Aikido Security raises €5m to offer a seamless security solution to growing SaaS businesses
GHENT, November 14th 2023
Aikido Security, the developer-first software security app for growing SaaS companies, today announces it has raised €5m in a Seed round co-led by Notion Capital and Connect Ventures; with investment from Inovia Capital Precede Fund I, led by partners Raif Jacobs and former Google CFO Patrick Pichette; as well as an impressive roster of angel investors including Christina Cacioppo, CEO of Vanta.
The investment will go towards developing the functionality of the software, in particular ensuring that Aikido’s user experience and auto-triage are best in class, while keeping the product simple; hiring staff across the product, development, marketing and sales teams; and further growing the Aikido customer base, with a particular focus on solidifying and expanding its already strong foothold across Europe and North America.
As CEO & CTO of Aikido, Willem Delbare explains, “SaaS companies that are building their platform often ‘secure’ their new software by installing numerous scattered tools. This can generate a lot of noise for the developers and throw up a myriad of disparate ‘false positives’, which require attention, but pose no real threat. This causes a huge burden on the staff managing platform security. The problem is only exacerbated by growth -- which can happen quickly in SaaS -- creating huge headaches for the staff responsible for security.”
Delbare continues “Alternatively, if startups choose not to install these tools, they may instead adopt expensive security software solutions which only cover a few factors of application security. Companies are then left with huge gaps in their software’s security, despite their investment. Due to their cost, vulnerability scanners are mostly tailored to larger enterprises, with SME and mid-market companies left without a viable solution to their growing platform’s security.”
Aikido is on a mission to simplify SaaS security with its all-in-one tool that consolidates various application security features. Instead of disjointed solutions, this unified approach enhances control and significantly cuts down on false positives. So far, the company has saved over 1,500 developer working days that would otherwise be spent on false positives. Aikido ranks vulnerabilities by severity, ensuring critical issues are addressed first. Plus, all security data stays within the platform, ensuring safety regardless of staff changes and aiding in business continuity.
Delbare continues, “Throughout my career I have built multiple SaaS startups, and wasted hundreds of hours piecing together a patchwork of tools needed to secure a new platform. In starting Aikido, I saw a better way to identify critical breaches whilst downgrading the distracting ‘non-issues’ that waste an engineer’s time. We are the only company in Europe doing this, demonstrating a renewed energy for startups in the continent. Our customers now include startups, as well as companies that have grown to over 300 developers - which has resulted in over 1000 total installs in just one year - a rarity in the world of new SaaS solutions. Looking forward, we want to out-do our competitors by offering a solution tailored to those who have yet to find a product that meets their needs.”
Kamil Mieczakowski, Partner at Notion Capital says, “As the pressure on small and mid-sized businesses mounts to demonstrate ever-increasing levels of cyber resilience, the landscape of security tools available to them continues to present challenges, characterized by fragmentation, complexity, and cost. Aikido provides a powerful yet easy-to-use end-to-end solution for code and cloud security, empowering any business to secure itself and its customers through a single tool capable of transforming every developer into a security expert. Despite being only one year old, the company is already scaling rapidly, and we're thrilled to support them on this exciting trajectory alongside our friends at Connect Ventures and an incredible group of angel investors and advisors.”
Pietro Bezza, Co-Founder and Managing Partner at Connect Ventures says, "In this new b2b software world, businesses seek SaaS products that combine efficacy with efficiency, value for money, simplicity and focus. We are in the era of the Great Bundle. Driven by the need for efficiency, customers are consolidating point solution software into full-stack software suites. Aikido's all-in-one platform for software security fits extremely well with this new framework. We couldn’t be more thrilled to back Willem, Roeland and Felix in democratising access to the best security toolings for every company's size and budget."
Aikido offers the fastest way for a growing SaaS company to secure its platform. The application delivers swift, customer-led onboarding with an instant view of all the critical vulnerabilities to be solved - typically in only a few minutes - lending users the time to focus on core business functions. With world-beating noise reduction, Aikido is able to massively reduce the number of false positives. It adopts a ‘shift left’ approach, the goal of which is to prevent security issues from entering the code which means that if anything goes wrong during the development process, it can be fixed before any breach occurs or that code reaches production.
Designed for SaaS companies, Aikido is a crucial component for meeting critical industry compliance standards, including SOC2, ISO 27001, CIS, HIPAA, and the upcoming European NIS 2 Directive.
About Aikido Security
Aikido is an all-in-one solution that brings together multiple aspects of application security in one intuitive platform. This inclusive approach provides greater control for end users, drastically reducing the number of false positives during security checks. Aikido is founded by Willem Delbare (former founder of Teamleader and Officient), Roeland Delrue (former Showpad), and Felix Garriau (former nexxworks) and venture-backed by Notion Capital, Connect Ventures, and Syndicate One.
Aikido Security achieves ISO 27001:2022 compliance
We’re proud to announce that Aikido Security recently attained ISO 27001:2022 certification. This is a big milestone for us and demonstrates our commitment to information security.
What is ISO 27001:2022?
ISO 27001 is a globally recognized standard for the establishment and certification of an Information Security Management System (ISMS). The 2022 version of this certification ensures that Aikido Security is aligned with current best practices in information security management. We specifically chose the 2022 version (over the 2013 & 2017 versions), as this new version focuses more on secure coding, threat detection, etc. These are items that we consider important and relevant to a software company.
Achieving ISO 27001:2022 compliance is a significant accomplishment for Aikido Security. It underscores our dedication to providing secure and reliable solutions to our clients.
Willem Delbare, CEO of Aikido Security
What motivated Aikido to pursue ISO 27001 certification?
We're a challenger in the security space and one of the first things we ask from new customers is that they give us read access to their codebase. That's a big deal. And we understand - and agree - that's a big deal.
For customers to comfortably trust us with their codebase, they need to trust us as a company and trust our product. Becoming ISO 27001 compliant is a huge leap forward in building and proving that trust.
What we learned on the path to ISO 27001 compliance
In a future blog post I’ll lay out my key learnings, but I want to take this opportunity to share some brief insights about our journey.
Our ISO 27001:2022 journey
We got through the whole process in about six months. We had previously implemented SOC 2, so we already had many policies, documents and best practices in place. This allowed us to re-use and apply a lot of that to our ISO.
Because we firmly believe in using the right tool for the job, we took the opportunity to take a modern approach and used Vanta, which automates a lot of the work required to obtain ISO 27001.
Achieving ISO 27001:2022 demands patience and commitment. It's essential to surround yourself with reliable partners and gather knowledge beforehand.
Roeland Delrue, COO & CRO of Aikido Security
The high-level process
1. Internal audit (pre-audit)
You can think of the internal audit as a 'general rehearsal' or 'mock audit', to make sure you're ready to do the 'real' audits. The internal audit makes sure you didn't miss any obvious things that you wouldn't be able to remediate in the later stages.
Quick tip: Use a good internal or external pre-auditor. This really helps you get set up correctly. Unless you have relevant and proven experience in ISO, it’s probably best to hire an external pre-auditor. Leveraging their experience will prove really valuable.
2. Stage 1 audit
Stage 1 is largely a “tabletop audit” or documentation review
This audit consists of an extensive documentation review. An external ISO 27001 auditor reviews policies and procedures to ensure they meet the requirements of the ISO standard and the organization’s own Information Security Management System (ISMS).
3. Stage 2 audit
Stage 2 is a full-on system audit with lots of control testing
The auditor performs tests to check that the Information Security Management System (ISMS) was properly designed and implemented and is functioning correctly. The auditor will also evaluate the fairness and suitability of the organization’s controls to determine whether the controls have been implemented and are operating effectively to meet the ISO 27001 standard requirements.
4. Certification
After you’ve remediated or come up with an action plan for your non-conformities, you’re ready for validation. ISO 27001 non-conformities are categorized as minor, major, or opportunities for improvement (OFIs). It’s of course critical to show you’ve remediated or you can clearly show you’re on a path to remediate all major non-conformities.
And then... it’s time to get your certificate 🎉🥳
How long does it take to become ISO 27001 compliant?
You can’t do it in less than two months. And that assumes that you have everything ready to go, including a pentest and auditor.
Even then, you might need a few months to make sure you encounter enough information security events, as some processes can only take place when a certain event happens (e.g. onboarding or offboarding an employee).
You also have to show that you can remediate non-conformities and demonstrate that you’re able to collect evidence. This process involves identifying the event, logging and classifying it, and thoroughly documenting the information security event.
How much does becoming ISO 27001 compliant cost?
Depending on how in-depth the pre-audit and pentest go, the whole process will typically cost you USD 20,000-50,000.
You’ll need to pay for the following:
- Pre-auditor
- Pentest (you can leverage this from other compliance tracks, e.g. if you’re already doing one for SOC 2)
- Compliance platform license (we definitely recommend using this)
- Auditor
- Vulnerability and/or malware scanner licenses (e.g. Aikido Security)
The cost depends greatly on multiple factors, key ones being:
- The size of your company (if you have lots of employees, processes, offices, developers, ... audit costs dramatically increase)
- Cost of the pentest (USD 3-30k, depending on what type of pentest you do and who performs it)
- Depth of the audits
- Compliance platform (e.g. Vanta)
ISO 27001:2022 technical vulnerability management
On your own path to ISO 27001:2022 certification? Aikido Security fulfills all technical vulnerability management needs for ISO 27001:2022 applications. We also sync with Compliance Monitoring Platforms (like Vanta) to ensure that your vulnerability information is always up to date. This means that you can rely on accurate risk assessment and efficient remediation.
Request our report
Feel free to request our own ISO 27001:2022 report directly in our trust center.
How StoryChief’s CTO uses Aikido Security to sleep better at night
Losing sleep imagining bad actors infiltrating your awesome new startup’s code? Not anymore! Aikido Security has designed startup security to be affordable, efficient, and fill the needs of CTOs. Let’s have a look at how Aikido transformed StoryChief’s security posture.
We love hearing about the experiences of our customers and partners, especially around startup security. We recently spoke to StoryChief’s co-founder and CTO, Gregory Claeyssens, and we were thrilled to hear about his success story using Aikido Security. In this customer case, we'll break down that conversation to show you how Aikido improved StoryChief’s security posture. And, in doing so, how it allowed Gregory some work-life balance – aka, sleeping better at night! (CTOs, we bet that sounds nice!)
💡 BTW, don’t forget to download our StoryChief/Aikido customer case at the end of this blog post.
What is StoryChief?
Founded in 2017 and headquartered in Ghent, Belgium, StoryChief is a startup offering a user-friendly, all-in-one content marketing solution. StoryChief empowers marketing agencies and content teams to streamline their content production and management. Or, as StoryChief says, ‘End content chaos.’
StoryChief’s collaborative and intuitive platform includes content planning, distribution, scheduling, and AI writing tools. It’s gained significant attention. Notably, StoryChief has raised $5.7 million in funding. That’s a testament to its innovative approach to providing comprehensive content marketing solutions. Currently, StoryChief has a large dedicated development team. And, engagingly, their logo is a likable sloth!
💡 Learn more about StoryChief and what it offers by visiting its website: https://www.storychief.io.
Startup Security Challenges
As StoryChief grew, managing the security of its code base, repositories, and infrastructure became increasingly complex. Gregory and his team found it increasingly challenging to stay ahead of potential security vulnerabilities.
Being behind the security curve: Managing its security posture became more and more worrying. Gregory worried that he might be missing or overlooking something crucial. That led to unnecessary stress and concerns.
Using incomplete and pricey security tools: StoryChief used security tools that provided some peace of mind. But, there were two main obstacles with these. They didn’t meet Gregory’s full set of security requirements and didn’t target CTO needs. Additionally, there was an unexpected change in pricing by their main security tool provider.
Notification overload: Notifications should be useful and relevant. However, using multiple security tools led to an overload of notifications. This led to three results:
- Some notifications lacked contextual information and accuracy,
- Overwhelming numbers of notifications became white noise and, therefore, ignorable (they simply lacked value).
In a nutshell, inefficiency drained valuable resources and time. But, despite these headwinds, Gregory managed security effectively and didn’t experience any major security incidents. However, he felt unsettled due to the limitations and costs of their existing tools. Subsequently, this prompted him to search for a better solution.
How Aikido Security helped improve StoryChief’s security posture
StoryChief's journey to a better security posture led them to Aikido Security, which also enabled StoryChief to transition from a reactive to a proactive security approach.
No nasty price tag: Startup security should be affordable, and Aikido has startup-friendly pricing. This offered StoryChief a cost-effective solution. At the same time, Aikido boosted their confidence in their security posture thanks to the next two benefits.
I’m a CTO, not a security engineer: The various tools StoryChief had been using mainly targeted security engineers. However, unlike those tools, Aikido tailors its features and rules to the specific needs of CTOs and developers. Aikido also supplies a continual stream of new rules and features specifically designed to help CTOs out.
Tell me when it’s important and relevant: One of Aikido’s key strengths and USPs is reducing false positives. Aikido’s targeted alerts, therefore, provide StoryChief with real, actionable insights rather than overwhelming and ignorable notifications.
Shared ownership: Not only that, Aikido’s notifications are automatically shared with the dev team via Slack, fostering transparency and shared responsibility for security. In this way, Aikido also provided a team-working result. It helped Gregory with his goal of creating a more team-focused effort to manage the security posture.
StoryChief CTO sums up Aikido’s impact
"Aikido was exactly what I was looking for for a long time - the combo of features, being startup-focused, and the entry price. Aikido's made the team aware of security issues. It's created a sense of shared responsibility, engaging everyone in maintaining our security posture."
Aikido as Startup Security Insurance
Aikido Security is like an insurance policy for StoryChief's security. It offers budgetability and precision. Aikido also offers a clear focus on what really matters for Gregory and his team. With Aikido, StoryChief has not only improved its security posture but also empowered the CTO’s team to take ownership and work transparently. Aikido provides the ordered consolidation and prioritization of information needed to address security concerns.
Most importantly, it has given Gregory a high level of confidence in the security of the product:
"There are always vulnerabilities left - that's normal - but with Aikido at least I know! I have a very good idea of our security posture."
Download the StoryChief customer case
Download your own copy of the StoryChief X Aikido Security customer case:
What is a CVE?
There’s a good chance you’ve heard “CVE”, which stands for Common Vulnerabilities and Exposures. CVEs get listed in a huge database that tracks known computer security issues. This provides easy access and reference. So, if you hear someone talking about a CVE – or a CVE record – that means that the security flaw is known and has already been cataloged.
The point of tracking CVEs is this: sharing and cataloging known security flaws allows cybersecurity folks to prioritize and deal with vulnerabilities while making cloud, code, and any other IT system more secure.
Basically, the CVE system provides a common language and reference point. But – and this is the big ‘but’ – bear in mind that my problem may not be your problem!
Who maintains the CVE database?
The MITRE Corporation oversees the CVE system, and all CVE records are free for the public to search and use. The Cybersecurity and Infrastructure Security Agency (CISA) helps to provide funding. CVE entries are short and sweet – no deep technical data here. CVE entries also don’t comment on fixes, risks, and impacts. The nitty-gritty details are recorded in other databases. Some examples of those include the U.S. National Vulnerability Database (NVD) and CERT/CC Vulnerability Notes Database.
What does a CVE ID look like?
A CVE ID is like a serial number. When you look at a CVE entry, you'll see the CVE ID, which looks like this: "CVE-YYYY-#####".
What does a CVE record include?
A CVE record includes the following information:
- CVE ID
- Description
- References
- Assigning CNA
- Date Record Created
CVE records also include some legacy bits and bobs, which aren’t relevant for new entries: phase, votes, comments, proposed.
How do they find vulnerabilities and exposures?
Anyone can report them, from a tech company to a curious user. Some even offer rewards for finding and reporting these issues. If it's open-source software, it's all about community support.
Once a vulnerability is reported, a CNA gives it a CVE ID, writes a short description, and adds some references. Then, it's posted on the CVE website. Sometimes, they even get an ID before the issue goes public. Keeps the bad guys at bay.
Now, not every issue gets a CVE. Of course, there are rules! Three main criteria apply:
- Independently fixable. This means the flaw can be fixed on its own, independently of any other bugs.
- Acknowledged by the vendor. This means that the vendor acknowledges that the bug exists and that it could negatively affect security. Another option is to have a shared vulnerability report that includes a description of the bug’s negative impact and how it violates the system’s security policy.
- Affects just one codebase. If it impacts more than one product, they get separate CVEs. The idea is to create CVE records in as much isolation as possible.
How can I find CVE records?
First of all, CVE information is free and available to the public. So, that’s good news.
The easiest way to find the newest CVEs is to follow @CVEnew on X. This feed is constantly updating with tweets about multiple new CVEs every day. Just yesterday I looked and there were over 80 new CVEs! If you follow, your feed will be full of them!
What about a more thorough way to find past CVE records? If you want all the records since 1999 or a particular year, or even search by topic, just go to CVE.org/Downloads. Bulk files are now in JSON 5.0 format and can be downloaded via a GitHub repository. (Note: the previous filing system will become unavailable on January 1, 2024.)
CVEdetails.com has an easy-to-use online version of the database - with daily updates!
How do you match your libraries to the right CVE?
When analyzing a vulnerability you want to retrieve the correct CVE. To make sure you have the right CVE, best practice is to check for the version number and package name. There are many tools, such as Trivy, that do this automatically for you. (Aikido leverages Trivy for some of this functionality.)
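To make the name-plus-version check concrete, here is a small matcher written for this post (it is an added example, not Aikido's or Trivy's code). The advisories and lockfile entries are constructed samples that mimic a simplified shape of the CVE JSON 5.0 "affected" entries, and the CVE IDs are placeholders; the matcher also shows two pitfalls the post only hints at: comparing versions as numbers rather than strings, and matching the ecosystem as well as the package name.

```python
"""Match installed packages to CVE records by product name and version range."""
import re
from typing import Iterable

# CVE-YYYY-NNNN: the sequence part has at least four digits, and may have more.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample advisories (placeholder IDs, not real CVE records).
SAMPLE_CVES = [
    {"cveId": "CVE-2099-0001", "cvss": 9.8, "affected": [
        {"product": "left-pad-example", "ecosystem": "npm",
         "versions": [{"version": "1.0.0", "lessThan": "1.3.1", "status": "affected"}]}]},
    {"cveId": "CVE-2099-0002", "cvss": 5.3, "affected": [
        {"product": "requests-example", "ecosystem": "pypi",
         "versions": [{"version": "2.0.0", "lessThan": "2.31.0", "status": "affected"}]}]},
    {"cveId": "CVE-2099-0003", "cvss": 7.5, "affected": [
        # Same product name, different ecosystem: must NOT match the npm package.
        {"product": "left-pad-example", "ecosystem": "pypi",
         "versions": [{"version": "0", "lessThan": "2.0.0", "status": "affected"}]}]},
]

# Constructed lockfile: what an SCA scanner would read from the repository.
SAMPLE_LOCKFILE = [
    {"name": "left-pad-example", "ecosystem": "npm", "version": "1.2.9"},    # affected
    {"name": "left-pad-example", "ecosystem": "npm", "version": "1.3.1"},    # fixed version
    {"name": "left-pad-example", "ecosystem": "npm", "version": "1.10.0"},   # newer: a string compare would misfire
    {"name": "requests-example", "ecosystem": "pypi", "version": "2.25.1"},  # affected
    {"name": "left-pad-example", "ecosystem": "pypi", "version": "1.9.0"},   # affected, other ecosystem
]


def parse_version(v: str) -> tuple:
    """'1.2' -> (1, 2, 0): numeric tuples compare correctly ('1.10.0' > '1.3.1')."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version: str, start: str, less_than: str) -> bool:
    """True when start <= version < less_than (the CVE JSON 5.0 'lessThan' meaning)."""
    return parse_version(start) <= parse_version(version) < parse_version(less_than)


def find_cves(packages: Iterable[dict], cves=SAMPLE_CVES) -> list:
    """Return [(cve_id, cvss, package, version)] for every package inside an
    affected range, highest CVSS first so critical issues are addressed first."""
    hits = []
    for pkg in packages:
        for cve in cves:
            if not CVE_ID_RE.match(cve["cveId"]):
                raise ValueError(f"malformed CVE id: {cve['cveId']}")
            for entry in cve["affected"]:
                # Exact name AND ecosystem: the same name on npm and PyPI are different packages.
                if entry["product"] != pkg["name"] or entry["ecosystem"] != pkg["ecosystem"]:
                    continue
                for rng in entry["versions"]:
                    if rng["status"] == "affected" and version_in_range(
                            pkg["version"], rng["version"], rng["lessThan"]):
                        hits.append((cve["cveId"], cve["cvss"], pkg["name"], pkg["version"]))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for cve_id, score, name, version in find_cves(SAMPLE_LOCKFILE):
        print(f"{cve_id} ({score}) affects {name} {version}")
```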
Common Vulnerability Scoring System - CVSS
The NVD and others use the Common Vulnerability Scoring System (CVSS), which determines the severity of a vulnerability or an exposure. It's like a report card for security issues, ranging from 0.0 (no big deal) to 10.0 (huge problem). So, each CVE entry has a CVSS score.
How is a CVSS score calculated?
The CVSS score is calculated with a formula based on vulnerability-based metrics. A CVSS score comes out of scores from these three areas: Base, Temporal, and Environmental. The Base score is obligatory; it is the starting point and has impact and exploitability subscores. Then, the Temporal score can be calculated from the Base. Next, the Environmental score can be calculated from the Temporal. These calculations lead to the overall CVSS score.
Something for formula geeks! Check out how the scoring system and CVSS calculator work. Find out what the calculations are and which precise metrics create each score. Attack vector! Attack complexity! Lots of fun!
What is the CVSS scoring scale?
The current (v3.1) CVSS scoring scale includes five categories:
- 9.0 - 10.0 = Critical
- 7.0 - 8.9 = High
- 4.0 - 6.9 = Medium
- 0.1 - 3.9 = Low
- 0.0 = None
Download a copy of the full CVSS scoring system user’s guide.
How do I find a CVSS score for a CVE record?
This is easy! When you are in the online database each CVE record page has a link to the NVD’s CVSS score. Just click and go! For example, using CVE-2023-40033 from earlier in this post, when we click on “CVSS scores” (top right-hand corner of the record) we learn that this vulnerability has a score of 7.1 (High).
What is a CWE?
Common Weakness Enumeration, or CWE, is a list of common software and hardware weaknesses. CWE is a community-developed resource and provides standardization for the type and scope of weaknesses.
To quote MITRE, ‘the main goal of CWE is to stop vulnerabilities at the source ... to eliminate the most common mistakes before products are delivered.’ CWE also gives devs a framework for discussion and action against security threats while mapping to vulnerability databases (e.g. CVE).
How is that different from CVE? CWE focuses on the underlying weakness that might lead to a vulnerability. Meanwhile, CVE describes actual vulnerabilities. Like CVE, CWE also has severity scoring via CWSS and CWRAF.
Have a look at the top 25 most dangerous CWEs for 2023.
What can I do to maintain a strong security posture?
Don’t blindly follow the CVSS scores to set your security priorities
Are all CVEs a problem for you? Nope. They are information, and like a lot of information, not all CVEs will be relevant to your context. And, even for those that may seem to be, there are plenty of situations where even CVEs with high CVSS scores may not be relevant or a risk to you:
- Level of business impact: A vulnerability, despite having a high CVSS score, does not pose a significant risk to the organization's specific business operations, customer data, or critical systems. Or, a risk assessment or other tool determines that other factors (e.g. a function isn’t reachable) outweigh the CVSS score in importance.
- Unique Systems: When using custom or unique software, CVSS scores may not accurately reflect the actual risk associated with vulnerabilities in specific systems.
- Resource limitations: You'd love to fix every high-scoring CVSS vulnerability, but you've got to be realistic. Prioritize before pouring tons of resources into something that's not cost-effective.
- Already Covered: You may already have solid defenses in place. Even if a vulnerability scores high, you might decide it's not worth the hype if you've already got safeguards that keep it in check.
- CWE awareness: Stay aware of CWEs that might affect what you are delivering.
Get a vulnerability scanner
There are also new platforms popping up that help you spot emerging trends – check out Fletch, which specializes in awareness speed and contextualizing threats. Nessus scans for over 59,000 CVEs. Nexpose uses its own scoring system which takes into account the age of the vulnerabilities and what sort of patches and remedies are already in place. Nmap and OpenVAS are open-source vulnerability scanners.
Meanwhile, why not test Aikido Security to monitor and improve your overall security posture, too? Try out Aikido for free!
Get ahead of the CurVE
The thing about CVEs is that they are about the PAST, i.e. vulnerabilities and exposures that have already happened. That means the bad actors sometimes have time to do damage before you have time to react. In addition to using a vulnerability scanner, make sure you take steps to manage your risk. These can include making sure patches are up to date and carrying out penetration tests.
TL;DR sec provides a good breakdown of the software supply chain and, more importantly, how to secure each stage.
Additionally, we like to keep Aikido users (free and paying) and our LinkedIn followers in the loop with relevant LI posts. For example, here’s a recent post we’ve put up about CVE-2023-4911 – the (not-so-funny) Looney Tunables bug.
Check your code for the most common exploits
Use the OWASP Top 10 and CIS compliance benchmarks to check your code. These standard tools help you deal with the most common weaknesses (OWASP) and baseline configurations for cybersecurity (CIS).
Check out how you score directly in Aikido: CIS Report / OWASP Top 10 Report
Top 3 web application security vulnerabilities in 2024
We've isolated the top 3 critical web application security vulnerabilities that Aikido users face. This guide outlines what they are, why they're so common, and how to fix them - along with some risky runner-ups we couldn't ignore.
Address these early and effectively, and you'll already be well ahead in the fight to keep your web application secure against cybercrime.
1. Most common and critical code vulnerability (SAST)
Static Application Security Testing (SAST) is a testing method that scans source code for vulnerabilities early in the development cycle. It's called a white-box method because the workings of the application are known to the tester.
NoSQL injection attacks (code vulnerability: SAST)
NoSQL injection can lead to leaked data, corrupted databases, and even complete system compromise. Sadly, it's a critical web application security vulnerability and we've seen a lot of Aikido user accounts exposed to it.
What is NoSQL injection?
NoSQL injection is a type of attack where hackers use malicious code to manipulate or gain unauthorized access to a NoSQL database. Unlike SQL injections, which target SQL databases, NoSQL injections exploit vulnerabilities in NoSQL databases like MongoDB. It can lead to data leaks, corruption, or even full control over the database.
Why is this vulnerability so common?
NoSQL injection is common partly because of the increasing popularity of NoSQL databases, especially MongoDB. These databases offer performance benefits, but they come with unique security challenges.
On top of this, NoSQL databases are flexible in that they accept various formats like XML and JSON. This flexibility is great, but it can lead to web application security vulnerabilities, as standard security checks might not catch malicious inputs tailored to these formats.
And the vast array of NoSQL databases, each with its own syntax and structure, also makes it harder to create universal safeguards. Security professionals must understand the specific details of each database and that adds complexity to the prevention process.
Even worse, and unlike traditional SQL injections, NoSQL injections can occur in different parts of an application. This makes them even harder to detect.
How can you easily fix this vulnerability?
Use input validation and parameterized queries. Input validation ensures user inputs match expected types and formats, rejecting unsafe values. Parameterized queries prevent the embedding of unvalidated inputs.
In general, always implement database security features like authentication and encryption. Stay updated with the latest patches. And make sure you conduct regular audits of code and configurations to identify and fix this and other vulnerabilities.
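The login filter below shows the MongoDB operator injection this section describes beside the input validation that stops it. It is an added example, not Aikido's code; it assumes the returned document would be handed to a pymongo-style find_one(), so no database is needed to see the problem, and the request bodies are constructed.

```python
"""Operator injection in a MongoDB login filter, and the validation that stops it."""
import json


def unsafe_login_filter(body: str) -> dict:
    """Vulnerable: whatever JSON the client sent becomes part of the query document.
    A client can send an object such as {"$gt": ""} instead of a string, turning an
    equality check into an operator that matches any value."""
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def require_str(value, field: str, max_len: int = 128) -> str:
    """Input validation: only plain strings of sane length reach the query."""
    if not isinstance(value, str):
        raise ValueError(f"{field} must be a string, got {type(value).__name__}")
    if not 0 < len(value) <= max_len:
        raise ValueError(f"{field} has invalid length")
    return value


def contains_operator(doc) -> bool:
    """Defensive check for any filter document: does it smuggle in a '$' operator key?"""
    if isinstance(doc, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in doc.items())
    if isinstance(doc, list):
        return any(contains_operator(v) for v in doc)
    return False


def safe_login_filter(body: str) -> dict:
    """Hardened: values are type-checked before they are placed in the query.
    (Real code would look the user up by username only and compare a password
    hash server-side; the filter shape is kept identical here for comparison.)"""
    data = json.loads(body)
    username = require_str(data.get("username"), "username")
    password = require_str(data.get("password"), "password")
    query = {"username": username, "password": password}
    assert not contains_operator(query)  # belt and braces: validation already guarantees this
    return query


def rejects(body: str) -> bool:
    """True when the validating path refuses the request body."""
    try:
        safe_login_filter(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request bodies: a normal login and an operator-injection attempt.
    normal = '{"username": "alice", "password": "hunter2"}'
    injected = '{"username": "alice", "password": {"$gt": ""}}'
    print("unsafe filter smuggles an operator:", contains_operator(unsafe_login_filter(injected)))
    print("safe path rejects it:", rejects(injected), "and accepts a normal login:", not rejects(normal))
```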
Runner-up: Leaving dangerous debug functions in code (code vulnerability: SAST)
Exposed debug functions allow reconnaissance that assists attackers in exploiting systems - sometimes with significant security risk.
What are dangerous debug functions?
Debug functions like phpinfo() can expose sensitive information about your server and environment. This includes the PHP version, OS details, server information, and even environment variables that might contain secret keys (although we definitely don't recommend putting secret keys there in the first place!).
As a result, detecting the structure of your filesystem through these debug functions might allow hackers to carry out directory traversal attacks if your site is vulnerable. Exposing phpinfo() on its own isn't necessarily a high risk, but it can make it slightly easier for attackers. The principle is clear: the less specific info hackers have about your system, the better.
Why is this vulnerability so common?
This web application security vulnerability often occurs because developers use these functions for debugging and sometimes even push them to production for troubleshooting. Rushed releases, lack of code review, and underestimating risks all contribute to these functions being left exposed.
How can you easily fix this vulnerability?
- Code review: regularly check your code to identify and remove debug functions before deploying to production.
- Automated vulnerability scanning tools: use a tool, like Aikido, that can detect dangerous debug functions.
- Environment-specific configurations: make sure you disable debug functions in the production environment.
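The automated-scanning bullet can be illustrated with a tiny SAST-style rule for PHP debug functions. It is an added example, not Aikido's rule engine; the PHP snippet is constructed, and the rule deliberately skips matches inside comments and string literals so that a commented-out phpinfo() is not reported as a finding.

```python
"""Flag calls to dangerous PHP debug functions, ignoring comments and string literals."""
import re

DEBUG_FUNCTIONS = ("phpinfo", "var_dump", "print_r", "debug_print_backtrace")

# Comments and string literals, which must not produce findings.
TOKEN_RE = re.compile(
    r"/\*.*?\*/"                 # block comment
    r"|//[^\n]*|#[^\n]*"         # line comments
    r'|"(?:\\.|[^"\\\n])*"'      # double-quoted string literal
    r"|'(?:\\.|[^'\\\n])*'",     # single-quoted string literal
    re.DOTALL,
)

# A real call: the name, not preceded by $, -> or :: (variables, methods, statics).
CALL_RE = re.compile(r"(?<![\w$>:])(" + "|".join(DEBUG_FUNCTIONS) + r")\s*\(")


def _blank(match: re.Match) -> str:
    """Replace a comment/string with spaces, keeping newlines so line numbers hold."""
    return re.sub(r"[^\n]", " ", match.group(0))


def find_debug_calls(src: str) -> list:
    """Return [(line_number, function_name)] for every live debug call in src."""
    cleaned = TOKEN_RE.sub(_blank, src)
    hits = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed PHP sample: two live calls (lines 5 and 8), two that must not fire.
SAMPLE_PHP = """<?php
// phpinfo();  (commented out: must not fire)
$banner = "see phpinfo() for details";  // inside a string: must not fire
if (isset($_GET['debug'])) {
    phpinfo();                           // real call on line 5
}
/* var_dump($config); */
print_r($_SERVER);                       // real call on line 8
"""

if __name__ == "__main__":
    for lineno, name in find_debug_calls(SAMPLE_PHP):
        print(f"line {lineno}: debug function {name}() must not reach production")
```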
2. Most common and critical DAST vulnerability
Dynamic Application Security Testing (DAST) is a testing technique that identifies vulnerabilities in running applications. It's called a black-box method because it focuses only on observable behavior. DAST shows you what the system might look like to an attacker.
Forgetting major security headers: HSTS and CSP (cloud vulnerability: DAST)
A lack of proper HSTS and CSP implementation leaves web applications vulnerable to major attacks like XSS and information disclosure.
What is CSP?
Content Security Policy (CSP) is a security mechanism that helps defeat various browser-based attacks like cross-site scripting and clickjacking. It does this by restricting risky behaviors in web pages such as inline JavaScript and unsafe eval() functions. CSP enforces safer defaults to maintain the integrity and confidentiality of content. The key benefit is protecting against malicious injection of scripts.
Why is this DAST vulnerability so common?
It’s very common to neglect HSTS and CSP, especially CSP, because developers often prioritize functionality over these headers.
You should plan CSP early in development, but it often gets overlooked. And when devs try to implement or retrofit it later it causes conflicts, so they skip CSP entirely to get on with other work. This leaves apps unprotected and subject to a range of web application security vulnerabilities.
How can you easily fix this DAST vulnerability?
- Implement HSTS to force HTTPS-only connections. Enable it on the server through configuration files or a WAF.
- Define and apply a strict CSP tailored to your app by restricting unsafe practices like inline scripts. Carefully test for compatibility.
- Continuously monitor and update headers as the app evolves to maintain protection.
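To make the third point concrete, here is an added example of the kind of header check a DAST tool performs, written for this post rather than taken from Aikido's scanner. It takes a dict of response headers as any HTTP client returns them and reports a missing or short-lived HSTS policy, a missing CSP, and CSP script sources that re-enable inline scripts or eval(). The six-month HSTS threshold and the two sample header sets are assumptions constructed for the example.

```python
"""Audit HSTS and CSP response headers (added example, not Aikido's scanner)."""
from typing import Dict, List

# Assumption for this example: six months is the common minimum max-age
# before browsers consider an HSTS policy long-lived enough.
MIN_HSTS_MAX_AGE = 15552000  # 180 days in seconds
# Script sources that defeat the purpose of a CSP.
UNSAFE_CSP_TOKENS = ("'unsafe-inline'", "'unsafe-eval'", "*")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means both headers look sound."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first request can still be downgraded to plain HTTP")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    pass
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains (includeSubDomains missing)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no restriction on script sources, inline scripts or framing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is not set explicitly.
        script_src = policy.get("script-src", policy.get("default-src", []))
        if not script_src:
            findings.append("CSP has neither script-src nor default-src")
        for tok in script_src:
            if tok in UNSAFE_CSP_TOKENS:
                findings.append(f"CSP script-src allows {tok}: injected inline/eval scripts still run")
        if "frame-ancestors" not in policy:
            findings.append("CSP lacks frame-ancestors: page can be framed (clickjacking)")
    return findings


# Constructed samples: a typical weak configuration and its hardened counterpart.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["no findings"])
```

Feed it the headers of each deployed environment after every release: a CSP that was tightened during the retrofit described above tends to be loosened again the first time a third-party widget breaks, and this check catches that regression.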
3. Most common and critical cloud vulnerability (CSPM)
Cloud Security Posture Management (CSPM) tools continuously monitor cloud-based environments to ensure compliance with security standards and best practices. CSPM tools look for security misconfigurations and are aimed at mitigating risks.
Leaving EC2 IAM roles vulnerable to SSRF attacks (cloud: CSPM)
Overly permissive EC2 IAM roles can frequently enable attackers to move laterally and gain unauthorized access across cloud environments. The potential impact of this kind of attack can be devastating.
What are EC2 IAM roles?
EC2 IAM (Identity and Access Management) roles in Amazon Web Services (AWS) delegate permissions to determine allowed actions on specific resources. They enable EC2 instances to securely interact with other AWS services without having to store credentials directly on the instances themselves.
What is an SSRF attack?
A Server Side Request Forgery (SSRF) attack is where an attacker forces the server to make requests to internal resources as if it's the server itself asking. The attacker can potentially access unauthorized systems this way, bypass controls, or even execute commands. Check out this terrifying example of how an SSRF attack took over a startup’s cloud via a simple form to send an email.
Why is this CSPM vulnerability so common?
EC2 IAM roles are usually left vulnerable to SSRF attacks because of security misconfigurations or overly permissive roles. Juggling complex cloud permissions is hard and some developers might not fully understand the risks. On top of this, wanting services to work smoothly together can often nudge teams to grant more access than is really needed.
How can you easily fix this CSPM vulnerability?
There are some solid ways to tackle EC2 roles and mitigate SSRF web application security vulnerabilities. First off, stick to the principle of least privilege - only allow the exact access that's absolutely needed and nothing more. Overly permissive roles are asking for trouble.
Next up, make use of built-in AWS tools like security groups and network ACLs to lock down traffic and reduce the potential openings for SSRF attacks. The more you can limit access, the better.
It's also important to regularly review and audit roles to catch any unnecessary access that might be creeping in over time as things change. Stay on top of it.
And lastly, implement AWS security tools focused specifically on detecting and preventing SSRF attacks before they cause harm. The more layers of protection, the more secure you'll be.
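The reason an SSRF on an EC2 instance reaches the role at all is the instance metadata service (IMDS): a forged request to it returns the role's temporary credentials. Requiring IMDSv2 (HttpTokens=required) blocks the plain GET an SSRF typically issues, because a session token must first be obtained with a PUT request. The post does not name this control, so as an added example (not an Aikido rule) here is an audit over the shape of boto3's describe_instances() output, flagging instances that still accept IMDSv1, with the severity raised when a role is attached. The instance data is constructed for the demonstration.

```python
"""Audit EC2 instances for SSRF-exposed instance roles (added example, not Aikido's rule).

Input mirrors describe_instances()["Reservations"]; the sample below is constructed.
"""
from typing import Dict, List

SAMPLE_RESERVATIONS = [
    {"Instances": [
        # Role attached, IMDSv1 still accepted, hop limit 2: worst case.
        {"InstanceId": "i-0000000000000001",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        # Role attached but IMDSv2 enforced: nothing to report.
        {"InstanceId": "i-0000000000000002",
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role"},
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        # No role: IMDSv1 still leaks instance details, but no credentials.
        {"InstanceId": "i-0000000000000003",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}
]


def audit_instance(inst: Dict) -> List[str]:
    """Return findings for one instance; empty when its IMDS exposure is acceptable."""
    findings: List[str] = []
    opts = inst.get("MetadataOptions", {})
    has_role = "IamInstanceProfile" in inst
    if opts.get("HttpEndpoint") != "enabled":
        return findings  # IMDS disabled entirely: nothing for an SSRF to read
    if opts.get("HttpTokens") != "required":
        sev = "high" if has_role else "low"
        suffix = " with instance role attached" if has_role else ""
        findings.append(f"{sev}: IMDSv1 allowed (HttpTokens=optional){suffix}")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        # A hop limit of 1 keeps IMDSv2 token responses from travelling
        # beyond the instance itself, e.g. to containers running on it.
        findings.append("medium: HttpPutResponseHopLimit > 1 widens who can obtain IMDSv2 tokens")
    return findings


def audit_reservations(reservations: List[Dict]) -> Dict[str, List[str]]:
    """Map InstanceId -> findings for every instance that has at least one."""
    results: Dict[str, List[str]] = {}
    for r in reservations:
        for inst in r.get("Instances", []):
            f = audit_instance(inst)
            if f:
                results[inst["InstanceId"]] = f
    return results


if __name__ == "__main__":
    for instance_id, findings in audit_reservations(SAMPLE_RESERVATIONS).items():
        for f in findings:
            print(f"{instance_id}: {f}")
```

In a live account the reservations come from `ec2.describe_instances()` (paginated), and the remediation for each flagged instance is `ec2.modify_instance_metadata_options(InstanceId=..., HttpTokens="required")`. This closes the credential-theft path; the least-privilege review of what the role itself may do remains necessary, since IMDSv2 limits who can obtain the credentials, not what they are allowed to do.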
Runner-up: Outdated cloud lambda runtimes (cloud: CSPM)
When these runtime environments become outdated, they may expose the lambda functions to attackers.
What are outdated lambda runtimes?
Outdated lambda runtimes refer to using older versions of programming languages or environments in serverless functions (lambdas). These outdated runtimes may lack the latest security patches or feature updates, potentially exposing applications to known web application security vulnerabilities.
Why is this CSPM vulnerability so common?
The vulnerability often arises from a “set and forget” mentality. Developers may deploy lambdas with a specific runtime and neglect to update them as new versions are released. They can also make the mistake of assuming that cloud providers handle all maintenance. Even though AWS and Google Cloud Functions will maintain runtimes for you with minor OS patches, they won’t do major language upgrades. On top of all that, the complexity of managing multiple lambdas makes it easy for outdated runtimes to fall through the cracks and create extra risk.
How can you easily fix this CSPM vulnerability?
You can mitigate the risk by following three simple rules:
- Regularly review which runtimes are used and check for updates.
- Upgrade to the latest supported versions with security patches.
- Use automation tools to manage and update runtimes where possible.
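The first two rules can be automated together: list every function, compare its runtime against the provider's deprecation schedule and produce the upgrade list. The following is an added example written for this post, not Aikido's CSPM rule. The input mirrors the "Functions" list returned by boto3's list_functions(); the function records are constructed, and the deprecated-runtime set is an illustrative snapshot that has to be refreshed from AWS's Lambda runtime deprecation table before real use.

```python
"""Flag Lambda functions on deprecated runtimes (added example, not Aikido's rule)."""
import re
from typing import Dict, List, Optional

# Illustrative snapshot (assumption): runtimes AWS had already deprecated by 2023.
# Refresh this set from the AWS Lambda runtime deprecation schedule.
DEPRECATED_RUNTIMES = {
    "python2.7", "python3.6", "nodejs10.x", "nodejs12.x",
    "ruby2.5", "dotnetcore2.1", "dotnetcore3.1",
}

# Runtime identifiers look like <family><version>, e.g. python3.6 or nodejs12.x.
_RUNTIME_RE = re.compile(r"^([a-z]+)(\d[\w.]*)$")


def runtime_family(runtime: str) -> Optional[str]:
    """Return the language family of a runtime id, or None for custom runtimes."""
    m = _RUNTIME_RE.match(runtime)
    return m.group(1) if m else None


def audit_functions(functions: List[Dict]) -> Dict[str, str]:
    """Map FunctionName -> action for every function that needs attention."""
    actions: Dict[str, str] = {}
    for fn in functions:
        name = fn["FunctionName"]
        rt = fn.get("Runtime")
        if rt is None or rt.startswith("provided"):
            # Container-image functions have no Runtime field; custom runtimes
            # ship their own language. Neither is patched by the provider.
            actions[name] = "custom or container runtime: verify the base image is patched"
        elif rt in DEPRECATED_RUNTIMES:
            actions[name] = f"{rt} is deprecated: move to a supported {runtime_family(rt)} runtime"
    return actions


# Constructed sample mirroring list_functions()["Functions"].
SAMPLE_FUNCTIONS = [
    {"FunctionName": "send-email", "Runtime": "nodejs12.x"},
    {"FunctionName": "resize-image", "Runtime": "python3.11"},
    {"FunctionName": "legacy-report", "Runtime": "python2.7"},
    {"FunctionName": "custom-go", "Runtime": "provided.al2"},
    {"FunctionName": "image-fn", "PackageType": "Image"},
]

if __name__ == "__main__":
    for name, action in audit_functions(SAMPLE_FUNCTIONS).items():
        print(f"{name}: {action}")
```

Against a real account, page through `lambda.list_functions()` and apply the fix with `lambda.update_function_configuration(FunctionName=..., Runtime=...)` after the code has been tested on the new version; the "set and forget" problem described above is solved by scheduling this audit rather than running it once.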
Web application security vulnerabilities and best practices
Understanding these web application security vulnerabilities is essential for system security, but remember to follow best security practices. Stay up to date, apply the appropriate fixes, and maintain regular monitoring to keep your environment safe and secure.
Scan your environment with Aikido right now to find out if you're exposed to any of these vulnerabilities.
Check out Aikido’s 2024 SaaS CTO Security Checklist to get concise advice on 40+ ways to improve security across your people, processes, code, infrastructure, and more.
New Aikido Security Features: August 2023
In the last few weeks, we’ve released lots of new features and expanded support for different tool stacks. Most notably we’ve added support for scanning many container registries! Besides that:
- We’ve added lots of new AWS rules
- Autofix now also supports Python
- We’ve improved our exploit reachability analysis to support PNPM
Expanding container registry support
Many containers run web-facing software such as Apache, Nginx, Python, Node.js or other runtimes. Keep them secure with Docker container scanning! Next to Docker Hub, Azure Container Registry, GCP Artifact Registry & AWS Elastic Container Registry we’re now also supporting the following registries:
GitLab container registry (Cloud & self-managed)
We now support GitLab’s Container Registry for Cloud & Self-Managed. As a GitLab Technology Alliance partner for Security, we couldn’t miss out on these features!
Read the docs to set up:
- Container scanning for GitLab Container Registry
- Container scanning for GitLab Self-Managed Container Registry
DigitalOcean container registry
DigitalOcean is a solid cloud solution that we couldn’t wait to support. We’re happy to say we now do so for containers!
Read the docs on how to set it up
Scaleway container registry
We’re proud to also do exploit scanning for Scaleway’s Container Registry, one of the few real European clouds!
Read the docs on how to set it up
Exploit reachability analysis improved
We've rolled out reachability analysis for PNPM lockfiles. To accomplish this at our standard of quality, we've made sure to cover many typical edge cases (aliasing, special version notation, etc.). This means our auto-triage engine gets rid of many false positives that others simply don’t.
If you’re using PNPM and using Aikido, you’re in luck! You’re using one of the only products in the industry with this level of noise reduction capabilities! 🎉
AWS rules expansion
We’ve upgraded our AWS ruleset to include more relevant rules. We want to make sure you’re notified about issues that really matter. Some new rules include:
- Checking for unused IAM Credentials
- SSL certificates that won't auto-renew
- ECR repositories that do not auto-delete old images.
Make sure to connect your AWS cloud to Aikido to check if you’ve got new findings.
Expanding autofix coverage: Python
With Aikido’s Autofix feature, you can create pull requests to fix vulnerabilities with just one click. We now also support Python! (Currently, this only applies to environments using requirements.txt, but not yet for poetry.lock files.) There’s nothing extra to configure. Just browse to a Python issue and find the Autofix button!
Read more on Autofix in our docs.
Try these out today
Log into your Aikido account to test these new features. Alternatively, you can request a demo from our team.
We would love to get your feedback on them. If any ideas pop to mind, please don’t hold back - just let us know! We’re always available via the in-app chat. 😉