Tag: vulnerability management
The Cloud Security Alliance has released its list of top cloud threats for 2024. Plus, CISA and the FBI published a guide for determining if a software product was built “secure by design.” Meanwhile, find out how AI can transform offensive security. And the latest on the Royal ransomware gang, the CIS Benchmarks and TikTok’s…
Read More
In the event that you have a WAF in place and are hacked (likely, in the scenario where you have implemented the solution in monitoring/listen-only mode), the collection of the post data will be your primary evidence source that indicates how your application was exploited. This information is critical in your investigation and remediation…
Read MoreLike many of my peers, I marvel at the amazing ways the cloud has changed our lives and how we work. At the same time, I’ve lost untold hours of sleep worrying about the security risks this transformation creates. As a CISO, I spend a big chunk of every day planning for, evaluating, and…
Read MoreAutomation Risks There are a number of container and automation frameworks out there that seek to make scale as effortless as the click of a mouse. Some of them are rising quickly due to the excitement over containers, like Mesos and Kubernetes. Others have been around for a while—think Puppet, Chef, VMware, Cisco, and OpenStack.…
Read MoreThe essence of this attack is van Beek’s Microsoft Exchange Autodiscover vulnerability. In a September 2016 interview with The Register, van Beek said, “I recently discovered that most, if not all, Microsoft Exchange clients (eg, Outlook, iPhone mail app, Android mail app, Blackberry Mail App) are more than happy to provide a user’s password in plain…
Read MoreIf Shakespeare were alive today (and blogging), he might have written about the latest vulnerability to sweep the Internet by pointing out: Hath not the cloud interfaces, code, logic, data? Accessed with the same protocols, exploited with the same weapons, subject to the same vulnerabilities, mitigated by the same solutions, patched by the same methods…
Read More“Managing” vulnerabilities is an endless effort that is only truly noticed when it fails. More often than not, the constant debate over which vulnerabilities get prioritized for remediation is decided based on likelihood of exploit, followed by impact, and level of effort to fix. The typical result is that low- and medium-grade vulnerabilities get de-prioritized—in…
Read MoreI was chatting recently with a coworker who had just returned from a DevOpsy-focused conference. She mentioned she had met a woman whose entire role was focused on finding “lost” cloud instances (that is, virtual servers running in a public or private cloud network). Her entire job is just to find those instances and get…
Read MoreIt seems earthshaking vulnerabilities are released weekly that leave vendors and system administrators scrambling to remediate. So, where are all these vulnerabilities coming from? A simple search on the National Vulnerability Database shows over 3,300 new vulnerabilities released in just the past 3 months.1 Granted that many of these vulnerabilities are esoteric and limited to…
Read MoreFigure 1: Bug types across valid submissions shows a decline in low value bug types such as clickjacking, and steady submissions in XSS and mobile bugs. XSS, SQLi, and CSRF are among the OWASP “Top Ten”, with reams of documentation, tutorials, code samples, and tools capable of discovering these bugs before applications are introduced to the wild. One…
Read More