Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
14 Nov 2024
Infoblox: 800,000 domains vulnerable to hijacking attack
While the 'Sitting Ducks' attack vector continues to pose a problem, Infoblox says domain registrars, DNS providers and government bodies remain inactive. Continue Reading
-
News
12 Nov 2024
Microsoft halts 2 zero-days on November Patch Tuesday
The company addressed 88 vulnerabilities, including an Exchange Server spoofing flaw and a significant number of SQL Server bugs, this month. Continue Reading
-
Tip
14 Nov 2017
How social engineering attacks have embraced online personas
Discover the extent to which attackers will go to plan social engineering attacks. Nick Lewis explains how the progression of threats is changing how we monitor social media. Continue Reading
-
Answer
10 Nov 2017
VMware AppDefense: How will it address endpoint security?
VMware announced AppDefense, its latest effort to help improve endpoint security. Matt Pascucci explains how AppDefense addresses applications in vSphere environments. Continue Reading
-
Tip
09 Nov 2017
Why threat models are crucial for secure software development
Threat modeling is an important component of the secure software development process. Steve Lipner of SafeCode explains how threat models benefit software security. Continue Reading
-
Answer
09 Nov 2017
Killer discovery: What does a new Intel kill switch mean for users?
Cybersecurity company Positive Technologies recently discovered an Intel kill switch in the vendor's Management Engine. Learn more about this kill switch with expert Matt Pascucci. Continue Reading
-
News
08 Nov 2017
Android KRACK flaw patched in latest security update
The latest security release from Google patched the Android KRACK vulnerability affecting Wi-Fi's WPA2 protocol, but update confusion leaves users unsure if they are safe. Continue Reading
-
News
07 Nov 2017
Fake WhatsApp app downloaded 1 million times
A fake WhatsApp app bypassed Google's Play Store checks and was downloaded 1 million times, but one expert said Google's store is still the safest place to get apps. Continue Reading
-
Tip
26 Oct 2017
Windows XP patches: Did Microsoft make the right decision?
Microsoft had to make several tradeoffs when developing patches for Windows XP. Expert Nick Lewis explains what these tradeoffs were and how enterprises should respond. Continue Reading
-
News
20 Oct 2017
Google Play bug bounty hunts RCE vulnerabilities
A Google Play bug bounty program, run by Google and HackerOne, asks testers to hunt for remote code execution vulnerabilities in some of the top Android apps. Continue Reading
-
Tip
19 Oct 2017
How app libraries share user data, even without permission
A new study shows how app libraries can share data among apps, even without permission. Michael Cobb explains how library collusion works and what users can do about it. Continue Reading
-
Answer
17 Oct 2017
How did an ImageMagick vulnerability endanger Yahoo servers?
An ImageMagick vulnerability known as Yahoobleed could give hackers access to Yahoo servers. Expert Michael Cobb explains the flaw and how Yahoo handled the situation. Continue Reading
-
Tip
17 Oct 2017
Analyzing the flaws of Adobe's HTTP security headers
A recent patching issue with Flash drew attention to shortcomings with Adobe's HTTP security headers. Judith Myerson discusses the importance of HTTP header security. Continue Reading
-
News
13 Oct 2017
Equifax website hack blamed on drive-by download attack
Security researchers find drive-by download attacks affecting both Equifax and TransUnion, but Equifax claims systems were not compromised in the website hack. Continue Reading
-
Answer
12 Oct 2017
How can hackers use subtitle files to control endpoint devices?
New media player vulnerabilities have been exposed that enable hackers to use subtitle files to control devices. Expert Judith Myerson explains how this happens. Continue Reading
-
News
11 Oct 2017
October 2017 Patch Tuesday includes Windows zero-day fix
The top priority for Microsoft's October 2017 Patch Tuesday goes to a Windows zero-day vulnerability, but IT should also beware of two publicly disclosed flaws. Continue Reading
-
Answer
11 Oct 2017
Foxit Reader vulnerabilities: What can be done to mitigate them?
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the vulnerabilities and how to mitigate them. Continue Reading
-
Tip
11 Oct 2017
Addressing web server vulnerabilities below the application layer
Web application security is crucial, but enterprises also need to look below that layer for weaknesses. Kevin Beaver explains how to look for common web server vulnerabilities. Continue Reading
-
News
11 Oct 2017
Windows 10 patching could make older systems vulnerable
Microsoft's practice of automatic Windows 10 patching could be uncovering vulnerabilities in older systems that can be exploited by attackers, Google researchers said. Continue Reading
-
Answer
05 Oct 2017
Flash's end of life: How should security teams prepare?
Adobe Flash's end of life is coming, and it includes an incremental removal method, allotting security teams enough time to adjust. Matt Pascucci explains how changes can be made. Continue Reading
-
News
05 Oct 2017
Yahoo data breach found to affect all 3 billion users
Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info was safe. Continue Reading
-
Tip
05 Oct 2017
How the Docker REST API can be turned against enterprises
Security researchers discovered how threat actors can use the Docker REST API for remote code execution attacks. Michael Cobb explains this threat to Docker containers. Continue Reading
-
Opinion
02 Oct 2017
Building a secure operating system with Roger R. Schell
The 'father' of the Orange Book has first-hand knowledge of the standards required for classified computer systems and the issues with subversion. Continue Reading
-
Answer
02 Oct 2017
How can peer group analysis address malicious apps?
Google is using machine learning and peer group analysis to protect against malicious Android apps in the Google Play Store. Matt Pascucci explains how this works. Continue Reading
- 28 Sep 2017
-
Answer
25 Sep 2017
How does a Magento Community Edition flaw allow remote attacks?
As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the cross-site request forgery flaw. Continue Reading
-
Answer
22 Sep 2017
Application containers: What are the major risks?
NIST recently issued guidance on mitigating the security risks of application containers. Expert Judith Myerson outlines some of the risks and fixes highlighted in the guide. Continue Reading
-
Answer
20 Sep 2017
How can the Jenkins vulnerabilities in plug-ins be mitigated?
A wave of Jenkins vulnerabilities related to plug-ins were recently discovered. Expert Judith Myerson explains the flaws and how enterprises should mitigate them. Continue Reading
-
Answer
18 Sep 2017
Are long URLs better for security than short URLs?
Shortened URLs are weak on security and easy for attackers to inject with malware. Expert Judith Myerson discusses how long URLs are more secure, despite the inconvenience. Continue Reading
-
News
15 Sep 2017
Apache Struts vulnerability blamed for Equifax data breach
Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens. Continue Reading
-
Answer
14 Sep 2017
How can users detect dangerous open ports in mobile apps?
Some malicious apps can hijack smartphones and expose those devices with open ports. Expert Michael Cobb explains how this happens and how users can protect themselves. Continue Reading
-
Tip
14 Sep 2017
The HTML5 vulnerabilities enterprises need to know
Adobe Flash's end of life is coming, but there are some HTML5 vulnerabilities enterprises should be aware of before making the switch. Expert Judith Myerson outlines the risks. Continue Reading
-
Tip
11 Sep 2017
After Stuxnet: Windows Shell flaw still most abused years later
A Windows Shell flaw used by the Stuxnet worm continues to pose problems years after it was patched. Nick Lewis explains how the flaw exposes enterprise security shortcomings. Continue Reading
-
Tip
05 Sep 2017
Why DevOps security must be on infosecs' priority list
In the rush to implement DevOps, security is too often overlooked. But DevSecOps is essential in these hack-filled days. Learn how to add security to software development. Continue Reading
-
Feature
01 Sep 2017
HTTPS interception gets a bad rap; now what?
Should products intercept Transport Layer Security connections to gain visibility into network traffic? A new study by researchers and U.S.-CERT warn against it. Continue Reading
-
Opinion
01 Sep 2017
A damaging spring of internet worms and poor performance
Security is a hot topic for media outlets that report on stock markets as companies founder on corporate earnings. The financial fallout of global malware is a call to action. Continue Reading
-
Guide
30 Aug 2017
How to craft an application security strategy that's airtight
A solid application security strategy today must include varieties like cloud apps and mobile. Learn how to set application security policies and practices that keep hackers out. Continue Reading
- 28 Aug 2017
- 28 Aug 2017
-
News
24 Aug 2017
Google Chrome Enterprise adds management options
The Google Chrome Enterprise offering officially allows organizations to manage Google Play Store apps, extensions, Microsoft Active Directory and integrate VMware on Chromebooks. Continue Reading
-
Blog Post
23 Aug 2017
Project Treble is another attempt at faster Android updates
Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ... Continue Reading
-
News
21 Aug 2017
iPhone Secure Enclave firmware encryption key leaked
Experts and Apple say despite the leak of the iPhone Secure Enclave Processor encryption key that can be used to decrypt firmware code, user data and biometric information are still safe. Continue Reading
-
Answer
18 Aug 2017
Why is the patched Apache Struts vulnerability still being exploited?
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform still carries risk for users. Continue Reading
-
News
18 Aug 2017
Hijacked Chrome extensions infect millions of users
News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more. Continue Reading
-
Answer
18 Aug 2017
Stopping EternalBlue: Can the next Windows 10 update help?
The upcoming Windows update, Redstone 3, will patch the vulnerability that enables EternalBlue exploits. Expert Judith Myerson discusses protection methods to use until the update. Continue Reading
-
Tip
17 Aug 2017
Common web application login security weaknesses and how to fix them
Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them. Continue Reading
-
News
15 Aug 2017
Mobile data theft a risk from shared app libraries
Researchers claim malicious actors could commit mobile data theft by using shared third-party libraries and abusing elevated privileges that the permissions granted. Continue Reading
-
Tip
15 Aug 2017
Security teams must embrace DevOps practices or get left behind
DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them. Continue Reading
-
News
11 Aug 2017
Microsoft antivirus policy changes under Kaspersky pressure
Microsoft antivirus policy changes for Windows 10 Fall Creators Update in order to avoid further action in an antitrust case brought by Kaspersky. Continue Reading
-
News
11 Aug 2017
How threat actors weaponized Mia Ash for a social media attack
Dell SecureWorks researchers detected suspicious activity on social media accounts of Mia Ash. When they dug deeper, they discovered a new, complex social engineering attack. Continue Reading
-
Tip
10 Aug 2017
Applying a hacker mindset to application security
It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help. Continue Reading
-
News
09 Aug 2017
Windows 10 Linux subsystem gets first patches
Microsoft's August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server. Continue Reading
-
Answer
08 Aug 2017
How did a Moodle security vulnerability enable remote code execution?
A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited. Continue Reading
-
News
03 Aug 2017
Symantec Website Security, certificate authority business sold to DigiCert
DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates. Continue Reading
-
Answer
03 Aug 2017
How is the Samba vulnerability different from EternalBlue?
A recently discovered Samba vulnerability bears a striking resemblance to the notorious Windows exploit EternalBlue. Expert Matthew Pascucci compares the two vulnerabilities. Continue Reading
-
Answer
01 Aug 2017
How can OSS-Fuzz and other vulnerability scanners help developers?
Google's OSS-Fuzz is an open source vulnerability scanner. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it. Continue Reading
-
News
28 Jul 2017
Adobe's Flash end of life scheduled, finally, for 2020
News roundup: Adobe announced that Flash end of life will happen by the end of 2020. Plus, Microsoft expands its bug bounty program, the 2017 Pwnie Awards winners, and more. Continue Reading
-
Answer
26 Jul 2017
How are FTP injection attacks carried out on Java and Python?
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these attacks. Continue Reading
-
Feature
25 Jul 2017
Federal Cloud Computing
In this excerpt from chapter three of Federal Cloud Computing, author Matthew Metheny discusses open source software and its use in the U.S. federal government. Continue Reading
-
News
19 Jul 2017
Symantec agrees to transfer certificate issuance to third party
Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1. Continue Reading
-
News
14 Jul 2017
Google tackles Android app privacy with machine learning
Google will use machine learning and automated peer review scans to improve Android app privacy and limit app permissions overreach. Continue Reading
-
Tip
13 Jul 2017
How to detect preinstalled malware in custom servers
Preinstalled malware was reportedly found by Apple in its custom servers. Expert Nick Lewis explains how enterprises can protect themselves from encountering similar issues. Continue Reading
-
News
12 Jul 2017
Windows NTLM vulnerabilties addressed in July 2017 Patch Tuesday
Client-side security takes the forefront in Microsoft's July 2017 Patch Tuesday, which includes a fix for legacy Windows NTLM authentication processes. Continue Reading
-
Answer
12 Jul 2017
What made iOS apps handling sensitive data vulnerable to MitM attacks?
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains how developers can prevent this. Continue Reading
-
Answer
11 Jul 2017
Ticketbleed flaw: How can SSL session identities be protected?
The Ticketbleed flaw in F5 Networks' BIG-IP appliances leaks uninitialized memory and SSL session identities. Expert Michael Cobb explains how enterprises can mitigate it. Continue Reading
-
News
11 Jul 2017
Android Samba app from Google only uses broken SMBv1
Experts said the new Android Samba app from Google supported only unsafe SMBv1 despite susceptibility to WannaCry exploits and unclear demand from users. Continue Reading
-
Answer
10 Jul 2017
WordPress REST API flaw: How did it lead to widespread attacks?
A REST API endpoint vulnerability enabled attacks on 1.5 million sites running WordPress. Expert Michael Cobb explains how this vulnerability works and how to prevent attacks. Continue Reading
-
Answer
07 Jul 2017
How are hackers using Unicode domains for spoofing attacks?
A proof of concept showed that hackers can use Unicode domains to make phishing sites look legitimate. Expert Matthew Pascucci explains how this spoofing attack works. Continue Reading
-
Answer
05 Jul 2017
What are the challenges of migrating to HTTPS from HTTP?
Migrating to HTTPS from HTTP is a good idea for security, but the process can be a challenge. Expert Matthew Pascucci explains how to make it easier for enterprises. Continue Reading
-
Buyer's Guide
28 Jun 2017
Select the best patch management software for your company
Patch management software enables businesses to prioritize and automatically update systems so that their assets remain secure. See which best fits your infosec strategy. Continue Reading
-
News
27 Jun 2017
Windows Defender bug could allow full-system takeover
A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability. Continue Reading
-
Feature
27 Jun 2017
Patch management tool comparison: What are the best products?
With so many different vendors in the market, it isn't easy to pick the right patch management tool. Read this product comparison to see which is best for your company. Continue Reading
-
Answer
16 Jun 2017
Why do HTTPS interception tools weaken TLS security?
HTTPS interception tools help protect websites, but they can also hurt TLS security. Expert Judith Myerson explains how this works and what enterprises can do about it. Continue Reading
-
News
15 Jun 2017
Microsoft to disable SMBv1 by default in fall Windows updates
Microsoft claims recent WannaCry attacks did not influence the decision to disable SMBv1 by default in the next major Windows updates. Continue Reading
-
News
14 Jun 2017
More Windows XP fixes in June Patch Tuesday release
Microsoft's June 2017 Patch Tuesday saw another set of Windows XP fixes released in order to secure systems against leaked NSA cyberweapons. Continue Reading
-
Answer
14 Jun 2017
How can DevOps application lifecycle management protect digital keys?
Better DevOps application lifecycle management can help protect cryptographic and digital keys. Expert Judith Myerson explains the right approaches to secure DevOps. Continue Reading
-
News
14 Jun 2017
Symantec CA remediation plan faces more delays
The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community. Continue Reading
-
Tip
12 Jun 2017
To secure Office 365, take advantage of controls Microsoft offers
Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers. Continue Reading
-
Tip
12 Jun 2017
Office 365 security features: As good as it gets?
Online and application security is never perfect, but Office 365 security features come close. Here's an overview of how Microsoft installed security in its popular suite. Continue Reading
-
Tip
12 Jun 2017
Address Office 365 security concerns while enjoying its benefits
Office 365 security concerns should worry you but not dampen your enthusiasm for the platform's potential benefits for your business. Here's what you need to consider upfront. Continue Reading
-
Feature
12 Jun 2017
Know why patch management tools are required in the IT infrastructure
Regulations, efficiency and protection are the main drivers for purchasing patch management tools. See why automated patch management is a requirement for most businesses. Continue Reading
-
News
08 Jun 2017
Researchers port EternalBlue exploit to Windows 10
The EternalBlue exploit behind the WannaCry ransomware attacks has been successfully ported to an older version of Windows 10, but newer versions of the OS are protected. Continue Reading
-
Answer
06 Jun 2017
Adobe Acrobat Chrome extension: What are the risks?
An Adobe Acrobat extension was automatically installed onto users' Chrome browsers during an update. Expert Michael Cobb explains the problems that existed with the extension. Continue Reading
-
Tip
06 Jun 2017
How mobile application assessments can boost enterprise security
Mobile application assessments can help enterprises decide which apps to allow, improving security. Christopher Crowley of the SANS Institute discusses how to use app assessments. Continue Reading
-
Answer
05 Jun 2017
Cisco WebEx extension flaw: How does the patch fall short?
Cisco's WebEx extension flaw was patched to prevent remote code execution from all but WebEx sites. Expert Michael Cobb explains how this flaw could still introduce risk to users. Continue Reading
-
Answer
31 May 2017
Why is patching telecom infrastructures such a challenge?
Patching telecom infrastructures presents many challenges. Expert Matthew Pascucci explains those challenges and what can be done to make sure the systems get patched anyway. Continue Reading
-
Answer
30 May 2017
Domain validation certificates: What are the security issues?
Let's Encrypt domain validation certificates had some security issues. Expert Matthew Pascucci explains how DV certificates work and what the issues were. Continue Reading
-
News
26 May 2017
Samba vulnerability brings WannaCry fears to Linux/Unix
A widespread Samba vulnerability has raised the possibility of attacks similar to WannaCry hitting Linux and Unix systems, but mitigation options are available. Continue Reading
-
Podcast
25 May 2017
Risk & Repeat: Microsoft slams NSA over EternalBlue
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Microsoft's sharp criticism of the NSA over the EternalBlue Windows vulnerability and WannaCry ransomware. Continue Reading
-
Podcast
23 May 2017
Risk & Repeat: WannaCry ransomware worm shakes tech industry
In this week's Risk & Repeat podcast, SearchSecurity editors look at the devastation caused by the WannaCry ransomware worm and discuss how it could have been prevented. Continue Reading
-
News
19 May 2017
Google Play Protect looks to bolster Android app security
News roundup: The new Google Play Protect system aims to improve Android app security. Plus, Google Cloud IoT Core adds layer of device security, and more. Continue Reading
-
Tip
17 May 2017
What the end of hot patching mobile apps means for enterprise security
Apple now restricts mobile app developers from using hot patching, as the technique can change app behavior after it is reviewed. Expert Kevin Beaver goes over enterprise concerns. Continue Reading
-
News
12 May 2017
Cisco vulnerability from WikiLeaks' Vault 7 dump finally patched
News roundup: A Cisco vulnerability disclosed in the Vault 7 dump finally has a patch. Plus, Google's fuzzing bot finds over 1,000 bugs in five months, Comey dismissed and more. Continue Reading
-
Podcast
11 May 2017
Risk & Repeat: Critical Windows bug triggers disclosure debate
This week's Risk & Repeat podcast looks at how a simple tweet about a Windows bug from Project Zero researcher Tavis Ormandy sparked a debate about vulnerability disclosure. Continue Reading
-
Feature
11 May 2017
Timeline: Symantec certificate authority improprieties
Timeline: Follow along as Google and Mozilla raise issues with Symantec certificate authority actions, and then attempt to return trust to the CA giant. Continue Reading
-
News
10 May 2017
Windows zero days squashed in May 2017 Patch Tuesday
Microsoft's May 2017 Patch Tuesday fixed multiple Windows zero-day vulnerabilities, two of which have reportedly been exploited by groups linked to Russia. Continue Reading
-
News
09 May 2017
Microsoft out-of-band patch hits the day before Patch Tuesday
The evening before Patch Tuesday, Microsoft released an emergency out-of-band patch for a dangerous Windows flaw teased by the Google Project Zero team just days earlier. Continue Reading
-
Tip
09 May 2017
How to identify and address overlooked web security vulnerabilities
Certain web security vulnerabilities evade detection due to oversight or carelessness. Expert Kevin Beaver discusses the top overlooked issues and how to address them. Continue Reading
-
News
05 May 2017
TLS client authentication ensures secure IoT connection
The TLS client authentication protocol has been part of the security standard for years, but it's just now coming into its own in certifying secure IoT connections. Continue Reading
-
Answer
03 May 2017
Same-origin policy: How did Adobe Flash Player's implementation fail?
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb explains how this flaw occurred. Continue Reading
-
Feature
27 Apr 2017
Introduction to Social Media Investigation: A Hands-on Approach
In this excerpt from chapter four of Introduction to Social Media Investigation: A Hands-on Approach, author Jennifer Golbeck discusses privacy controls on social media. Continue Reading
-
News
25 Apr 2017
Symantec certificate authority issues, answered
Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust. Continue Reading
