Malice in the metaverse: Fighting known cyber threats on a new frontier
A version of this article appeared in Infosecurity Magazine. It has been updated and syndicated here.
A few years ago, we talked a lot about how cybersecurity is the Wild West, and there was a desperate need for more people to care about it in general, not to mention the very real risk to life that many cyberattacks could pose.
Fast-forward to 2023, and it’s pleasing to see that some progress has been made, especially at the government level of many influential nations. For us, however, the journey towards truly secure code and safer software is one without end. The advent of the digital darling of the moment - the metaverse - adds a vast new attack surface for both code-level vulnerabilities and social engineering.
And we’re simply not prepared for battle on this new playing field that thrives on smoke and mirrors.
Mixed reality comes with intensified risk
Despite its current status as Flavor of the Month, the concept of the metaverse has existed for a long time. The online platform Second Life has been around since 2003, servicing a loyal niche with a fully customizable online universe where users’ avatars interact via voice and text chat, games can be played, and companies like Adidas offer official virtual stores. On the pure gaming side, massively multiplayer online (MMO) games like Fortnite and World of Warcraft deliver expansive worlds to their players, and are increasingly dependent on microtransactions, or, forking out real money for virtual items. Fortnite alone made $4.3 billion in microtransaction revenue in its first two years in the market.
It’s very clear that not only is the metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the internet - or at least social media and some e-commerce - as we know it, but the opportunity for cyberattacks and damaging exploits is mind-boggling.
The metaverse attack surface is far-reaching, extending well beyond web-based software, APIs, and payment gateways. The peripheral elements of VR headsets and accessories also pose a threat to core data, with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable.
Security researchers from Rutgers University revealed “Face-Mic” earlier this year, the first study of its kind examining how voice command features on virtual reality headsets could lead to serious privacy breaches, known as “eavesdropping attacks.” The work is fascinating, showing that threat actors could potentially use some virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication. With the accelerometer and gyroscope not requiring any permission to access, intricate facial movements, bone-borne vibrations, and airborne vibrations could be recorded and used to deduce everything from banking PINs to highly restricted healthcare records, depending on the patterns of the user.
In the metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous.
Smart contracts face smart(er) adversaries
The meta-economy demands decentralization, dematerialization, flexibility, and of course, security without compromise. Right now, there are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. In order to buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilized.
Mention “blockchain”, and most average people (with a little tech savvy) understand it as a secure and anonymous system for what is considered to be the future of digital currency. There’s a little problem with that, however: no online fortress is impenetrable, and those smart contracts are no exception. They are essentially little programs, and they can be hacked.
Smart contracts are susceptible to exploitation thanks to a few fairly common vulnerabilities, namely integer overflow and underflow, replay attacks, and the (very damaging) blockchain-centric bug leading to reentrancy attacks, the latter of which can lead to a user being drained of their stored crypto balance. All of these attacks are made possible by poor coding patterns leading to exploitable vulnerabilities, and insecure design fundamentals.
This technology will only become more widely used, yet, as it stands today, we are going to struggle to find enough security-aware developers to ensure a secure, failsafe metaverse. Organizations must understand the magnitude of their metaverse participation, particularly if data and currency are at stake… and it’s difficult to imagine a scenario where this wouldn’t be the case.
It’s an unregulated environment, and you’re (still) the product
Just as we have seen in movies, TV, Second Life, and videogames, a metaverse environment allows us to be whoever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a huge drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable, and skilled criminals will have even more to work with from a social engineering perspective.
Sensitive user data is the new gold, and the metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy. Core to this will be organizations taking responsibility for the security of their contributions to the metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort.
Why secure coding will be crucial to the success of the metaverse
As fun as it may be to galavant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every “character”. And when real people’s data and finances are at stake, it’s very far removed from a game.
In cybersecurity, we are well aware that mistakes have consequences that can be truly devastating, and the integrity of every component of the metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition.
Organizations can start planning now by doing a realistic assessment of their security maturity, placing emphasis on uplifting the security skills of the developers actively working on software. As we can see from the Rutgers University study, access control is just one potent vulnerability that can lead to a widespread data leak, and security-aware developers would be far better placed to navigate these problems as code is written, and well before they enter committed code.
Resting on the excuse of the cybersecurity skills shortage isn’t going to wash after a major metaverse data breach, and we have the tools in front of us to not just do the best we can, but actively uplift software security standards for good. Now is the time to invest in training the architects of the metaverse, and reap the benefits of a virtual reimagination of products and services as we know them.
The advent of the digital darling of the moment - the metaverse - adds a vast new attack surface for both code-level vulnerabilities and social engineering. And we’re simply not prepared for battle on this new playing field that thrives on smoke and mirrors.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared in Infosecurity Magazine. It has been updated and syndicated here.
A few years ago, we talked a lot about how cybersecurity is the Wild West, and there was a desperate need for more people to care about it in general, not to mention the very real risk to life that many cyberattacks could pose.
Fast-forward to 2023, and it’s pleasing to see that some progress has been made, especially at the government level of many influential nations. For us, however, the journey towards truly secure code and safer software is one without end. The advent of the digital darling of the moment - the metaverse - adds a vast new attack surface for both code-level vulnerabilities and social engineering.
And we’re simply not prepared for battle on this new playing field that thrives on smoke and mirrors.
Mixed reality comes with intensified risk
Despite its current status as Flavor of the Month, the concept of the metaverse has existed for a long time. The online platform Second Life has been around since 2003, servicing a loyal niche with a fully customizable online universe where users’ avatars interact via voice and text chat, games can be played, and companies like Adidas offer official virtual stores. On the pure gaming side, massively multiplayer online (MMO) games like Fortnite and World of Warcraft deliver expansive worlds to their players, and are increasingly dependent on microtransactions, or, forking out real money for virtual items. Fortnite alone made $4.3 billion in microtransaction revenue in its first two years in the market.
It’s very clear that not only is the metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the internet - or at least social media and some e-commerce - as we know it, but the opportunity for cyberattacks and damaging exploits is mind-boggling.
The metaverse attack surface is far-reaching, extending well beyond web-based software, APIs, and payment gateways. The peripheral elements of VR headsets and accessories also pose a threat to core data, with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable.
Security researchers from Rutgers University revealed “Face-Mic” earlier this year, the first study of its kind examining how voice command features on virtual reality headsets could lead to serious privacy breaches, known as “eavesdropping attacks.” The work is fascinating, showing that threat actors could potentially use some virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication. With the accelerometer and gyroscope not requiring any permission to access, intricate facial movements, bone-borne vibrations, and airborne vibrations could be recorded and used to deduce everything from banking PINs to highly restricted healthcare records, depending on the patterns of the user.
In the metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous.
Smart contracts face smart(er) adversaries
The meta-economy demands decentralization, dematerialization, flexibility, and of course, security without compromise. Right now, there are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. In order to buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilized.
Mention “blockchain”, and most average people (with a little tech savvy) understand it as a secure and anonymous system for what is considered to be the future of digital currency. There’s a little problem with that, however: no online fortress is impenetrable, and those smart contracts are no exception. They are essentially little programs, and they can be hacked.
Smart contracts are susceptible to exploitation thanks to a few fairly common vulnerabilities, namely integer overflow and underflow, replay attacks, and the (very damaging) blockchain-centric bug leading to reentrancy attacks, the latter of which can lead to a user being drained of their stored crypto balance. All of these attacks are made possible by poor coding patterns leading to exploitable vulnerabilities, and insecure design fundamentals.
This technology will only become more widely used, yet, as it stands today, we are going to struggle to find enough security-aware developers to ensure a secure, failsafe metaverse. Organizations must understand the magnitude of their metaverse participation, particularly if data and currency are at stake… and it’s difficult to imagine a scenario where this wouldn’t be the case.
It’s an unregulated environment, and you’re (still) the product
Just as we have seen in movies, TV, Second Life, and videogames, a metaverse environment allows us to be whoever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a huge drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable, and skilled criminals will have even more to work with from a social engineering perspective.
Sensitive user data is the new gold, and the metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy. Core to this will be organizations taking responsibility for the security of their contributions to the metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort.
Why secure coding will be crucial to the success of the metaverse
As fun as it may be to galavant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every “character”. And when real people’s data and finances are at stake, it’s very far removed from a game.
In cybersecurity, we are well aware that mistakes have consequences that can be truly devastating, and the integrity of every component of the metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition.
Organizations can start planning now by doing a realistic assessment of their security maturity, placing emphasis on uplifting the security skills of the developers actively working on software. As we can see from the Rutgers University study, access control is just one potent vulnerability that can lead to a widespread data leak, and security-aware developers would be far better placed to navigate these problems as code is written, and well before they enter committed code.
Resting on the excuse of the cybersecurity skills shortage isn’t going to wash after a major metaverse data breach, and we have the tools in front of us to not just do the best we can, but actively uplift software security standards for good. Now is the time to invest in training the architects of the metaverse, and reap the benefits of a virtual reimagination of products and services as we know them.
A version of this article appeared in Infosecurity Magazine. It has been updated and syndicated here.
A few years ago, we talked a lot about how cybersecurity is the Wild West, and there was a desperate need for more people to care about it in general, not to mention the very real risk to life that many cyberattacks could pose.
Fast-forward to 2023, and it’s pleasing to see that some progress has been made, especially at the government level of many influential nations. For us, however, the journey towards truly secure code and safer software is one without end. The advent of the digital darling of the moment - the metaverse - adds a vast new attack surface for both code-level vulnerabilities and social engineering.
And we’re simply not prepared for battle on this new playing field that thrives on smoke and mirrors.
Mixed reality comes with intensified risk
Despite its current status as Flavor of the Month, the concept of the metaverse has existed for a long time. The online platform Second Life has been around since 2003, servicing a loyal niche with a fully customizable online universe where users’ avatars interact via voice and text chat, games can be played, and companies like Adidas offer official virtual stores. On the pure gaming side, massively multiplayer online (MMO) games like Fortnite and World of Warcraft deliver expansive worlds to their players, and are increasingly dependent on microtransactions, or, forking out real money for virtual items. Fortnite alone made $4.3 billion in microtransaction revenue in its first two years in the market.
It’s very clear that not only is the metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the internet - or at least social media and some e-commerce - as we know it, but the opportunity for cyberattacks and damaging exploits is mind-boggling.
The metaverse attack surface is far-reaching, extending well beyond web-based software, APIs, and payment gateways. The peripheral elements of VR headsets and accessories also pose a threat to core data, with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable.
Security researchers from Rutgers University revealed “Face-Mic” earlier this year, the first study of its kind examining how voice command features on virtual reality headsets could lead to serious privacy breaches, known as “eavesdropping attacks.” The work is fascinating, showing that threat actors could potentially use some virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication. With the accelerometer and gyroscope not requiring any permission to access, intricate facial movements, bone-borne vibrations, and airborne vibrations could be recorded and used to deduce everything from banking PINs to highly restricted healthcare records, depending on the patterns of the user.
In the metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous.
Smart contracts face smart(er) adversaries
The meta-economy demands decentralization, dematerialization, flexibility, and of course, security without compromise. Right now, there are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. In order to buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilized.
Mention “blockchain”, and most average people (with a little tech savvy) understand it as a secure and anonymous system for what is considered to be the future of digital currency. There’s a little problem with that, however: no online fortress is impenetrable, and those smart contracts are no exception. They are essentially little programs, and they can be hacked.
Smart contracts are susceptible to exploitation thanks to a few fairly common vulnerabilities, namely integer overflow and underflow, replay attacks, and the (very damaging) blockchain-centric bug leading to reentrancy attacks, the latter of which can lead to a user being drained of their stored crypto balance. All of these attacks are made possible by poor coding patterns leading to exploitable vulnerabilities, and insecure design fundamentals.
This technology will only become more widely used, yet, as it stands today, we are going to struggle to find enough security-aware developers to ensure a secure, failsafe metaverse. Organizations must understand the magnitude of their metaverse participation, particularly if data and currency are at stake… and it’s difficult to imagine a scenario where this wouldn’t be the case.
It’s an unregulated environment, and you’re (still) the product
Just as we have seen in movies, TV, Second Life, and videogames, a metaverse environment allows us to be whoever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a huge drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable, and skilled criminals will have even more to work with from a social engineering perspective.
Sensitive user data is the new gold, and the metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy. Core to this will be organizations taking responsibility for the security of their contributions to the metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort.
Why secure coding will be crucial to the success of the metaverse
As fun as it may be to galavant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every “character”. And when real people’s data and finances are at stake, it’s very far removed from a game.
In cybersecurity, we are well aware that mistakes have consequences that can be truly devastating, and the integrity of every component of the metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition.
Organizations can start planning now by doing a realistic assessment of their security maturity, placing emphasis on uplifting the security skills of the developers actively working on software. As we can see from the Rutgers University study, access control is just one potent vulnerability that can lead to a widespread data leak, and security-aware developers would be far better placed to navigate these problems as code is written, and well before they enter committed code.
Resting on the excuse of the cybersecurity skills shortage isn’t going to wash after a major metaverse data breach, and we have the tools in front of us to not just do the best we can, but actively uplift software security standards for good. Now is the time to invest in training the architects of the metaverse, and reap the benefits of a virtual reimagination of products and services as we know them.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoChief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
A version of this article appeared in Infosecurity Magazine. It has been updated and syndicated here.
A few years ago, we talked a lot about how cybersecurity is the Wild West, and there was a desperate need for more people to care about it in general, not to mention the very real risk to life that many cyberattacks could pose.
Fast-forward to 2023, and it’s pleasing to see that some progress has been made, especially at the government level of many influential nations. For us, however, the journey towards truly secure code and safer software is one without end. The advent of the digital darling of the moment - the metaverse - adds a vast new attack surface for both code-level vulnerabilities and social engineering.
And we’re simply not prepared for battle on this new playing field that thrives on smoke and mirrors.
Mixed reality comes with intensified risk
Despite its current status as Flavor of the Month, the concept of the metaverse has existed for a long time. The online platform Second Life has been around since 2003, servicing a loyal niche with a fully customizable online universe where users’ avatars interact via voice and text chat, games can be played, and companies like Adidas offer official virtual stores. On the pure gaming side, massively multiplayer online (MMO) games like Fortnite and World of Warcraft deliver expansive worlds to their players, and are increasingly dependent on microtransactions, or, forking out real money for virtual items. Fortnite alone made $4.3 billion in microtransaction revenue in its first two years in the market.
It’s very clear that not only is the metaverse concept here to stay, but it is also about to get a Mark Zuckerberg-sized push into the mainstream. This is an exciting evolution of the internet - or at least social media and some e-commerce - as we know it, but the opportunity for cyberattacks and damaging exploits is mind-boggling.
The metaverse attack surface is far-reaching, extending well beyond web-based software, APIs, and payment gateways. The peripheral elements of VR headsets and accessories also pose a threat to core data, with the onboard software in those devices a very convenient red carpet to paydirt if they are vulnerable.
Security researchers from Rutgers University revealed “Face-Mic” earlier this year, the first study of its kind examining how voice command features on virtual reality headsets could lead to serious privacy breaches, known as “eavesdropping attacks.” The work is fascinating, showing that threat actors could potentially use some virtual reality (AR/VR) headsets with built-in motion sensors to record speech-associated facial gestures, leading to the potential theft of sensitive information communicated via voice-activated controls, including credit card information and passwords. The root cause of the issue appears to be a lack of user authentication. With the accelerometer and gyroscope not requiring any permission to access, intricate facial movements, bone-borne vibrations, and airborne vibrations could be recorded and used to deduce everything from banking PINs to highly restricted healthcare records, depending on the patterns of the user.
In the metaverse, every movement you make is a data point, and if access to it is possible through lax software security, the incentive for attackers to try their luck is enormous.
Smart contracts face smart(er) adversaries
The meta-economy demands decentralization, dematerialization, flexibility, and of course, security without compromise. Right now, there are growing metaverse microeconomies in various cryptocurrency communities, like Shiba Inu. In order to buy virtual real estate and other intangible products, smart contracts stored on the blockchain are utilized.
Mention “blockchain”, and most average people (with a little tech savvy) understand it as a secure and anonymous system for what is considered to be the future of digital currency. There’s a little problem with that, however: no online fortress is impenetrable, and those smart contracts are no exception. They are essentially little programs, and they can be hacked.
Smart contracts are susceptible to exploitation thanks to a few fairly common vulnerabilities, namely integer overflow and underflow, replay attacks, and the (very damaging) blockchain-centric bug leading to reentrancy attacks, the latter of which can lead to a user being drained of their stored crypto balance. All of these attacks are made possible by poor coding patterns leading to exploitable vulnerabilities, and insecure design fundamentals.
This technology will only become more widely used, yet, as it stands today, we are going to struggle to find enough security-aware developers to ensure a secure, failsafe metaverse. Organizations must understand the magnitude of their metaverse participation, particularly if data and currency are at stake… and it’s difficult to imagine a scenario where this wouldn’t be the case.
It’s an unregulated environment, and you’re (still) the product
Just as we have seen in movies, TV, Second Life, and videogames, a metaverse environment allows us to be whoever we want. In a virtual world, the possibilities are only limited by your imagination, and that flexibility is a huge drawcard for users. However, the downside is that on the planned scale of something like Meta, it’s simply too vast and decentralized to police in a way that would render it air-tight from a security perspective. Scams will be inevitable, and skilled criminals will have even more to work with from a social engineering perspective.
Sensitive user data is the new gold, and the metaverse has the potential to be the richest and most complete source of data we have seen to date, providing projected adoption goes as planned. While it can be assumed that metaverse-related software builds will adhere to current regulatory standards and compliance measures, these will need updates that are fit to support a rapidly expanding digital universe and its economy. Core to this will be organizations taking responsibility for the security of their contributions to the metaverse, with a level of in-house security maturity that ensures every person working on the software is thinking about and implementing security at every step in their process, especially the development cohort.
Why secure coding will be crucial to the success of the metaverse
As fun as it may be to galavant across a lawless digital dimension, represented by an avatar that is everything you wish you could be in the real world, we must never forget that a human being is behind every “character”. And when real people’s data and finances are at stake, it’s very far removed from a game.
In cybersecurity, we are well aware that mistakes have consequences that can be truly devastating, and the integrity of every component of the metaverse cannot be an afterthought if widespread adoption and consumer trust are to come to fruition.
Organizations can start planning now by doing a realistic assessment of their security maturity, placing emphasis on uplifting the security skills of the developers actively working on software. As we can see from the Rutgers University study, access control is just one potent vulnerability that can lead to a widespread data leak, and security-aware developers would be far better placed to navigate these problems as code is written, and well before they enter committed code.
Resting on the excuse of the cybersecurity skills shortage isn’t going to wash after a major metaverse data breach, and we have the tools in front of us to not just do the best we can, but actively uplift software security standards for good. Now is the time to invest in training the architects of the metaverse, and reap the benefits of a virtual reimagination of products and services as we know them.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025
Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year.
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.