Latest news with #DevSecOps
Business Wire
a day ago
- Business
- Business Wire
Security Compass Acquires Devici to Expand Threat Modeling Capabilities
TORONTO--(BUSINESS WIRE)-- Security Compass, The Security by Design Company, today announced the acquisition of Devici, a threat modeling solution purpose-built for modern security teams. This strategic acquisition enhances Security Compass's portfolio, complementing its flagship platform, SD Elements, and strengthening its mission to integrate secure development practices from the start of software development. 'By integrating Devici's innovative technology, we're empowering security and development teams with scalable threat modeling that aligns with their workflows, ultimately accelerating secure application delivery.' "Threat modeling is the cornerstone of secure software design, and Devici's intuitive, diagram-centric- approach fits seamlessly into our vision of Security by Design,' said Rohit Sethi, CEO of Security Compass. 'By integrating Devici's innovative technology, we're empowering security and development teams with scalable threat modeling that aligns with their workflows, ultimately accelerating secure application delivery.' Founded by renowned application security expert Chris Romeo, Devici is reshaping how teams approach threat modeling—making it accessible, actionable, and integrated across the software development lifecycle. Romeo, who will join Security Compass as Vice President, Devici, brings over 25 years of experience in security and is widely recognized for his work in building security champion programs and advancing threat modeling best practices. 'This acquisition unlocks tremendous potential,' said Chris Romeo. 'Security Compass shares our deep commitment to empowering software teams through scalable, secure design practices. Together, we're raising the bar for what modern threat modeling can look like—and delivering tools people actually want to use.' The addition of Devici underscores Security Compass's continued investment in building comprehensive, developer-centric security solutions and builds on last year's acquisition of Kontra, an application security training product. With SD Elements offering automated security requirements and compliance workflows and Devici enabling intuitive diagrammatic threat modeling, organizations can now integrate secure design earlier and more effectively than ever before. About Security Compass Security Compass helps organizations build secure and compliant software by design. SD Elements, our core platform, enables teams to identify potential threats and generate security requirements before coding begins. Seamless integrations with existing DevSecOps tools and workflows enable developers to produce secure code efficiently. Our Application Security Training combines a rigorous curriculum with hands-on labs, equipping developers with the skills to build secure software with confidence. To discover how Security Compass enables secure software development at scale, visit About Devici Devici is a modern threat modeling platform that empowers developers and security teams to integrate security into the software design phase—without disrupting development velocity. Created by security thought leader Chris Romeo, Devici is used by organizations seeking intuitive, scalable, and actionable approaches to identifying risks early in the development lifecycle. Romeo is also a General Partner at Kerr Ventures and hosts award-winning podcasts, including Application Security Podcast, The Security Table, and The Threat Modeling Podcast. His leadership at Security Journey and time as Cisco's Chief Security Advocate have positioned him as a leading voice in AppSec and developer enablement. Visit to learn more.
Business Wire
2 days ago
- Business
- Business Wire
GitLab Recognized as Leader by Independent Research Firm in DevOps Platforms Report
SAN FRANCISCO--(BUSINESS WIRE)--All Remote - GitLab Inc., the most comprehensive, intelligent DevSecOps platform, today announced it has been named a Leader by Forrester Research in The Forrester Wave™: DevOps Platforms, Q2 2025 report. The report evaluated 11 DevOps platform vendors across 26 criteria based on current offering, strategy, and customer feedback. GitLab received the highest scores possible in the project planning/alignment, build automation and CI, and pipeline security criteria. According to the report, 'GitLab is the most all-in-one of the all-in-one solutions and suits enterprises looking to standardize with a single purchase.' The report also cites GitLab's strong day zero experience, noting that 'everything is ready to run out-of-the-box,' supplemented by extensive migration tools and instructive video tutorials. Also cited are GitLab's strong developer tooling, Amazon Q integration with GitLab Duo, a cloud development environment (CDE), IDP, and wikis for documentation. The report includes feedback from customers appreciating GitLab's monthly release cadence, noting that the regular feature deliveries allow them to be nimble. According to the report, 'GitLab's community engagement outshines its larger rivals.' GitLab's end-to-end intelligent platform enables organizations to build better, more secure software faster, while increasing operational efficiency and improving developer experience. For more information, read the blog. Supporting Quotes: 'Organizations today are looking for opportunities to remove unnecessary complexity from their software development workflows. GitLab is working to meet that need by delivering a single platform that supports everyone involved in software development, from idea to deployment,' said David DeSanto, chief product officer at GitLab. 'We believe our Leader placement in Forrester's report validates why customers choose GitLab for a unified, AI-native solution that accelerates software delivery, enhances security, and fosters innovation.' About GitLab GitLab is the most comprehensive, intelligent DevSecOps platform for software innovation. GitLab enables organizations to increase developer productivity, improve operational efficiency, reduce security and compliance risk, and accelerate digital transformation. More than 50 million registered users and more than 50% of the Fortune 100 trust GitLab to ship better, more secure software faster. Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester's objectivity here.
Arabian Post
26-05-2025
- Arabian Post
Hidden Prompts in GitLab Duo Expose Source Code to Theft
A critical vulnerability in GitLab's AI-powered coding assistant, Duo, has exposed private source code repositories to theft through a sophisticated indirect prompt injection attack, cybersecurity researchers have revealed. The flaw, now patched, allowed attackers to embed hidden instructions within project content, leading the AI to leak sensitive data and manipulate its responses. GitLab Duo, introduced in June 2023 and built on Anthropic's Claude models, is designed to assist developers in writing, reviewing, and editing code. However, researchers from Legit Security discovered that Duo's deep integration across the DevSecOps pipeline made it susceptible to exploitation. By embedding concealed prompts in areas such as merge request descriptions, commit messages, and code comments, attackers could manipulate Duo's behavior without direct interaction. The attack exploited Duo's ability to process and render Markdown content directly in the browser. This feature, while enhancing user experience, introduced client-side injection risks. Malicious actors could inject untrusted HTML into Duo's responses, potentially redirecting users to phishing sites or executing harmful scripts. In some cases, hidden prompts could instruct Duo to exfiltrate private source code to attacker-controlled servers. ADVERTISEMENT Omer Mayraz, a senior security researcher at Legit Security, emphasized the severity of the vulnerability. 'Duo analyzes the entire context of the page, including comments, descriptions, and the source code—making it vulnerable to injected instructions hidden anywhere in that context,' he explained. This comprehensive analysis capability, while beneficial for development, inadvertently expanded the attack surface. The researchers demonstrated that attackers could further obfuscate malicious prompts using techniques like Base16 encoding, Unicode smuggling, and rendering text in white to evade detection. These methods made it challenging for developers and security tools to identify and mitigate the embedded threats. Prompt injection, particularly in AI systems, has been recognized as a significant security concern. The Open Worldwide Application Security Project ranked it as a top risk in its 2025 OWASP Top 10 for LLM Applications report. Unlike direct prompt injection, where attackers input malicious commands directly, indirect prompt injection involves embedding harmful instructions within content that the AI processes, making it harder to detect and prevent. Following responsible disclosure on February 12, 2025, GitLab addressed the vulnerabilities. The company implemented foundational prompt guardrails, including structured prompts, enforced context boundaries, and filtering tools, to reduce the risk of such attacks. However, GitLab acknowledged that while these measures mitigate risks, they do not eliminate all vulnerabilities, especially against sophisticated attacks.
Business Wire
22-05-2025
- Business
- Business Wire
Kovr.ai and Second Front Systems Partner to Transform Government Software Accreditation and Deployment
WASHINGTON--(BUSINESS WIRE)-- the only AI-native cyber compliance automation platform provider, and Second Front Systems (2F), a public-benefit software company focused on delivering mission-critical government solutions, today announced a first-of-its-kind partnership to deliver a joint solution to accelerate the accreditation and deployment of secure software to government agencies and their technology partners. The partnership combines advanced AI-native compliance automation with the 2F Suite—Second Front's industry leading platform for building, securing, and deploying software in government environments—to create a unified path to achieving an Authority to Operate (ATO). "ATOs don't need to be so painful," said Andrew Black, CEO and co-founder, "By partnering with Second Front, we're delivering the speed, scale, and automation today's tech leaders need to navigate cyber compliance. Together, we're ensuring security and compliance are no longer just checkboxes, they're a strategic advantage." The joint solution transforms traditionally manual accreditation workflows by combining AI-driven compliance automation with a secure, scalable DevSecOps foundation. It automates the creation of compliance artifacts, continuously monitors system data, and streamlines evidence generation—eliminating hand-offs and accelerating delivery to authorized government environments. This dramatically reduces the time, cost, and complexity of achieving and maintaining software accreditation across the public sector. "Our mission has always been to accelerate the delivery of mission-critical technology to the U.S. government,' said Tyler Sweatt, CEO of Second Front. "This partnership with represents a quantum leap in our ability to help both agencies and technology providers navigate the compliance labyrinth and put powerful new capabilities into the hands of those who serve our nation." The joint solution will be available to federal, state, and local government agencies as well as technology companies seeking to serve the public sector starting June 2025, with early access programs beginning immediately for select partners. For more information about this partnership or to schedule a demonstration, visit About reinvents cyber compliance automation with the only AI-native platform designed for cloud and hybrid systems to meet the demands of organizations in highly regulated industries. Unlike expensive consultants and brittle tools retrofitted from lightweight security standards, uses real-time, code-driven intelligence to automate the most complex frameworks like FedRAMP and CMMC. As compliance and security risks grow, is the force multiplier that empowers organizations to easily navigate change and be ATO ready in as little as 15 minutes. To learn more about visit About Second Front Systems Second Front Systems (2F) securely fast-tracks government access to software-as-a-service (SaaS) applications to help build a safer tomorrow. The 2F Suite is the only fully integrated platform that empowers you to build, secure, extend, and observe your software, and get it accredited for deployment in regulated environments with ease. With roots in U.S. Government service, this public-benefit, venture-backed software company is trusted by Government agencies and leading software providers, to empower them to succeed in their contributions to global security. For more information, visit
Business Insider
20-05-2025
- Business
- Business Insider
GitLab achieves FedRAMP Moderate authorization
GitLab (GTLB) 'announced it has achieved Authority to Operate status at the Moderate impact level from the Federal Risk and Authorization Management Program, FedRAMP, for GitLab Dedicated for Government under the sponsorship of the General Services Administration. FedRAMP provides a standardized approach to adopting secure and compliant cloud products and services across the federal government. GitLab completed a thorough assessment process with adherence to stringent criteria, including implementing necessary security controls, regular audits, and continuous monitoring. GitLab Dedicated for Government, now FedRAMP authorized, delivers a powerful DevSecOps platform with data residency, isolation, and private networking to help meet critical security and compliance requirements.' Confident Investing Starts Here:
