This report uses data from the Synopsys Black Duck Audit Services team’s analysis of anonymized findings from 1,067 commercial codebases across 17 industries during 2023. The Audit Services team has helped security, development, and legal teams around the world strengthen their security and license compliance programs for over 20 years. The team audits thousands of codebases for our customers each year, with the primary aim of identifying software risks during merger and acquisition (M&A) transactions.

The 7th annual Hacker-Powered Security Report goes deeper than ever before with customer insights, in addition to the opinions of some of the world’s top hackers. We also take a more comprehensive look at the top ten vulnerabilities and how various industries are performing when it comes to incentivizing hackers to find the vulnerabilities that are most important to them.

This latest installment of the Prioritization to Prediction research series, created by the Cyentia Institute and sponsored by Cisco (formerly commissioned by Kenna Security), does just that: It explores the KEV and gives some context to what it means (and doesn’t mean) for other organizations. Moreover, we demonstrate how the KEV can fit into any risk-based vulnerability management program. In fact, here are some key findings, but you’ll really want to read the whole report to get the good stuff.

In our bi-annual AppSec Indicator report, we uncover insights and trends to guide best practices in vulnerability identification and remediation. For this year’s Spring edition of the Invicti AppSec Indicator, we analyzed data from 1.7 million scans conducted by the 1,700 customers that use our cloud dynamic application security testing (DAST) offering, representing approximately half of our entire customer base.

The 2020 OSSRA includes insights and recommendations to help security, risk, legal, and development teams better understand the open source security and license risk landscape.

The annual report from Snyk on the state of open source software from a security perspective. Includes survey data from 500+ developers, internal Snyk vulnerability data from the projects monitored by Snyk, and additional aggregated source code repository data.

The third annual report from Hacker One on the state of the hacker/security testing community. Data is drawn from Hacker One’s community of bug bounty registrants and subscribing platforms.

This report offers advice for what to do when the barbarians are at your door…

From the report, “On November 26th, Slovakian Anonymous leader ‘Abaddon’ posted in the deep web message board ‘Hidden Answers’, looking to recruit accomplices for an operation targeting NATO and EU websites. The proposed attacks would potentially arrive by means of XSS (cross-site scripting), SQL injection, or a combination of both. And by DDoS (distributed denial of service), a type of attack that is intended to make an online resource unavailable to its legitimate users by overwhelming it with traffic. It is not yet clear what the motives for the operation are, or what the official name will be.”

Contributors to this paper include security professionals, including the Security Intelligence Response Team (SIRT), the Threat Research Unit, Information Security, and the Custom Analytics group.

This report provides helpful information on XSS.

This is a threat advisory for Ticketac Mobile Apps

This report takes a look at the harmful practice of web scraping.

This monthly report details Application Security obvservations from March 2018.

What’s not open to discussion is that the role of information security executives has evolved. CISOs may now find themselves talking to investors about how an attack impacted quarterly earnings in addition to more traditional duties like managing a SOC.

This document presents the definition, category, means, and examples of the underground network industry, as well as protection measures.

This report is based on a study done in 2017 to analyze security issues in CakePHP.

This annual report takes a look at the bug bounty industry in 2018.

This paper investigates many observable characteristics of web-servers that may affect the likelihood of compromise.