Exciting News! Palo Alto Networks Has Announced Intent to Acquire Protect AI Learn more Platform Platform Products Guardian AI Model Security with Zero Compromises Recon Scalable Red Teaming for AI Layer Runtime Security for Tomorrow’s AI Open Source ModelScan LLM Guard Secure by Design Evolving…

Speedrunners are Vulnerability Researchers - Zetier Home Capabilities Careers Blog Speedrunners are vulnerability researchers, they just don't know it yet February 26, 2025 a Senior Cyber Engineer Thousands of video game enthusiasts are developing experience in the cybersecurity industry by…

Introduction A few weeks back I found myself in the Semgrep slack channel trying to find out whether the extensive effort I had put into developing a set of custom security vulnerability detections as part of my work for one of my main clients was about to go out the window. The reason was Semgrep’s…

Blog Origins In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting for the…

TL;DR: We’re launching Opengrep, a fork of SemgrepCS, in response to its open-source clampdown. Last month, Semgrep announced major changes to its OSS project—strategically timed for a Friday, of course ;) Since 2017, Semgrep has been a cornerstone of the open-source security community, offering a…

Fortinet Confirms Exploitation Of ‘Critical’ Vulnerability In FortiOS, FortiProxy HOME ▸ news ▸ security ▸ 2025 ▸ Fortinet Confirms Exploitation Of ‘Critical’ Vulnerability In FortiOS, FortiProxy SecurityJanuary 14, 2025, 1:06 PM EST The confirmation comes after Arctic Wolf researchers said that…

We have discovered multiple security vulnerabilities in the Azure Health Bot service, a patient-facing chatbot that handles medical information. The vulnerabilities, if exploited, could allow access to sensitive infrastructure and confidential medical data. All vulnerabilities have been fixed…

The Wiretap is your weekly digest of cybersecurity, internet privacy and surveillance news. To get it in your inbox, subscribe here. (Photo by Kenny Holston-Pool/Getty Images) Getty Images In late October, a week before the presidential election, Kamala Harris’ cybersecurity team called Apple…

Today, Ivanti warned customers about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution. The security flaw (tracked as CVE-2024-11639 and reported by CrowdStrike's Advanced Research Team) enables remote attackers to gain administrative…

By Paweł Płatek In the race to secure cloud applications, AWS Nitro Enclaves have emerged as a powerful tool for isolating sensitive workloads. But with great power comes great responsibility—and potential security pitfalls. As pioneers in confidential computing security, we at Trail of Bits have…

By Matt Schwager and Travis Peters We are publishing another set of custom Semgrep rules, bringing our total number of public rules to 115. This blog post will briefly cover the new rules, then explore two Semgrep features in depth: regex mode (especially how it compares against generic mode), and…

By Boyan Milanov We’ve developed a new hybrid machine learning (ML) model exploitation technique called Sleepy Pickle that takes advantage of the pervasive and notoriously insecure Pickle file format used to package and distribute ML models. Sleepy pickle goes beyond previous exploit techniques that…

By Matt Schwager and Sam Alws We are publishing a set of 30 custom Semgrep rules for Ansible playbooks, Java/Kotlin code, shell scripts, and Docker Compose configuration files. These rules were created and used to audit for common security vulnerabilities in the listed technologies. This new release…

By Dominik Klemba and Dominik Czarnota This post will guide you through using AddressSanitizer (ASan), a compiler plugin that helps developers detect memory issues in code that can lead to remote code execution attacks (such as WannaCry or this WebP implementation bug). ASan inserts checks around…

By Matt Schwager Trail of Bits is excited to introduce Ruzzy, a coverage-guided fuzzer for pure Ruby code and Ruby C extensions. Fuzzing helps find bugs in software that processes untrusted input. In pure Ruby, these bugs may result in unexpected exceptions that could lead to denial of service, and…

By Artur Cygan Fuzzing—one of the most successful techniques for finding security bugs, consistently featured in articles and industry conferences—has become so popular that you may think most important software has already been extensively fuzzed. But that’s not always the case. In this blog post,…

Robert Lemos, Contributing WriterDecember 18, 2023 5 Min Read Source: Zakharchuk via Shutterstock When videoconferencing service Zoom searched for a better way to assign a severity to vulnerabilities found during bug bounty programs, the company's security team could not find a suitable approach:…

Microsoft is overhauling its security processes after a series of high-profile attacks in recent years. Security is now Microsoft’s “top priority,” the company outlined today in response to ongoing questions about its security practices and the US Cyber Safety Review Board’s labeling of Microsoft’s…

Forty percent of cyber teams have not reported a cyber incident out of fear of losing their jobs, a new report has shown. This signifies a serious underreporting of cyber breaches globally, cybersecurity company VikingCloud says. VikingCloud’s research – The 2024 Threat Landscape Report: Cyber…

Amazon has confirmed that employee data was compromised after a “security event” at a third-party vendor. In a statement given to TechCrunch on Monday, Amazon spokesperson Adam Montgomery confirmed that employee information had been involved in a data breach. “Amazon and AWS systems remain secure,…

It's patch time for Firefox fans as Mozilla issues a security advisory for a critical code execution vulnerability in the browser. Mozilla said CVE-2024-9680 is a use-after-free issue in Animation timelines – the pane within the Firefox browser's Page Inspector that depicts how a given element's…

A CrowdStrike senior executive apologized for causing a global software outage that ground the operations of hospitals, airports, payment systems and personal computers around the world to a halt in July. Adam Meyers, senior vice-president for counter-adversary operations at CrowdStrike, testified…

On Tuesday, Sept. 10, we hosted the Windows Endpoint Security Ecosystem Summit. This forum brought together a diverse group of endpoint security vendors and government officials from the U.S. and Europe to discuss strategies for improving resiliency and protecting our mutual customers’ critical…

We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda…

Planned Parenthood of Montana's chief exec says the org is responding to a cyber-attack on its systems, and has drafted in federal law enforcement and infosec professionals to help investigate and rebuild its IT environment. This comes as ransomware crew RansomHub boasted it had broken into the…

A new variant of the ongoing sextortion email scams is now targeting spouses, saying that their husband or wife is cheating on them, with links to the alleged proof. In sextortion emails, scammers pretend to have hacked your computer to steal images or videos of you performing sexual acts and demand…

The Justice Department is suing the Georgia Institute of Technology and an affiliate company, claiming they failed to meet the cybersecurity standards required for obtaining Pentagon contracts. The U.S. government had earlier joined a whistleblower suit brought by current and former members of…

Chinese government-backed hackers have penetrated deep into U.S. internet service providers in recent months to spy on their users, according to people familiar with the ongoing American response and private security researchers. The unusually aggressive and sophisticated attacks include access to…

Telegram CEO Pavel Durov arrested at French airport 25 August 2024 Thomas Mackintosh & Will VernonBBC News Getty Images Pavel Durov founded Telegram in 2013 Telegram chief executive Pavel Durov has been arrested by French police at an airport north of Paris. Mr Durov was detained after his private…

Tech Analysis: Addressing Claims About Falcon Sensor Vulnerability August 07, 2024 | | Executive Viewpoint CrowdStrike is aware of inaccurate reporting and false claims about the security of the Falcon sensor. This blog sets the record straight by providing customers with accurate technical…

Google's flagship Pixel smartphone line touts security as a centerpiece feature, offering guaranteed software updates for seven years and running stock Android that's meant to be free of third-party add-ons and bloatware. On Thursday, though, researchers from the mobile device security firm iVerify…

On Friday DEF CON security pulled Dmitry Grinberg, a person responsible for much of the code running on this year’s electronic conference badge, off stage while he was originally scheduled to talk about the badge’s creation. The move came as Grinberg and the company responsible for manufacturing the…

July 31 (Reuters) - CrowdStrike (CRWD.O), opens new tab has been sued by shareholders who said the cybersecurity company defrauded them by concealing how its inadequate software testing could cause th

The Heritage Foundation’s nearly 1,000-page Project 2025 report is what the conservative DC-based think tank hails as a game plan for Donald Trump to follow in running the US government if he wins in November. Among the thirty-four authors of the document, more than half are appointees and staff…

Stu Sjouwerman 23 Jul Incident Report Summary: Insider Threat First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with…