Back
Cookies Notice
This site uses cookies to deliver services and to analyze traffic.
Introducing Apiiro Guardian Agent: Preventing Vulnerable and Non-Compliant Code from Ever Being Created
Moti Gindi
January 28 2026
The Era of Prevention Apiiro started by building our foundational pillars for delivering secure, compliant code – Deep Code Analysis (DCA) and the Software and Risk Graphs™. These enabled us to move security processes from reactive to proactive. From intermittent to continuous. With this Apiiro Data Fabric in place, we went AI-native; embedding AI in […]
When Static Rules Met a Dynamic Attack Surface: Why AI Coding Assistants Must Think Like the AI Era – Not Like 80s Firewalls
Idan Plotnik
December 29 2025
In the early days of network security, perimeter defense was simple: Inspect packets. Match them against a list of known bad patterns. Block anything that looked suspicious. That was the era of static firewall rules – a world where threats were relatively predictable, environments were mostly stable, and thick rulebooks somehow worked. Then came the […]
60-Second Read: AI-Assisted Coding, Vibe Coding, and Agentic Coding Explained
Timothy Jung
December 19 2025
Why Read This? Ask ten people what AI-assisted coding, vibe coding, or agentic coding mean – and you’ll likely get ten different answers. These terms are often mixed together, even though they describe very different ways of building software, aimed at very different audiences. The goal of this short read is to remove the confusion. […]
Introducing Apiiro AI-SAST: Static Scanning Reimagined – From Code to Runtime
Matan Giladi, Neta Coral
December 18 2025
Static Application Security Testing (SAST) is a legacy technology, invented decades ago and largely unchanged since. With the rapid adoption of AI coding assistants and agentic coding tools, development velocity and the application attack surface have increased exponentially, pushing traditional SAST beyond its breaking point. What was once an application security engineer and developer problem […]
Apiiro AI-SAST: Static Scanning Reimagined – From Code to Runtime – for the AI Era
Moti Gindi, Neta Coral
December 18 2025
Application security and development teams have relied on SAST scanners that excel at recognizing patterns based on static rules, but struggle to deeply understand the software architecture graph from code to runtime. Now, the supercharged speed of development – powered by AI-assisted coding – has made the SAST results unsustainable. Traditional scanners lack the ability to give application […]
Apiiro Achieves True Runtime API Endpoint Matching
Karen Cohen, Ella Bor
December 10 2025
AppSec teams face an explosion of API-related risks that are difficult to track, prioritize, and remediate. Many ASPM providers claim they offer true code-to-runtime endpoint matching, but in a best-case scenario, they can only match the runtime host or project to its code application or repository – not to the specific line of code. This […]
A Triple Recognition: After Gartner and IDC, Apiiro Named the Most Innovative ASPM Provider Worldwide in Frost & Sullivan’s 2025 Frost Radar™
Timothy Jung
December 9 2025
Frost & Sullivan has named Apiiro the most innovative Application Security Posture Management (ASPM) provider worldwide, recognizing Apiiro’s unique ability to prioritize the needs of an enterprise customer base while also pushing the envelope on AppSec innovation. This distinction reinforces Apiiro’s position as the most innovative ASPM company — not just for building groundbreaking technology, […]
Critical Vulnerability – RCE in React Server Components & Next.js
Nadav Shakarzy
December 4 2025
On December 3, 2025, coordinated disclosures revealed critical remote code execution (RCE) vulnerabilities in React Server Components (RSC) and Next.js: At the core, the issue is unsafe deserialization in the RSC “Flight” protocol. With a single crafted HTTP request to an exposed RSC / Server Function endpoint, an attacker can reach pre-auth arbitrary code execution […]
Shai-Hulud 2: A New Wave of npm Supply Chain Malware Targeting Developers and CI/CD Systems
Nadav Shakarzy
November 25 2025
A new and significantly more aggressive wave of Shai-Hulud malware is rapidly propagating across the npm ecosystem. Known as Shai-Hulud 2, this campaign is infecting hundreds of open-source packages with a trojanized preinstall script that executes an obfuscated Bun-based payload. Once activated, the malware steals sensitive credentials—including API tokens, SSH keys, cloud access keys, and […]
Apiiro Welcomes Former GitHub CEO Thomas Dohmke as Strategic Advisor to Safeguard AI Before Code Generation and Prevent Risks at Enterprise Scale
Idan Plotnik
November 24 2025
The software industry is in the middle of its most profound shift. AI is no longer an assistant on the sidelines; it is writing the majority of new code across modern engineering organizations in Fortune 500 enterprises. This pace unlocks incredible innovation, but it also introduces unprecedented risk. Today, I’m excited to share that Thomas […]
How to Detect and Stop Source Code, Data, and Secrets Exposure
Nadav Shakarzy
November 10 2025
When it comes to threats to source code, inadvertent leaks are far more common than open theft. Robust governance is the best way to identify and stop potential source code exposures – but shifts in security priorities have made this difficult, even for the largest organizations. Cloud-based source control systems, muddled identity models and democratized […]
Secure Software Design: Best Practices to Build Safe, Resilient Applications
Timothy Jung
November 9 2025
Key Takeaways You can write flawless code and still ship a vulnerable application. That’s the reality of insecure design. If the architecture lacks proper authorization controls, no amount of input validation will prevent privilege escalation. If session management is flawed at the blueprint level, secure coding practices can’t patch it. This is why OWASP added […]
12 Best Open Source Vulnerability Management Tools for 2026
Timothy Jung
November 7 2025
Key Takeaways Open source software now forms the foundation of modern applications. Recent audits show that roughly 74% of codebases contain high-risk vulnerabilities from open source dependencies. While AI coding assistants accelerate development, they often introduce unverified dependencies and subtle logic flaws. Traditional periodic scanning and manual triage can’t keep pace with this velocity. As […]
10 Best Practices That Will Transform Your Code Review Processes
Timothy Jung
November 5 2025
Key Takeaways Code review used to be about catching bugs before they shipped. Today, it carries far more weight. With AI-assisted development accelerating the pace of change and complexity, code review has become one of the last reliable points for preventing security, architectural, and business risks from reaching production. Modern teams are shipping more code, […]
The Top Code Execution Risks in Agentic AI Systems in 2026
Timothy Jung
November 3 2025
Key takeaways Code execution was once tightly controlled by developers, pipelines, and review gates. Now, agentic AI is changing that model by generating and running code dynamically, often with broad permissions and limited visibility into how decisions are made or actions are triggered. This shift is already happening. According to Gartner, 33% of enterprise software […]
Confidence in Agentic Code Fixes is rising – but not without a strong ASPM program
Timothy Jung
October 30 2025
The latest analysis from 451 Research and Daniel Kennedy indicates that security leaders are citing a lack of coordination between AST tools as a major pain point – and the complexity of application security tools is the #1 issue for InfoSec experts today. The Rise of Agentic AI — and the New Security Imperative In […]
Why 2026 Demands Better Application Security Training for Developers
Timothy Jung
October 20 2025
Key Takeaways The shift to high-velocity software development is complete. Teams push updates constantly, and AI coding assistants now support a large share of day-to-day coding tasks. According to GitHub’s Octoverse 2025 report, 80% of new developers on the platform use Copilot within their first week. And it’s not hard to see why, with developers […]
Modern Application Security Best Practices for an AI-Driven SDLC
Timothy Jung
October 16 2025
Key Takeaways Most security failures today come down to one issue: teams can’t see how their applications actually work. Scanners run in isolation and generate findings with no clear context, material changes slip through the cracks, and design flaws stay buried until they cause real problems in production. When the architecture is unclear, even the […]
Gartner Ranks Apiiro #1 in ASPM in 2025 Magic Quadrant for Application Security Testing (AST)
Timothy Jung
October 13 2025
Apiiro ranked number one in ASPM capabilities among all vendors with critical AST capabilities. Apiiro has been recognized in the 2025 Gartner® Magic Quadrant™ for Application Security Testing (AST). This marks Apiiro’s first appearance in a Magic Quadrant, and it comes with a notable distinction: Gartner ranked Apiiro #1 for Application Security Posture Management (ASPM). […]
Webinar Recap: The Evolution of AppSec for the AI Era
Timothy Jung
October 9 2025
AI isn’t arriving. It’s here—living inside our applications, accelerating how software gets built, and reshaping the relationship between developers and security. In a recent webinar, Apiiro’s Idan Plotnik and IDC analyst Katie Norton joined Application Security Weekly’s Mike Shima to unpack what this shift means for AppSec leaders and engineering teams on the ground: the […]
Securing AI-Assisted Software Development: Google + Apiiro
John Leon
October 1 2025
AI coding assistants like Gemini Code Assist are now part of the everyday developer toolkit. They accelerate progress in a way that still feels almost unbelievable—turning a rough prompt into working features in a matter of seconds. But in an enterprise environment, the measure of success isn’t just speed. Code that runs is not necessarily […]
Introducing Apiiro’s New OSS Licenses Experience
Nadav Shakarzy
September 29 2025
Open Source Software (OSS) is the backbone of modern development. With thousands of dependencies powering today’s applications, organizations must balance speed with governance, ensuring that licenses are properly managed and risks are minimized. Yet, navigating OSS license obligations has often been fragmented and frustrating. Apiiro is excited to introduce our new OSS Licenses experience—a streamlined, […]
Top 10 Application Security Testing Tools for 2026
Timothy Jung
September 27 2025
Key takeaways AI is helping developers move faster, but it’s also creating a flood of risky changes that security teams can’t triage manually. Every new commit, dependency update, and API release expands the attack surface. Teams are shipping more code than ever, but they’re also inheriting more complexity, including opaque supply chains, AI-generated functions with […]
Building Bridges Between Security and R&D: Apiiro’s Continuous Investment in Finding the Right Code Owner
Nadav Shakarzy, Karen Cohen
September 25 2025
The Challenge of Code Ownership In today’s fast-paced development environments, security and R&D often operate in silos. This disconnect makes it difficult to identify not just who contributed to a piece of code, but who is ultimately responsible for maintaining it and addressing vulnerabilities. Mapping ownership effectively is about more than tracking commits—it’s about connecting […]
Secure and Govern Your AI Early — Before It Becomes a Production Risk
Karen Cohen
September 24 2025
Enhancing Apiiro’s AI Bill of Materials (AI BOM) with AI Agents and MCP Server Detection Capabilities Back in 2023, we shared how Apiiro helps organizations uncover shadow GenAI frameworks in their codebases using our Deep Code Analysis (DCA) technology. That visibility-first approach gave AppSec leaders clarity into which frameworks and exit points were being introduced, […]
Multi-Agent Networks in Application Security: Strategies & Benefits
Timothy Jung
September 23 2025
Key takeaways Security teams deal with a growing volume of alerts and application signals that change with every commit, deployment, and service update. But traditional tools struggle to interpret this level of complexity, and important risks often hide inside large streams of low-value findings. A 2024 Columbia University study compared single-model reasoning to coordinated-agent reasoning […]
Top 11 code security tools in 2026 every security team should evaluate
Timothy Jung
September 22 2025
Most teams think their scanners tell them where the risks are. The reality is that scanners only show symptoms. The real risks live in the architecture, and most organizations never see them. Each release introduces new APIs, code paths, and data flows that reshape how exposure spreads, yet these structural shifts often happen quietly in […]
Apiiro Recognized as a Leader in the 2025 IDC MarketScape for Application Security Posture Management
Timothy Jung
September 19 2025
The application security landscape is at an inflection point. Development teams are shippingcode faster than ever with the help of AI coding assistants, and while productivity is soaring, sois risk. Organizations adopting generative AI tools in software development are experiencing10x more security risks, particularly around design flaws, data exposure, and policy violations. Against this backdrop, […]
The Latest Shai-Hulud Ongoing Package Supply Chain Worm
Nadav Shakarzy
September 17 2025
The open-source ecosystem has once again become the stage for a major supply chain attack, this time leveraging the popular npm package @ctrl/tinycolor and spreading virally across the registry. What began on September 15, 2025, quickly escalated into one of the most significant npm compromises to date, impacting over 180 packages across the ecosystem. This […]
Securing code with Cursor and Windsurf: advanced vulnerability detection & remediation
Timothy Jung
September 15 2025
AI coding assistants have become the latest accelerators of modern development and the new generators of hidden risk. Tools like Cursor and Windsurf can write, refactor, and even deploy production code in seconds. Every line they produce feels like progress. Yet every line also carries a question: how secure is the code you didn’t write […]
Best practices for integrating agentic AI into app security
Timothy Jung
September 12 2025
Software development now includes a new type of participant: agentic AI, better known as autonomous systems that perceive, decide, and act independently. These agents can write code, configure infrastructure, and trigger workflows without waiting for human approval, enabling exponential speed that’s accompanied by an equally steep rise in complexity and risk. Unlike generative AI, which […]
The 16 best infrastructure as code (IaC) tools in 2025
Timothy Jung
September 7 2025
Infrastructure-as-code (IaC) represents a shift from manual provisioning to programmable infrastructure. Instead of relying on scripts or human input, teams define networks, compute resources, and configurations as version-controlled code. This creates consistency across environments and transforms infrastructure management into a repeatable, testable engineering process. For DevOps and security leaders, the value extends far beyond automation. […]
Nx Supply Chain Breach Shows Why Malicious Package Detection Matters
Nadav Shakarzy
September 5 2025
On August 26, 2025, threat actors launched a sophisticated supply chain attack on the widely used Nx build system, publishing multiple malicious versions of the nx and @nx/* npm packages. These versions contained data-stealing malware that, once installed, executed post‑install scripts to exfiltrate sensitive developer data—such as SSH keys, API tokens, npm credentials, GitHub tokens, […]
4x Velocity, 10x Vulnerabilities: AI Coding Assistants Are Shipping More Risks
Itay Nussbaum
September 4 2025
Every CEO Is Mandating AI Coding. Few Realize They’re Mandating Risk Too. Here’s the Data to Prove It. When Coinbase CEO Brian Armstrong ordered every engineer to adopt AI coding assistants (and fired those who didn’t) he captured the new reality: AI adoption is no longer optional. He’s not alone. Lemonade’s CEO Daniel Schreiber has […]
Why generative AI security remains the blind spot for application security teams
Timothy Jung
September 1 2025
Key takeaways Generative AI is transforming how software gets built. What once took days of manual effort can now be generated in seconds, with AI assistants assembling entire features from a single prompt. This has led to a development cycle that moves faster than any before it, and one that’s introducing new kinds of complexity […]
Just Released: The 2025 Gartner Hype Cycle for Application Security – Featuring Apiiro
Timothy Jung
August 5 2025
How Apiiro is driving the shift towards intelligent, AI-Ready application security. Aligning Security with AI-Driven Development The 2025 Gartner® Hype Cycle™ for Application Security confirms what many security leaders are already starting to see: application security is being redefined by the pressures brought on by AI coding assistants. Code is being written faster, often by […]
A Completely New Way to Fix Design and Code Risks: Meet Apiiro’s AutoFix Agent
Ravit Tal, Ella Bor
August 4 2025
AI coding assistants like GitHub Copilot, Cursor, and Gemini Code Assist are fundamentally changing how software is built. Already by the end of 2024, 30% of code was AI-generated. By 2028, Gartner projects that 75% of enterprise developers will be using AI assistants as part of their daily workflow. This shift has unlocked significant gains […]
Preventing Incidents at Scale: Introducing Apiiro’s AutoFix Agent
Moti Gindi
August 4 2025
AI coding assistants like GitHub Copilot, Cursor, and Gemini Code Assist have transformed software development. Developer productivity has soared. So have the speed and volume of material code changes, code complexity, and risks. But AppSec teams haven’t scaled proportionally – and the resulting surge in design and code risks is unsustainable. Fortune 500 companies need a […]
Moving from AppSec to ASPM: the evolution of application security
Timothy Jung
August 3 2025
Application Security (AppSec) has long been the backbone of software protection. Secure coding practices, vulnerability testing, and penetration assessments built the foundation for keeping applications safe. But the modern software ecosystem has transformed. Cloud-native architectures, containerization, and microservices create a development environment defined by speed and complexity. Meanwhile, code moves from commit to production multiple […]
Vibe coding security vulnerabilities best practices: protecting your applications
Timothy Jung
August 1 2025
The way developers write software is shifting rapidly with the rise of vibe coding, a workflow where natural language prompts guide AI coding assistants to generate production-ready code. This new paradigm transforms developers into reviewers, testers, and refiners rather than line-by-line implementers. The gains in speed are undeniable. Boilerplate scaffolding, standard integrations, and even complex […]
Toward Secure Code Generation with LLMs: Why Context Is Everything
Idan Plotnik
July 31 2025
The Future Is LLM-Driven—and It Can Be Secure Large language models are now a staple in how developers write code. They’re used to scaffold new components, suggest implementations, and automate repetitive tasks. But as their adoption grows, so do the questions about the security of what they generate. A recent study by a research group […]
Why ~50% of CVEs in the Last 6 Months Trace Directly to Code‑Level Vulnerabilities
Idan Plotnik
July 23 2025
1. The Alarming Surge in CVEs As of June 2025, over 21,500 new vulnerabilities have flooded the market—an average of 133 CVEs per day. That means roughly 10,000–11,000 CVEs have been published in the last six months alone. 2. Understanding Code‑Level Root Causes While CVEs capture specific incidents, their underlying weakness types can be mapped […]
PBOM vs SBOM – Building a Complete Security Bill of Materials
Timothy Jung
July 15 2025
The software supply chain has become one of the most contested battlegrounds in security. Modern applications are no longer made up of monolithic code. They’re assembled from thousands of moving parts, including open-source libraries, commercial components, and proprietary modules , all stitched together inside fast-moving pipelines. When even one of those pieces is compromised, the […]
How to detect and prevent application security vulnerabilities in modern apps
Timothy Jung
July 11 2025
Every modern business is built on software. Applications deliver customer experiences, streamline operations, and drive revenue growth. But they’ve also become a prime target. Each new API, microservice, or dependency expands the attack surface, and with it, the opportunities for attackers to exploit design flaws, misconfigurations, or weak points in the supply chain. In fact, […]
Webinar Recap: Aligning CMDB and Vulnerability Response with Real-Time Code Context
Timothy Jung
June 27 2025
In a recent webinar, Apiiro and ServiceNow showcased a powerful new integration that helps security teams manage risk across the software development lifecycle with greater context, automation, and accuracy. The joint solution brings together Apiiro’s deep code analysis and code-to-runtime correlation with ServiceNow’s market-leading CMDB and Application Vulnerability Response (AVR) capabilities, creating the industry’s first […]
Secure vibe-coding is an oxymoron: Here’s how to change that
Idan Plotnik
June 23 2025
A reality check for no-code development A new wave of “vibe coding” platforms is putting software development in the hands of anyone, not just trained engineers. Users can design and deploy full-stack applications entirely using natural language, AI models, and low-code/no-code tools. But, as a recent security incident shows, there are still major wrinkles to […]
11 best SAST tools for 2025: how to choose the right SAST solution
Timothy Jung
June 20 2025
Static application security testing (SAST) has matured into a cornerstone of modern application security. By scanning source code, bytecode, or binaries before an application runs, these tools help developers detect and remediate issues while they’re still inexpensive to fix. In 2025, SAST has matured into a core element of DevSecOps pipelines and developer workflows across […]
GenAI is already in your code — what’s at risk depends on your industry
Itay Nussbaum
June 17 2025
Twice the adoption, 7Ă— the risk: GenAI in retail vs finance GenAI is already reshaping enterprise codebases — but how it’s adopted, built, and secured differs drastically across industries. Apiiro, the leading Agentic Application Security platform, used its patented Deep Code Analysis (DCA) engine to examine over 100,000 code repositories across the software development lifecycle. […]
AI Software Composition Analysis: How to Maximize Security and Compliance in Modern Development
Timothy Jung
June 13 2025
Modern development moves at a pace that depends on open source, third-party libraries, APIs, and even AI-generated code. Each of these accelerates innovation, but they also create a complex software supply chain where one overlooked dependency can expose sensitive data, disrupt compliance, or slow delivery. According to Gartner, nearly 30% of enterprise code was generated […]
Web application security testing checklist: steps + real-world breach examples
Timothy Jung
June 5 2025
Every customer login, payment, and API call runs through a web application. That makes web apps not just business enablers, but also prime attack targets. The landscape has shifted: attackers don’t need novel exploits to cause damage. Breaches like Equifax exposed the personal data of nearly 148 million Americans when a known Apache Struts vulnerability […]
Introducing Apiiro’s Code-to-Runtime Integration for ServiceNow CMDB
John Leon, Ravit Tal
May 7 2025
Enterprises rely on ServiceNow’s Configuration Management Database (CMDB) as the system of record for infrastructure and applications. It supports critical processes across IT operations, security, compliance, and risk. But as software delivery accelerates, and as architectures become more dynamic, distributed, and AI-assisted, keeping the CMDB current has become increasingly complex. Code repositories, APIs, containers, GenAI […]
AppSec Is a Data Problem
Idan Plotnik
April 28 2025
In today’s AI-accelerated development world, application security often feels like chasing shadows: endless alerts, manual checklists before delivery, and dashboards so noisy they drown out real risk. At the root of the problem? A lack of structured, actionable data. Without it, every scanner, workflow, and platform falls short. Three Critical AppSec Challenges in Large Enterprises […]
Visual Intelligence for Software Risk: Introducing Software Graph Visualization from Apiiro
Karen Cohen
April 28 2025
In fast-moving, agile development environments, software architecture evolves constantly. Lacking a reliable way to visualize how components are connected, security reviews risk being slow, shallow, or based on outdated assumptions, and vulnerability management becomes reactive. Apiiro’s new Software Graph Visualization gives security teams a real-time, visual map of how software components interact across your systems […]
Continuous, Accurate Threat Modeling Is Now a Reality with Apiiro’s Software Graph Visualization
Karen Cohen
April 28 2025
Modern applications are incredibly complex and ever-changing. Code is spread across many repositories, frameworks, and cloud services, making it difficult for security teams to get a clear, up-to-date picture of how everything fits together. Traditional threat modeling often relies on static diagrams or developer interviews that become outdated almost immediately. Apiiro’s Software Graph Visualization tackles […]
The top software security standards for modern applications
Timothy Jung
April 27 2025
Security standards aren’t the problem—how we apply them is. Embedding these standards into the development lifecycle, complete with the right level of context and automation, accelerates progress. It’s safe to say the real friction comes from fragmented tools, manual reviews, and unclear ownership. That’s what turns well-intentioned frameworks into slow, reactive processes. Modern development demands […]
Top 8 Continuous Security Monitoring Tools for 2025
Timothy Jung
April 26 2025
Continuous security monitoring (CSM) tools have never had more reach, but context is what turns reach into action. Today’s platforms ingest signals from endpoints, cloud services, CI/CD pipelines, and even source code, yet still struggle to prioritize what matters. Organizations are pouring resources into tools that promise 24/7 monitoring across endpoints, networks, cloud environments, and […]
Gartner® Publishes First-Ever Market Guide for Software Supply Chain Security—Here’s Why ASPM is Included
Timothy Jung
April 25 2025
In a major milestone for the AppSec industry, Gartner® has released its first-ever Market Guide for Software Supply Chain Security (SSCS). This inaugural report defines the SSCS market, outlines core capabilities buyers should prioritize, and names representative vendors across key adjacent categories, including Apiiro as a recognized ASPM vendor with SSCS capabilities. The release of […]
Agentic AI Risk Management: What Every CISO Needs to Know in 2025
Timothy Jung
April 24 2025
AI-driven development is rewriting the rules of application security as we know it. By the end of 2024, nearly one-third of enterprise code was AI-generated, and Gartner projects that number will surge to 75% by 2028. While this acceleration enables faster delivery and new features at scale, it also introduces risks that traditional security models […]
Agile Penetration Testing: Adapting Scope and Targets through Material Code Change Detection
Idan Plotnik
April 23 2025
Traditional penetration tests are too slow for modern development. They often require weeks of back-and-forth between security and engineering just to figure out what to test–never mind the test itself. And in the time it takes to scope targets manually, the codebase has already changed. Agile penetration testing turns this problem on its head. By […]
How to Strengthen Security in AI-Driven Software Engineering
Timothy Jung
April 21 2025
AI-driven software development has created a fundamental shift in how teams build and ship code. From GitHub Copilot to custom LLM agents, artificial intelligence is now embedded across the development lifecycle, accelerating everything from function creation to test generation and even full application builds. But that acceleration comes with tradeoffs. Code is being suggested—and accepted—without […]
Webinar Recap: Reimagining Application Security Posture Management
Timothy Jung
April 18 2025
In a timely discussion hosted by S&P Global Market Intelligence, Principal Research Analyst Daniel Kennedy sat down with Idan Plotnik (Founder of Apiiro) and Jason Espone (Global Head of Application Security Engineering at C.H. Robinson) to explore the evolution of Application Security Posture Management (ASPM). With application environments growing increasingly complex, the panel addressed how […]
Mitigating SCA Vulnerabilities: Strengthening Your Software Supply Chain for Maximum Security
Timothy Jung
April 17 2025
Open source has become indispensable to modern software development, but it’s also become one of the biggest attack surfaces. By compromising a single OSS component, attackers can exploit every application or system that includes it. And because these vulnerabilities often hide deep in your dependency tree, they’re easy to miss and hard to fix. That’s […]
AI-Generated Code Security: Security Risks and Opportunities
Timothy Jung
April 1 2025
More than 40% of AI-generated code is vulnerable. And developers are committing it faster than security teams can keep up. The explosion of popular AI coding solutions like GitHub Copilot, Windsurf, Cursor, and Claude Code has dramatically accelerated software delivery. But while teams race to ship faster, this new precedent introduces insecure code, risky dependencies, […]
Gartner Warns of Growing API Security Gaps—And AI-Driven Development Is the Cause
Timothy Jung
March 25 2025
At Apiiro, we’ve closely analyzed the impact of AI-driven development on API security, finding that while AI-powered coding assistants accelerate API creation, they often do so without prioritizing security—introducing new risks that can go undetected without proactive monitoring. This challenge is now validated by Gartner’s latest research, Leaders’ Guide to API Security, which highlights the […]
Gartner Highlights the Growing Importance of ASPM – Here’s How Apiiro Stands Out
Timothy Jung
March 18 2025
Application security has long struggled with a fundamental problem: too many vulnerabilities, not enough context. In its latest research, Improve Application Security With Posture Management Tooling (March 2025), Gartner underscores the role of Application Security Posture Management (ASPM) in addressing this issue. Apiiro is proud to be included in this report, which highlights how ASPM […]
Practical prevention of the next supply chain attack: Lessons from the tj-actions/changed-files Incident
Matan Giladi
March 17 2025
The recent compromise of the tj-actions/changed-files repository on March 14 caused significant security concerns. Now that the vulnerability was mitigated, the focus turns to preventing future incidents. What happened? A personal access token (GitHub PAT) of an overly permissioned account was compromised, pushed a malicious commit to the tj-actions/changed-files repository, and repointed all existing tags […]
How to Run an Application Vulnerability Scanning: Step by Step
Timothy Jung
March 17 2025
Why Regular Vulnerability Assessments Are Essential Applications are at the heart of modern business operations, but they’re also a top target for attackers. Vulnerability assessments are a crucial process that helps security teams identify and mitigate weaknesses before they can be exploited. Without regular application vulnerability scanning, even well-secured systems can become a liability, especially […]
Application Security vs. Product Security: Key Differences, Pros, and Cons
Timothy Jung
March 15 2025
Application security vs product security: which one is right for you? Securing applications is more challenging than ever. Even a simple web app has multiple layers, dependencies, and potential vulnerabilities. How do you ensure your application is protected without adding unnecessary complexity? Two main approaches—application security (AppSec) and product security—help mitigate risks, but they serve […]
Introducing Software Tech Stack Inventory: The Foundation of Scalable AppSec
Matan Giladi, Karen Cohen
March 6 2025
Today’s enterprises manage sprawling, complex codebases encompassing thousands–sometimes hundreds of thousands–of repositories. This scale is driven by factors including microservices architectures that fragment applications, multiple teams managing distinct services, legacy systems coexisting with modern applications, compliance requirements that mandate separate repositories, and inherited codebases from acquisitions. Without clear visibility into the underlying frameworks and technologies, AppSec […]
Gartner on ASPM: What it Means for Your Security Strategy
Timothy Jung
March 5 2025
Application Security Posture Management (ASPM) is gaining recognition as a core business requirement, not just a niche security function. This is evidenced by Gartner’s recent Innovation Insight: Application Security Posture Management (ASPM), authored by Giles Williams, Aaron Lord, and Dionisio Zumerle. Published in January of 2025 as an update to the 2023 edition, the report […]
ASPM vs ASOC: Unveiling the Key to Application Security Success in 2025
Timothy Jung
March 3 2025
Security leaders are under pressure to keep up with rising threats, stricter regulations, and fragmented security tooling. With application security risks at an all-time high, teams need a streamlined way to secure their software, without slowing down development. That’s where ASPM and ASOC come in. According to IBM, the average global data breach cost hit […]
CI/CD Pipeline Security: Best Practices to Safeguard Your Software Supply Chain
Timothy Jung
March 2 2025
The Continuous Integration/Continuous Deployment (CI/CD) model is an essential component of agile DevOps. But, poorly implemented, it can also create significant vulnerabilities that threat actors are happy to exploit. When compromised, a CI/CD pipeline becomes a direct line into your codebase, infrastructure, and customer environments. It’s why pipeline security has become a top priority, not […]
Best 10 Container Security Tools for 2025
Timothy Jung
March 1 2025
What Are Container Scanning Tools? Container scanning tools are specialized software solutions designed to analyze container images for known vulnerabilities, misconfigurations, and compliance issues. These Docker security tools inspect various components within a container, including operating systems, libraries, and application code, to identify potential security risks before deployment. Modern container vulnerability scanners examine container layers, […]
What is Agentic AI?
Timothy Jung
March 1 2025
Agentic AI refers to artificial intelligence systems capable of autonomously executing tasks, making informed decisions, and interacting with their environment proactively. Unlike traditional AI, which follows predefined instructions passively, Agentic AI actively sets and pursues goals, dynamically adapting to new information and evolving situations. Why is Agentic AI Revolutionary for Application and Cloud Security and […]
Top 7 ASPM Best Practices for Building Robust Application Security
Timothy Jung
February 28 2025
Security teams are drowning in vulnerabilities, false positives, and compliance demands—while development moves faster than ever. Traditional security tools can’t keep up, leaving organizations exposed. That’s why Application Security Posture Management (ASPM) has become the backbone of modern application security. ASPM systems are purpose-built security platforms that secure custom applications by reviewing code, APIs, and […]
Faster code, greater risks: The security trade-off of AI-driven development
Itay Nussbaum
February 26 2025
New research from Apiiro uncovers key trends in AI-powered code creation and application security business risks. Summary The rise of GenAI code assistants like GitHub Copilot has dramatically increased code creation velocity in the past two years, even as the number of developers has remained steady. However, this acceleration comes with significant security risks: a […]
Closing the Loop Between Application and Infrastructure Security with Our New Tenable Integration
Neta Coral
February 20 2025
Security teams are caught in a perfect storm: tightening budgets colliding with an ever-expanding attack surface. While your applications and the infrastructure they run on are inherently deeply connected, your security tools are not – forcing you to piece together a complete risk picture from multiple dashboards and fragmented data sources. Today, we’re excited to […]
ASPM vs. CSPM: Key Differences, Overlaps, and Choosing the Right Approach
Timothy Jung
February 19 2025
Applications and cloud environments have never been more complex, and securing them has never been more important. However, a strong security posture risks creating inefficiencies, especially in DevOps. How can you secure apps without bogging down development? Application Security Posture Management (ASPM) has quickly become the answer for many companies. This security methodology focuses on […]
Guard your Codebase: Practical Steps and Tools to Prevent Malicious Code
Matan Giladi
February 19 2025
Malicious code is widespread and easy to use against any target. This year, our security research and data science teams detected and analyzed thousands of malicious code instances in repositories and packages, with new ones emerging every day. For instance, we published findings on how millions of GitHub repositories were cloned and infected with malware […]
Drive Application Risk Reduction with Apiiro’s Team Leaderboard
Itay Nussbaum
February 14 2025
Engineering and security teams often accumulate security debt—unaddressed or poorly implemented measures that increase risk to their organization’s systems and data over time. Addressing this debt systematically is crucial, but competing priorities and fast-paced release cycles frequently lead to deep security backlogs and escalating risks. Apiiro helps security leaders and developers take control of these […]
ASPM Overview Dashboard: Empowering AppSec Leadership
Itay Nussbaum
February 10 2025
Application security leaders are faced with the challenge of making sense of data scattered across tools, workflows, and software development lifecycle stages. Without a real-time, code-to-runtime view of their risk posture, it’s difficult to track progress, prioritize risks, or clearly communicate the value of security efforts to stakeholders. As a result, inefficiencies are created, teams […]
A Year of Collaboration: Apiiro and Akamai Technical Alliance Strengthen
John Leon
January 21 2025
A year ago, we excitedly announced our technical alliance with Akamai to tackle one of the most pressing challenges in modern application development: securing the entire lifecycle of APIs from code to runtime. Together, we introduced a solution which connected Apiiro’s application security posture management (ASPM) with Akamai’s runtime API security, completing the path to […]
Fortune 100 Insurance Provider Projected to Save $3M in Security Savings with AppSec Automation, and the 2nd-Largest ASPM Deal in History
Geoff Akie
January 20 2025
The second-largest ASPM deal to date, valued at $4 million, comes second only to Apiiro’s record-breaking $5 million partnership with a Fortune 10 enterprise in 2024. This deal focuses on delivering millions in operational savings with application security automation. By automating thousands of developer hours, identifying sensitive data for PCI 4.0 compliance, and reallocating resources […]
Introducing Code-to-Runtime: Enriching AppSec with True End-to-End Visibility
Neta Coral, Ariel Levy
November 19 2024
For application security teams, connecting vulnerabilities identified in runtime back to their source in the code has long been a complex and time-consuming challenge. Apiiro’s new Code-to-Runtime capability directly addresses this difficulty, enabling AppSec practitioners to prioritize risks more effectively and ensure remediation reaches the right developers – without the need for manual setup or complex […]
Revolutionizing Application Security: Apiiro Unveils Groundbreaking Code-to-Runtime Technology
Timothy Jung
November 19 2024
Our advanced Code-to-Runtime Matching Technology powered by Deep Code Analysis (DCA) addresses one of the most significant challenges in modern software development and security: bridging the gap between source code and application runtime.
Apiiro Lands the Largest ASPM Deal in the Market with a Fortune 10 Global Enterprise
John Leon, Geoff Akie
October 23 2024
Apiiro has secured the largest ASPM deal in the market, a $5 million partnership that underscores the rising importance of risk-based application security. Discover more.
Aligning Teams, Managing Risks: Boost Your AppSec Program with Apiiro Organizational Teams & Custom Reports
Itay Nussbaum
October 2 2024
Apiiro and Bugcrowd team up to streamline risk remediation and boost AppSec security with unified visibility and automation. Discover more.
Unifying Offensive And Defensive AppSec With Apiiro + Bugcrowd
Karen Cohen, Justin Beachler
September 22 2024
Apiiro and Bugcrowd team up to streamline risk remediation and boost AppSec security with unified visibility and automation. Discover more.
Apiiro and Aerowave Join Forces to Revolutionize Application Security
John Leon
September 12 2024
Apiiro, the leader in application security posture management (ASPM), has forged an exciting partnership with Aerowave, a premier cybersecurity services consultancy based in Singapore. The collaboration marks a significant milestone in bringing cutting-edge ASPM solutions to the Asia Pacific (APAC) market, addressing the growing demand for comprehensive application security tools in the region. As enterprises […]
Enable AppSec Enhancements by Apiiro with Comprehensive Identity Matching
Itay Nussbaum, Ella Bor
September 11 2024
Managing identities across diverse systems is a daunting challenge, even for experienced application security experts. Practitioners need a reliable method to track and secure all user activities within their applications, especially when multiple systems are in play. Apiiro addresses this challenge with its powerful identity matching algorithm, which integrates data from various sources to provide […]
New from Apiiro: Detect and Address AppSec Risks with Apiiro Native LLM Models Before Code is Even Written
Ella Bor, Nadav Shakarzy
August 7 2024
A Better Way to “Shift Left” Application Security Traditional approaches to security in software development typically address security risks only after development has started, or even post-deployment, leading to costly fixes and potential security breaches. The modern DevSecOps approach aims to integrate security early in the software development lifecycle (SDLC). However, even this “shift left” […]
Introducing AI-Driven Risk Detection at Design Phase: Revolutionizing AppSec with AI-Powered Pre-Code Security
Emily Eaton
August 6 2024
At Apiiro, we’re always pushing the boundaries of what’s possible in application security. Today, we’re thrilled to announce our latest innovation: Risk Detection at Design Phase. This groundbreaking, first-of-its-kind feature shifts risk detection left in the software development lifecycle, and enables application security (AppSec) practitioners to mitigate security and compliance concerns before a single line […]
Apiiro Leads the Charge in Secure by Design: Among First 25 to Sign America’s Cyber Defense Agency Pledge
Emily Eaton
July 18 2024
In an era where cybersecurity threats are constantly evolving, it’s crucial for companies to take proactive steps in securing their software. That’s why we’re proud to announce that Apiiro is among the first 25 companies, and the first ASPM company, to sign America’s Cyber Defense Agency’s Secure by Design Pledge. This commitment underscores our dedication […]
Apiiro’s Countdown to Black Hat USA 2024
Emily Eaton
July 10 2024
Hey there, AppSec experts! The Apiiro team is buzzing with excitement as we gear up for Black Hat USA 2024. August 7-8, Las Vegas will transform into a cybersecurity wonderland, and we’re here to make sure you don’t miss a beat. Here’s what you need to know: Business Hall | Apiiro Booth 2622 | August […]
ASPM’s Secret Weapon: AI-Powered Code-to-Runtime Software Inventory
Emily Eaton
July 10 2024
Black Hat USA 2024 was a stellar event. In addition to Apiiro’s Booth on the trade show floor, our CEO, Idan Plotnik, spoke during one of the sponsor sessions on all things Application Security, Risk, Compliance and Security Management. Watch the session here: Here’s what Idan dove into: Understanding, prioritizing and remediation risks in modern […]
Cementing our open ASPM platform commitment with our new integrations program, SHINE
Moti Gindi, John Leon
May 1 2024
We are thrilled to formally announce SHINE, Apiiro’s new integration program! SHINE (which stands for the program’s guiding principles: seamless, holistic, interconnected, vendor-neutral, and enriched) is a direct reflection of our core ethos of connecting the tools our customers trust to securely develop and deliver their applications. Read more about the program principles here → […]
Contextual prioritization funnel: Narrow-in on real, business-critical app risks with Apiiro
Payton O'Neal
April 24 2024
Apiiro’s new interactive prioritization funnel uses risk likelihood and impact factors garnered from Deep Code Analysis (DCA), runtime context, and third-party databases to help you cut through the noise and narrow in on real, business-critical risks.
Omdia Application Security Posture Management Market Landscape: 4 Key ASPM Questions Answered
Payton O'Neal
March 28 2024
Get our take on the Omdia ASPM Market Landscape—distilled into 4 key ASPM questions answered.
Apiiro + Secure Code Warrior: Uplevel your AppSec program with hyper-relevant secure code training
Ravit Tal, John Leon
March 20 2024
Our newest integration brings together the best of Apiiro’s ASPM with Secure Code Warrior’s industry-leading developer security training.
From metrics to meaning: Optimizing your AppSec program with Apiiro Reports
Itay Nussbaum
March 18 2024
Learn how to measure, track, and optimize your AppSec program using the new Apiiro Reports.
Streamlining application risk response for the enterprise with ServiceNow integration
John Leon, Ravit Tal
March 13 2024
Our new integration with ServiceNow Vulnerability Response brings the power of Apiiro’s multidimensional application risk response to streamline management and response.
PCI DSS 4.0: What it Means for AppSec and How Apiiro’s Deep ASPM Helps
Saoirse Hinksmon
March 11 2024
Dig into the new and updated PCI 4.0 requirements and learn how a deep ASPM can help with achieving compliance.
Over 100,000 Infected Repos Found on GitHub
Matan Giladi, Gil David
February 28 2024
A new malicious code campaign impacting 100k GitHub repositories is evading detection and benefiting from unsuspecting developers actually helping the malware spread.
A dataset-free approach to leveraging LLMs for malicious code detection
Gil David, Ella Bor
February 6 2024
Dive into Apiiro's breakthrough LLM-based free-text code search engine that identifies malicious code patterns without depending on large datasets.
Apiiro + Akamai technical alliance: Complete code-to-runtime API security
John Leon, Moti Gindi
January 16 2024
Our newest technical alliance combines the power of Apiiro’s ASPM with deep code analysis and Akamai’s runtime API security and threat protection for unified and contextual code-to-runtime API security.
Navigate uncharted risk across your software supply chain with Apiiro’s Risk Graph Explorer
Martin Saad, Matan Giladi
January 10 2024
Explore these five hard-to-find application and supply chain risks with ease using Apiiro’s Risk Graph Explorer.
Apiiro and Wiz partner to unite application and cloud security
Moti Gindi, John Leon
December 19 2023
Apiiro’s new Wiz integration brings the power of Wiz’s CNAPP to Apiiro’s deep ASPM to unify application and cloud security.
Uncovering shadow GenAI frameworks in your codebase with Apiiro
Karen Cohen
December 14 2023
Apiiro’s ASPM platform now automatically detects GenAI frameworks, so organizations have full visibility into privacy, data, and legal risk introduced by these frameworks.
Introducing Apiiro SSCS: Software supply chain security with the power of ASPM
Moti Gindi, Neta Coral
December 6 2023
Apiiro adds integrated software supply chain security to its ASPM platform, extending it with native CI/CD pipeline and source control manager visibility, detection and assessment, and governance.
ASPM breakdown: Pros and cons of different application security posture management approaches
Saoirse Hinksmon
November 30 2023
Learn the pros and cons of different approaches to application security posture management (ASPM) and what a “deep ASPM” solution entails.
LLM Code Authorship Detection: Unmasking Malicious Package Contributions
Eli Shalom, Gil David
November 14 2023
Apiiro’s security research team has developed a revolutionary approach for accurately connecting code segments—such as open-source packages or commits—by similarity.
Unwavering empathy, resilience, and reliability during wartime challenges
Idan Plotnik
October 20 2023
Idan Plotnik, Apiiro Co-Founder and CEO shares open letter on how Apiiro is supporting its people, customers, and partners during wartime challenges.
Streamlining material code change detection and response for SEC compliance
Saoirse Hinksmon
October 12 2023
The new SEC rule for cybersecurity presents new challenges for AppSec teams. Here's how Apiiro can help companies identify, respond, and communicate material code changes to ensure SEC compliance.
CVE-2023-4863: Leverage Apiiro to determine risk from new WebP 0-day
Karen Cohen
October 6 2023
A critical security flaw, CVE-2023-4863, has been identified in libwebp. Identify and prioritize instances of the new WebP 0-day that are most risky to your business with Apiiro—without runtime agents.
3 dimensions of application risk you need to prioritize and reduce your alert backlog
Payton O'Neal
October 5 2023
Teams need a holistic way to prioritize risk based on their application architecture, the nature of their business, and overall risk tolerance. These dimensions of risk prioritization ensure you can remediate risk at the speed of development without sacrificing quality or security.
Go beyond detection with Apiiro’s new actionable secrets security features
Karen Cohen, Tomer Amir
September 29 2023
Managing secrets at the scale of modern development is also more complex than ever. Apiiro goes beyond secrets detection with new secrets security features including grouping and surfacing valid, invalid, or revoked insights.
The 6 non-negotiables of reducing modern application attack surfaces
Saoirse Hinksmon, Matan Giladi
September 14 2023
With just traditional tooling and manual processes, it’s nearly impossible for security teams to accurately map their application attack surfaces. Here are six essentials to effectively map and reduce application attack surfaces at scale.
Automating material code change detection for continuous compliance
Idan Plotnik
September 5 2023
Read our blog on detecting material code changes automatically and at scale to reduce application risk and satisfy compliance and regulatory requirements.
Top 5 AppSec metrics to track, right from Apiiro’s new dashboards
Itay Nussbaum, Martin Saad
August 24 2023
New overall and solution-specific dashboard tiles provide visual insights into important application security KPIs such as MTTR, risks over time, development velocity, material changes, and more.
Self-enhancing pattern detection with LLMs: Our answer to uncovering malicious packages at scale
Eli Shalom, Gil David
July 13 2023
Our approach to identifying malicious open-source packages combines LLMs with proprietary pattern detection and self-enhancement to improve accuracy at scale.
The eXtended Software Bill of Materials (XBOM): A Game Changer for Application and Supply Chain Security
Moti Gindi
June 13 2023
Introducing XBOM, our up-leveled approach to SBOM that provides unified visibility across all application and supply chain components, their connections, risks, and more.
Software supply chain attacks caused PyPI to temporarily suspend new users and projects
Payton O'Neal
May 24 2023
In response to overwhelming malicious activity, PyPI temporarily suspended the creation of all new users and projects.
4 highlights from the 2023 Gartner® Innovation Insight for Application Security Posture Management (ASPM)
Payton O'Neal
May 23 2023
Over the past few decades, application security has seen dozens of market categories, hundreds of new approaches, and thousands of solutions. From legacy point solutions like SAST, DAST, and SCA to new approaches like DevSecOps and software supply chain security. As per Gartner, “Application security tools invariably produce reams of data about potential vulnerabilities. Traditional, […]
Say Hello to Apiiro’s New Risk Graph™ Explorer
Eldan Ben Haim, Moti Gindi
April 25 2023
Modern applications are more complex, interconnected, and ephemeral than ever. They’re made up of countless code modules, dependencies, APIs, data models, and technologies developed across numerous languages, frameworks, and contributors, maintained, built, and deployed across multiple repositories, SCMs, CI/CD pipelines, and cloud environments. And they’re all constantly changing. At Apiiro, we always believed that effective […]
Apiiro partners with Nuaware to transform how companies in EMEA secure their cloud applications
Simon Price
February 15 2023
Applications are becoming more distributed, interconnected, and dependent on third-party components than ever.
Security industry veteran Moti Gindi joins the Apiiro as Chief Product Officer
Idan Plotnik
February 7 2023
Microsoft Defender founder, Moti Gindi, joins as Apiiro’s chief product officer to push Apiiro into the next hypergrowth phase.
Apiiro’s AI engine detected a software supply chain attack in PyPI
Gil David, Eli Shalom
December 7 2022
The Apiiro AI engine discovered a malicious Python package that is currently presented on the python PyPI package management portal.
Stop wasting your time on irrelevant changes while developing software
Yonatan Eldar
November 20 2022
Find out how you can identify and fix material changes with Apiiro so your developers can focus on bringing more value to customers!
Dropbox developer account breached: 130 private repositories, secrets leak
Moshe Zioni
November 8 2022
The latest incident involves Dropbox and relates to exposed secrets from 130 private repositories belonging to the company.
OpenSSL 3.0.7: Newest vulnerability patch aftermath
Moshe Zioni
November 2 2022
The latest release of OpenSSL contains a patch for recent vulnerabilities and announced just a week ago on October 25th.
New OpenSSL critical CVE: What you need to know
Moshe Zioni
November 1 2022
A few days ago OpenSSL, the widely-used cryptography/TLSÂ project released a very rare announcement that notified the public of an upcoming release of the project code that will fix a critical 0-day vulnerability. The release (OpenSSL version 3.0.7) is being released today and it is intended as a security fix for a critical vulnerability in […]
Inside Toyota’s secret leak from a supply chain vulnerability
Moshe Zioni
October 25 2022
A recent leak of almost 300,000 of Toyota's customer emails and control numbers showcases the risks of exposed secrets in code.
8 key NIST guidelines in new federal regulations to be aware of
Moshe Zioni
October 10 2022
Find our strategies to build cybersecurity around the NIST guidelines that form new regulations announced by the White House.
What is static application security testing (SAST)?
lucjan
August 29 2022
Static application security testing (SAST) analyzes app source code, byte code, and binaries for security vulnerabilities.
The practical guide to software bill of materials (SBOM)
lucjan
August 13 2022
Software bill of materials is a document that provides tracking for all of the key elements in the software development supply chain.
How to mitigate API risks during development
Idan Elor
July 14 2022
To effectively monitor security of APIs, you need to take the necessary steps and know what to look for in API code.
Detect application architecture drift early in the SDLC
Eldan Ben Haim
July 4 2022
Find out how to detect cloud-native application architecture drift and deal with it early in the SDLC.
Apiiro extends right! From code to runtime
Idan Plotnik
June 30 2022
Cloud has transformed the way development teams design, develop, build and deploy applications. Developers are moving fast and the number of changes and releases is increasing exponentially, as are the risks. In the era of cloud-native application development, the remediation lifecycle is getting longer and more complex because risks are distributed across design, code, open […]
Go beyond OSS dependencies with your SBOM
Moshe Zioni
May 4 2022
A comprehensive Software Bill of Materials (SBOM) provides full visibility to what makes up software including its cloud components.
What you need to know: 0-day vulnerability in Spring core framework (Spring4Shell)
Moshe Zioni
March 31 2022
What is Spring-Core remote code execution (RCE) vulnerability (“Spring4Shell”)? Here is what you should know.
Shift-left API security: Protect your APIs before releasing to the cloud
Moshe Zioni
March 24 2022
Learn how to shift left security and proactively fix API code risks early in the software development lifecycle.
Detecting Secrets in Code is a Feature, Not a Solution
Karen Cohen
March 10 2022
Detecting and remediating secrets is only one piece of the AppSec puzzle. Issues must be understood with context alongside other security risks.
What is DevSecOps? A primer
lucjan
February 22 2022
DevSecOps enables effective collaboration between Development, Security, and Operations throughout the software development lifecycle.
Where cloud-native AppSec mistakes are made: Known vs. unknown vulnerabilities
Moshe Zioni
February 15 2022
Attackers are always looking for the path of least resistance. Be sure to address simple known risks to close those gaps.
The OWASP Top 10: A new approach for cloud-native applications
Moshe Zioni
February 8 2022
With the rise of cloud-native applications, we need to change our approach to application security - not to the Top 10 itself, but how we understand and remediate Top 10 vulnerabilities.
Malicious Kubernetes Helm charts can be used to steal sensitive information from Argo CD deployments
Moshe Zioni
February 3 2022
Apiiro's Security Research team has discovered a major vulnerability in Argo CD platform (CVE-2022-24348).
Security during design isn’t just lip service: AppSec starts at the user story
Yonatan Eldar
January 11 2022
AppSec starts at the user story. Since the speed of development has grown rapidly over the past few years, “security during design” is critical.
Developer intentionally corrupts npm libraries, exposing weaknesses in OSS supply chain security
Moshe Zioni
January 10 2022
A rogue developer intentionally corrupted npm libraries, showing the need for developer activity analysis in supply chain security.
Legacy SAST has grown stale: It’s time for a new approach
Idan Plotnik
November 30 2021
Static application security testing has been vital to AppSec programs for decades, but SAST lacks the context to keep up with DevOps.
A leap forward in risk-based AppSec: The cloud native application protection platform (CNAPP)
Idan Plotnik
November 30 2021
The Cloud Native Application Protection Platform (CNAPP) is a new market definition of an integrated approach to secure cloud-native apps.
Secure your SDLC to avoid being the source of a supply chain attack
Idan Plotnik
November 10 2021
Software supply chain attacks have changed AppSec. SolarWinds, Codecov, and more show a need for defense from design to code to cloud.
Top 3 things we learned since winning the RSA Innovation Sandbox
Idan Plotnik
October 25 2021
Apiiro won the RSA Conference Innovation Sandbox Contest in May 2021 and we’ve been learning the following lessons since then.
Part 1: What we learned about AppSec programs from the Twitch code leak
Moshe Zioni
October 7 2021
On Wednesday, Oct. 7 2021, an anonymous 4chan user claimed to have posted 125 GB of data from 6,000 internal Git repositories. Twitch confirmed the massive data leak, including source code and creator earnings, and stated that the breach was due to a “server configuration change”. While there will be many negative repercussions of this […]
Don’t just shift left! Extend across layers with infrastructure as code security
Moshe Zioni
October 5 2021
Businesses can do more than shift left. “Extending right” by incorporating IaC processes increases agility and improves security.
From phishing to developers: What are the new attack vectors?
Moshe Zioni
September 22 2021
Developers are getting more responsibility and as a result, attackers can use developer identities to gain system access.
Better together: Security champions and application security engineers
Erni Avram
August 9 2021
Application security engineers and security champions must work together to achieve AppSec goals and a secure software development lifecycle.
Gartner continues the push for software supply chain security
Yonatan Eldar
July 20 2021
Gartner reports there are escalating threats to software supply chains. Discover the Apiiro platform’s supply chain security capabilities.
The secrets about exposed secrets in code
Igal Kreichman
June 9 2021
Understanding and remediating the risk of secrets in code cannot be done in isolation. Learn how to do both.
Application security is tactical. Application risk is strategic.
Yonatan Eldar
June 1 2021
Put simply: your board doesn’t care about application security. It cares about application risk, which includes both security and compliance.
Risk-based change management for the entire SDLC
Yonatan Eldar
May 4 2021
We need to take a new, risk-based approach to change management for the SDLC - and it needs to span from design to code to cloud.
Shut down your application security program
Yonatan Eldar
April 22 2021
Is your application security program aligned with your business goals and tolerance for risk? Here's how to find out.
Stop treating all applications the same: Business impact and your AppSec program
Idan Plotnik
April 9 2021
We have a collective prioritization problem. While this is true when analyzing individual applications, it is also true across applications. Organizations aren’t good at nuance. They tend to “think” in terms of rigid processes and ignore risk and potential business impact. Unfortunately, this approach has a real-world impact on application risk. Consider a list of […]
Detection and prevention of malicious commits to the PHP repository
Gil David
April 5 2021
This blog demonstrates some of Apiiro’s anomaly detection capabilities that are used by our clients to protect and secure their repositories.
Code risk is multi-dimensional: How to build an AppRisk program
Erni Avram
March 23 2021
A multi-dimensional approach to code risk analysis can optimize processes by focusing SDLC tools on the “changes that matter most.”
Security Alerts: Don’t developers have something better to do with their time?
Erni Avram
March 16 2021
Dealing with security alerts is a daunting task for developers and security architects as it requires much time and resources to review and triage them.
Visibility in application and cloud security is ripe for innovation
Idan Plotnik
March 11 2021
Better information leads to better decision-making. That’s not a particularly bold statement. But at the same time, we have a tendency to look for data in our narrow area and then … just more of it. More fields. More reports. More dashboards. We don’t often take the opportunity to step back and re-evaluate what you’d […]
Rethinking DevSecOps: Moving to a risk-based SDLC
Yonatan Eldar
March 2 2021
Current approaches to DevSecOps fail to fully automate existing app and cloud security processes, which are periodic and do not scale.
Detect and prevent the SolarWinds build-time code injection attack
Ariel Levy
February 17 2021
Apiiro has developed a patent-pending technology to detect and prevent SolarWinds-style attacks before shipping binaries to production.
Top 5 tips to prevent the SolarWinds Solorigate supply chain attack
Idan Plotnik
December 21 2020
Consider how to identify risky material code changes and prevent them from being deployed in the first place.
SDLC and DevSecOps: Moving to a continuous and simultaneous model
Yonatan Eldar
December 17 2020
By moving to continuous and simultaneous model, you are able to improve the speed of the entire DevOps process.
Taking security challenges from a board-level discussion to a DevSecOps solution
Idan Plotnik
November 20 2020
Enterprises that allow developers to be responsible for the end-to-end delivery are at the forefront of Digital Transformation.
Introducing Apiiro: Reinventing the secure development lifecycle
Idan Plotnik
October 13 2020
Apiiro's solution accelerates delivery and go-to-market by bridging the gap between development, security, and compliance teams.