Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
Tip
01 Jun 2023
Low-code/no-code use cases for security
Low-code/no-code development approaches have their fair share of security issues, but that doesn't mean they can't be used to benefit the security industry, too. Continue Reading
-
News
01 Jun 2023
Mitiga warns free Google Drive license lacks logging visibility
The ability to view logs is critical for enterprises to detect and attribute malicious activity. Mitiga said the Google Drive issue allows data exfiltration without a trace. Continue Reading
-
Answer
11 Oct 2017
Foxit Reader vulnerabilities: What can be done to mitigate them?
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the vulnerabilities and how to mitigate them. Continue Reading
-
Tip
11 Oct 2017
Addressing web server vulnerabilities below the application layer
Web application security is crucial, but enterprises also need to look below that layer for weaknesses. Kevin Beaver explains how to look for common web server vulnerabilities. Continue Reading
-
News
11 Oct 2017
Windows 10 patching could make older systems vulnerable
Microsoft's practice of automatic Windows 10 patching could be uncovering vulnerabilities in older systems that can be exploited by attackers, Google researchers said. Continue Reading
-
Answer
05 Oct 2017
Flash's end of life: How should security teams prepare?
Adobe Flash's end of life is coming, and it includes an incremental removal method, allotting security teams enough time to adjust. Matt Pascucci explains how changes can be made. Continue Reading
-
News
05 Oct 2017
Yahoo data breach found to affect all 3 billion users
Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info was safe. Continue Reading
-
Tip
05 Oct 2017
How the Docker REST API can be turned against enterprises
Security researchers discovered how threat actors can use the Docker REST API for remote code execution attacks. Michael Cobb explains this threat to Docker containers. Continue Reading
-
Opinion
02 Oct 2017
Building a secure operating system with Roger R. Schell
The 'father' of the Orange Book has first-hand knowledge of the standards required for classified computer systems and the issues with subversion. Continue Reading
-
Answer
02 Oct 2017
How can peer group analysis address malicious apps?
Google is using machine learning and peer group analysis to protect against malicious Android apps in the Google Play Store. Matt Pascucci explains how this works. Continue Reading
- 28 Sep 2017
-
Answer
25 Sep 2017
How does a Magento Community Edition flaw allow remote attacks?
As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the cross-site request forgery flaw. Continue Reading
-
Answer
22 Sep 2017
Application containers: What are the major risks?
NIST recently issued guidance on mitigating the security risks of application containers. Expert Judith Myerson outlines some of the risks and fixes highlighted in the guide. Continue Reading
-
Answer
20 Sep 2017
How can the Jenkins vulnerabilities in plug-ins be mitigated?
A wave of Jenkins vulnerabilities related to plug-ins were recently discovered. Expert Judith Myerson explains the flaws and how enterprises should mitigate them. Continue Reading
-
Answer
18 Sep 2017
Are long URLs better for security than short URLs?
Shortened URLs are weak on security and easy for attackers to inject with malware. Expert Judith Myerson discusses how long URLs are more secure, despite the inconvenience. Continue Reading
-
News
15 Sep 2017
Apache Struts vulnerability blamed for Equifax data breach
Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens. Continue Reading
-
Answer
14 Sep 2017
How can users detect dangerous open ports in mobile apps?
Some malicious apps can hijack smartphones and expose those devices with open ports. Expert Michael Cobb explains how this happens and how users can protect themselves. Continue Reading
-
Tip
14 Sep 2017
The HTML5 vulnerabilities enterprises need to know
Adobe Flash's end of life is coming, but there are some HTML5 vulnerabilities enterprises should be aware of before making the switch. Expert Judith Myerson outlines the risks. Continue Reading
-
Tip
11 Sep 2017
After Stuxnet: Windows Shell flaw still most abused years later
A Windows Shell flaw used by the Stuxnet worm continues to pose problems years after it was patched. Nick Lewis explains how the flaw exposes enterprise security shortcomings. Continue Reading
-
Tip
05 Sep 2017
Why DevOps security must be on infosecs' priority list
In the rush to implement DevOps, security is too often overlooked. But DevSecOps is essential in these hack-filled days. Learn how to add security to software development. Continue Reading
-
Feature
01 Sep 2017
HTTPS interception gets a bad rap; now what?
Should products intercept Transport Layer Security connections to gain visibility into network traffic? A new study by researchers and U.S.-CERT warn against it. Continue Reading
-
Opinion
01 Sep 2017
A damaging spring of internet worms and poor performance
Security is a hot topic for media outlets that report on stock markets as companies founder on corporate earnings. The financial fallout of global malware is a call to action. Continue Reading
-
Guide
30 Aug 2017
How to craft an application security strategy that's airtight
A solid application security strategy today must include varieties like cloud apps and mobile. Learn how to set application security policies and practices that keep hackers out. Continue Reading
- 28 Aug 2017
- 28 Aug 2017
-
News
24 Aug 2017
Google Chrome Enterprise adds management options
The Google Chrome Enterprise offering officially allows organizations to manage Google Play Store apps, extensions, Microsoft Active Directory and integrate VMware on Chromebooks. Continue Reading
-
Blog Post
23 Aug 2017
Project Treble is another attempt at faster Android updates
Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ... Continue Reading
-
News
21 Aug 2017
iPhone Secure Enclave firmware encryption key leaked
Experts and Apple say despite the leak of the iPhone Secure Enclave Processor encryption key that can be used to decrypt firmware code, user data and biometric information are still safe. Continue Reading
-
Answer
18 Aug 2017
Why is the patched Apache Struts vulnerability still being exploited?
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform still carries risk for users. Continue Reading
-
News
18 Aug 2017
Hijacked Chrome extensions infect millions of users
News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more. Continue Reading
-
Answer
18 Aug 2017
Stopping EternalBlue: Can the next Windows 10 update help?
The upcoming Windows update, Redstone 3, will patch the vulnerability that enables EternalBlue exploits. Expert Judith Myerson discusses protection methods to use until the update. Continue Reading
-
Tip
17 Aug 2017
Common web application login security weaknesses and how to fix them
Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them. Continue Reading
-
News
15 Aug 2017
Mobile data theft a risk from shared app libraries
Researchers claim malicious actors could commit mobile data theft by using shared third-party libraries and abusing elevated privileges that the permissions granted. Continue Reading
-
Tip
15 Aug 2017
Security teams must embrace DevOps practices or get left behind
DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them. Continue Reading
-
News
11 Aug 2017
Microsoft antivirus policy changes under Kaspersky pressure
Microsoft antivirus policy changes for Windows 10 Fall Creators Update in order to avoid further action in an antitrust case brought by Kaspersky. Continue Reading
-
News
11 Aug 2017
How threat actors weaponized Mia Ash for a social media attack
Dell SecureWorks researchers detected suspicious activity on social media accounts of Mia Ash. When they dug deeper, they discovered a new, complex social engineering attack. Continue Reading
-
Tip
10 Aug 2017
Applying a hacker mindset to application security
It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help. Continue Reading
-
News
09 Aug 2017
Windows 10 Linux subsystem gets first patches
Microsoft's August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server. Continue Reading
-
Answer
08 Aug 2017
How did a Moodle security vulnerability enable remote code execution?
A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited. Continue Reading
-
News
03 Aug 2017
Symantec Website Security, certificate authority business sold to DigiCert
DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates. Continue Reading
-
Answer
03 Aug 2017
How is the Samba vulnerability different from EternalBlue?
A recently discovered Samba vulnerability bears a striking resemblance to the notorious Windows exploit EternalBlue. Expert Matthew Pascucci compares the two vulnerabilities. Continue Reading
-
Answer
01 Aug 2017
How can OSS-Fuzz and other vulnerability scanners help developers?
Google's OSS-Fuzz is an open source vulnerability scanner. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it. Continue Reading
-
News
28 Jul 2017
Adobe's Flash end of life scheduled, finally, for 2020
News roundup: Adobe announced that Flash end of life will happen by the end of 2020. Plus, Microsoft expands its bug bounty program, the 2017 Pwnie Awards winners, and more. Continue Reading
-
Answer
26 Jul 2017
How are FTP injection attacks carried out on Java and Python?
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these attacks. Continue Reading
-
Feature
25 Jul 2017
Federal Cloud Computing
In this excerpt from chapter three of Federal Cloud Computing, author Matthew Metheny discusses open source software and its use in the U.S. federal government. Continue Reading
-
News
19 Jul 2017
Symantec agrees to transfer certificate issuance to third party
Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1. Continue Reading
-
News
14 Jul 2017
Google tackles Android app privacy with machine learning
Google will use machine learning and automated peer review scans to improve Android app privacy and limit app permissions overreach. Continue Reading
-
Tip
13 Jul 2017
How to detect preinstalled malware in custom servers
Preinstalled malware was reportedly found by Apple in its custom servers. Expert Nick Lewis explains how enterprises can protect themselves from encountering similar issues. Continue Reading
-
News
12 Jul 2017
Windows NTLM vulnerabilties addressed in July 2017 Patch Tuesday
Client-side security takes the forefront in Microsoft's July 2017 Patch Tuesday, which includes a fix for legacy Windows NTLM authentication processes. Continue Reading
-
Answer
12 Jul 2017
What made iOS apps handling sensitive data vulnerable to MitM attacks?
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains how developers can prevent this. Continue Reading
-
Answer
11 Jul 2017
Ticketbleed flaw: How can SSL session identities be protected?
The Ticketbleed flaw in F5 Networks' BIG-IP appliances leaks uninitialized memory and SSL session identities. Expert Michael Cobb explains how enterprises can mitigate it. Continue Reading
-
News
11 Jul 2017
Android Samba app from Google only uses broken SMBv1
Experts said the new Android Samba app from Google supported only unsafe SMBv1 despite susceptibility to WannaCry exploits and unclear demand from users. Continue Reading
-
Answer
10 Jul 2017
WordPress REST API flaw: How did it lead to widespread attacks?
A REST API endpoint vulnerability enabled attacks on 1.5 million sites running WordPress. Expert Michael Cobb explains how this vulnerability works and how to prevent attacks. Continue Reading
-
Answer
07 Jul 2017
How are hackers using Unicode domains for spoofing attacks?
A proof of concept showed that hackers can use Unicode domains to make phishing sites look legitimate. Expert Matthew Pascucci explains how this spoofing attack works. Continue Reading
-
Answer
05 Jul 2017
What are the challenges of migrating to HTTPS from HTTP?
Migrating to HTTPS from HTTP is a good idea for security, but the process can be a challenge. Expert Matthew Pascucci explains how to make it easier for enterprises. Continue Reading
-
Buyer's Guide
28 Jun 2017
Select the best patch management software for your company
Patch management software enables businesses to prioritize and automatically update systems so that their assets remain secure. See which best fits your infosec strategy. Continue Reading
-
News
27 Jun 2017
Windows Defender bug could allow full-system takeover
A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability. Continue Reading
-
Feature
27 Jun 2017
Patch management tool comparison: What are the best products?
With so many different vendors in the market, it isn't easy to pick the right patch management tool. Read this product comparison to see which is best for your company. Continue Reading
-
Answer
16 Jun 2017
Why do HTTPS interception tools weaken TLS security?
HTTPS interception tools help protect websites, but they can also hurt TLS security. Expert Judith Myerson explains how this works and what enterprises can do about it. Continue Reading
-
News
15 Jun 2017
Microsoft to disable SMBv1 by default in fall Windows updates
Microsoft claims recent WannaCry attacks did not influence the decision to disable SMBv1 by default in the next major Windows updates. Continue Reading
-
News
14 Jun 2017
More Windows XP fixes in June Patch Tuesday release
Microsoft's June 2017 Patch Tuesday saw another set of Windows XP fixes released in order to secure systems against leaked NSA cyberweapons. Continue Reading
-
Answer
14 Jun 2017
How can DevOps application lifecycle management protect digital keys?
Better DevOps application lifecycle management can help protect cryptographic and digital keys. Expert Judith Myerson explains the right approaches to secure DevOps. Continue Reading
-
News
14 Jun 2017
Symantec CA remediation plan faces more delays
The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community. Continue Reading
-
Tip
12 Jun 2017
To secure Office 365, take advantage of controls Microsoft offers
Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers. Continue Reading
-
Tip
12 Jun 2017
Office 365 security features: As good as it gets?
Online and application security is never perfect, but Office 365 security features come close. Here's an overview of how Microsoft installed security in its popular suite. Continue Reading
-
Tip
12 Jun 2017
Address Office 365 security concerns while enjoying its benefits
Office 365 security concerns should worry you but not dampen your enthusiasm for the platform's potential benefits for your business. Here's what you need to consider upfront. Continue Reading
-
Feature
12 Jun 2017
Know why patch management tools are required in the IT infrastructure
Regulations, efficiency and protection are the main drivers for purchasing patch management tools. See why automated patch management is a requirement for most businesses. Continue Reading
-
News
08 Jun 2017
Researchers port EternalBlue exploit to Windows 10
The EternalBlue exploit behind the WannaCry ransomware attacks has been successfully ported to an older version of Windows 10, but newer versions of the OS are protected. Continue Reading
-
Answer
06 Jun 2017
Adobe Acrobat Chrome extension: What are the risks?
An Adobe Acrobat extension was automatically installed onto users' Chrome browsers during an update. Expert Michael Cobb explains the problems that existed with the extension. Continue Reading
-
Tip
06 Jun 2017
How mobile application assessments can boost enterprise security
Mobile application assessments can help enterprises decide which apps to allow, improving security. Christopher Crowley of the SANS Institute discusses how to use app assessments. Continue Reading
-
Answer
05 Jun 2017
Cisco WebEx extension flaw: How does the patch fall short?
Cisco's WebEx extension flaw was patched to prevent remote code execution from all but WebEx sites. Expert Michael Cobb explains how this flaw could still introduce risk to users. Continue Reading
-
Answer
31 May 2017
Why is patching telecom infrastructures such a challenge?
Patching telecom infrastructures presents many challenges. Expert Matthew Pascucci explains those challenges and what can be done to make sure the systems get patched anyway. Continue Reading
-
Answer
30 May 2017
Domain validation certificates: What are the security issues?
Let's Encrypt domain validation certificates had some security issues. Expert Matthew Pascucci explains how DV certificates work and what the issues were. Continue Reading
-
News
26 May 2017
Samba vulnerability brings WannaCry fears to Linux/Unix
A widespread Samba vulnerability has raised the possibility of attacks similar to WannaCry hitting Linux and Unix systems, but mitigation options are available. Continue Reading
-
Podcast
25 May 2017
Risk & Repeat: Microsoft slams NSA over EternalBlue
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Microsoft's sharp criticism of the NSA over the EternalBlue Windows vulnerability and WannaCry ransomware. Continue Reading
-
Podcast
23 May 2017
Risk & Repeat: WannaCry ransomware worm shakes tech industry
In this week's Risk & Repeat podcast, SearchSecurity editors look at the devastation caused by the WannaCry ransomware worm and discuss how it could have been prevented. Continue Reading
-
News
19 May 2017
Google Play Protect looks to bolster Android app security
News roundup: The new Google Play Protect system aims to improve Android app security. Plus, Google Cloud IoT Core adds layer of device security, and more. Continue Reading
-
Tip
17 May 2017
What the end of hot patching mobile apps means for enterprise security
Apple now restricts mobile app developers from using hot patching, as the technique can change app behavior after it is reviewed. Expert Kevin Beaver goes over enterprise concerns. Continue Reading
-
News
12 May 2017
Cisco vulnerability from WikiLeaks' Vault 7 dump finally patched
News roundup: A Cisco vulnerability disclosed in the Vault 7 dump finally has a patch. Plus, Google's fuzzing bot finds over 1,000 bugs in five months, Comey dismissed and more. Continue Reading
-
Podcast
11 May 2017
Risk & Repeat: Critical Windows bug triggers disclosure debate
This week's Risk & Repeat podcast looks at how a simple tweet about a Windows bug from Project Zero researcher Tavis Ormandy sparked a debate about vulnerability disclosure. Continue Reading
-
Feature
11 May 2017
Timeline: Symantec certificate authority improprieties
Timeline: Follow along as Google and Mozilla raise issues with Symantec certificate authority actions, and then attempt to return trust to the CA giant. Continue Reading
-
News
10 May 2017
Windows zero days squashed in May 2017 Patch Tuesday
Microsoft's May 2017 Patch Tuesday fixed multiple Windows zero-day vulnerabilities, two of which have reportedly been exploited by groups linked to Russia. Continue Reading
-
News
09 May 2017
Microsoft out-of-band patch hits the day before Patch Tuesday
The evening before Patch Tuesday, Microsoft released an emergency out-of-band patch for a dangerous Windows flaw teased by the Google Project Zero team just days earlier. Continue Reading
-
Tip
09 May 2017
How to identify and address overlooked web security vulnerabilities
Certain web security vulnerabilities evade detection due to oversight or carelessness. Expert Kevin Beaver discusses the top overlooked issues and how to address them. Continue Reading
-
News
05 May 2017
TLS client authentication ensures secure IoT connection
The TLS client authentication protocol has been part of the security standard for years, but it's just now coming into its own in certifying secure IoT connections. Continue Reading
-
Answer
03 May 2017
Same-origin policy: How did Adobe Flash Player's implementation fail?
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb explains how this flaw occurred. Continue Reading
-
Feature
27 Apr 2017
Introduction to Social Media Investigation: A Hands-on Approach
In this excerpt from chapter four of Introduction to Social Media Investigation: A Hands-on Approach, author Jennifer Golbeck discusses privacy controls on social media. Continue Reading
-
News
25 Apr 2017
Symantec certificate authority issues, answered
Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust. Continue Reading
-
Answer
25 Apr 2017
How can enterprises stop the Flip Feng Shui exploit from hijacking VMs?
The Flip Feng Shui attack can target virtual machines. Expert Judith Myerson explains the exploit and describes how to prevent it from hijacking enterprise VMs. Continue Reading
-
News
21 Apr 2017
Stuxnet worm flaw still the most exploited after seven years
Security researchers say the vulnerability behind the infamous Stuxnet worm is still the most exploited in the world, seven years after being patched. Continue Reading
-
News
20 Apr 2017
Oracle patches Apache Struts exploits, Equation Group vulnerability
There were 299 Oracle patches in the April Critical Patch Update, including a fix for the Apache Struts exploits found in the wild and a vulnerability from the Equation Group dump. Continue Reading
-
Answer
19 Apr 2017
How does Nemucod malware get spread through Facebook Messenger?
The Nemucod downloader malware is being spread through Facebook Messenger disguised as an image file. Expert Nick Lewis explains the available protections against this attack. Continue Reading
-
News
12 Apr 2017
Symantec CA woes debated by browser community
Compliance with CA/B Forum Baseline Requirements was debated after Symantec CA posted responses to 14 issues raised by Mozilla developers. Continue Reading
-
News
12 Apr 2017
Security Update Guide brings growing pains to Patch Tuesday
Microsoft fundamentally changes how IT pros will consume Patch Tuesday releases with the Security Update Guide and brings fixes for an actively exploited Word zero-day. Continue Reading
-
Tip
07 Apr 2017
Preparing enterprise systems for the scriptless Linux exploit
The scriptless Linux exploit deviates from usual methods that security tools recognize as attacks. Expert Nick Lewis explains how the exploit works and how to prevent it. Continue Reading
-
Answer
07 Apr 2017
How have ARM TrustZone flaws affected Android encryption?
Android encryption on devices using Qualcomm chips can be broken due to two vulnerabilities. Expert Michael Cobb explains how these flaws affect encryption. Continue Reading
-
Tip
05 Apr 2017
Totally automatic: Improve DevOps and security in three key steps
Concerned about DevOps security? Learn three key steps to embedding security into the software development process, including how to improve automation. Continue Reading
-
News
31 Mar 2017
HTTPS traffic has yet to surpass HTTP traffic, Fortinet study shows
News roundup: HTTPS traffic has yet to surge, despite its security benefits, according to a report. Plus, the latest in the Apple extortion; a Mirai attack lasted 54 hours; and more. Continue Reading
-
News
30 Mar 2017
Google's Project Zero Prize uncovers zero Android remote exploits
After six months, Google's Project Zero Prize competition uncovered zero Android remote exploits: no bugs, no prizes, no entries. Continue Reading
-
News
29 Mar 2017
Potential SSL API flaw could reveal private keys
A researcher claims to have found Symantec SSL API issues with extremely dangerous consequences, but a lack of evidence causes confusion. Continue Reading
-
Answer
28 Mar 2017
How can users tell if Windows SMB v1 is on their systems?
US-CERT encouraged users to use newer versions of Windows SMB, since version one is out of date. Expert Matthew Pascucci explains how to tell if SMB v1 is on your systems. Continue Reading
-
News
24 Mar 2017
Google considers options on Symantec certificate authority 'failures'
Symantec certificate authority cries foul, as Google considers severe options following the company allegedly misissuing as many as 30,000 digital certificates. Continue Reading