Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
28 Feb 2025
Microsoft targets AI deepfake cybercrime network in lawsuit
Microsoft alleges that defendants used stolen Azure OpenAI API keys and special software to bypass content guardrails and generate illicit AI deepfakes for payment. Continue Reading
-
Tip
28 Feb 2025
Why and how to create Azure service principals
Service principals are a convenient and secure way to protect Azure resources. Follow this step-by-step guide to create a service principal that defends vital Azure workloads. Continue Reading
-
News
15 Feb 2018
Intel bug bounty programs widened after Meltdown and Spectre
Intel's bug bounty program expanded its scope and rewards for bugs across all Intel products, and the company added a new program for side-channel flaws like Meltdown and Spectre. Continue Reading
-
Tip
15 Feb 2018
Embedded application security: Inside OWASP's best practices
OWASP released a draft of new guidelines for creating secure code within embedded software. Expert Judith Myerson discusses best practices, pitfalls to avoid and auditing tools. Continue Reading
-
News
14 Feb 2018
Microsoft: Windows Analytics can detect Meltdown and Spectre exposure
Microsoft says Meltdown and Spectre vulnerabilities are now being tracked by Windows Analytics, which shows users the update status for CPU microcode and OS patches. Continue Reading
-
News
13 Feb 2018
Critical Broadcom flaws discovered in Lenovo ThinkPads
Two critical flaws in Broadcom Wi-Fi chips disclosed last year were thought to affect only Apple and Android devices, but Lenovo now says ThinkPad models are vulnerable, too. Continue Reading
-
Answer
12 Feb 2018
How did a Microsoft Equation Editor flaw put systems at risk?
A stack buffer overflow vulnerability in Microsoft Equation Editor may have put enterprises at risk of compromise. Expert Judith Myerson explains what went wrong. Continue Reading
-
News
09 Feb 2018
Apple's confidential iBoot source code leaked online
News roundup: Apple's highly protected iBoot source code was leaked online. Plus, the U.S. Consumer Financial Protection Bureau stops its Equifax breach investigation, and more. Continue Reading
-
Tip
07 Feb 2018
Dynamic application security testing, honeypots hunt malware
Stealth is an attacker's best friend, especially when it comes to sneaking malware past the firewall. Learn about some trusty tools that can stop malware in its tracks. Continue Reading
-
News
07 Feb 2018
Grammarly vulnerability exposed user documents
A Grammarly vulnerability in its browser extension authentication could have exposed users' sensitive documents if the popular spelling and grammar checker were left unpatched. Continue Reading
-
Tip
06 Feb 2018
How to manage application security risks and shortcomings
A lack of proper testing, communication and insight into best practices all contribute to application security shortcomings. Kevin Beaver explains how to manage the risks. Continue Reading
-
Podcast
05 Feb 2018
Risk & Repeat: Meltdown and Spectre mitigation efforts stumble
In this week's Risk & Repeat podcast, SearchSecurity editors discuss the Meltdown and Spectre mitigations efforts and why they're struggling with bad updates and miscommunication. Continue Reading
-
Answer
01 Feb 2018
Katyusha Scanner: How does it work via a Telegram account?
The Katyusha Scanner is based on the open source penetration test scanner Arachni. However, it has been modified to work through Telegram accounts. Nick Lewis explains how it works. Continue Reading
-
News
31 Jan 2018
Google got faster pulling bad Android apps from Play Store
Google claims it is faster than ever at removing or rejecting bad Android apps from the Play Store before anyone has a chance to install the troublesome app. Continue Reading
-
News
30 Jan 2018
Microsoft rushes Spectre patch to disable Intel's broken update
Microsoft was forced to release an out-of-band Spectre patch designed not to mitigate the vulnerability but to protect users from Intel's broken fix. Continue Reading
-
News
26 Jan 2018
Intel Spectre vulnerability memo raises questions of OEM disclosures
Intel first learned of the Spectre vulnerabilities on June 1, but a confidential document shows the chipmaker didn't inform OEM partners until almost six months later. Continue Reading
-
Tip
25 Jan 2018
How are middleboxes affecting the TLS 1.3 release date?
Despite fixing important security problems, the official TLS 1.3 release date keeps getting pushed back, in part due to failures in middlebox implementations. Continue Reading
-
News
23 Jan 2018
Gemalto Sentinel flaws could lead to ICS attacks
Security researchers found 14 vulnerabilities in Gemalto Sentinel hardware tokens, which could allow dangerous ICS attacks, including full-system takeover. Continue Reading
-
News
23 Jan 2018
Intel Meltdown patches pulled with little explanation
Intel claims it has determined why the Spectre and Meltdown patches caused issues on some chips. The vendor is working on a fix and suggests users don't patch for now. Continue Reading
-
Answer
18 Jan 2018
Public key pinning: Why is Google switching to a new approach?
After introducing HTTP Public Key Pinning to the internet two years ago, the upcoming Chrome will replace it with the Expect-CT header. Matt Pascucci explains the switch. Continue Reading
-
Tip
18 Jan 2018
How HTTP security headers can defend enterprise systems
HTTP security headers that have the right configurations can be used as defense methods against cyberattacks. Expert Judith Myerson outlines how to use headers this way. Continue Reading
-
News
17 Jan 2018
Skygofree Android spyware is a powerful surveillance tool
A new Android spyware tool called Skygofree was described as one of the most powerful surveillance tools and can even capture encrypted messages from WhatsApp. Continue Reading
-
Answer
15 Jan 2018
Canvas fingerprinting: How does it compromise security?
Mozilla recently decided to pull the HTML canvas element from the Firefox browser. Learn from expert Matt Pascucci what this means for the security and privacy of users. Continue Reading
-
News
12 Jan 2018
Intel Meltdown patch causes issues with Broadwell and Haswell
Customers reported the firmware Intel Meltdown patch caused reboot issues on Broadwell and Haswell chipsets, leading to a patch review by Intel. Continue Reading
-
News
10 Jan 2018
Spectre patches highlight January 2018 Patch Tuesday
Microsoft's January 2018 Patch Tuesday brings Meltdown and Spectre patches to users, except those on AMD chipsets or those with incompatible antivirus. Continue Reading
-
Tip
09 Jan 2018
Mobile app risks: Five things enterprises should consider
Just like any other risk in the enterprise, mobile app risks need to be a top priority. Join Kevin Beaver as he explains the dangers that unsecure mobile apps pose. Continue Reading
-
Answer
05 Jan 2018
Unknown apps: How does Android Oreo control installation?
Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver explains what this change means. Continue Reading
-
Answer
04 Jan 2018
Android bootloader: How does it work and what is the risk?
Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk these vulnerabilities present. Continue Reading
-
Answer
03 Jan 2018
How should undocumented features in software be addressed?
Kaspersky Lab recently discovered an undocumented feature in Microsoft Word. Expert Kevin Beaver explains the risks and what to do if you come across one of these software flaws. Continue Reading
-
News
02 Jan 2018
IOHIDeous is a macOS zero-day for the new year
A newly discovered macOS zero-day flaw, called IOHIDeous, affects all versions of Apple's desktop operating system and can allow for full-system compromise. Continue Reading
-
Answer
29 Dec 2017
Can a decentralized open source community properly address security?
SearchSecurity talks with UC Berkeley Professor Steven Weber about the open source community, the security challenges facing it and the prospect of software liability. Continue Reading
-
News
29 Dec 2017
Browser login managers allow tracking scripts to steal credentials
News roundup: Login managers enable the exposure of user credentials in over 1,000 websites. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more. Continue Reading
-
Answer
21 Dec 2017
Antimalware software: How can Windows 10 disable it?
Kaspersky Lab recently accused Windows 10 of acting as an antivirus block to third-party antimalware software. Discover how your software is being blocked and how this can be fixed. Continue Reading
-
News
19 Dec 2017
Flawed Keeper password manager preinstalled on Windows 10
Google Project Zero's Tavis Ormandy discovered a flaw in the Keeper password manager browser extension that could allow attackers to steal credentials. Continue Reading
-
Answer
18 Dec 2017
Zusy malware: Are your PowerPoint files at risk?
Several spam campaigns were discovered after a malicious PowerPoint file was exposed. Learn how Zusy malware is delivered upon hovering over hypertext and how files can be saved. Continue Reading
-
News
13 Dec 2017
Return of Bleichenbacher: ROBOT attack means trouble for TLS
A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago. Continue Reading
-
Tip
12 Dec 2017
How to manage HTTP response headers for IIS, Nginx and Apache
HTTP response header configuration files on servers need to be set up properly to secure sensitive data. Expert Judith Myerson outlines how to do this on different types of servers. Continue Reading
-
News
08 Dec 2017
Emergency Microsoft patch out for Malware Protection Engine
A critical vulnerability found in the Windows Malware Protection Engine required an emergency Microsoft patch, but one expert said Microsoft hasn't handled the announcement well. Continue Reading
-
Blog Post
07 Dec 2017
OWASP Top Ten: Surviving in the cyber wilderness
The latest version of the OWASP Top Ten web application risks is much like previous versions, and that's not a bad thing at all. Continue Reading
-
Answer
06 Dec 2017
How can Windows digital signature check be defeated?
A security researcher discovered that editing two registry keys can alter a Windows digital signature check. Matt Pascucci explains what that means for digital signatures. Continue Reading
-
News
05 Dec 2017
Keyboard data leak exposes millions of personal records
A keyboard data leak by mobile developer Ai.type exposed millions of personal records through misconfigured MongoDB database settings. Continue Reading
-
News
05 Dec 2017
Apple High Sierra patch undone by macOS update
Apple released a High Sierra patch to fix a serious macOS authentication vulnerability discovered last week, but users could accidentally undo the patch with a routine OS update. Continue Reading
-
Answer
01 Dec 2017
How does the GhostHook attack bypass Microsoft PatchGuard?
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well as how the attack works. Continue Reading
-
News
29 Nov 2017
Serious macOS flaw in High Sierra allows attackers to log in as root
An Apple macOS flaw in High Sierra could allow an attacker to bypass any authentication dialog, including signing in to a system as a full root user. Continue Reading
-
Feature
28 Nov 2017
Thor's OS Xodus
In this excerpt from chapter one of Thor's OS Xodus, author Timothy "Thor" Mullen discusses OS X, privacy, and online safety. Continue Reading
-
Answer
27 Nov 2017
How does the Stack Clash vulnerability target Unix-based OSes?
A privilege escalation vulnerability known as Stack Clash affects Unix-based OSes. Expert Michael Cobb explains the flaw and how to protect systems from being exploited. Continue Reading
-
Tip
21 Nov 2017
How to add HTTP security headers to various types of servers
Expert Judith Myerson outlines the different types of HTTP security headers and how to add them to different servers, including Apache, Ngnix and Microsoft IIS Manager. Continue Reading
-
Feature
16 Nov 2017
With continuous security, SecDevOps deconstructs CI/CD
Nothing is set in stone when an organization follows a DevOps methodology -- a DevOps security model pushes developers and ops to constantly retune, slow down and speed up. Continue Reading
-
Tip
16 Nov 2017
How security controls affect web security assessment results
Network security controls are a blessing and a curse as they help an organization's IT environment, yet hinder web security assessment results. Kevin Beaver explains how they work. Continue Reading
-
Answer
14 Nov 2017
HTTP Strict Transport Security: What are the security benefits?
Google's use of HTTP Strict Transport Security aims to improve web browsing security. Expert Judith Myerson explains how HSTS can make the internet more secure. Continue Reading
-
Tip
14 Nov 2017
How social engineering attacks have embraced online personas
Discover the extent to which attackers will go to plan social engineering attacks. Nick Lewis explains how the progression of threats is changing how we monitor social media. Continue Reading
-
Answer
10 Nov 2017
VMware AppDefense: How will it address endpoint security?
VMware announced AppDefense, its latest effort to help improve endpoint security. Matt Pascucci explains how AppDefense addresses applications in vSphere environments. Continue Reading
-
Tip
09 Nov 2017
Why threat models are crucial for secure software development
Threat modeling is an important component of the secure software development process. Steve Lipner of SafeCode explains how threat models benefit software security. Continue Reading
-
Answer
09 Nov 2017
Killer discovery: What does a new Intel kill switch mean for users?
Cybersecurity company Positive Technologies recently discovered an Intel kill switch in the vendor's Management Engine. Learn more about this kill switch with expert Matt Pascucci. Continue Reading
-
News
08 Nov 2017
Android KRACK flaw patched in latest security update
The latest security release from Google patched the Android KRACK vulnerability affecting Wi-Fi's WPA2 protocol, but update confusion leaves users unsure if they are safe. Continue Reading
-
News
07 Nov 2017
Fake WhatsApp app downloaded 1 million times
A fake WhatsApp app bypassed Google's Play Store checks and was downloaded 1 million times, but one expert said Google's store is still the safest place to get apps. Continue Reading
-
Tip
26 Oct 2017
Windows XP patches: Did Microsoft make the right decision?
Microsoft had to make several tradeoffs when developing patches for Windows XP. Expert Nick Lewis explains what these tradeoffs were and how enterprises should respond. Continue Reading
-
News
20 Oct 2017
Google Play bug bounty hunts RCE vulnerabilities
A Google Play bug bounty program, run by Google and HackerOne, asks testers to hunt for remote code execution vulnerabilities in some of the top Android apps. Continue Reading
-
Tip
19 Oct 2017
How app libraries share user data, even without permission
A new study shows how app libraries can share data among apps, even without permission. Michael Cobb explains how library collusion works and what users can do about it. Continue Reading
-
Answer
17 Oct 2017
How did an ImageMagick vulnerability endanger Yahoo servers?
An ImageMagick vulnerability known as Yahoobleed could give hackers access to Yahoo servers. Expert Michael Cobb explains the flaw and how Yahoo handled the situation. Continue Reading
-
Tip
17 Oct 2017
Analyzing the flaws of Adobe's HTTP security headers
A recent patching issue with Flash drew attention to shortcomings with Adobe's HTTP security headers. Judith Myerson discusses the importance of HTTP header security. Continue Reading
-
News
13 Oct 2017
Equifax website hack blamed on drive-by download attack
Security researchers find drive-by download attacks affecting both Equifax and TransUnion, but Equifax claims systems were not compromised in the website hack. Continue Reading
-
Answer
12 Oct 2017
How can hackers use subtitle files to control endpoint devices?
New media player vulnerabilities have been exposed that enable hackers to use subtitle files to control devices. Expert Judith Myerson explains how this happens. Continue Reading
-
News
11 Oct 2017
October 2017 Patch Tuesday includes Windows zero-day fix
The top priority for Microsoft's October 2017 Patch Tuesday goes to a Windows zero-day vulnerability, but IT should also beware of two publicly disclosed flaws. Continue Reading
-
Answer
11 Oct 2017
Foxit Reader vulnerabilities: What can be done to mitigate them?
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the vulnerabilities and how to mitigate them. Continue Reading
-
Tip
11 Oct 2017
Addressing web server vulnerabilities below the application layer
Web application security is crucial, but enterprises also need to look below that layer for weaknesses. Kevin Beaver explains how to look for common web server vulnerabilities. Continue Reading
-
News
11 Oct 2017
Windows 10 patching could make older systems vulnerable
Microsoft's practice of automatic Windows 10 patching could be uncovering vulnerabilities in older systems that can be exploited by attackers, Google researchers said. Continue Reading
-
Answer
05 Oct 2017
Flash's end of life: How should security teams prepare?
Adobe Flash's end of life is coming, and it includes an incremental removal method, allotting security teams enough time to adjust. Matt Pascucci explains how changes can be made. Continue Reading
-
News
05 Oct 2017
Yahoo data breach found to affect all 3 billion users
Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info was safe. Continue Reading
-
Tip
05 Oct 2017
How the Docker REST API can be turned against enterprises
Security researchers discovered how threat actors can use the Docker REST API for remote code execution attacks. Michael Cobb explains this threat to Docker containers. Continue Reading
-
Answer
02 Oct 2017
How can peer group analysis address malicious apps?
Google is using machine learning and peer group analysis to protect against malicious Android apps in the Google Play Store. Matt Pascucci explains how this works. Continue Reading
- 28 Sep 2017
-
Answer
25 Sep 2017
How does a Magento Community Edition flaw allow remote attacks?
As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the cross-site request forgery flaw. Continue Reading
-
Answer
22 Sep 2017
Application containers: What are the major risks?
NIST recently issued guidance on mitigating the security risks of application containers. Expert Judith Myerson outlines some of the risks and fixes highlighted in the guide. Continue Reading
-
Answer
20 Sep 2017
How can the Jenkins vulnerabilities in plug-ins be mitigated?
A wave of Jenkins vulnerabilities related to plug-ins were recently discovered. Expert Judith Myerson explains the flaws and how enterprises should mitigate them. Continue Reading
-
Answer
18 Sep 2017
Are long URLs better for security than short URLs?
Shortened URLs are weak on security and easy for attackers to inject with malware. Expert Judith Myerson discusses how long URLs are more secure, despite the inconvenience. Continue Reading
-
News
15 Sep 2017
Apache Struts vulnerability blamed for Equifax data breach
Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens. Continue Reading
-
Answer
14 Sep 2017
How can users detect dangerous open ports in mobile apps?
Some malicious apps can hijack smartphones and expose those devices with open ports. Expert Michael Cobb explains how this happens and how users can protect themselves. Continue Reading
-
Tip
14 Sep 2017
The HTML5 vulnerabilities enterprises need to know
Adobe Flash's end of life is coming, but there are some HTML5 vulnerabilities enterprises should be aware of before making the switch. Expert Judith Myerson outlines the risks. Continue Reading
-
Tip
11 Sep 2017
After Stuxnet: Windows Shell flaw still most abused years later
A Windows Shell flaw used by the Stuxnet worm continues to pose problems years after it was patched. Nick Lewis explains how the flaw exposes enterprise security shortcomings. Continue Reading
-
Tip
05 Sep 2017
Why DevOps security must be on infosecs' priority list
In the rush to implement DevOps, security is too often overlooked. But DevSecOps is essential in these hack-filled days. Learn how to add security to software development. Continue Reading
-
Feature
01 Sep 2017
HTTPS interception gets a bad rap; now what?
Should products intercept Transport Layer Security connections to gain visibility into network traffic? A new study by researchers and U.S.-CERT warn against it. Continue Reading
-
Opinion
01 Sep 2017
A damaging spring of internet worms and poor performance
Security is a hot topic for media outlets that report on stock markets as companies founder on corporate earnings. The financial fallout of global malware is a call to action. Continue Reading
-
Guide
30 Aug 2017
How to craft an application security strategy that's airtight
A solid application security strategy today must include varieties like cloud apps and mobile. Learn how to set application security policies and practices that keep hackers out. Continue Reading
- 28 Aug 2017
- 28 Aug 2017
-
News
24 Aug 2017
Google Chrome Enterprise adds management options
The Google Chrome Enterprise offering officially allows organizations to manage Google Play Store apps, extensions, Microsoft Active Directory and integrate VMware on Chromebooks. Continue Reading
-
Blog Post
23 Aug 2017
Project Treble is another attempt at faster Android updates
Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ... Continue Reading
-
News
21 Aug 2017
iPhone Secure Enclave firmware encryption key leaked
Experts and Apple say despite the leak of the iPhone Secure Enclave Processor encryption key that can be used to decrypt firmware code, user data and biometric information are still safe. Continue Reading
-
Answer
18 Aug 2017
Why is the patched Apache Struts vulnerability still being exploited?
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform still carries risk for users. Continue Reading
-
News
18 Aug 2017
Hijacked Chrome extensions infect millions of users
News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more. Continue Reading
-
Answer
18 Aug 2017
Stopping EternalBlue: Can the next Windows 10 update help?
The upcoming Windows update, Redstone 3, will patch the vulnerability that enables EternalBlue exploits. Expert Judith Myerson discusses protection methods to use until the update. Continue Reading
-
Tip
17 Aug 2017
Common web application login security weaknesses and how to fix them
Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them. Continue Reading
-
News
15 Aug 2017
Mobile data theft a risk from shared app libraries
Researchers claim malicious actors could commit mobile data theft by using shared third-party libraries and abusing elevated privileges that the permissions granted. Continue Reading
-
Tip
15 Aug 2017
Security teams must embrace DevOps practices or get left behind
DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them. Continue Reading
-
News
11 Aug 2017
Microsoft antivirus policy changes under Kaspersky pressure
Microsoft antivirus policy changes for Windows 10 Fall Creators Update in order to avoid further action in an antitrust case brought by Kaspersky. Continue Reading
-
Tip
10 Aug 2017
Applying a hacker mindset to application security
It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help. Continue Reading
-
News
09 Aug 2017
Windows 10 Linux subsystem gets first patches
Microsoft's August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server. Continue Reading
-
Answer
08 Aug 2017
How did a Moodle security vulnerability enable remote code execution?
A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited. Continue Reading
-
News
03 Aug 2017
Symantec Website Security, certificate authority business sold to DigiCert
DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates. Continue Reading
-
Answer
03 Aug 2017
How is the Samba vulnerability different from EternalBlue?
A recently discovered Samba vulnerability bears a striking resemblance to the notorious Windows exploit EternalBlue. Expert Matthew Pascucci compares the two vulnerabilities. Continue Reading
-
Answer
01 Aug 2017
How can OSS-Fuzz and other vulnerability scanners help developers?
Google's OSS-Fuzz is an open source vulnerability scanner. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it. Continue Reading
