Archive for the ‘App Security’ Category

Don’t Let ‘Perfect’ Be the Enemy of a Good AppSec Program

These five suggestions provide a great place to start building a scalable and affordable program for creating secure apps. Some security programs need to have the absolute highest possible level of security assurance for the systems and the data they protect. They need to be as close to perfect as they can be. Examples of […]

How to manage the intersection of Java, security and DevOps at a low complexity cost

In this Help Net Security video, Erik Costlow, Senior Director of Product Management at Azul, talks about Java-centric vulnerabilities and the headache they have become for developers everywhere. He touches on the need to put security back into DevOps and how developers can better navigate the vulnerabilities that are consuming all of their effort and keeping […]

Software Bill of Material and Vulnerability Management Blind Spots

Open source software is everywhere (which is not a bad thing in itself). However, many buyers have no inventory of the open source components included in the software products they are buying. Businesses even fail to keep track of the open source components used in their internally developed applications. As […]

GitHub blighted by “researcher” who created thousands of malicious projects

Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI. This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would […]

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Researchers from WithSecure (formerly F-Secure Business) have uncovered an ongoing operation, codenamed DUCKTAIL, that targets individuals and organizations operating on Facebook’s Business and Ads platform. Experts attribute the campaign to a financially motivated Vietnamese threat actor, which is suspected to […]

Microsoft published exploit code for a macOS App sandbox escape flaw

Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox. “Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system.” reads the post published by Microsoft. Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft […]

Red TIM Research discovers a Command Injection with a 9,8 score on Resi

During its bug hunting activity, Red Team Research (RTR) detected two zero-day bugs in GEMINI-NET, a RESI Informatica solution. One of them is an OS Command Injection that NIST has rated Critical, with a CVSS score of 9.8. The vulnerability stems from a failure to validate the parameters sent as inputs into the […]

Poisoned Python and PHP packages purloin passwords for AWS access

A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP. Following online discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPI repository had suddenly received an “update”, despite not otherwise being touched […]

Do You Need to Rethink AppSec With 5G?

It’s not quite everywhere yet, but 5G connectivity is growing rapidly. That’s a great thing for remote workers and anyone depending on a fast connection, but what kind of impact will 5G have on application security? “The explosion of 5G is only going to put more pressure on teams to harden their application security practice,” said Mark […]

Trans-Atlantic Data Privacy Framework’s Impact on AppSec

Earlier this year, the White House announced that it is working with the European Union on a Trans-Atlantic Data Privacy Framework. According to a White House statement, this framework will “reestablish an important legal mechanism for transfers of EU personal data to the United States. The United States has committed to implement new safeguards to ensure […]

Burp Suite overview

Burp Suite, developed by PortSwigger, is a proxy-based tool for evaluating the security of web applications through hands-on testing. It is one of the most popular penetration testing and vulnerability-finding tools and is widely used for checking web application security.

Take a dev-centric approach to cloud-native AppSec testing

While some applications are still being built on a monolithic (all-in-one) architecture – i.e., all components in a single code base, on a single server, connected to the internet – an increasing number of them are now based on a microservices architecture, with each application microservice a self-contained piece of functionality, “housed” in a container managed by […]

OWASP Vulnerability Management Guide

App security by design

Securing DevOps: Security in the Cloud

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8), and they are using it to distribute the Formbook malware. CVE-2021-40444 is a remote code execution flaw in MSHTML, the browser rendering engine that Office uses to render web content embedded in documents. The security defect can be […]

Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

OpenSSL publishes updates Well, in case you missed it, the renowned OpenSSL cryptographic toolkit – a free and open source software product that we’re guessing is installed somewhere between one and three orders of magnitude more widely than Log4J – also published updates this week. OpenSSL 1.1.1m replaces 1.1.1l (those last characters are M-for-Mike and L-for-Lima), and OpenSSL 3.0.1 replaces 3.0.0. In case you […]

While attackers begin exploiting a second Log4j flaw, a third one emerges

Cloudflare, the American web infrastructure and website security company, warns that threat actors are actively attempting to exploit a second vulnerability, tracked as CVE-2021-45046, disclosed in the popular Log4j logging library. CVE-2021-45046 initially received a CVSS score of 3.7 (it was later raised to 9.0 once it was shown to allow remote code execution in certain non-default configurations) and affects Log4j […]

Google fixed the 17th zero-day in Chrome since the start of the year

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, that is being exploited in the wild. CVE-2021-4102 is a use-after-free issue in the V8 JavaScript and WebAssembly engine; its exploitation could lead to arbitrary code execution or data corruption. “Google is aware of reports that an exploit for CVE-2021-4102 […]

Cisco Survey Surfaces Legacy Infrastructure Security Challenges

A global survey of 5,123 active IT, security and privacy professionals conducted by YouGov on behalf of Cisco found well over a third of organizations (39%) are relying on what they consider to be outdated security technologies. Overall, the survey found organizations that upgrade IT and security technologies quarterly are about 30% more likely to excel at […]

Improper Neutralization of CRLF Sequences in Java Applications

CRLF Injection

Let’s try to understand what CRLF injection is. In response to an HTTP request from a web browser, a web server sends a response that contains both the HTTP headers and the actual content of the website. A special combination of characters, a carriage return followed by a line feed (CRLF), terminates each header line, and an empty CRLF line separates the HTTP headers from the HTML response […]
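To make the mechanics concrete, here is an added example (not code from the original post) that builds a raw HTTP redirect response in plain Java. The vulnerable builder copies an attacker-controlled Location value straight into the header block, so a CRLF inside it starts a new header line; the hardened builder refuses any value containing CR or LF. The class and method names, and the injected Set-Cookie payload, are constructed for this illustration.

```java
public class CrlfInjectionDemo {

    // VULNERABLE: the redirect target is copied verbatim into the header block.
    // Any "\r\n" in the value ends the Location header early and whatever
    // follows is parsed by the client as additional headers (or, after an
    // empty line, as the response body).
    static String buildRedirectVulnerable(String location) {
        return "HTTP/1.1 302 Found\r\n"
             + "Location: " + location + "\r\n"
             + "Content-Length: 0\r\n"
             + "\r\n";
    }

    // HARDENED: neutralize CR/LF before the value can reach a header line.
    // Rejecting is preferable to silently stripping, because a stripped
    // value can still turn into something the caller did not intend.
    static String neutralizeHeaderValue(String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR/LF not allowed in header value");
        }
        return value;
    }

    static String buildRedirectSafe(String location) {
        return "HTTP/1.1 302 Found\r\n"
             + "Location: " + neutralizeHeaderValue(location) + "\r\n"
             + "Content-Length: 0\r\n"
             + "\r\n";
    }

    // Counts the header lines a client would see, i.e. everything before the
    // first empty CRLF line. An injected CRLF shows up as an extra line here.
    static int headerLineCount(String rawResponse) {
        String headerBlock = rawResponse.split("\r\n\r\n", 2)[0];
        return headerBlock.split("\r\n").length;
    }

    public static void main(String[] args) {
        String benign = "/home";
        // Constructed attacker input: a valid path followed by a CRLF and a
        // forged Set-Cookie header.
        String malicious = "/home\r\nSet-Cookie: session=attacker-controlled";

        System.out.println("benign header lines:    "
                + headerLineCount(buildRedirectVulnerable(benign)));
        System.out.println("malicious header lines: "
                + headerLineCount(buildRedirectVulnerable(malicious)));
        System.out.println(buildRedirectVulnerable(malicious));

        try {
            buildRedirectSafe(malicious);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened builder rejected input: " + e.getMessage());
        }
    }
}
```

Run it with `javac CrlfInjectionDemo.java && java CrlfInjectionDemo`. The vulnerable output shows the forged Set-Cookie line sitting between Location and Content-Length as if the server had sent it. Some servlet containers and HTTP client libraries validate header values themselves, but that behaviour varies by version and configuration, so treat it as defence in depth and validate at the point where untrusted input meets a header.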
