Published inStarting Up Security · 7 min read· Oct 9, 2023 -- The Exploit Prediction Scoring system (EPSS) is great. You might like it, too, if you deal with large amounts of vulnerabilities. The Hand
Discord continues to be a breeding ground for malicious activity by hackers and now APT groups, with it commonly used to distribute malware, exfiltrate data, and targeted by threat actors to steal aut
Enlarge Miragec/Getty Images Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is brought
In 2021, I performed a security audit of The Squid Caching Proxy. Squid is by far the most well known open-source forwarding HTTP proxy, and is used in many contexts, like corporations that want to fi
PROGRAM DESCRIPTION The Microsoft AI bounty program invites security researchers from across the globe to discover vulnerabilities in the new, innovative, Microsoft Copilot. Qualified submissions are
So I did it again. Proving I’m the most incompetent Security Hero EVER, I committed eight different access keys to a public GitHub repository for eight different AWS Accounts. What is fascinating is t
In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545. This problem is the worst security problem found in curl in a long time. We set it
Hundreds of GitHub repositories have been targeted by a threat actor masked as the GitHub platform’s Dependabot feature to install password-stealing malware. The threat actor targeted website projects
The 10 Biggest Cyber Security Trends In 2024 Everyone Must Be Ready For Now Adobe Stock By the end of the coming year, the cost of cyber attacks on the global economy is predicted to top $10.5 trillio
Burp Suite Enterprise Edition is now available in our secure Cloud – Learn more Articles James Kettle Director of Research @albinowax Published: 14 June 2023 at 13:09 UTC Updated: 14 June 2023 at 13:1
In an email, a Microsoft representative said the engineer’s account was compromised using “token-stealing malware” but didn’t elaborate on how it got installed, if other corporate accounts were hacked
UPDATE: Microsoft performed a comprehensive technical investigation into the acquisition of the Microsoft account consumer signing key, including how it was used to access enterprise email. Our techni
A series of unfortunate and cascading mistakes allowed a China-backed hacking group to steal one of the keys to Microsoft’s email kingdom that granted near unfettered access to U.S. government inboxes
March 12, 2024 update As part of our continued commitment to transparency and trust outlined in Microsoft’s Secure Future Initiative, we are providing further information as it relates to our ongoing
Unless you’re doing continuous or quarterly budgeting, which some organizations do, then you’ll no doubt be getting ready for the long haul of the annual budget process to seek the resources you need
IT giant Ivanti is advising some customers to make changes to dodge a new zero-day vulnerability affecting one of its products. On Monday, the company warned of a bug in its Sentry security product th
How often when you use an ATM, payment terminal, or gas pump do you wonder “Is my card information safe?” I know I ask myself that every time I swipe or insert my card. Research by FICO shows that mor
BlogannouncementsWhy We Hack Purple and I are joining Semgrep announcements Why I'm choosing Semgrep, and what the future will hold for the AppSec Community. Subscribe to our blog Share When I started
By Jay Jacobs“Infosec twitter” has been used to describe the vibrant, active and often enthusiastic community of security practitioners working in and around the industry. It’s been a source of insigh
Photo: Suzanne Cordeiro/Getty Images More than three years after Russian hackers compromised SolarWinds and embedded a backdoor in its premier software product, the Securities and Exchange Commission
By Florian Noeding, Principal Security Architect Published inAdobe Tech Blog · 6 min read· Jun 22, 2023 -- In order to remediate security vulnerabilities efficiently, they should be identified and mit
The catch-phrase "shift left" has reached peak assimilation in the application security ethos as security pundits, DevOps strategists, app sec pros, and plenty of promoters of the concept have grabbed
This article is cross posted to LinkedIn here for comments and discussions. With my newfound passion to root out security myths and look for facts based on data, lots of things are catching my eye. Th
We run a newsletter that is sent roughly once a week, with additional commentary, news about our upcoming open-source projects, and things happening at the company. You can signup at www.crashoverride
This article is cross posted on LinkedIn for comments and discussion . The vast majority of developers don’t care about security. That’s a fact in my opinion, and it has been the same since I started
The developer used information it had gathered about a prevelant third-party cheating software to catch and punish players using it red-handed. Image: Valve Over 40,000 Dota 2 accounts have been perma
It is frustrating for cybersecurity vendors when conferences attain the status of “must attend.” They are extremely expensive to exhibit at and the ROI is often difficult to measure. In my experience
The University of Zurich, Switzerland’s largest university, announced on Friday it was the target of a “serious cyberattack,” which comes amid a wave of hacks targeting German-speaking institutions. T
This article is cross posted here on LinkedIn for discussion and comments. In the CSO interviews , I explained that we heard from CSO’s that they want less tools not more. I also explained that we hea
In the old days, security teams were all about protecting the code, written ‘in house’, that powered the features of their software. The dawn of SAST. We called it appsec. Along came open source, and
Published 26 January Share page About sharing Image source, DoJ Image caption, Deputy Attorney General Lisa O Monaco described the operation as a 21st Century cyber stakeout By Joe Tidy Cyber reporter
This article is crossposted to LinkedIn here for comments and discussions. Ever since I started OWASP and it suddenly took off, I have been fascinated by what makes some things rise up. In recent year
Edit Article 03/03/2023 In this article The original immutable laws of security (v2 updated below) identified key technical truths that busted prevalent security myths of those times. In that spirit,
Canada’s aviation system was briefly hit with a computer outage just hours after issues with the same system forced the United States’ Federal Aviation Administration to bring air traffic to a standst
Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at w
Breaking RSA with a Quantum Computer A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take
I don’t think I can resist making the analogy. It’s just too obvious, and the chance for witty humor and snarky commentary is just too great of a draw for my reptilian brain. If you haven’t seen the m