The SolarWinds digital supply chain attack began by compromising the “heart” of the CI/CD pipeline and successfully changing application code. It highlighted the major challenges organizations face in securing their applications across the software development lifecycle and is driving increased attention at the highest levels of enterprise and government. In fact, Reuters recently reported that the Biden administration […]

Today, rapid digitalization has placed a significant burden on software developers supporting remote business operations. Developers are facing continuous pressure to push out software at high velocity. As a result, security is continuously overlooked, as it doesn’t fit into existing development workflows. The way we build software is increasingly automated and integrated. CI/CD pipelines have […]

The fundamentals of a formal, effective application security plan should start with business objectives, tools, processes and most of all, data, with the primary driver for securing applications focused on protecting data. While it is important to surgically address the insecurities in a mission-critical application, it is equally important to continuously upskill the development and […]

DEVSECOPS Enough about culture and on to DevSecOps. What kind of culture allows it to thrive? An important aspect is having a better understanding of the motivators of and detractors in each element. I won’t review those here because they are covered well in this article: https://www.stackrox.com/post/2021/02/devops-vs-devsecops-heres-how-they-fit-together/ But I will say that this topic brings to mind […]

A research from Secure Code Warrior has revealed an attitudinal shift in the software development industry, with organizations bucking traditional practices for DevOps and Secure DevOps. The global survey of professional developers and their managers found 70% of organizations recognize the importance of secure coding practices, with results indicating an industry-wide shift from reaction to […]

The Spectre vulnerability, which stems from vulnerabilities at the CPU design level, has been known for over 3 years now. What’s so interesting about this PoC is that its feasibility for leaking the end-user’s data has now been proven for web applications, meaning that it’s no longer just theoretical. The vulnerability in affected CPUs has […]

Remember XcodeGhost? It was a pirated and malware-tainted version of Apple’s XCode development app that worked in a devious way. You may be wondering, as we did back in 2015, why anyone would download and use a pirated version of Xcode.app when the official version is available as a free download anyway. Nevertheless, this redistributed version of Xcode […]

AI and ML technologies have made great strides in helping organizations with cybersecurity, as well as with other tasks like chatbots that help with customer service. Cybercriminals have also made great strides in using AI and ML for fraud. “Today, fraud can happen without stealing someone else’s identity because fraudsters can create ‘synthetic identities’ with […]

“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems, told Help Net Security. “The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are […]

If you’ve ever used the Python programming language, or installed software written in Python, you’ve probably used PyPI, even if you didn’t realize it at the time. PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]). You can download and […]

Penetration Testing is a method that many companies follow in order to minimize their security breaches. This is a controlled way of hiring a professional who will try to hack your system and show you the loopholes that you should fix. Before doing a penetration test, it is mandatory to have an agreement that will […]

As just one symptom, 83 percent of the Top 30 U.S. retailers have vulnerabilities which pose an “imminent” cyber-threat, including Amazon, Costco, Kroger and Walmart. 2020 is shaping up to be a banner year for software vulnerabilities, leaving security professionals drowning in a veritable sea of patching, reporting and looming attacks, many of which they […]

The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers. As application security methodology and best practices have evolved over more than a decade, the Building Security in Maturity Model (BSIMM) has been there each year to track how organizations are making progress. BSIMM11, […]

There are growing concerns around the number of businesses vulnerable to cyberattacks due to hackers’ ability to bypass their WAF. Source: 40% of security pros say half of cyberattacks bypass their WAF – Help Net Security Sorry About your WAF – Modern WAF Bypass Techniques Download a Security Risk Assessment Steps paper! Subscribe to DISC […]

There is a considerable demand for data-centric projects, that is why companies have quickly opened their data to their ecosystem through REST or SOAP APIs. Source: API Security and Hackers: What’s the Need? … Download a Security Risk Assessment Checklist paper! Subscribe to DISC InfoSec blog by Email

10 Most Critical API Security Risks [2019] – OWASP Foundation Advanced Web Application Scanning with OWASP Zed Attack Proxy (ZAP) Web Application Security and OWASP – Top 10 Security Flaws Ethical Hacking 101: Web App Penetration Testing Subscribe to DISC InfoSec blog by Email