Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
Tip
01 Jun 2023
Low-code/no-code use cases for security
Low-code/no-code development approaches have their fair share of security issues, but that doesn't mean they can't be used to benefit the security industry, too. Continue Reading
-
News
01 Jun 2023
Mitiga warns free Google Drive license lacks logging visibility
The ability to view logs is critical for enterprises to detect and attribute malicious activity. Mitiga said the Google Drive issue allows data exfiltration without a trace. Continue Reading
-
News
13 Jul 2021
Why patching vulnerabilities is still a problem, and how to fix it
Patching is still a struggle for many organizations, and challenges include limited resources, technical debt, decentralized infrastructure and much more. Continue Reading
-
Feature
30 Jun 2021
Common Linux vulnerabilities admins need to detect and fix
Server admins need to prepare for a variety of common Linux vulnerabilities, from software and hardware vulnerabilities to employee-created ones and even digital espionage. Continue Reading
-
Feature
30 Jun 2021
How to implement Linux security best practices
When setting up security for a company's infrastructure, admins need to focus on backups, patch management and regular vulnerability scans. Continue Reading
-
News
24 Jun 2021
Atlassian moves to lock down accounts from takeover bugs
Check Point Research uncovered a set of flaws that, if chained together, would have enabled attackers to hijack accounts with single sign-on enabled. Continue Reading
-
News
24 Jun 2021
Dell BIOSConnect flaws affect 30 million devices
Eclypsium researchers discovered vulnerabilities that, if exploited, can allow remote code execution in a pre-boot environment for 128 different Dell products. Continue Reading
-
News
15 Jun 2021
Apple issues patches for two more WebKit zero-days
Apple said both WebKit zero-days, which affect older iOS devices, have reportedly been exploited in the wild, but further details about the threat activity are unknown. Continue Reading
-
Feature
27 May 2021
Apiiro wins RSA Conference Innovation Sandbox Contest
Apiiro's automated Code Risk Platform analyzes enterprise software for material changes that can lead to security vulnerabilities, data exposures and compliance risks. Continue Reading
-
Answer
13 May 2021
What's the difference between sandboxes vs. containers?
Understanding the differences between sandboxes vs. containers for security can help companies determine which best suits their particular use cases. Continue Reading
-
Tip
13 May 2021
Container vs. VM security: Which is better?
Security professionals often compare containers vs. VMs when determining whether virtualization or containerization is better for their company's security strategy. Continue Reading
-
News
06 May 2021
Popular mobile apps leaking AWS keys, exposing user data
Security researchers at CloudSek discovered approximately 40 popular mobile apps contained hardcoded API secret keys, putting both user information and corporate data at risk. Continue Reading
-
Feature
29 Apr 2021
Learn how to mitigate container security issues
The more companies embrace application containerization, the more they need to know about container security issues and attack prevention methods. Continue Reading
-
Feature
29 Apr 2021
Adopting containers and preventing container security risks
When it comes to container security risks, organizations often worry about container escapes, but as expert Liz Rice explains, they should focus on prevention and patching. Continue Reading
-
Feature
27 Apr 2021
Applying web application reconnaissance to offensive hacking
Learn how to apply web application reconnaissance fundamentals to improve both offensive and defensive hacking skills in an excerpt of 'Web Application Security' by Andrew Hoffman. Continue Reading
-
Feature
27 Apr 2021
Collaboration is key to a secure web application architecture
Author Andrew Hoffman explains the importance of a secure web application architecture and how to achieve it through collaboration between software and security engineers. Continue Reading
-
News
21 Apr 2021
Hackers exploit 3 SonicWall zero-day vulnerabilities
SonicWall patched the zero-day vulnerabilities earlier this month, but the security vendor didn't disclose they were being exploited until Tuesday. Continue Reading
-
News
13 Apr 2021
NSA finds new Exchange Server vulnerabilities
Microsoft said it has not seen the new Exchange Server vulnerabilities being used in attacks against customers, but customers are still advised to patch immediately. Continue Reading
-
News
13 Apr 2021
McAfee: PowerShell threats grew 208% in Q4 2020
McAfee's latest threat report showed a sharp increase in PowerShell threats between Q3 and Q4 2020, in part due to malware known as Donoff and a rise in ransomware detections. Continue Reading
-
News
25 Mar 2021
Black Kingdom ransomware foiled through Mega password change
The Black Kingdom ransomware targeting Exchange servers uses an unusual encryption key method that was foiled due to a password being changed at cloud storage service Mega. Continue Reading
-
News
23 Mar 2021
'Black Kingdom' ransomware impacting Exchange servers
Both ransomware and scareware variants of Black Kingdom have been reported in attacks against vulnerable Exchange servers, but the reason for this remains unclear. Continue Reading
-
News
16 Mar 2021
RiskIQ: 69,548 Microsoft Exchange servers still vulnerable
Security intelligence vendor RiskIQ found that 69,548 servers remained unpatched as of Sunday and are vulnerable to attacks, with nearly 17,000 servers located in the U.S. Continue Reading
-
News
08 Mar 2021
Microsoft releases tools as Exchange Server attacks increase
Microsoft said it's seen increased Exchange Server attacks, as well as more threat actors beyond the Chinese state-sponsored Hafnium group conducting attacks. Continue Reading
-
News
03 Mar 2021
Microsoft Exchange Server zero-days exploited in the wild
Both the Cybersecurity and Infrastructure Security Agency and National Security Agency advise patching the Exchange Server zero-days immediately. Continue Reading
-
Feature
22 Feb 2021
Why developers should consider automated threat modeling
Traditional threat modeling is hard. Can automated threat modeling make development and security teams' lives easier? Continue Reading
-
Feature
22 Feb 2021
Introducing development teams to threat modeling in SDLC
Enterprises can improve their security posture by educating development teams on threat modeling so they can work alongside security teams and everyone knows a common language. Continue Reading
-
News
10 Feb 2021
Researcher used open source supply chain to breach tech giants
Security researcher Alex Birsan breached several major tech companies, including Microsoft and Apple, through a novel technique that manipulated open source supply chains. Continue Reading
-
News
02 Feb 2021
How a social engineering campaign fooled infosec researchers
Impersonation tactics in social engineering attacks have become so elaborate that even highly aware members of the infosec community can fall victim to them. Continue Reading
-
Tip
22 Jan 2021
5 PaaS security best practices to safeguard the application layer
Underlying APIs, language choice and cybersecurity features can vary widely across PaaS providers. But these five security best practices can help in almost any PaaS scenario. Continue Reading
-
Tip
12 Jan 2021
6 SaaS security best practices to protect applications
Use these SaaS security best practices to ensure your users' and organization's SaaS use stays as protected as the rest of your enterprise applications. Continue Reading
-
Quiz
22 Dec 2020
Quiz: Web application security threats and vulnerabilities
Applications are still the biggest attack vector for malicious actors -- can you protect them? Test your knowledge with this web application security quiz. Continue Reading
-
Guest Post
08 Dec 2020
5 myths about putting security into CI/CD pipelines
Companies looking to introduce security testing earlier into software development must look past myths and understand what to realistically expect before creating their strategy. Continue Reading
-
News
08 Dec 2020
Forescout reports 33 new TCP/IP vulnerabilities
The lack of consistent updates (and the open source nature of the stacks) make the Amnesia:33 vulnerabilities difficult to fix as well as make it difficult to comprehend the full impact. Continue Reading
-
News
08 Dec 2020
Salesforce advised users to skip Chrome browser updates
Salesforce recommended users dealing with mixed content issues to skip Chrome upgrades or roll back to older versions of the browser, but the vendor later removed those steps. Continue Reading
-
Tip
24 Nov 2020
Weighing remote browser isolation benefits and drawbacks
Remote browser isolation benefits end-user experience and an organization's network security. Compare the pros, cons and cost challenges before investing in the zero-trust approach. Continue Reading
-
Tip
17 Nov 2020
Choosing between proxy vs. API CASB deployment modes
Curious how to choose the right CASB deployment mode for your organization? Before you buy, compare how proxy vs. API CASB architectures work to secure SaaS applications. Continue Reading
-
Feature
15 Oct 2020
The Ghidra Book interview with co-author Kara Nance
Ghidra has had a huge impact on the reverse-engineering community. Kara Nance, co-author of The Ghidra Book, discusses this impact as the open source tool has evolved. Continue Reading
-
Feature
29 Sep 2020
Oversee apps with these 3 application security testing tools
Unsecured applications can have dire consequences for enterprises. Discover how top app security testing tools on the market today protect apps and enhance developer productivity. Continue Reading
-
News
24 Sep 2020
Microsoft detects Netlogon vulnerability exploitation in the wild
While Microsoft released a patch last month for the Netlogon flaw, the company said it detected threat actors using exploits for the critical vulnerability. Continue Reading
-
Feature
18 Sep 2020
Security for SaaS applications starts with collaboration
Following established best practices helps enterprises facilitate collaboration and communication through SaaS applications while simultaneously ensuing secure SaaS use. Continue Reading
-
News
17 Sep 2020
Maze ransomware gang uses VMs to evade detection
A Sophos investigation into a Maze ransomware attack revealed that threat actors borrowed an attack technique pioneered by Ragnar Locker operators earlier this year. Continue Reading
-
Tip
15 Sep 2020
3 steps to secure codebase updates, prevent vulnerabilities
Codebase updates are critical, but what about when they introduce vulnerabilities? These three steps will help app developers secure codebase updates and keep their apps safe. Continue Reading
-
News
25 Aug 2020
'Meow' attacks top 25,000 exposed databases, services
One month after the notorious 'meow' attacks were first detected, the threat to misconfigured databases exposed on the internet shows little sign of slowing down. Continue Reading
-
News
18 Aug 2020
Apache Struts vulnerabilities allow remote code execution, DoS
The Apache Software Foundation issued security advisories last week for two Apache Struts vulnerabilities that were originally patched but not fully disclosed last fall. Continue Reading
-
Feature
18 Aug 2020
'Secure by Design' principles include failures, exceptions
Using design principles with built-in security, along with properly defining exceptions, can help developers not only build safe code, but do so while meeting deadlines. Continue Reading
-
Feature
18 Aug 2020
Exception handling best practices call for secure code design
Making software secure by design requires tremendous consideration about how failures are handled. Learn more from these exception handling examples. Continue Reading
-
News
12 Aug 2020
Kaspersky reveals 2 Windows zero-days from failed attack
Kaspersky prevented an attack against a South Korean company back in May that used two zero-day vulnerabilities. One, arguably the more dangerous, focused on Internet Explorer. Continue Reading
-
News
07 Aug 2020
10 years after Stuxnet, new zero-days discovered
A decade after Stuxnet, SafeBreach Labs researchers discovered new zero-day vulnerabilities connected to the threat, which they unveiled at Black Hat USA 2020. Continue Reading
-
News
07 Aug 2020
Not just politics: Disinformation campaigns hit enterprises, too
In her Black Hat USA 2020 keynote, Renée DiResta of the Stanford Internet Observatory explains how nation-state hackers have launched 'reputational attacks' against enterprises. Continue Reading
-
Tip
03 Aug 2020
How to shift from DevOps to DevSecOps
A successful DevSecOps rollout requires software developers to be equipped with the proper security skills and tools. Learn how to transition smoothly from DevOps to DevSecOps. Continue Reading
-
Opinion
03 Aug 2020
The case for cybersecurity by design in application software
Security must be part of IT from the start and then continue through the entire product lifecycle -- design, build, release and maintenance. Consumers now demand it. Continue Reading
- 03 Aug 2020
-
Tip
31 Jul 2020
How to mitigate an HTTP request smuggling vulnerability
Exploiting an HTTP request smuggling vulnerability can result in the inadvertent execution of unauthorized HTTP requests. Learn how to defend web environments from this attack. Continue Reading
-
News
30 Jul 2020
'Meow' attacks continue, thousands of databases deleted
More than one week later, the mysterious attacks on insecure databases on ElasticSearch, MongoDB and others have not only persisted but grown, with no explanation. Continue Reading
-
News
23 Jul 2020
'Meow' attacks wipe more than 1,000 exposed databases
A new threat has hit more than 1,000 unsecured databases on ElasticSearch, MongoDB and other platforms, destroying data and replacing files with a single word: meow. Continue Reading
-
News
17 Jul 2020
'SigRed' alert: Experts urge action on Windows DNS vulnerability
Experts are urging organizations to take immediate action on SigRed, a 17-year-old Windows DNS server vulnerability discovered by Check Point Research and patched by Microsoft. Continue Reading
-
News
15 Jul 2020
Attackers find new way to exploit Docker APIs
Aqua Security released research detailing a new tactic where the attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. Continue Reading
-
News
06 Jul 2020
Critical F5 Networks vulnerability under attack
A critical remote code execution vulnerability that was disclosed and patched just days ago is already being exploited by threat actors. Continue Reading
-
News
01 Jul 2020
Microsoft fixes Windows Codecs flaws with emergency patches
Microsoft addressed two vulnerabilities, one rated critical and the other rated important, after being alerted by a researcher with Trend Micro's Zero Day Initiative. Continue Reading
-
News
25 Jun 2020
Open source vulnerabilities down 20% in 2019
Snyk recently released its fourth annual 'State of Open Source Security' report, which analyzed open source statistics, vulnerability trends and security culture. Continue Reading
-
News
08 Jun 2020
CISA warns Microsoft SMB v3 vulnerability is under attack
CISA issued an alert Friday about attacks on a Microsoft Server Message Block v3 vulnerability and a proof-of-concept code that exploits the flaw in unpatched systems. Continue Reading
-
Tip
08 Jun 2020
Benefits of open source container vulnerability scanning
Containers have revolutionized app development but pose many security challenges. Uncover how container vulnerability scanning can help and why to consider open source tools. Continue Reading
-
News
02 Jun 2020
VMware vulnerability enables takeover of cloud infrastructure
A new vulnerability in VMware Cloud Director allowed any user to obtain control of any virtual machine on a public or private cloud, according to ethical hacking firm Citadelo. Continue Reading
-
News
28 May 2020
Supply chain attack hits 26 open source projects on GitHub
Threat actors conducted an unprecedented supply chain attack by using malware known as Octopus Scanner to create backdoors in open source projects, which were uploaded to GitHub. Continue Reading
-
Feature
20 May 2020
IT and security teams collide as companies work from home
The new world of remote work has given rise to IT and security teams working more closely than ever before. They need to come together to provide excellent UX and security. Continue Reading
-
Quiz
20 May 2020
Use these CCSK practice questions to prep for the exam
Virtualization and container security are key topics in the Certificate of Cloud Security Knowledge credential. Test your knowledge with these CCSK practice questions. Continue Reading
-
News
07 May 2020
Advanced Computer Software leak exposes nearly 200 law firms
Researchers at cybersecurity vendor TurgenSec discovered an exposed database owned by Advanced Computer Software that contained legal documents with data from 190 law firms. Continue Reading
-
News
06 May 2020
GitHub security features tackle data exposures, vulnerabilities
In in effort to curb accidental data exposures in repositories, GitHub unveiled a new 'secret' scanning tool that examines public and private code repositories for sensitive data. Continue Reading
-
Feature
05 May 2020
The what, why and how of the Spring Security architecture
Like any framework, Spring Security requires writing less code to implement the desired functionality. Learn how to implement the Spring Security architecture in this book excerpt. Continue Reading
-
Feature
05 May 2020
Why developers need to know the Spring Security framework
The Spring Security framework is a reliable way for Java developers to secure applications. However, proper implementation is critical to prevent the most common vulnerabilities. Continue Reading
-
Tip
29 Apr 2020
SSL certificate best practices for 2020 and beyond
SSL/TLS security is continuously improving, and there are steps site owners should take to ensure the safety of their SSL certificates, websites and users. Read on to learn more. Continue Reading
-
News
16 Apr 2020
TPG Capital combines 3 vendors to form Digital.ai
Private equity firm TPG Capital combined three acquisitions -- CollabNet VersionOne, XebiaLabs and Arxan Technologies -- to create the new DevSecOps-focused vendor. Continue Reading
-
Opinion
14 Apr 2020
Bot management drives ethical data use, curbs image scraping
Bot management tools can help enterprises combat bad bots, prevent web and image scraping, and ensure ethical data use -- all while maintaining a positive end-user experience. Continue Reading
-
Podcast
09 Apr 2020
Risk & Repeat: Are Zoom security fears overblown?
This week's Risk & Repeat podcast looks at the backlash against Zoom over security and privacy concerns and asks whether there's been an overreaction. Continue Reading
-
News
06 Apr 2020
Zoom takes new security measures to counter 'Zoombombing'
Zoom has implemented two key security and privacy measures in order to counter 'Zoombombing.' One enables passwords in meetings by default, while the second creates waiting rooms. Continue Reading
-
Podcast
02 Apr 2020
Risk & Repeat: Zoom security comes under fire
This week's Risk & Repeat podcast looks at several security issues Zoom faced over the last week, which led to questions about the company's privacy and security practices. Continue Reading
-
News
02 Apr 2020
Zoom zero-day vulnerabilities patched a day after disclosure
An ex-NSA hacker reported two zero-day vulnerabilities on his blog Wednesday. One of them can give an attacker control of a user's webcam and microphone. Zoom fixed both flaws quickly. Continue Reading
-
Tip
30 Mar 2020
Best practices for threat modeling service mesh, microservices
In microservices and service mesh environments, communications don't follow static paths. As such, security teams must update their application threat modeling methods. Continue Reading
-
Tip
25 Mar 2020
How to prevent buffer overflow attacks
Read up on types of buffer overflow attacks, and learn secure coding best practices that prevent such vulnerabilities, as well as post-deployment steps to keep apps and websites safe. Continue Reading
-
News
11 Mar 2020
Microsoft discloses wormable SMBv3 flaw without a patch
Microsoft disclosed a new remote code execution vulnerability associated with the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, but there's currently no patch available. Continue Reading
-
Tip
27 Feb 2020
How to use TODO comments for secure software development
Don't let security be a software development burden. Learn app developer tricks, such as using TODO comments, to ensure security controls make it from development to production. Continue Reading
-
Feature
27 Feb 2020
Windows IIS server hardening checklist
Use this handy Windows IIS server hardening checklist on the job to ensure your IIS server is deployed safely and stays secure in use. Continue Reading
-
Feature
26 Feb 2020
Security testing web applications and systems in the modern enterprise
Security testing web apps with little budget and poor documentation is difficult. Ric Messier discusses building a security testing lab in the DevSecOps, cloud and automation age. Continue Reading
-
Feature
26 Feb 2020
Software security testing and software stress testing basics
In this excerpt from Ric Messier's book, learn why software security testing and stress testing are critical components of an enterprise infosec program. Continue Reading
-
Opinion
26 Feb 2020
RSA 2020 day 1: Windows 10X & secured core PCs; Hysolate updates; LastPass passwordless login
Security-focused conferences are my time to shine--and geek out on the latest in security news. Continue Reading
-
Answer
06 Feb 2020
How to combat the top 5 enterprise social media risks in business
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology. Continue Reading
-
News
24 Jan 2020
Citrix patches vulnerability as ransomware attacks emerge
Citrix rolls out more patches ahead of schedule for CVE-2019-19781, a directory traversal vulnerability that affects Citrix ADC, Gateway and SD-WAN WANOP products. Continue Reading
-
Tip
21 Jan 2020
Lyft's open source asset tracking tool simplifies security
Security teams need information and context about data in order to keep it safe. Learn how Cartography, Lyft's open source asset tracking tool, creates highly comprehensive maps. Continue Reading
-
News
15 Jan 2020
NSA reports flaw in Windows cryptography core
Microsoft patched a critical vulnerability in how Windows validates cryptographic certificates that could lead to dangerous attacks, according to experts, and was originally reported by the NSA. Continue Reading
-
Feature
14 Jan 2020
5 application security threats and how to prevent them
The most widely known application security threats are sometimes the most common exploits. Here is a list of the top app threats and their appropriate security responses. Continue Reading
-
News
13 Jan 2020
Signal Sciences: Enterprises still overlooking web app security
Signal Sciences co-founder and CEO Andrew Peterson explains why web application security often gets shortchanged and what his next-gen WAF company is doing to change that. Continue Reading
-
Answer
13 Jan 2020
7 TCP/IP vulnerabilities and how to prevent them
While many TCP/IP security issues are in the protocol suite's implementation, there are some vulnerabilities in the underlying protocols to be aware of. Continue Reading
-
News
13 Dec 2019
Google expands multiple Chrome password protection features
Chrome's updated, built-in protections are intended to help users protect their passwords and data against malware, data breaches and phishing sites, according to the company. Continue Reading
-
Feature
11 Dec 2019
Ideal DevSecOps strategy requires the right staff and tools
Sometimes viewed as an obstacle to speedy software rollout, the DevSecOps model helps security teams drive innovation in development. Learn how to build a DevSecOps strategy. Continue Reading
-
News
02 Dec 2019
Exposed Firebase databases hidden by Google search
A security researcher found that Google's search engine hides results for misconfigured Firebase databases that are publicly accessible on the internet. Continue Reading
-
News
13 Nov 2019
ZombieLoad v2 disclosed, affects newest Intel chips
Researchers disclosed another variant of the ZombieLoad side-channel attack that affects the newest Intel processors, and also discovered a flaw in the original ZombieLoad patch. Continue Reading
-
Tip
12 Nov 2019
How container adoption affects container security
Scalability and efficiency make container adoption an attractive option for enterprises today. Learn how containerization has evolved and grown since the release of Docker 1.0 five years ago. Continue Reading
-
News
06 Nov 2019
Firefox bug is enabling attackers to freeze out users
A recently reported bug in Firefox allows spammed authentication dialogs to lock users out of their browsers and it is under attack in the wild, despite previous efforts to patch. Continue Reading
-
News
01 Nov 2019
Threat Stack Application Security Monitoring adds Python support
Now supporting both Python and Node.js, Application Security Monitoring can identify risk throughout the software development lifecycle for both third-party and native code. Continue Reading
-
News
31 Oct 2019
Adsterra still connected to malvertising campaign, despite denials
Despite a pledge of "zero tolerance" for malicious activity, ad network Adsterra was found to be once again connecting with the Master134 malvertising campaign. Continue Reading
-
Feature
18 Oct 2019
DevSecOps model requires security get out of its comfort zone
Shifting from DevOps to DevSecOps isn't always easy, with the transition requiring changes to culture, processes and people. Here's how security can help lead the charge. Continue Reading
-
News
11 Oct 2019
Palo Alto Networks launches new version of Demisto SOAR platform
New features to the Demisto platform include a customizable user interface, threat intelligence, database scaling and a mobile app providing chat support and updates for users. Continue Reading