Legit Security – Kuwait Financial Express

Legit Security Delivers AI-Powered Accuracy to Secrets Scanning
http://www.kuwaitfinancialexpress.com/?p=309571/ (published Tue, 23 Jan 2024 15:00:00 +0000)

PALO ALTO, Calif., Jan. 23, 2024 (GLOBE NEWSWIRE) — Legit Security, the leading application security posture management (ASPM) platform that enables secure application delivery, today announced expanded and AI-powered capabilities to detect and protect secrets across the software development pipeline. With secrets at the heart of enabling applications to operate, understanding where they exist – beyond hard-coded secrets and source code – and preventing secrets from leaking is paramount.

Secrets – including API keys, access keys, passwords and personally identifiable information (PII) – are a focal point for attackers due to their high value and the increasing sprawl of such data within development environments. In addition, well-known supply chain attacks have resulted from the exposure of secrets found within source code. Protecting secrets is also central to meeting global compliance requirements, such as the European Union General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) and many other state, federal and industry requirements.

Innovating Secrets Scanning with AI
Secrets scanners often have a high false positive rate, especially when they are not finely tuned or customized for the specific customer environment. With this release, Legit is the first to apply AI/ML to significantly reduce the noise associated with secrets scanning. The context around many secrets, which can be complex, drives a significant volume of noise and false positives. Legit uses a set of advanced heuristics and custom AI to deliver extremely accurate results.

Detecting Secrets Across Development Environments
Legit delivers comprehensive security by leveraging AI to detect secrets across all development assets, including code repositories, source code management (SCM) tools, build tools and logs, artifacts, private and public documentation, and more. In addition, Legit's deep analysis uncovers buried secrets within assets such as source code history or modified Confluence pages. These assets are still accessible and sought after by malicious actors but are hard to discover by conventional means or available AppSec scanners. Legit's visibility and context enable CISOs and their teams to more effectively detect secrets, prioritize remediation, and put preventive guardrails in place.

“We see more CISOs and their teams prioritize secrets as a security initiative, driven heavily by the fact that many of their peers have experienced secrets compromised,” said Legit co-founder and CEO Roni Fuchs. “We are pioneering the way for a complete developer data security by introducing major innovations that give security and engineering teams a way of protecting sensitive data and preventing new secrets from being exposed everywhere.”

With Legit, CISOs and their teams can identify, remediate, and prevent the loss of secrets across developer tools, ranging from GitHub, GitLab, Azure DevOps, and Bitbucket to Docker images, artifacts, Confluence pages, and more. Key benefits of Legit secret scanning include:

  • End-to-end SDLC visibility and prioritization: Legit detects secrets beyond the source code to examine all components of the development pipeline. The Legit platform continuously discovers new assets and automatically protects them from loss.
  • Fast and simple administration: With centralized management, Legit makes creating custom policies, managing exceptions and executing secret scanning simple.
  • Complex risk detection and prioritization: Legit's broad visibility enables the discovery of secrets that might otherwise be missed, including toxic combinations (e.g., those exposed by a user making a repo public). The context Legit provides allows users to prioritize what's most important, like secret validity checks or adjusted severity levels that consider the criticality and exploitability of the service.
  • Reduced false positives: By leveraging a continuously learning analytics engine, Legit increases the accuracy of secrets detection. In addition, Legit brings a highly productive triage and baseline experience for building exceptions and fine-tuning results in no time.
  • Scalable for large development teams: Unlike open-source-based tools, Legit built secret scanning to meet large enterprises' performance and scalability requirements.
  • Secrets leak prevention and remediation: Legit enables preventive guardrails on developer endpoints using the Legit CLI and can block secrets with SCM hooks before code is pushed. In addition, automated workflows can reach developers as part of a pull request or create Slack messages or Jira tickets to streamline remediation.

For more information, please visit: https://www.legitsecurity.com/.

About Legit Security
Legit Security provides an application security posture management platform that secures application delivery from code to cloud and protects an organization's software supply chain from attacks. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and prioritize security issues based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 9022728)

Legit Security Announces Historic 2023 Year-End
http://www.kuwaitfinancialexpress.com/?p=309503/ (published Wed, 10 Jan 2024 13:01:13 +0000)

Company named to elite Fortune Cyber 60 list; expands executive bench; delivers nearly 250% year-over-year ARR growth

PALO ALTO, Calif., Jan. 10, 2024 (GLOBE NEWSWIRE) — Legit Security, the leading application security posture management (ASPM) platform that enables secure application delivery, today announced that 2023 delivered the most successful year in the company's history, including most recently being named to the Fortune Cyber 60 list of the most important venture-backed startups.

Legit's platform enables security leaders, including CISOs, product security leaders and security architects, to gain comprehensive visibility into risks across the development pipeline from the infrastructure to the application layer. With a crystal-clear view of the development lifecycle, customers ensure that the code deployed is traceable, secure, and compliant.

Key milestones Legit achieved in 2023 include:

  • Achieved nearly 250% ARR (annual recurring revenue) growth in 2023 and secured a net retention rate of 190% while doubling the company’s customer base.
  • Continuing to grow the company’s team in both Israel and the United States, including expanding its Tel Aviv office and opening a new office in Boston.
  • Being named to the Fortune Cyber 60 list of the most important venture-backed startups. For the inaugural list, Lightspeed Venture Partners partnered with Fortune to identify the top companies that offer enterprise-grade cybersecurity solutions. Legit was included in the “growth stage” category for its notable growth in 2023.
  • Expanding the company's executive bench with the addition of Aaron Cote as chief revenue officer (CRO), Dave Howell as chief marketing officer (CMO), and Erez Rosenfeld as vice president of finance. All report to Roni Fuchs, Legit's chief executive officer (CEO) and co-founder.
  • Announcing a $40 million Series B investment round led by CRV with participation from Cyberstarts, Bessemer Venture Partners and TCV.
  • Being named as a “sample vendor” in several Gartner research reports, including “Innovation Insight for Application Security Posture Management,” “Emerging Tech Impact Radar: Security” (supply chain security), “Hype Cycle for Application Security, 2023” (ASPM), and “How to Select DevSecOps Tools for Secure Software Delivery.”
  • Launching a collaboration with CrowdStrike to offer customers an integrated solution encompassing both Legit’s platform and CrowdStrike’s cloud security posture management (CSPM) platform, ensuring the cloud environments are optimally configured and safeguarded.

“It is clear that the fundamental approach to application security must change because the problems organizations face go well beyond what can be solved through yet another scanning tool,” said Fuchs. “I’m proud of the success the team achieved in 2023. It’s a testament to the fact that customers need the ability to understand the entire software pipeline to drive an effective security program.”

For more information, please visit: https://www.legitsecurity.com/. To learn about career opportunities with Legit, visit https://www.legitsecurity.com/careers.

About Legit Security
Legit Security provides an application security posture management platform that secures application delivery from code to cloud and protects an organization's software supply chain from attacks. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and prioritize security issues based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 9015704)

Legit Security Wins 7 Industry Awards As RSA Conference Wraps Up
http://www.kuwaitfinancialexpress.com/legit-security-wins-7-industry-awards-as-rsa-conference-wraps-up/ (published Tue, 02 May 2023 15:48:37 +0000)

PALO ALTO, Calif., May 02, 2023 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise platform that ensures secure application delivery from code to cloud and protects an organization's software supply chain from attack, today announced that it has won seven industry awards for its innovative cybersecurity solution. The company joins a rare group of companies that are broadly and consistently recognized for their innovation and market leadership by a consensus of leading cybersecurity experts and judges.

Legit Security has been recognized with the following awards leading up to and during the RSA Conference 2023 in San Francisco, the world's largest cybersecurity event, which concluded last week:

"We are thrilled to receive so many awards recognizing our unique platform innovations and rapid market success in securing application delivery from code to cloud for our enterprise customers," said Roni Fuchs, CEO of Legit Security. "We're honored to be so broadly recognized for our achievements and look forward to further success helping our customers ensure the governance, compliance, and integrity of every software release and defending against the latest threats to the software supply chain."

The Legit Security platform provides code-to-cloud visibility into vulnerabilities and risks throughout the software development lifecycle, from code in its earliest stages, through the pre-production development environment, and all the way to deployment in a runtime environment. By automatically mapping connections and dependencies between systems, code, artifacts, third parties, developers, and cloud environments, the platform is able to rapidly contextualize security risks, consolidate vulnerability management, and prioritize remediation so that application security teams can keep their businesses safe while releasing software fast.

For more information on the Legit Security platform, please visit the company's website at https://www.legitsecurity.com.

About Legit Security
Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8830150)

Legit Security Extends Platform Capabilities for Code to Cloud Visibility and Security
http://www.kuwaitfinancialexpress.com/legit-security-extends-platform-capabilities-for-code-to-cloud-visibility-and-security/ (published Wed, 19 Apr 2023 14:18:53 +0000)

PALO ALTO, Calif., April 19, 2023 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announces new code to cloud traceability and security capabilities that capture deep security issue context and business insights to drive faster remediation and security issue prioritization for enterprise security teams. These capabilities extend the company's existing market leadership position in software supply chain security by providing broader and more automated security issue discovery, correlation and remediation capabilities from code creation to cloud delivery and runtime. By using the Legit Security platform, enterprise security teams can greatly improve their efficiency and effectiveness by leveraging critical insights and deep security issue context to cut through the noise and quickly remediate the security issues that matter most. More details on this latest capability can be found on the company's blog.

Modern software applications are driven by a demand for continuous innovation that has led to the adoption of DevOps, agile development, and rapid software releases to the cloud. However, this has created a sprawling and rapidly changing attack surface that requires a coordinated, real-time approach to security that spans Application Security, Cloud Security and Software Development teams. Yet these teams lack end-to-end visibility and context into how applications are really built and deployed, so they cannot cut through high levels of security issue noise, prioritize application risks effectively, and collaborate efficiently to remediate the most critical risks first.

The Legit Security platform provides deep visibility into security vulnerabilities and risks from code creation, through software build automation, to runtime deployment, so that security teams can easily collaborate and build trust with software development teams while scaling their security operations to meet the speed of development. Automated code to cloud traceability and security also provides critical capabilities to define and track secure application delivery benchmarks, to build secure pipelines with optimal security guardrail coverage across the software development lifecycle (SDLC), and to manage clear-cut strategies for shifting security left to improve efficiency.

"Traditional application security lacks an understanding of code lineage and how applications are built and shipped, creating a huge gap in the ability to secure application delivery end-to-end, in real time, across all stages of the SDLC," said Liav Caspi, CTO and co-founder of Legit Security. "Our code to cloud traceability closes this gap. We're providing visibility, context and correlation of both applications and their risks to bridge together the worlds of Application Security, Cloud Security and Development, which is exactly what the market needs to get to the next level of effectiveness. We're enabling enterprises to better understand and prioritize the real risks that vulnerabilities pose to their applications, how that risk originated, and how it moved through their SDLC and to the cloud."

Legit Security's code to cloud traceability works by tracking code from the time it's written, across all its pre-production build stages and binary forms, to when it's deployed to a runtime environment. The platform automatically discovers and maps the connections and dependencies between systems, code, artifacts, third parties, developers and cloud environments and tracks the pathways used by individual application releases. This allows organizations to see where vulnerabilities in code will ultimately be deployed and also where vulnerabilities discovered in runtime originated in the SDLC, so that teams can quickly understand their ultimate impact and prioritize remediation for the most critical threats.

For more information on the Legit Security platform's code to cloud capabilities, please visit our blog. To learn more about Legit's broader platform capabilities spanning software supply chain security, unified application security control plane, and regulatory compliance and continuous assurance, please visit https://www.legitsecurity.com.

About Legit Security
Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8811308)

Legit Security Announces New Partnership with Snyk
http://www.kuwaitfinancialexpress.com/legit-security-announces-new-partnership-with-snyk/ (published Wed, 12 Apr 2023 13:59:58 +0000)

TEL AVIV, Israel, April 12, 2023 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise platform that protects software delivery from code to cloud, including the software supply chain, today announced a partnership with Snyk, the leader in developer security.

Together, Legit Security and Snyk help bridge the gap between security and development teams by scaling up security from code to cloud through the combination of secure code and secure application delivery. The partnership enables organizations to greatly improve productivity by contextualizing cybersecurity risks, consolidating vulnerability management in a unified view, and prioritizing remediation to the most critical risks and applications so their businesses can stay safe while releasing trusted software fast.

Today's digital business models depend on rapid innovation, but security teams struggle to keep pace with the development of modern applications, DevOps and changing CI/CD pipelines. Legit Security helps application security teams align with iterative, fast-paced DevOps models by protecting applications from code-to-cloud with automated SDLC discovery and a unified application security control plane that provides visibility, security, and governance over rapidly changing environments. By providing real-time security posture management and deep security issue context, security and development teams can rapidly prioritize security issues and accelerate their productivity, effectiveness, and collaboration.

"In most organizations today, software development pipelines are unchartered highways to cloud deployment," said Roni Fuchs, CEO and co-founder, Legit Security. "To build applications securely at scale, you need to have visibility and security control over your development environments including traceability from cloud apps back to their CI/CD software pipelines and originating source code. We are thrilled to partner with Snyk to combine our code to cloud security capabilities with their developer-first approach to secure code and open source dependencies."

"We're excited to further our relationship with Legit Security," said Jill Wilkins, Senior Director Global Alliances, Snyk. "As the demand for developer security grows, we are always looking to expand our partner ecosystem and help businesses all over the world capitalize on that opportunity. Our partnership with Legit Security will help us continue our mission to empower developers all over the world with developer first security, and offer our mutual customers the ability to seamlessly integrate Snyk into existing workflows, tools, and processes to help accelerate development and security team adoption of DevSecOps."

For more information, please visit Legit Security at www.legitsecurity.com.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8806564)

Legit Security Uncovers Remote Code Execution Vulnerability in Microsoft's Azure Pipelines, Posing Serious Risks to Software Supply Chains
http://www.kuwaitfinancialexpress.com/legit-security-uncovers-remote-code-execution-vulnerability-in-microsofts-azure-pipelines-posing-serious-risks-to-software-supply-chains/ (published Tue, 04 Apr 2023 17:48:38 +0000)

TEL AVIV, Israel, April 04, 2023 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise platform that protects software delivery from code to cloud, including the software supply chain, today announced that it has uncovered a remote code execution vulnerability in Microsoft's Azure Pipelines. The vulnerability allows attackers to exploit Microsoft's Azure DevOps Servers to initiate software supply chain attacks and execute malicious code that can compromise the security and integrity of an organization's software products. Given the widespread use of Azure Pipelines in software development, this vulnerability poses a significant risk to businesses that rely on the service to deliver their software. Legit Security worked closely with Microsoft to disclose and remediate the vulnerability, and information on how to mitigate the risks can be found on Legit Security's technical disclosure blog.

The remote code execution vulnerability discovered by Legit Security has been assigned CVE-2023-21553 and affects Azure Pipelines, a very popular continuous integration and continuous delivery (CI/CD) service from Microsoft. Software build systems such as Azure Pipelines are the foundation of the software development process: they compile code into software products and automate their release. Vulnerabilities in the build system are especially dangerous because attackers can inject malicious code and taint the resulting software products delivered downstream to customers.

The discovered vulnerability originates in the logging commands mechanism of Azure Pipelines and enables attackers to execute code that could directly compromise the security and integrity of downstream software. Attackers could also leverage this vulnerability to access sensitive secrets contained within the software pipeline, such as passwords to sensitive resources and access keys to cloud services, to initiate lateral attacks and further compromise an organization. As a result, this vulnerability could have devastating consequences if left unaddressed for businesses that rely on Azure Pipelines to build and deploy their software.

"Software build pipelines are a critical part of the software supply chain, and vulnerabilities within them can enable malicious code injection and code tampering similar to the notorious SolarWinds attack," said Liav Caspi, CTO and co-founder of Legit Security. "Software producers need to be vigilant in protecting their software supply chains, which includes securing build pipelines and addressing vulnerabilities such as the one we discovered in Microsoft's Azure Pipelines."

Legit Security worked closely with Microsoft to address the vulnerability, and a patch has been released to mitigate the risk. Users running an out-of-date version of Azure DevOps Server could remain vulnerable, and users of the on-prem version (ADO Server version 2020.1.2 or lower) should apply the patch as soon as possible. Note that not every pipeline in Azure Pipelines is vulnerable; exposure depends on the logging command features and patterns a pipeline uses. Organizations using Azure Pipelines are strongly encouraged to review Legit Security's technical disclosure blog to determine whether they are affected and to mitigate the risks.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8802064)

Legit Security Adds Support For More Regulatory Compliance Frameworks To Strengthen Software Supply Chain Security
http://www.kuwaitfinancialexpress.com/legit-security-add-supports-for-more-regulatory-compliance-frameworks-to-strengthen-software-supply-chain-security/ (published Wed, 22 Mar 2023 12:00:00 +0000)

TEL AVIV, Israel, March 22, 2023 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announces support for additional regulatory compliance frameworks and standards to improve software supply chain security, including ISO 27001, SSDF, FedRAMP, SLSA, NIST, SBOM and SOC2. The Legit Security platform secures software supply chains by automatically discovering security issues, remediating threats, and ensuring the compliance of every software release. With support for these broad regulatory frameworks and standards, the company provides organizations with industry-leading capabilities to align their security guardrails to compliance requirements and deliver continuous insights into their state of compliance, including drift detection and real-time alerts when security guardrails are violated.

Following the high-profile cyberattacks of SolarWinds, Codecov, Kaseya, Log4Shell, and many others, concerted efforts have been made by governments, industry leaders, and the software security community to regulate software supply chain security and ultimately software itself. The result is a rapidly evolving landscape of regulations and standards to keep the software development community thriving amid new threats.

Compliance with key frameworks and standards including ISO 27001, SSDF, FedRAMP, SLSA, NIST, SBOM and SOC2 is essential to improve security and is increasingly required by software customers. The Legit Security platform helps organizations ensure automated governance, compliance, and integrity of their software releases in support of these frameworks. The platform's ability to auto-discover and analyze software pipelines, tools, and security controls from code-to-cloud secures and governs applications in a single platform, and leverages risk scoring, security gap analysis, and remediation to streamline audits and ensure application release integrity.

"Enterprises are seeking solutions to improve the efficiency and effectiveness of their application security programs, often while needing to comply with one or more regulatory frameworks at the same time," said Liav Caspi, CTO and co-founder of Legit Security. "By supporting these top frameworks and standards in our platform, we're making the path to initial compliance much easier for our customers, and then helping them stay compliant with automated tools and reporting that lowers the cost of compliance while simultaneously improving the security of their software supply chains and application delivery."

The Legit Security platform supports the following frameworks and standards:

  • ISO 27001 is a standard specifying requirements for information security management systems, helping organizations protect their information assets.
  • SSDF (Secure Software Development Framework) is a set of secure software development practices based on best practices from organizations such as BSA, OWASP, and SAFECode.
  • FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government program that provides a standardized approach to security assessments, authorization, and continuous monitoring for cloud products and services.
  • The NIST (National Institute of Standards and Technology) cybersecurity framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risks and protect their networks and data.
  • SLSA (Supply Chain Levels for Software Artifacts) is a framework developed by Google that helps software producers and consumers achieve defined levels of software supply chain security.
  • SOC2 (Service Organization Control 2) is a widely recognized auditing standard for service providers that demonstrate their ability to securely manage customer data.
  • SBOM (Software Bill of Materials) is a nested description of software artifact components, persistent references, metadata and other auxiliary information such as licensing information presented in one of several standardized formats.

In support of these frameworks and standards, Legit Security provides automated tooling and reporting to streamline compliance and audits while enabling organizations to effectively secure their software supply chains and mitigate the risk of cyberattacks.

For more information, please visit the Legit Security website or read the company's whitepaper for details on the rapidly evolving regulatory landscape for software supply chain security.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8793190)

Legit Security's Open-Source Security Tool “Legitify” Adds Support for GitLab and GitHub Enterprise Server
http://www.kuwaitfinancialexpress.com/legit-securitys-open-source-security-tool-legitify-adds-support-for-gitlab-and-github-enterprise-server/ (published Thu, 26 Jan 2023 15:12:59 +0000)

TEL AVIV, Israel, Jan. 26, 2023 (GLOBE NEWSWIRE) — Legit Security, a cybersecurity company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that Legitify, the open-source security tool that it maintains in addition to its enterprise SaaS platform, has expanded support to include GitHub Enterprise Server and GitLab. Now security and software development teams can easily detect and remediate insecure configurations and vulnerabilities in these popular source-code management (SCM) systems in addition to GitHub.com. To download Legitify, please visit the Legit Security website.

Legitify is a source-code management (SCM) misconfiguration scanner that helps Security, DevOps and Development teams manage and enforce SCM configurations in a secure and scalable way. Legitify was developed to provide the open-source community with a security tool to prevent a very common source of software supply chain attacks by detecting and remediating vulnerabilities that originate in SCM misconfigurations.

After Legitify's initial release in 2022, Legit Security received multiple requests to expand Legitify's support to additional popular SCM products used by enterprise organizations. GitHub Enterprise Server and GitLab Server are two of the most popular on-premises SCM systems used globally today. Insecure configurations in these and other SCM systems have opened the door to multiple cyberattacks, data breaches and exploits that have made headline news. Legitify is designed to identify and address insecure SCM configurations in real time, ensuring that both cloud and on-premises SCM deployments are secure and compliant. Legitify can also be scheduled to run periodically to validate secure configurations continuously.

In addition to broader SCM support, Legitify's latest release also includes other new features including:

  • Dozens of new SCM security policies, including a new policy category called "Runner Groups" that detects misconfigurations in GitHub's runner groups. You can browse all of Legitify's security policies at legitify.dev.
  • A new GitHub action that can be used to run Legitify as part of the organization's CI/CD pipeline, allowing users to gain continuous protection and receive immediate alerts when a new misconfiguration is detected.
  • To enhance the software supply chain security of Legitify's users, every Legitify release now contains a SLSA Level 3 Provenance attestation that can be used to verify the authenticity of the tool.

"We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft and sensitive data exposure, many of which result from bad SCM configurations," said Liav Caspi, CTO and co-founder of Legit Security. "We see a huge demand for an open-source tool like Legitify to quickly verify the secure configuration of SCM resources. Our mission with Legitify is to provide an extremely useful open-source security tool to complement our more capable and commercially available Legit Security Platform. We plan to have many more exciting capabilities released in Legitify over time."

Legitify's capabilities represent a subset of the broader security capabilities available on the enterprise-grade Legit Security Platform. The Legit Security Platform goes well beyond SCM misconfigurations by securing entire software supply chain environments, including other development assets, build servers, artifact registries, code-to-cloud development pipelines and more. Additional information on the Legit Security Platform can be found on the company's website: https://www.legitsecurity.com.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8737343)

Legit Security Discovers “MarkdownTime”, A Vulnerability in Markdown Services Affecting GitHub, GitLab and Countless Others
http://www.kuwaitfinancialexpress.com/legit-security-discovers-markdowntime-a-vulnerability-in-markdown-services-affecting-github-gitlab-and-countless-others/ Thu, 19 Jan 2023 16:13:07 +0000 http://www.kuwaitfinancialexpress.com/?p=306694

TEL AVIV, Israel, Jan. 19, 2023 (GLOBE NEWSWIRE) — Legit Security, a cyber security company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that it discovered an easy-to-exploit Denial-of-Service (DoS) vulnerability in Markdown libraries used by GitHub, GitLab and countless other applications using a popular markdown rendering service called commonmarker. Coined "MarkdownTime", a vulnerable version of the commonmarker service allows an attacker to deploy a simple DoS attack that would shut down innumerable digital business services across the globe by disrupting their application development pipelines. More information on the vulnerability and how to mitigate the risks is found on a technical disclosure blog found here.

Markdown refers to creating formatted text using a plain text editor, and is commonly found in software development tools and environments. A wide range of applications and projects implement these popular open-source markdown libraries, such as the popular variant found in GitHub's implementation, GFM (GitHub Flavored Markdown). In this case, Legit Security researchers found that it was simple to trigger unbounded resource exhaustion leading to a Denial-of-Service condition that could take down the service. After bringing this vulnerability to the attention of the GitHub security team, GitHub recognized the issue and posted a formal acknowledgement and fix, which can be found here: CVE-2022-39209. It should be noted that many other tools and services may also be susceptible to the same vulnerability.

"Open-source libraries are ubiquitous in modern software development, but when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of the original vulnerable code," said Liav Caspi, CTO and co-founder of Legit Security. "When a library becomes popular and widespread, a vulnerability inside of it could potentially enable an attack on countless projects. Those attacks can include disruption of critical business services, such as crippling the software supply chain and the ability to release new business applications."

This is exactly what the Legit Security research team saw with MarkdownTime: a copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package implementing Markdown support, which has more than 1 million dependent repositories. The Legit Security team found implementations across several business-critical source code management services, among them GitHub and GitLab. Using this exploit, an unauthenticated attacker can bring down entire software production pipelines and cause significant damage to organizations' digital business initiatives. Many other services beyond software development environments may also be vulnerable to costly business disruption.

The Legit Security research team has disclosed this security issue to the maintainer of commonmarker, as well as to both GitHub and GitLab. All of them have fixed the issue, but many more copies of this markdown implementation have been deployed and remain in use. An in-depth description of MarkdownTime, along with information on how to protect organizations and projects, can be found in Legit Security's blog.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.

Media Contact
Tony Keller
OutVox
tkeller@outvox.com


GLOBENEWSWIRE (Distribution ID 8732969)

Legit Security Discovers New Class of Development Pipeline Vulnerabilities; Open-Source Rust Programming Language Found Vulnerable
http://www.kuwaitfinancialexpress.com/legit-security-discovers-new-class-of-development-pipeline-vulnerabilities-open-source-rust-programming-language-found-vulnerable/ Thu, 08 Dec 2022 13:00:00 +0000 http://www.kuwaitfinancialexpress.com/?p=306507

TEL AVIV, Israel, Dec. 08, 2022 (GLOBE NEWSWIRE) — Legit Security, a cyber security company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that it discovered a new class of software supply chain vulnerabilities that leverage artifact poisoning to attack underlying software development pipelines. The vulnerability was found in GitHub Actions, a platform for orchestrating and automating software development pipelines, and was identified in the highly popular programming language Rust. Many other GitHub Actions projects remain potentially vulnerable, and a technical disclosure blog including information to protect organizations from attack is available on Legit Security's website.

The discovered pipeline vulnerability could allow any GitHub user to replace legitimate development artifacts with malicious ones, enabling attackers to modify source code, steal secrets and create Codecov-like, wide-reaching software supply chain attacks. Rust, an extremely popular programming language used by millions of developers, acknowledged and fixed the vulnerability after initial disclosure by the Legit Security Research Team.

GitHub Actions is part of the extremely popular GitHub source code management system at the heart of many organizations' software supply chains and used by software developers globally. The vulnerability affects the GitHub Actions artifact storage mechanism, which is used to store and transfer build artifacts between software development build jobs. Due to a limitation in the cross-workflow artifact communication mechanism, vulnerable workflows cannot distinguish between legitimate project artifacts and artifacts that were created by the project's forks or copies, allowing any user to create a fork and then craft a malicious artifact that will be treated as a legitimate one.

"This is a different class of vulnerability that can lead to attacks and modification of the development pipeline itself, not just modification of the code," said Liav Caspi, co-founder and CTO, Legit Security. "A simple analogy could be made to a car assembly line. This is an attack on the assembly line itself that could include stealing sensitive parts, turning off certain steps, or substituting any valid part for a malicious one. It's a powerful attack vector that gives cyber criminals a lot of options to inflict damage. In this case, the vulnerable targets are software supply chains that use GitHub Actions."

The Legit Security Research Team also disclosed the security issue to the GitHub security team. GitHub responded by updating its API to include information that can help workflows tell the two kinds of artifact apart. It should be noted that GitHub didn't address the root cause of the issue, thus leaving many other GitHub Actions projects vulnerable to the aforementioned software supply chain attacks unless they add that check themselves. Legit Security's technical disclosure blog includes important information on how to protect organizations from this type of attack. More information about general GitHub security best practices can also be found here.
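The defender-side check the two paragraphs above call for, as an added example that is not Legit Security's or GitHub's code: before a downstream workflow consumes an artifact, it refuses anything whose originating run did not come from the base repository itself. It assumes artifact objects shaped like GitHub's REST "list artifacts" response, where each artifact carries a `workflow_run` object with `repository_id` and `head_repository_id`; the sample artifacts below are constructed, and the repository ids are made up.

```python
from typing import Iterable, List, Optional

# Constructed sample in the shape of a GitHub artifact-list response.
# Artifact 1: produced by the base repo's own run (trustworthy).
# Artifact 2: same name, but its head repository is a fork (poisoned candidate).
# Artifact 3: no provenance block at all (pre-fix API shape); treat as untrusted.
BASE_REPO_ID = 1001  # hypothetical id of the project repository
SAMPLE_ARTIFACTS = [
    {"id": 1, "name": "build-output", "expired": False,
     "workflow_run": {"id": 501, "repository_id": 1001,
                      "head_repository_id": 1001, "head_branch": "main"}},
    {"id": 2, "name": "build-output", "expired": False,
     "workflow_run": {"id": 502, "repository_id": 1001,
                      "head_repository_id": 2002, "head_branch": "main"}},
    {"id": 3, "name": "build-output", "expired": False},
]


def is_trusted_artifact(artifact: dict, base_repo_id: int,
                        expected_run_id: Optional[int] = None) -> bool:
    """True only when the artifact's run was executed for the base repo itself.

    A fork-originated pull_request run keeps repository_id == base repo but
    reports the fork as head_repository_id; that is the case the vulnerable
    workflows could not distinguish, so both ids must match the base repo.
    """
    run = artifact.get("workflow_run") or {}
    if "repository_id" not in run or "head_repository_id" not in run:
        return False  # no provenance: fail closed rather than guess
    if run["repository_id"] != base_repo_id:
        return False
    if run["head_repository_id"] != base_repo_id:
        return False  # artifact was built from a fork
    if expected_run_id is not None and run.get("id") != expected_run_id:
        return False  # caller pinned a specific triggering run
    return not artifact.get("expired", False)


def select_artifacts(artifacts: Iterable[dict], base_repo_id: int,
                     name: str) -> List[int]:
    """Ids of artifacts named `name` that pass the provenance check."""
    return [a["id"] for a in artifacts
            if a.get("name") == name and is_trusted_artifact(a, base_repo_id)]


if __name__ == "__main__":
    print(select_artifacts(SAMPLE_ARTIFACTS, BASE_REPO_ID, "build-output"))
```

Without the check, a name-based lookup would happily return all three candidates, which is exactly the confusion the release describes.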

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform's unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.


GLOBENEWSWIRE (Distribution ID 8710685)
