Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
24 Jan 2025
AMD processor vulnerability inadvertently leaked early
The flaw was revealed when hardware manufacturer Asus published a patch for an 'AMD Microcode Signature Verification Vulnerability' to a gaming motherboard update page. Continue Reading
-
News
23 Jan 2025
Eclypsium finds security issues in Palo Alto Networks NGFWs
Eclypsium researchers stressed how essential supply chain security is as threat actors increasingly target and exploit vulnerabilities in firewalls, VPNs and other edge devices. Continue Reading
-
Answer
25 Jul 2018
How is Apple iOS 11 affected by a QR code vulnerability?
A QR code vulnerability was recently discovered in the Apple iOS 11 camera app. Learn how an attacker could exploit it and how to avoid the issue with Judith Myerson. Continue Reading
-
Answer
24 Jul 2018
Bouncy Castle keystore: How are files vulnerable to brute force?
BKS files are being exposed to hash collisions, enabling hackers to use brute force attacks against C# and Java applications. Learn how this occurs and possible solutions with Judith Myerson. Continue Reading
-
Answer
23 Jul 2018
How did a Navarino Infinity flaw expose unauthenticated scripts?
Navarino Infinity, a satellite communication system, found and fixed a flaw that exposed an unauthenticated script. Discover what threats this flaw enabled with Judith Myerson. Continue Reading
-
News
20 Jul 2018
Critical Cisco vulnerabilities patched in Policy Suite
News roundup: Critical Cisco vulnerabilities in Policy Suite products were patched this week. Plus, Venmo's API is set to public, exposing a trove of customer data, and more. Continue Reading
-
News
20 Jul 2018
SaaS activity alerts can mitigate manual misconfigurations
SaaS activity management is becoming more important for infosec teams to combat issues of insider theft and unintentional exposure of sensitive data, BetterCloud's David Politis says. Continue Reading
-
Answer
20 Jul 2018
Trojan.AndroidOS.Loapi: What is this jack-of-all-trades malware?
Kaspersky researchers found a new Android malware that can physically harm phones. Learn how this works and the steps to mitigate the attack with expert Nick Lewis. Continue Reading
-
Feature
19 Jul 2018
Port Cybersecurity
In this excerpt from chapter 3 of Port Cybersecurity, author Nineta Polemi discusses Security of Ports' Critical Information Infrastructures. Continue Reading
-
Answer
18 Jul 2018
Digimine bot: How does social media influence cryptojacking?
Facebook Messenger is being used to reach more victims with a cryptojacking bot that Trend Micro researchers named Digimine. Learn how this bot works with expert Nick Lewis. Continue Reading
-
Answer
17 Jul 2018
Spider ransomware: How do ransomware attacks differ?
Spider ransomware has been found spreading malicious files via a phishing campaign that gives victims a 96-hour deadline. Learn how this attack is similar to past attacks with Nick Lewis. Continue Reading
-
Feature
16 Jul 2018
Seeking the Truth from Mobile Evidence
In this excerpt from chapter 19 of Seeking the Truth from Mobile Evidence, author John Bair discusses Android user enabled security in terms of passwords and gestures. Continue Reading
-
Answer
16 Jul 2018
Android vulnerability: How can users mitigate Janus malware?
The Janus vulnerability was found injecting malicious code into reputable Android apps. Once injected, users' endpoints become infected. Learn how to prevent this with expert Nick Lewis. Continue Reading
-
News
13 Jul 2018
Chrome site isolation arrives to mitigate Spectre attacks
In an effort to mitigate the risk of Spectre attacks, Google Chrome site isolation has been enabled for 99% of browser users to minimize the data that could be gleaned by an attacker. Continue Reading
-
Tip
12 Jul 2018
How to stop malicious browser add-ons from taking root
Researchers at Malwarebytes discovered several new browser extension threats. Discover how to avoid and properly removed malicious add-ons with expert Nick Lewis. Continue Reading
-
Answer
10 Jul 2018
What effect does GDPR have on the WHOIS database?
With GDPR in effect, ICANN proposed redacting information from the WHOIS database. Expert Michael Cobb discusses what this could mean for the domain database. Continue Reading
-
Tip
10 Jul 2018
Common security oversights within an AWS environment
There's often an assumption that AWS systems can't be tested, as they're hosted in the cloud; however, this is not the case. Discover common security oversights in AWS environments. Continue Reading
-
Answer
09 Jul 2018
How did an old, unpatched Firefox bug expose master passwords?
A Firefox bug went undetected for nine years. Expert Michael Cobb explains how it enabled attackers to access the browser's master password and what's being done to mitigate it. Continue Reading
-
Tip
05 Jul 2018
How cyber resiliency is achieved via NIST's 14-step approach
Improving cyber resiliency helps organizations manage risk. Discover the 14 techniques NIST has identified to help achieve cyber resiliency with expert Judith Myerson. Continue Reading
-
News
29 Jun 2018
WebAssembly updates may cancel out Meltdown and Spectre fixes
News roundup: Upcoming WebAssembly updates may undo the Meltdown and Spectre mitigations. Plus, FireEye denied claims it 'hacked back' China, and more. Continue Reading
-
News
29 Jun 2018
Have I Been Pwned integration comes to Firefox and 1Password
With new Have I Been Pwned integration, Firefox and 1Password users will be able to learn if their email addresses have been compromised in any known data breaches. Continue Reading
-
Answer
29 Jun 2018
Microsoft CredSSP: How was it exploited by CVE-2018-0886?
The CVE-2018-0886 vulnerability found within Microsoft's CredSSP was recently patched. Discover what this vulnerability is and how it affects the CredSSP protocol with Judith Myerson. Continue Reading
-
News
25 Jun 2018
Container orchestration systems at risk by being web-accessible
Security researchers found tens of thousands of container orchestration systems accessible via the web, which in itself puts those dashboards at risk of attack. Continue Reading
-
Answer
25 Jun 2018
How did the Panera Bread website expose customers?
Panera Bread website users were put at risk after a security researcher discovered a vulnerability relating to a lack of authentication for their publicly available API endpoint. Continue Reading
-
News
14 Jun 2018
Security Servicing Commitment clarifies Microsoft patch policy
Microsoft's unspoken patch management policy has been codified in the new Security Servicing Commitment, which outlines what flaws will be patched monthly and which will be in Windows updates. Continue Reading
-
News
13 Jun 2018
Spectre v4 fix and Windows DNS patch in June Patch Tuesday
A Windows DNS patch for both desktops and servers headlines Microsoft's June 2018 Patch Tuesday, but the release also includes mitigations for Spectre v4 and more. Continue Reading
-
Tip
12 Jun 2018
Application security programs: Establishing reasonable requirements
Creating security program requirements can be a challenging task, especially with application security. In this tip, Kevin Beaver shares several ways to create an effective program. Continue Reading
-
Answer
12 Jun 2018
Fake WhatsApp app: How can counterfeit apps be avoided?
After a fake WhatsApp app was discovered in the Google Play Store, users are questioning what can be done to avoid counterfeit apps. Learn several techniques with Nick Lewis. Continue Reading
-
News
08 Jun 2018
Apple plans to disable Facebook web tracking capabilities
News roundup: Apple wants to protect its users from Facebook web tracking with the next version of Safari. Plus, genealogy website MyHeritage suffers data breach, and more. Continue Reading
-
Answer
08 Jun 2018
How can domain generation algorithms be used to bypass ad blockers?
An ad network used domain generation algorithms to bypass ad blockers and launch cryptomining malware. Expert Michael Cobb explains how and the best way to prevent these attacks. Continue Reading
-
News
06 Jun 2018
Apple iOS 12 USB Restricted Mode to foil thieves, law enforcement
A rumored security feature, USB Restricted Mode, is making its premiere in Apple's iOS 12 and will protect users from brute-force passcode attacks by thieves and law enforcement alike. Continue Reading
-
News
05 Jun 2018
Research claims 'widespread' Google Groups misconfiguration troubles
Researchers from Kenna Security claim a Google Groups misconfiguration has exposed sensitive data for many organizations, but it is unclear just how widespread the issue might be. Continue Reading
-
Answer
05 Jun 2018
What risks do untrusted certificates pose to enterprises?
Researchers found that untrusted certificates are still used on many major websites. Expert Michael Cobb discusses the security risks of sticking with these certificates. Continue Reading
-
News
01 Jun 2018
Yokogawa Stardom vulnerability leaves hardcoded creds in ICS controllers
A Yokogawa Stardom vulnerability leaves industrial control systems in critical infrastructure around the world at risk because of hardcoded credentials in the software. Continue Reading
-
Tip
31 May 2018
How layered security can help and hinder application security
The growth of technology includes the growth of layered security. Join expert Kevin Beaver as he explains the pros and cons of layered defenses for application security. Continue Reading
-
Answer
30 May 2018
How are Linear eMerge E3 systems vulnerable to attacks?
ICS-CERT issued a warning about a new vulnerability in Nortek Linear eMerge E3 products. Discover what this vulnerability is and how it affects access control for enterprises. Continue Reading
-
Answer
28 May 2018
How did Strava's Global Heatmap disclose sensitive U.S. info?
Fitness tracking app Strava released its Global Heatmap that unknowingly disclosed routes of U.S. soldiers. Discover how this happened and how geolocation data can be blocked. Continue Reading
-
News
10 May 2018
Android P security improves authentication trust and data privacy
Android P security features, which were previewed at Google I/O, include notable improvements for data privacy and encryption and preventing malicious apps from spying on users. Continue Reading
-
News
04 May 2018
Remote Android Rowhammer attack possible, but scope limited
A new Android Rowhammer PoC proves an attack is possible, but an expert said the limited scope of affected devices and feasibility of performing the attack lessens the danger. Continue Reading
-
News
04 May 2018
Facebook APIs used by tens of thousands of malicious apps
News roundup: Researchers find tens of thousands of malicious apps use Facebook APIs and can access user data. Plus, AWS threatens to suspend Signal's use of the platform, and more. Continue Reading
-
News
04 May 2018
AMD patches in testing with ecosystem partners
The timeline for the AMD patches promised to fix chipset flaws disclosed in March is being criticized, but AMD said the patches are being tested by partners and are still on track. Continue Reading
-
News
04 May 2018
Twitter bug exposes passwords of all 336 million users
On none other than World Password Day, a Twitter bug was announced that led to the passwords of all 336 million users being stored in plaintext in an internal log. Continue Reading
-
Answer
01 May 2018
How did an Electron framework flaw put Slack at risk?
An Electron framework flaw put users of Slack, Skype and other big apps at risk. Expert Michael Cobb explains how this remote code execution flaw works and how to prevent it. Continue Reading
-
News
30 Apr 2018
Attackers seek Oracle WebLogic vulnerability after faulty patch
The combination of a broken Oracle WebLogic vulnerability and available proof-of-concept exploit code has led threat actors to search for any servers that are at risk. Continue Reading
-
News
25 Apr 2018
Rachel Tobac: Social engineering attacks need real-world 2FA
Rachel Tobac discusses how to train employees to avoid social engineering attacks and how individuals can keep themselves safe with awareness and by being 'politely paranoid.' Continue Reading
-
News
18 Apr 2018
IBM's new AI toolbox is designed to protect AI systems
IBM has made a new open source AI toolbox that's designed to provide practical defenses for real-world AI systems based on how threat actors can attack AI models. Continue Reading
-
News
06 Apr 2018
Microsoft created Windows Defender flaw by breaking UnRAR code
Microsoft's poor coding when forking and modifying open source UnRAR code introduced a critical Windows Defender flaw that could allow an attacker full system rights. Continue Reading
-
News
05 Apr 2018
Intel's Spectre microcode patch not coming for older chips
No Spectre microcode patches will be coming for older Intel processors, but the newest generation of Intel CPUs will have mitigations built in when they ship later this year. Continue Reading
-
Tip
05 Apr 2018
How a Blizzard DNS rebinding flaw put millions of gamers at risk
A Blizzard DNS rebinding flaw could have put users of its online PC games at risk of attack. Expert Michael Cobb explains how a DNS rebinding attack works and what to do about it. Continue Reading
-
News
03 Apr 2018
Cloudflare 1.1.1.1 DNS promises more private web browsing
Cloudflare promises its new 1.1.1.1 DNS service is faster and enables better privacy for web browsing than competing offerings, but it's unclear how different its service will be. Continue Reading
-
News
30 Mar 2018
Kaspersky KLara malware hunter now open source
Kaspersky's KLara tool has been made open source in an effort to help security professionals search related malware samples more easily and efficiently with distributed Yara rules. Continue Reading
-
News
30 Mar 2018
OIG report on San Bernardino iPhone case criticizes FBI
A new government report claims poor communication was to blame for the FBI's court case being filed against Apple despite a San Bernardino iPhone unlock method being almost ready at the time. Continue Reading
-
Answer
29 Mar 2018
How are logic devices like WAGO PFC200 used by hackers?
The Department of Homeland Security warned of a vulnerability affecting WAGO PFC200 logic devices. Discover how this flaw enables threat actors with expert Judith Myerson. Continue Reading
-
News
28 Mar 2018
Windows Meltdown patches open up more severe issue
A security researcher discovered the recent Windows Meltdown patches may fix the Intel flaws, but also introduced a more severe vulnerability in some versions of Windows. Continue Reading
-
Answer
28 Mar 2018
Zyklon malware: What Microsoft Office flaws does it exploit?
Zyklon malware targets three previously patched Microsoft Office vulnerabilities. Learn how attackers can access passwords and cryptocurrency wallet data with expert Judith Myerson. Continue Reading
-
News
27 Mar 2018
TLS 1.3 update is finalized with encryption upgrade
The IETF approves the TLS 1.3 encryption protocol upgrade after four years and 28 versions; improvements include better security and performance, as well as middlebox support. Continue Reading
-
Answer
26 Mar 2018
Intel AMT flaw: How are corporate endpoints put at risk?
A recent flaw in Intel's Advanced Management Technology enables hackers to gain access to endpoint devices. Discover how this flaw can be mitigated with expert Judith Myerson. Continue Reading
-
News
23 Mar 2018
AMD patches for Ryzen chip flaws due 'in the coming weeks'
AMD patches are in the works for the Ryzen and EPYC chip flaws announced without the normal disclosure, but CTS Labs continues to stress the severity of the issues. Continue Reading
-
Feature
22 Mar 2018
SAP CSO Justin Somaini on using blockchain for security
Blockchain has generated both hype and skepticism, but SAP CSO Justin Somaini believes the technology has applications for security that can improve open source software. Continue Reading
-
News
21 Mar 2018
Firefox bug exposes passwords to brute force -- for nine years
A Firefox bug exposing the browser's master password to a simple brute force attack against inadequate SHA-1 hashing is still on the books after nearly nine years. Continue Reading
-
Tip
20 Mar 2018
Secure DevOps: Inside the five lifecycle phases
Secure DevOps and cloud computing are altering the design, build, deployment and operation of online systems. Learn more from Eric Johnson and Frank Kim of the SANS Institute. Continue Reading
-
Tip
16 Mar 2018
Addressing vulnerable web systems that are often overlooked
Web security vulnerability scanners often focus on large applications within the enterprise. However, there are plenty of overlooked web systems that contain hidden flaws. Continue Reading
-
Answer
14 Mar 2018
Internet Explorer bug: How does it expose address bar info?
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL tracking with Nick Lewis. Continue Reading
-
Tip
13 Mar 2018
Software security training: Perspectives on best practices
Software development training with an emphasis on secure coding can improve enterprise security postures. Steve Lipner of SafeCode discusses different ways to get the job done. Continue Reading
-
Answer
09 Mar 2018
How can improper certificate pinning be stopped by the Spinner tool?
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the Spinner tool. Continue Reading
-
Answer
08 Mar 2018
How does a WPAD attack work and how can it be prevented?
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how to bolster WPAD security. Continue Reading
-
News
07 Mar 2018
McAfee cloud security platform expands to Microsoft Azure
In its first move following the acquisition of cloud access security broker Skyhigh Networks, McAfee extended its cloud security platform to Microsoft Azure customers. Continue Reading
-
Tip
06 Mar 2018
Patch management programs: Who should run them?
Patch management is a crucial part of enterprise security defenses, but should security teams be in charge of it? Charles Kao explains how to make patching programs successful. Continue Reading
-
Answer
06 Mar 2018
How does Tizi spyware affect Android apps?
Android apps affected by Tizi spyware were found in the Google Play Store by Google's Play Protect team. Expert Michael Cobb reviews the threat and how it was fixed. Continue Reading
-
Tip
05 Mar 2018
Automated patch management and the challenges from IoT
From creating an inventory to scanning for IoT vulnerabilities, learn the key steps to take when it comes to automating patch management in your company. Continue Reading
-
Answer
05 Mar 2018
The Keeper browser extension flaw: How can users stay secure?
The Keeper browser extension had a vulnerability that highlighted security issues with password managers. Expert Michael Cobb looks at how to avoid security flaws in these tools. Continue Reading
-
Answer
02 Mar 2018
VMs per host: What are the risks of multiple connections?
While there are no set rules, there are some security recommendations when it comes to virtual machines running on one host. Learn the best practices with expert Matt Pascucci. Continue Reading
-
Tip
01 Mar 2018
Why the Bleichenbacher attack is still around
The Bleichenbacher attack got a new name after 20 years. Expert Michael Cobb reviews the ROBOT attack and discusses why it's still active this long after it emerged. Continue Reading
-
Answer
23 Feb 2018
How did OurMine hackers use DNS poisoning to attack WikiLeaks?
The OurMine hacking group recently used DNS poisoning to attack WikiLeaks and take over its web address. Learn how this attack was performed from expert Nick Lewis. Continue Reading
-
Tip
22 Feb 2018
Web vulnerability scanners: What you won't learn from vendors
Web security flaws are a serious issue that web vulnerability scanners can manage. Discover your best fit scanner as expert Kevin Beaver shares tips that vendors won't tell you. Continue Reading
-
News
21 Feb 2018
Google discloses Microsoft Edge vulnerability without a patch
Google's Project Zero publicly published an Edge browser vulnerability after the 90-day disclosure deadline expired, and Microsoft has yet to patch the flaw. Continue Reading
-
Answer
20 Feb 2018
GD library: How did it open the Junos OS to attacks?
The GD library used in the Junos operating system has opened Junos up to attacks. Nick Lewis explains how it happened and what it means for companies using open source software. Continue Reading
-
Video
19 Feb 2018
Where does security fit into SDLC phases?
In each phase of the software development life cycle, there is an opportunity for infosec pros to add value. Learn more in this video with expert Adam Gordon. Continue Reading
-
Answer
19 Feb 2018
Antivirus tools: Are two programs better than one?
Antivirus software is crucial to your device's security. However, less is often more, especially when considering a secondary free antivirus program. Nick Lewis explains why. Continue Reading
-
News
15 Feb 2018
Intel bug bounty programs widened after Meltdown and Spectre
Intel's bug bounty program expanded its scope and rewards for bugs across all Intel products, and the company added a new program for side-channel flaws like Meltdown and Spectre. Continue Reading
-
Tip
15 Feb 2018
Embedded application security: Inside OWASP's best practices
OWASP released a draft of new guidelines for creating secure code within embedded software. Expert Judith Myerson discusses best practices, pitfalls to avoid and auditing tools. Continue Reading
-
News
14 Feb 2018
Microsoft: Windows Analytics can detect Meltdown and Spectre exposure
Microsoft says Meltdown and Spectre vulnerabilities are now being tracked by Windows Analytics, which shows users the update status for CPU microcode and OS patches. Continue Reading
-
News
13 Feb 2018
Critical Broadcom flaws discovered in Lenovo ThinkPads
Two critical flaws in Broadcom Wi-Fi chips disclosed last year were thought to affect only Apple and Android devices, but Lenovo now says ThinkPad models are vulnerable, too. Continue Reading
-
Answer
12 Feb 2018
How did a Microsoft Equation Editor flaw put systems at risk?
A stack buffer overflow vulnerability in Microsoft Equation Editor may have put enterprises at risk of compromise. Expert Judith Myerson explains what went wrong. Continue Reading
-
News
09 Feb 2018
Apple's confidential iBoot source code leaked online
News roundup: Apple's highly protected iBoot source code was leaked online. Plus, the U.S. Consumer Financial Protection Bureau stops its Equifax breach investigation, and more. Continue Reading
-
Tip
07 Feb 2018
Dynamic application security testing, honeypots hunt malware
Stealth is an attacker's best friend, especially when it comes to sneaking malware past the firewall. Learn about some trusty tools that can stop malware in its tracks. Continue Reading
-
News
07 Feb 2018
Grammarly vulnerability exposed user documents
A Grammarly vulnerability in its browser extension authentication could have exposed users' sensitive documents if the popular spelling and grammar checker were left unpatched. Continue Reading
-
Tip
06 Feb 2018
How to manage application security risks and shortcomings
A lack of proper testing, communication and insight into best practices all contribute to application security shortcomings. Kevin Beaver explains how to manage the risks. Continue Reading
-
Podcast
05 Feb 2018
Risk & Repeat: Meltdown and Spectre mitigation efforts stumble
In this week's Risk & Repeat podcast, SearchSecurity editors discuss the Meltdown and Spectre mitigations efforts and why they're struggling with bad updates and miscommunication. Continue Reading
-
Answer
01 Feb 2018
Katyusha Scanner: How does it work via a Telegram account?
The Katyusha Scanner is based on the open source penetration test scanner Arachni. However, it has been modified to work through Telegram accounts. Nick Lewis explains how it works. Continue Reading
-
News
31 Jan 2018
Google got faster pulling bad Android apps from Play Store
Google claims it is faster than ever at removing or rejecting bad Android apps from the Play Store before anyone has a chance to install the troublesome app. Continue Reading
-
News
30 Jan 2018
Microsoft rushes Spectre patch to disable Intel's broken update
Microsoft was forced to release an out-of-band Spectre patch designed not to mitigate the vulnerability but to protect users from Intel's broken fix. Continue Reading
-
News
26 Jan 2018
Intel Spectre vulnerability memo raises questions of OEM disclosures
Intel first learned of the Spectre vulnerabilities on June 1, but a confidential document shows the chipmaker didn't inform OEM partners until almost six months later. Continue Reading
-
Tip
25 Jan 2018
How are middleboxes affecting the TLS 1.3 release date?
Despite fixing important security problems, the official TLS 1.3 release date keeps getting pushed back, in part due to failures in middlebox implementations. Continue Reading
-
News
23 Jan 2018
Gemalto Sentinel flaws could lead to ICS attacks
Security researchers found 14 vulnerabilities in Gemalto Sentinel hardware tokens, which could allow dangerous ICS attacks, including full-system takeover. Continue Reading
-
News
23 Jan 2018
Intel Meltdown patches pulled with little explanation
Intel claims it has determined why the Spectre and Meltdown patches caused issues on some chips. The vendor is working on a fix and suggests users don't patch for now. Continue Reading
-
Answer
18 Jan 2018
Public key pinning: Why is Google switching to a new approach?
After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci explains the switch. Continue Reading
-
Tip
18 Jan 2018
How HTTP security headers can defend enterprise systems
HTTP security headers that have the right configurations can be used as defense methods against cyberattacks. Expert Judith Myerson outlines how to use headers this way. Continue Reading
-
News
17 Jan 2018
Skygofree Android spyware is a powerful surveillance tool
A new Android spyware tool called Skygofree was described as one of the most powerful surveillance tools and can even capture encrypted messages from WhatsApp. Continue Reading
-
Answer
15 Jan 2018
Canvas fingerprinting: How does it compromise security?
Mozilla recently decided to pull the HTML canvas element from the Firefox browser. Learn from expert Matt Pascucci what this means for the security and privacy of users. Continue Reading
-
News
12 Jan 2018
Intel Meltdown patch causes issues with Broadwell and Haswell
Customers reported the firmware Intel Meltdown patch caused reboot issues on Broadwell and Haswell chipsets, leading to a patch review by Intel. Continue Reading
-
News
10 Jan 2018
Spectre patches highlight January 2018 Patch Tuesday
Microsoft's January 2018 Patch Tuesday brings Meltdown and Spectre patches to users, except those on AMD chipsets or those with incompatible antivirus. Continue Reading