Application and platform security

Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.

Top Stories

Tip 01 Jun 2023
Low-code/no-code use cases for security

Low-code/no-code development approaches have their fair share of security issues, but that doesn't mean they can't be used to benefit the security industry, too. Continue Reading
News 01 Jun 2023
Mitiga warns free Google Drive license lacks logging visibility

The ability to view logs is critical for enterprises to detect and attribute malicious activity. Mitiga said the Google Drive issue allows data exfiltration without a trace. Continue Reading

Answer 06 Nov 2018

How does the public Venmo API pose a threat for users?

The public Venmo API setting puts users at risk by providing detailed insight into their transactions and personal lives. Expert Michael Cobb discusses the risks of public APIs. Continue Reading
Tip 06 Nov 2018

How testing perspectives helps find application security flaws

Application security testing requires users to test from all the right perspectives. Discover testing techniques that help find application security flaws with expert Kevin Beaver. Continue Reading
News 05 Nov 2018

As PHP v5 nears its end, enterprises face serious threats

The majority of websites still use the outdated PHP v5, according to recent data, causing concern over the fact that it will stop receiving security support at the end of the year. Continue Reading
Tip 31 Oct 2018

What Microsoft's InPrivate Desktop feature could mean for enterprises

Microsoft's secretive, potential new feature InPrivate Desktop could give security teams access to disposable sandboxes. Expert Ed Moyle explains how the feature could work. Continue Reading
Blog Post 26 Oct 2018

Google sets Android security updates rules but enforcement is unclear

The vendor requirements for Android are a strange and mysterious thing but a new leak claims Google has added language to force manufacturers to push more regular Android security updates. ... Continue Reading
News 26 Oct 2018

WebExec vulnerability leaves Webex open to insider attacks

A remote code execution flaw in Cisco Webex -- called WebExec -- could be an easy vector for insider attacks, and the researchers who found it say it's easier to exploit than detect. Continue Reading
Answer 26 Oct 2018

How was Kea DHCP v1.4.0 affected by a security advisory?

Kea, an open source DHCP server, was issued a medium security advisory for a flaw that causes memory leakage in version 1.4.0. Discover the workarounds with Judith Myerson. Continue Reading
Answer 25 Oct 2018

Does pcAnywhere put election management systems at risk?

ES&S admitted it installed the insecure remote access program pcAnywhere on election management systems. Learn what pcAnywhere is and what this risk means for election systems. Continue Reading
Answer 24 Oct 2018

Siemens Siclock: How do threat actors exploit these devices?

Siemens disclosed six Siclock flaws that were found within its central plant clocks. Discover why three flaws have been rated critical and how threat actors can exploit devices. Continue Reading
Answer 23 Oct 2018

How do newly found flaws affect robot controllers?

Several vulnerabilities were found in controllers made by Universal Robots. Discover what these controllers are used for and how threat actors can exploit these vulnerabilities. Continue Reading
News 22 Oct 2018

Zero-day jQuery plugin vulnerability exploited for 3 years

A zero-day in jQuery File Upload could affect thousands of projects because the jQuery plugin vulnerability has existed for eight years and actively exploited for at least three years. Continue Reading
Answer 19 Oct 2018

Removable storage devices: Why are companies banning them?

IBM banned removable storage devices to encourage employees to use the company's internal file-sharing system. Learn how a ban like this can improve enterprise security. Continue Reading
Answer 16 Oct 2018

How does the APT attack Double Kill work in Office documents?

The Qihoo 360 Core Security team found a Microsoft vulnerability -- named Double Kill -- that affects applications via Office documents. Learn how this is possible with Nick Lewis. Continue Reading
Blog Post 15 Oct 2018

Mystery around Trend Micro apps still lingers one month later

The mystery around the Trend Micro apps that were removed from the Mac App Store continues despite Trend Micro's numerous updates on the matter. Continue Reading
News 12 Oct 2018

Mozilla delays distrust of Symantec TLS certificates, Google doesn't

Mozilla delays plans to distrust Symantec TLS certificates in Firefox because despite more than one year's notice, approximately 13,000 websites still use the insecure certificates. Continue Reading
Answer 12 Oct 2018

How does Apple's Quick Look endanger user privacy?

Apple's Quick Look feature previews thumbnails that are not encrypted. Learn how this poses a security threat to enterprises from expert Michael Cobb. Continue Reading
News 11 Oct 2018

Paul Vixie wants to stop malicious domains before they're created

Farsight Security's Paul Vixie says his company's new research into domain name lifespans and causes of death shows the need for new policies and action to curb malicious domains. Continue Reading
Tip 10 Oct 2018

The time to consider SIEM as a service has arrived

Now even your SIEM comes in the as-a-service model. Assess whether it's time to consider outsourcing this fundamental tool in your defense lineup. Continue Reading
News 10 Oct 2018

Google security audit begets product changes, German probe

A Google security audit uncovered a glitch in Google Plus that exposed data from nearly 500,000 accounts, causing the company to shutter the social network and spur a German data protection probe. Continue Reading
Tip 09 Oct 2018

Picking the right focus for web application security testing

Deciding which web applications on which to focus application security testing is a challenging task. Read this list of considerations to ensure you're addressing the right areas. Continue Reading
Answer 08 Oct 2018

How does TLBleed abuse the Hyper-Threading feature in Intel chips?

TLBleed exploits Intel's HTT feature to leak data via side-channel attacks. Learn about how TLBleed obtains sensitive memory information from expert Michael Cobb. Continue Reading
Answer 05 Oct 2018

How does FacexWorm malware use Facebook Messenger to spread?

Researchers at Trend Micro found a new strain of malware -- dubbed FacexWorm -- that targets users via a malicious Chrome extension. Discover how this attack works with Nick Lewis. Continue Reading
Answer 01 Oct 2018

SamSam ransomware: How is this version different from others?

Sophos recently discovered a SamSam extortion code that performs company-wide attacks using a range of vulnerability exploits. Discover how this version differs from past variants. Continue Reading
News 28 Sep 2018

UN exposes sensitive data on public Trello boards

News roundup: The U.N. accidentally exposed credentials on public Trello boards. Plus, Uber is set to pay $148 million settlement following its 2016 data breach cover-up, and more. Continue Reading
Answer 28 Sep 2018

How can live chat widgets leak personal employee data?

Project Insecurity researchers found live chat software leaking personal employee data. Learn how attackers can use this leaked information and data to hurt organizations. Continue Reading
News 27 Sep 2018

Congressional websites need to work on TLS

Congressional websites may not always have the best security, according to Joshua Franklin. Although, senators may be better at website security than House representatives. Continue Reading
News 27 Sep 2018

Election website security a mess for states and candidates alike

Joshua Franklin has been researching election website security for congressional candidates, and he found a lot of misconfigurations on official pages and other sites meant to confuse voters. Continue Reading
Tip 27 Sep 2018

Why communication is critical for web security management

Conveying the importance of web security to management can be difficult for many security professionals. Kevin Beaver explains how to best communicate with the enterprise. Continue Reading
News 26 Sep 2018

Controversial Chrome login feature to be partially rolled back

Google will modify the next version of Chrome in an attempt to appease critics of the browser's cookie retention functionality and automatic Chrome login feature. Continue Reading
News 26 Sep 2018

Browser Reaper POC exploit crashes Mozilla Firefox

A security researcher developed a proof-of-concept attack on Firefox, called Browser Reaper, which can crash or freeze the browser. But he gave Mozilla short notice of the flaw. Continue Reading
News 25 Sep 2018

Google Chrome sign-in changes cause confusion and concern

Google Chrome sign-in changes are being criticized by experts, and poor communication from Google has led to more confusion about user privacy and consent. Continue Reading
News 25 Sep 2018

Hardcoded credentials continue to bedevil Cisco

Cisco hit by yet another new hardcoded credentials flaw, the latest in a long line of such flaws since last year, this time in its video surveillance manager appliance. Continue Reading
Answer 24 Sep 2018

GoScanSSH: How does this malware work and differ from others?

A group of malware was discovered targeting public SSH servers. However, it avoided certain IP addresses. Discover how this is possible and how the malware works with Nick Lewis. Continue Reading
Podcast 20 Sep 2018

Risk & Repeat: Trend Micro apps land in hot water

In this week's Risk & Repeat podcast, SearchSecurity editors discuss Trend Micro's Mac apps, which have come under fire for questionable data collection features. Continue Reading
Answer 20 Sep 2018

Secure encrypted virtualization: How is this technology exploited?

Researchers claim to have found a new attack against VMs that affects SEV technology. Expert Judith Myerson explains what this attack is and how it can be exploited. Continue Reading
News 18 Sep 2018

WannaMine cryptojacker targets unpatched EternalBlue flaw

Unpatched systems are still being targeted by the WannaMine cryptojacker, despite warnings and global cyberattacks using the EternalBlue exploit leaked from the NSA. Continue Reading
Answer 13 Sep 2018

How does Telegram malware bypass end-to-end encryption?

A Telegram malware called Telegrab targets Telegram's desktop instant messaging service to collect and exfiltrate cache data. Expert Michael Cobb explains how Telegrab works. Continue Reading
News 12 Sep 2018

Microsoft patches Windows ALPC flaw exploited in the wild

Microsoft's September 2018 Patch Tuesday release included a fix for the Windows ALPC vulnerability that was exploited in the wild for about two weeks before being patched. Continue Reading
Tip 12 Sep 2018

SaaS platform security: The challenges of cloud network security

Organizations have the necessary tools to protect data stored and processed in IaaS platforms. Learn why SaaS platform security remains a challenge from expert Rob Shapland. Continue Reading
Answer 11 Sep 2018

What issues can arise from hardware debug exception flaws?

Misinterpretation of Intel's System Programming Guide resulted in a hardware debug exception vulnerability. Expert Michael Cobb explains how attackers can gain unauthorized access. Continue Reading
News 07 Sep 2018

Misconfigured Tor sites leave public IP addresses exposed

The anonymity of Tor is once again under scrutiny, as a researcher finds misconfigured Tor sites can expose the public IP address connected to a dark web site. Continue Reading
Podcast 06 Sep 2018

Risk & Repeat: Fortnite flaw disclosure enrages Epic Games

In this week's Risk & Repeat podcast, SearchSecurity editors discuss the dispute between Google and Epic Games over a newly disclosed flaw in the Android version of Fortnite. Continue Reading
Answer 06 Sep 2018

IonCube malware: Who do these malicious files put at risk?

Malicious files posing as legitimate ionCube files were recently found by WordPress and Joomla admins. Learn how the ionCube malware works with expert Nick Lewis. Continue Reading
News 31 Aug 2018

Another patched Apache Struts vulnerability exploited

News roundup: A new Apache Struts vulnerability was exploited in the wild mere days after it was patched. Plus, Facebook removes app over privacy concerns and more. Continue Reading
News 29 Aug 2018

Windows 10 zero-day disclosed on Twitter, no fix in sight

Security researcher SandboxEscaper released proof-of-concept code for a Windows 10 zero-day on Twitter, but Microsoft has no details for a potential patch. Continue Reading
Tip 29 Aug 2018

How to monitor and detect a cloud API vulnerability

A REST API vulnerability in Salesforce's Marketing Cloud service put users at risk of data disclosure. Learn how to detect cloud API vulnerabilities from expert Rob Shapland. Continue Reading
News 28 Aug 2018

Fortnite vulnerability on Android causes disclosure tension

Epic Games patched a Fortnite vulnerability in its Android installer, but Google's disclosure policy comes under fire once again as Epic Games' founder called the disclosure 'irresponsible.' Continue Reading
Answer 27 Aug 2018

How does Google's new detection model find bad Android apps?

Malicious apps have been a consistent problem for the Google Play Store, so a new detection model has been released to help clean it up. Learn how this system works with Nick Lewis. Continue Reading
Answer 23 Aug 2018

How can a 13-year-old configuration flaw affect SAP systems?

Cybersecurity vendor Onapsis found a 13-year-old flaw that affects nine out of 10 SAP NetWeaver systems. Learn how the flaw affects SAP systems with expert Judith Myerson. Continue Reading
Tip 21 Aug 2018

How new cybersecurity problems emerge from fake news

As fake news continues to emerge, new cybersecurity challenges for IT professionals arise. Learn why we should continue to care about cyber propaganda and what we can do. Continue Reading
News 17 Aug 2018

Intel disclosed Spectre-like L1TF vulnerabilities

News roundup: Intel disclosed L1TF vulnerabilities with similarities to Spectre, but with a focus on data. Plus, the NIST Small Business Cybersecurity Act is now a law, and more. Continue Reading
News 16 Aug 2018

Finalized TLS 1.3 update has been published at last

The finalized TLS 1.3 update has been published after a four-year process. The new protocol promises to be faster and more secure than its predecessor, TLS 1.2. Continue Reading
News 10 Aug 2018

Web cache poisoning attacks demonstrated on major websites, platforms

PortSwigger's James Kettle doesn't believe web cache poisoning is theoretical and to prove it, he demonstrated several attacks on major websites and platforms at Black Hat 2018. Continue Reading
News 10 Aug 2018

WhatsApp vulnerabilities let hackers alter messages

News roundup: New WhatsApp vulnerabilities enabled hackers to alter messages sent in the app. Plus, the PGA was hit with a ransomware attack, and more. Continue Reading
Tip 09 Aug 2018

How criticality analysis benefits from an entropy engineer

NIST published 'Criticality Analysis Process Model: Prioritizing Systems and Components' to guide organizations when prioritizing systems. Discover the key processes with Judith Myerson. Continue Reading
News 06 Aug 2018

BGP hijacking attacks target payment systems

Researchers discovered a wave of BGP hijacking attacks aimed at DNS servers related to payment-processing systems in an apparent effort to steal money from unsuspecting users. Continue Reading
Answer 06 Aug 2018

Microsoft's NTFS flaw: What are the potential consequences?

A security researcher exposed an NTFS flaw that Microsoft deliberately hasn't patched. Expert Michael Cobb explains how the bug works and why it isn't being treated as severe. Continue Reading
Opinion 01 Aug 2018

Tom Van Vleck on the Multics operating system, security decisions

Time-sharing systems got a lot right from a security standpoint. "We aimed toward a completely lights-out, 'no chance for mistakes' interface," says the security researcher. Continue Reading
Quiz 31 Jul 2018

Test your knowledge of secure software architecture

Domain 4 of the CCSP exam covers the fundamentals of cloud application security. Take this practice quiz to see how well you've absorbed key concepts and vocabulary. Continue Reading
27 Jul 2018

Tom Van Vleck on the Multics operating system, security decisions

Continue Reading
Answer 25 Jul 2018

How is Apple iOS 11 affected by a QR code vulnerability?

A QR code vulnerability was recently discovered in the Apple iOS 11 camera app. Learn how an attacker could exploit it and how to avoid the issue with Judith Myerson. Continue Reading
Answer 24 Jul 2018

Bouncy Castle keystore: How are files vulnerable to brute force?

BKS files are being exposed to hash collisions, enabling hackers to use brute force attacks against C# and Java applications. Learn how this occurs and possible solutions with Judith Myerson. Continue Reading
Answer 23 Jul 2018

How did a Navarino Infinity flaw expose unauthenticated scripts?

Navarino Infinity, a satellite communication system, found and fixed a flaw that exposed an unauthenticated script. Discover what threats this flaw enabled with Judith Myerson. Continue Reading
News 20 Jul 2018

Critical Cisco vulnerabilities patched in Policy Suite

News roundup: Critical Cisco vulnerabilities in Policy Suite products were patched this week. Plus, Venmo's API is set to public, exposing a trove of customer data, and more. Continue Reading
News 20 Jul 2018

SaaS activity alerts can mitigate manual misconfigurations

SaaS activity management is becoming more important for infosec teams to combat issues of insider theft and unintentional exposure of sensitive data, BetterCloud's David Politis says. Continue Reading
Answer 20 Jul 2018

Trojan.AndroidOS.Loapi: What is this jack-of-all-trades malware?

Kaspersky researchers found a new Android malware that can physically harm phones. Learn how this works and the steps to mitigate the attack with expert Nick Lewis. Continue Reading
Feature 19 Jul 2018

Port Cybersecurity

In this excerpt from chapter 3 of Port Cybersecurity, author Nineta Polemi discusses Security of Ports' Critical Information Infrastructures. Continue Reading
Answer 18 Jul 2018

Digimine bot: How does social media influence cryptojacking?

Facebook Messenger is being used to reach more victims with a cryptojacking bot that Trend Micro researchers named Digimine. Learn how this bot works with expert Nick Lewis. Continue Reading
Answer 17 Jul 2018

Spider ransomware: How do ransomware attacks differ?

Spider ransomware has been found spreading malicious files via a phishing campaign that gives victims a 96-hour deadline. Learn how this attack is similar to past attacks with Nick Lewis. Continue Reading
Feature 16 Jul 2018

Seeking the Truth from Mobile Evidence

In this excerpt from chapter 19 of Seeking the Truth from Mobile Evidence, author John Bair discusses Android user enabled security in terms of passwords and gestures. Continue Reading
Answer 16 Jul 2018

Android vulnerability: How can users mitigate Janus malware?

The Janus vulnerability was found injecting malicious code into reputable Android apps. Once injected, users' endpoints become infected. Learn how to prevent this with expert Nick Lewis. Continue Reading
News 13 Jul 2018

Chrome site isolation arrives to mitigate Spectre attacks

In an effort to mitigate the risk of Spectre attacks, Google Chrome site isolation has been enabled for 99% of browser users to minimize the data that could be gleaned by an attacker. Continue Reading
Tip 12 Jul 2018

How to stop malicious browser add-ons from taking root

Researchers at Malwarebytes discovered several new browser extension threats. Discover how to avoid and properly removed malicious add-ons with expert Nick Lewis. Continue Reading
Answer 10 Jul 2018

What effect does GDPR have on the WHOIS database?

With GDPR in effect, ICANN proposed redacting information from the WHOIS database. Expert Michael Cobb discusses what this could mean for the domain database. Continue Reading
Tip 10 Jul 2018

Common security oversights within an AWS environment

There's often an assumption that AWS systems can't be tested, as they're hosted in the cloud; however, this is not the case. Discover common security oversights in AWS environments. Continue Reading
Answer 09 Jul 2018

How did an old, unpatched Firefox bug expose master passwords?

A Firefox bug went undetected for nine years. Expert Michael Cobb explains how it enabled attackers to access the browser's master password and what's being done to mitigate it. Continue Reading
Tip 05 Jul 2018

How cyber resiliency is achieved via NIST's 14-step approach

Improving cyber resiliency helps organizations manage risk. Discover the 14 techniques NIST has identified to help achieve cyber resiliency with expert Judith Myerson. Continue Reading
News 29 Jun 2018

WebAssembly updates may cancel out Meltdown and Spectre fixes

News roundup: Upcoming WebAssembly updates may undo the Meltdown and Spectre mitigations. Plus, FireEye denied claims it 'hacked back' China, and more. Continue Reading
News 29 Jun 2018

Have I Been Pwned integration comes to Firefox and 1Password

With new Have I Been Pwned integration, Firefox and 1Password users will be able to learn if their email addresses have been compromised in any known data breaches. Continue Reading
Answer 29 Jun 2018

Microsoft CredSSP: How was it exploited by CVE-2018-0886?

The CVE-2018-0886 vulnerability found within Microsoft's CredSSP was recently patched. Discover what this vulnerability is and how it affects the CredSSP protocol with Judith Myerson. Continue Reading
News 25 Jun 2018

Container orchestration systems at risk by being web-accessible

Security researchers found tens of thousands of container orchestration systems accessible via the web, which in itself puts those dashboards at risk of attack. Continue Reading
Answer 25 Jun 2018

How did the Panera Bread website expose customers?

Panera Bread website users were put at risk after a security researcher discovered a vulnerability relating to a lack of authentication for their publicly available API endpoint. Continue Reading
News 14 Jun 2018

Security Servicing Commitment clarifies Microsoft patch policy

Microsoft's unspoken patch management policy has been codified in the new Security Servicing Commitment, which outlines what flaws will be patched monthly and which will be in Windows updates. Continue Reading
News 13 Jun 2018

Spectre v4 fix and Windows DNS patch in June Patch Tuesday

A Windows DNS patch for both desktops and servers headlines Microsoft's June 2018 Patch Tuesday, but the release also includes mitigations for Spectre v4 and more. Continue Reading
Tip 12 Jun 2018

Application security programs: Establishing reasonable requirements

Creating security program requirements can be a challenging task, especially with application security. In this tip, Kevin Beaver shares several ways to create an effective program. Continue Reading
Answer 12 Jun 2018

Fake WhatsApp app: How can counterfeit apps be avoided?

After a fake WhatsApp app was discovered in the Google Play Store, users are questioning what can be done to avoid counterfeit apps. Learn several techniques with Nick Lewis. Continue Reading
News 08 Jun 2018

Apple plans to disable Facebook web tracking capabilities

News roundup: Apple wants to protect its users from Facebook web tracking with the next version of Safari. Plus, genealogy website MyHeritage suffers data breach, and more. Continue Reading
Answer 08 Jun 2018

How can domain generation algorithms be used to bypass ad blockers?

An ad network used domain generation algorithms to bypass ad blockers and launch cryptomining malware. Expert Michael Cobb explains how and the best way to prevent these attacks. Continue Reading
News 06 Jun 2018

Apple iOS 12 USB Restricted Mode to foil thieves, law enforcement

A rumored security feature, USB Restricted Mode, is making its premiere in Apple's iOS 12 and will protect users from brute-force passcode attacks by thieves and law enforcement alike. Continue Reading
News 05 Jun 2018

Research claims 'widespread' Google Groups misconfiguration troubles

Researchers from Kenna Security claim a Google Groups misconfiguration has exposed sensitive data for many organizations, but it is unclear just how widespread the issue might be. Continue Reading
Answer 05 Jun 2018

What risks do untrusted certificates pose to enterprises?

Researchers found that untrusted certificates are still used on many major websites. Expert Michael Cobb discusses the security risks of sticking with these certificates. Continue Reading
News 01 Jun 2018

Yokogawa Stardom vulnerability leaves hardcoded creds in ICS controllers

A Yokogawa Stardom vulnerability leaves industrial control systems in critical infrastructure around the world at risk because of hardcoded credentials in the software. Continue Reading
Tip 31 May 2018

How layered security can help and hinder application security

The growth of technology includes the growth of layered security. Join expert Kevin Beaver as he explains the pros and cons of layered defenses for application security. Continue Reading
Answer 30 May 2018

How are Linear eMerge E3 systems vulnerable to attacks?

ICS-CERT issued a warning about a new vulnerability in Nortek Linear eMerge E3 products. Discover what this vulnerability is and how it affects access control for enterprises. Continue Reading
Answer 28 May 2018

How did Strava's Global Heatmap disclose sensitive U.S. info?

Fitness tracking app Strava released its Global Heatmap that unknowingly disclosed routes of U.S. soldiers. Discover how this happened and how geolocation data can be blocked. Continue Reading
News 10 May 2018

Android P security improves authentication trust and data privacy

Android P security features, which were previewed at Google I/O, include notable improvements for data privacy and encryption and preventing malicious apps from spying on users. Continue Reading
News 04 May 2018

Remote Android Rowhammer attack possible, but scope limited

A new Android Rowhammer PoC proves an attack is possible, but an expert said the limited scope of affected devices and feasibility of performing the attack lessens the danger. Continue Reading
News 04 May 2018

Facebook APIs used by tens of thousands of malicious apps

News roundup: Researchers find tens of thousands of malicious apps use Facebook APIs and can access user data. Plus, AWS threatens to suspend Signal's use of the platform, and more. Continue Reading
News 04 May 2018

AMD patches in testing with ecosystem partners

The timeline for the AMD patches promised to fix chipset flaws disclosed in March is being criticized, but AMD said the patches are being tested by partners and are still on track. Continue Reading
News 04 May 2018

Twitter bug exposes passwords of all 336 million users

On none other than World Password Day, a Twitter bug was announced that led to the passwords of all 336 million users being stored in plaintext in an internal log. Continue Reading