#devsec
startexport · 8 months ago
Text
TryHackMe | TryHackMe at Just Eat HQ: The Power of Hands-On Learning
TryHackMe at Just Eat HQ: The Power of Hands-On Learning
Staying ahead of potential attacks requires more than foundational knowledge — it demands practical, adaptable skills. This was the central theme of a recent talk by Jordan Pelling, TryHackMe’s Enterprise Customer Success Manager, at the Just Eat UK Headquarters! Jordan’s talk, tailored for a room full of developers, engineers, and security…
0 notes
neuroticmoths · 5 months ago
Text
WIP
I’m drawing mutuals’ OCs over on bsky & also having a raffle, so y’know, if you’re over there..
8 notes · View notes
jcmarchi · 2 months ago
Text
Open-Source Alternatives Amid Semgrep Licensing Controversy
New Post has been published on https://thedigitalinsider.com/open-source-alternatives-amid-semgrep-licensing-controversy/
The security community witnessed a seismic shift in January 2025, as rival companies united to launch Opengrep—a fork of the static application security testing tool Semgrep. Once celebrated for its community-driven open-source ethos, Semgrep ignited controversy when it altered its licensing model in December 2024. These licensing changes restricted the use of contributed rules in commercial products and shifted key features behind a paywall.
Semgrep became an essential tool for developers worldwide due to its ability to detect vulnerabilities across multiple programming languages. However, the company’s decision risks stifling innovation in an area vital to modern cybersecurity.
Amid the controversy, DevSecOps startup DeepSource launched Globstar, a new open-source toolkit for code security. Built from scratch and released under the MIT license, Globstar says it aims to provide unrestricted commercial and full public access to its code.
“Through Globstar, we are offering a fresh approach to custom static analysis, designed with the needs of security teams in mind. It emerged from an internal framework we had developed for threat detection,” Sanket Saurav, co-founder and CEO of DeepSource, told me. “Semgrep is already in capable hands, and our goal was to take a distinct path. We see ourselves not as a replacement, but an alternative who brings a new perspective to the space.”
The company has raised a total of $7.7M in funding and is currently being backed by Y-Combinator investors.
Developed utilizing the Go programming language and integrated with Tree-sitter, Globstar supports over 20 programming languages. The toolkit features an intuitive YAML interface for creating custom security checkers and an advanced Go interface for complex, cross-file analysis.
“When a project is forked, it often takes a different trajectory—but when constrained to building on top of an existing product, innovation can be limited,” said Sanket. “We created a system that simplifies the process of writing custom code checkers.”
Business Necessity Versus Open-Source Preservation
On Dec. 13, 2024, Semgrep revamped its licensing model to restrict third-party use of contributed rules in competing commercial products without authorization. Moreover, the company rebranded its open-source version to “Semgrep CE” (Community Edition). Semgrep claims that its licensing changes are essential to protect intellectual property and ensure sustainable revenue. The company contends that restricting commercial use helps curb unauthorized repackaging and supports long-term innovation.
“When engineers write code to solve a problem, static analysis examines the code without execution, identifying patterns and potential issues early in the development process. Semgrep is a respected player in this space, and I hold them in high regard,” said Sanket. “However, their shift in licensing for commercial users reflects a broader reality: VC-backed companies must balance open-source principles with sustainable business models.”
He notes that while the change didn’t directly impact end users, it raises an ongoing debate about whether open source should remain entirely unrestricted or evolve to ensure long-term viability.
In January 2025, 10 DevSec firms, including Aikido Security, Arnica, Amplify Security, Endor Labs, Jit, Kodem, Legit Security, Mobb and Orca Security, formed a consortium to launch Opengrep. Traditionally fierce competitors, the new consortium directly plans to challenge Semgrep’s decision to limit functionality in favor of commercial gain. In a blog post, Endor Labs stated that static code analysis is “too important to restrict”.
However, it’s not yet clear if Opengrep merely repackages legacy code rather than offering a completely new solution.
The Rise of Open-Source Alternatives 
DeepSource recognized a growing need among developers for a tool that does not inherit legacy constraints. “Enterprise customers don’t want to juggle multiple tools—it creates integration challenges and drives demand for an all-in-one solution,” explained Sanket. “Static analysis plays a crucial role in understanding code architecture, which is why we’ve positioned ourselves as a unified platform.”
However, DeepSource’s Globstar is not alone; several static code analysis alternatives have gained traction following the Semgrep licensing controversy. For instance, SonarQube is a code analysis platform that offers both a free Community Edition and paid versions for static code analysis, integration support and metrics tracking. Likewise, ShellCheck is another alternative, specifically used for analyzing shell scripts, which helps developers catch scripting errors that could later lead to major bugs or inefficiencies. It flags commands or syntax that may not be portable across different shell environments. Due to its ease of use (it can be run from the command line and easily integrated into CI/CD pipelines), ShellCheck has become an increasingly popular choice.
While Opengrep seeks to preserve a legacy tool’s open roots, other alternatives like SonarQube, Globstar and ShellCheck offer fresh, forward-thinking solutions. As the open-source debate unfolds, developers and enterprises face pivotal choices that may redefine the landscape of code analysis.
1 note · View note
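Static analysis as the post above describes it, matching patterns in code without executing it, as an added example that is not code from Semgrep, Opengrep, Globstar or the article’s author: a small rule-driven checker built on Python’s own ast module, where each rule is plain data (call target plus required literal keyword arguments) the way a Semgrep-style rule file would express it. The rule IDs, messages and the SAMPLE program are constructed for this illustration; the checker goes slightly beyond the text by also resolving import aliases, so that `import subprocess as sp` does not evade a rule written against `subprocess.run`.

```python
"""Pattern-based static analysis over Python source, in the spirit of a
Semgrep/Opengrep rule set. Illustrative example only (not Semgrep, Opengrep
or Globstar code): rules are plain data, the checker walks the AST and never
executes the code it inspects. Rule IDs, messages and SAMPLE are constructed."""
from __future__ import annotations

import ast
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    id: str
    message: str
    severity: str
    callees: tuple[str, ...]                           # fully qualified call targets
    keyword_equals: dict = field(default_factory=dict)  # required literal keyword args


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    severity: str
    message: str


# Hypothetical rule set; IDs and wording are this example's own, not a vendor's.
RULES = (
    Rule("py.subprocess-shell-true",
         "subprocess call with shell=True: shell injection if any argument is attacker-controlled",
         "WARNING",
         ("subprocess.run", "subprocess.Popen", "subprocess.call",
          "subprocess.check_call", "subprocess.check_output"),
         {"shell": True}),
    Rule("py.os-system", "os.system() passes its argument to a shell", "WARNING", ("os.system",)),
    Rule("py.eval-exec", "eval()/exec() of runtime data is arbitrary code execution", "ERROR", ("eval", "exec")),
    Rule("py.pickle-loads", "pickle.loads() on untrusted bytes can instantiate arbitrary objects", "ERROR", ("pickle.loads",)),
)


class _ImportResolver(ast.NodeVisitor):
    """Map local names to what they were imported as, so that
    `import subprocess as sp; sp.run(...)` still matches `subprocess.run`."""

    def __init__(self) -> None:
        self.aliases: dict[str, str] = {}

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        for alias in node.names:
            full = f"{node.module}.{alias.name}" if node.module else alias.name
            self.aliases[alias.asname or alias.name] = full

    def resolve(self, dotted: str) -> str:
        head, _, rest = dotted.partition(".")
        head = self.aliases.get(head, head)
        return f"{head}.{rest}" if rest else head


def _callee_name(call: ast.Call) -> str | None:
    """Return the dotted name being called ('sp.run', 'eval'), or None for
    dynamic targets such as `handlers[i](...)`."""
    parts: list[str] = []
    node = call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def _keywords_match(call: ast.Call, expected: dict) -> bool:
    """Every required keyword must be present as a literal with the expected value."""
    actual = {kw.arg: kw.value for kw in call.keywords if kw.arg}
    return all(isinstance(actual.get(k), ast.Constant) and actual[k].value == v
               for k, v in expected.items())


def scan_source(source: str, rules=RULES, filename: str = "<string>") -> list[Finding]:
    """Parse `source` (never executed) and return rule matches ordered by line."""
    tree = ast.parse(source, filename)
    resolver = _ImportResolver()
    resolver.visit(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name is None:
            continue
        name = resolver.resolve(name)
        for rule in rules:
            if name in rule.callees and _keywords_match(node, rule.keyword_equals):
                findings.append(Finding(rule.id, node.lineno, rule.severity, rule.message))
    return sorted(findings, key=lambda f: (f.line, f.rule_id))


# Constructed sample input: a deliberately unsafe module for the scanner to inspect.
SAMPLE = """\
import subprocess as sp
from os import system
import pickle

def run_user_cmd(cmd: str):
    sp.run(cmd, shell=True)      # flagged: shell=True
    sp.run(["ls", "-l"])         # not flagged: argv list, no shell
    system("echo " + cmd)        # flagged: os.system via from-import
    return eval(cmd)             # flagged: eval

def load(blob: bytes):
    return pickle.loads(blob)    # flagged: pickle.loads
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE, filename="sample.py"):
        print(f"sample.py:{f.line}: {f.severity} [{f.rule_id}] {f.message}")
```

The keyword check only matches literal constants, so `sp.run(cmd, shell=flag)` with `flag` assigned elsewhere is not reported; closing that gap needs constant propagation or taint tracking across assignments and files, which is the kind of cross-file analysis the post attributes to Globstar’s Go interface and that plain pattern rules cannot express.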
ericvanderburg · 2 months ago
Text
DevSec Relationship Status: It’s Complicated (But Fixable) 
http://securitytc.com/TJ9qxH
0 notes
yearoftheglitch · 6 years ago
Photo
XOR DDoS
A rendering of the XOR DDoS Trojan Horse. This malware sample was captured by honeypot servers operated by @glitchtextiles owner and @yearoftheglitch creator, @phillipstearns.
Currently available on Kickstarter:
https://www.kickstarter.com/projects/phillipstearns/the-honeypot-collection-by-glitch-textiles
Ships October 1st, 2019
32 notes · View notes
speakvulcantome · 6 years ago
Text
O’ith’i-rihak (computer virus)
28 notes · View notes
cloudzenix · 2 years ago
Text
Are DevSecOps Solutions on the verge of replacing the SOC?
Information security activities are always integral to the Security Operations Center (SOC). The SOC team usually analyzes and monitors the security systems in an organization. Protecting the business from unprecedented security breaches is the end goal of a SOC professional; they make it happen by identifying, discovering, analyzing, and responding to cybersecurity threats. DevSecOps Solutions could have a significant impact on how SOCs operate in 2023.
A SOC comprises administrators, security engineers, and security analysts, who collaborate with IT operations and internal development teams to keep security breaches at bay. A SOC does come with several challenges while protecting the organization’s assets from unprecedented cyber threats and ensuring that all systems in the IT infrastructure, such as hosts and networks, have protection throughout the year. Read more: https://cloudzenix.com/is-devsecops-solutions-on-verge-to-replace-the-soc/
0 notes
douglas-bernardini · 3 years ago
Photo
Veracode Releases Enhanced API Scanning to tackle fastest-growing cyber attack vector.
90% of web applications contain exposed APIs, making them more vulnerable to attacks from cyber criminals.
https://secure-devs.net/veracode-releases-enhanced-api-scanning-to-tackle-fastest-growing-cyber-attack-vector/
0 notes
iandroideu · 5 years ago
Photo
Using GitHub Protected Branches to Make SOC 2 Audits Suck Less #devops #devsecops #github #hackernoon-top-story https://t.co/OlQHfzDzPl http://twitter.com/iandroideu1/status/1235528129973649411
— iAndroid.eu (@iandroideu1) March 5, 2020
0 notes
kalilinux4u · 5 years ago
Photo
Building collaboration b/w #AppSec & development teams is key to a rewarding #DevSecOps program. @seccodewarrior asked experts how they have found collaboration success & results were: ✅ understanding ✅ appreciation ✅ tangible Read about it: https://t.co/x9DnPyBxsm #devsec https://t.co/P81AVBPTHg (via Twitter http://twitter.com/TheHackersNews/status/1262784924878282756)
1 note · View note
th3hydr4 · 6 years ago
Text
What Ransomware Is and How to Protect Yourself Against Cyber Extortion and Data Hijacking
What Ransomware Is
Ransomware is a type of malicious software that uses encryption to block access to the files on the infected computer. To regain normal access to the data on the computer targeted by the attack, the attackers demand payment of a certain amount as ransom for the data, as happens in a kidnapping.
The use of ransomware in the recent Anonymous attacks against Anatel and the Ministério Público.
Ransomware was used in the latest attacks by the hacktivist collective Anonymous, such as the attack on Anatel in protest against data caps on fixed broadband internet and the attack on the Ministério Público. It was announced on the Anonymous Facebook page that ransomware was used to encrypt and hijack data on several computers.
In this case, instead of money, what was demanded were solutions to the problems currently being raised by consumers of internet services.
How a ransomware infection can occur
The way your computer can be infected by this type of malware is not very different from the ways of infection by viruses, Trojan horses or spyware. Infection commonly occurs through downloading infected files, visiting malicious websites, phishing scam attacks or intrusions.
How to protect yourself against this type of attack and minimize the possible damage if it happens
On Windows computers, don’t forget to keep an antivirus installed and up to date, as well as keeping the system firewall enabled.
The only truly definitive protection against the dangerous data-hijacking attacks carried out by the malware known as ransomware is to make backups very frequently, or whenever there are important and significant changes to the data stored on the computer. That way, if the computer is infected by this type of malicious program, you simply reinstall the system and restore the previous backup, avoiding being at the mercy of the intruders and having to pay whatever amount they demand for the access key to recover the data.
What to do when you have already been a victim of a ransomware attack and have no backup
The simplest, most obvious and easiest option to resolve this problem is to pay the amount demanded and make backups next time so that it doesn’t happen again.
Another option is to go to the cybercrime police unit; however, it is not always possible to get help, because the attacker is often in another country.
The third, and most difficult and time-consuming, option is to try to decrypt the data.
This article I found on the internet shows how to do that, but it is not always possible to break a ransomware’s encryption.
https://telegra.ph/O-Que-%C3%A9-Ransomware-e-como-se-proteger-contra-cyber-extor%C3%A7%C3%A3o-e-sequestro-de-dados-12-26
0 notes
empregarbrasil · 3 years ago
Text
Information Security Analyst – DevSec
Welcome to our site Empregar Brasil – Rio de Janeiro!     HOW WE WORK Some job openings are found on OLX, Google Jobs or Empregos Brasil. If any opening is wrong or does not match reality, contact us. We will get in touch with the company by e-mail to confirm that the opening is genuine. We operate in the main cities of our…
0 notes
techigai123 · 3 years ago
Text
DevSecOps – A Trusty Sidekick to Your DevOps-Superhero
0 notes
digital-dynasty · 4 years ago
Text
heise offer: Conference: heise devSec adds a talk on the current OWASP Top 10 to its program
Fitting the freshly published list of security risks for web applications, one of the 24 talks next week is devoted to the OWASP Top 10 2021. Read more www.heise.de/news/…... www.digital-dynasty.net/de/blogs/team-blogs/…
http://www.digital-dynasty.net/de/blogs/team-blogs/35021-heise-angebot-konferenz-heise-devsec-nimmt-vortrag-zur-aktuellen-owasp-top-10-ins-programm.html
0 notes