offerings and catalog of specific checks, such as CVE and zero day checks.

Security is a vital component to all companies’ IT infrastructure, but it can’t stand in the way of the business. For more information about how Synack can help you integrate security checkpoints in your dev process, request a demo.

The post Testing Early and Often Can Reduce Flaws in App Development appeared first on Synack.

Yet Another Testing & Auditing Solution

The goal of YATAS is to help you create a secure AWS environment without too much hassle. It won't check for all best practices but only for the ones that are important for you based on my experience. Please feel free to tell me if you find something that is not covered.

Features

YATAS is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues.

No details	Details

Installation

brew tap padok-team/tap
brew install yatas

yatas --init

Modify .yatas.yml to your needs.

yatas --install

Installs the plugins you need.

Usage

yatas -h

Flags:

• --details: Show details of the issues found.
• --compare: Compare the results of the previous run with the current run and show the differences.
• --ci: Exit code 1 if there are issues found, 0 otherwise.
• --resume: Only shows the number of tests passing and failing.
• --time: Shows the time each test took to run in order to help you find bottlenecks.
• --init: Creates a .yatas.yml file in the current directory.
• --install: Installs the plugins you need.
• --only-failure: Only show the tests that failed.

Plugins

Checks

Ignore results for known issues

You can ignore results of checks by adding the following to your .yatas.yml file:

ignore:
  - id: "AWS_VPC_004"
    regex: true
    values: 
      - "VPC Flow Logs are not enabled on vpc-.*"
  - id: "AWS_VPC_003"
    regex: false
    values: 
      - "VPC has only one gateway on vpc-08ffec87e034a8953"

Exclude a test

You can exclude a test by adding the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    exclude:
      - AWS_S3_001

Specify which tests to run

To only run a specific test, add the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    include:
      - "AWS_VPC_003"
      - "AWS_VPC_004"

Get error logs

You can get the error logs by adding the following to your env variables:

export YATAS_LOG_LEVEL=debug

The available log levels are: debug, info, warn, error, fatal, panic and off by default

AWS - 63 Checks

AWS Certificate Manager

• AWS_ACM_001 ACM certificates are valid
• AWS_ACM_002 ACM certificate expires in more than 90 days
• AWS_ACM_003 ACM certificates are used

APIGateway

• AWS_APG_001 ApiGateways logs are sent to Cloudwatch
• AWS_APG_002 ApiGateways are protected by an ACL
• AWS_APG_003 ApiGateways have tracing enabled

AutoScaling

• AWS_ASG_001 Autoscaling maximum capacity is below 80%
• AWS_ASG_002 Autoscaling group are in two availability zones

Backup

• AWS_BAK_001 EC2's Snapshots are encrypted
• AWS_BAK_002 EC2's snapshots are younger than a day old

Cloudfront

• AWS_CFT_001 Cloudfronts enforce TLS 1.2 at least
• AWS_CFT_002 Cloudfronts only allow HTTPS or redirect to HTTPS
• AWS_CFT_003 Cloudfronts queries are logged
• AWS_CFT_004 Cloudfronts are logging Cookies
• AWS_CFT_005 Cloudfronts are protected by an ACL

CloudTrail

• AWS_CLD_001 Cloudtrails are encrypted
• AWS_CLD_002 Cloudtrails have Global Service Events Activated
• AWS_CLD_003 Cloudtrails are in multiple regions

COG

• AWS_COG_001 Cognito allows unauthenticated users

DynamoDB

• AWS_DYN_001 Dynamodbs are encrypted
• AWS_DYN_002 Dynamodb have continuous backup enabled with PITR

EC2

• AWS_EC2_001 EC2s don't have a public IP
• AWS_EC2_002 EC2s have the monitoring option enabled

ECR

• AWS_ECR_001 ECRs image are scanned on push
• AWS_ECR_002 ECRs are encrypted
• AWS_ECR_003 ECRs tags are immutable

EKS

• AWS_EKS_001 EKS clusters have logging enabled
• AWS_EKS_002 EKS clusters have private endpoint or strict public access

LoadBalancer

• AWS_ELB_001 ELB have access logs enabled

GuardDuty

• AWS_GDT_001 GuardDuty is enabled in the account

IAM

• AWS_IAM_001 IAM Users have 2FA activated
• AWS_IAM_002 IAM access key younger than 90 days
• AWS_IAM_003 IAM User can't elevate rights
• AWS_IAM_004 IAM Users have not used their password for 120 days

Lambda

• AWS_LMD_001 Lambdas are private
• AWS_LMD_002 Lambdas are in a security group
• AWS_LMD_003 Lambdas are not with errors

RDS

• AWS_RDS_001 RDS are encrypted
• AWS_RDS_002 RDS are backedup automatically with PITR
• AWS_RDS_003 RDS have minor versions automatically updated
• AWS_RDS_004 RDS aren't publicly accessible
• AWS_RDS_005 RDS logs are exported to cloudwatch
• AWS_RDS_006 RDS have the deletion protection enabled
• AWS_RDS_007 Aurora Clusters have minor versions automatically updated
• AWS_RDS_008 Aurora RDS are backedup automatically with PITR
• AWS_RDS_009 Aurora RDS have the deletion protection enabled
• AWS_RDS_010 Aurora RDS are encrypted
• AWS_RDS_011 Aurora RDS logs are exported to cloudwatch
• AWS_RDS_012 Aurora RDS aren't publicly accessible

S3 Bucket

• AWS_S3_001 S3 are encrypted
• AWS_S3_002 S3 buckets are not global but in one zone
• AWS_S3_003 S3 buckets are versioned
• AWS_S3_004 S3 buckets have a retention policy
• AWS_S3_005 S3 bucket have public access block enabled

Volume

• AWS_VOL_001 EC2's volumes are encrypted
• AWS_VOL_002 EC2 are using GP3
• AWS_VOL_003 EC2 have snapshots
• AWS_VOL_004 EC2's volumes are unused

VPC

• AWS_VPC_001 VPC CIDRs are bigger than /20
• AWS_VPC_002 VPC can't be in the same account
• AWS_VPC_003 VPC only have one Gateway
• AWS_VPC_004 VPC Flow Logs are activated
• AWS_VPC_005 VPC have at least 2 subnets

How to create a new plugin ?

You'd like to add a new plugin ? Then simply visit yatas-plugin and follow the instructions.