Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
Tip
16 Dec 2024
7 DevSecOps tools to secure each step of the SDLC
DevSecOps tools come in many shapes and sizes, helping organizations do everything from discovering software vulnerabilities to preventing software supply chain data breaches. Continue Reading
-
News
12 Dec 2024
Aqua Security warns of significant risks in Prometheus stack
The cloud security vendor called on Prometheus to provide users with additional safeguards to protect against misconfigurations discovered in the open source monitoring tool. Continue Reading
-
News
13 Dec 2017
Return of Bleichenbacher: ROBOT attack means trouble for TLS
A team of security researchers discovered many vendors' TLS implementations are vulnerable to the Bleichenbacher oracle attack, which was first discovered 19 years ago. Continue Reading
-
Tip
12 Dec 2017
How to manage HTTP response headers for IIS, Nginx and Apache
HTTP response header configuration files on servers need to be set up properly to secure sensitive data. Expert Judith Myerson outlines how to do this on different types of servers. Continue Reading
-
News
08 Dec 2017
Emergency Microsoft patch out for Malware Protection Engine
A critical vulnerability found in the Windows Malware Protection Engine required an emergency Microsoft patch, but one expert said Microsoft hasn't handled the announcement well. Continue Reading
-
Blog Post
07 Dec 2017
OWASP Top Ten: Surviving in the cyber wilderness
The latest version of the OWASP Top Ten web application risks is much like previous versions, and that's not a bad thing at all. Continue Reading
-
Answer
06 Dec 2017
How can Windows digital signature check be defeated?
A security researcher discovered that editing two registry keys can alter a Windows digital signature check. Matt Pascucci explains what that means for digital signatures. Continue Reading
-
News
05 Dec 2017
Keyboard data leak exposes millions of personal records
A keyboard data leak by mobile developer Ai.type exposed millions of personal records through misconfigured MongoDB database settings. Continue Reading
-
News
05 Dec 2017
Apple High Sierra patch undone by macOS update
Apple released a High Sierra patch to fix a serious macOS authentication vulnerability discovered last week, but users could accidentally undo the patch with a routine OS update. Continue Reading
-
Answer
01 Dec 2017
How does the GhostHook attack bypass Microsoft PatchGuard?
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well as how the attack works. Continue Reading
-
News
29 Nov 2017
Serious macOS flaw in High Sierra allows attackers to log in as root
An Apple macOS flaw in High Sierra could allow an attacker to bypass any authentication dialog, including signing in to a system as a full root user. Continue Reading
-
Feature
28 Nov 2017
Thor's OS Xodus
In this excerpt from chapter one of Thor's OS Xodus, author Timothy "Thor" Mullen discusses OS X, privacy, and online safety. Continue Reading
-
Feature
27 Nov 2017
Security for applications: What tools and principles work?
Better app security requires both designing security in and protecting it from without. Learn how to work it from both angles and what tools you'll need for the job. Continue Reading
-
Answer
27 Nov 2017
How does the Stack Clash vulnerability target Unix-based OSes?
A privilege escalation vulnerability known as Stack Clash affects Unix-based OSes. Expert Michael Cobb explains the flaw and how to protect systems from being exploited. Continue Reading
-
Tip
21 Nov 2017
How to add HTTP security headers to various types of servers
Expert Judith Myerson outlines the different types of HTTP security headers and how to add them to different servers, including Apache, Ngnix and Microsoft IIS Manager. Continue Reading
-
Feature
16 Nov 2017
With continuous security, SecDevOps deconstructs CI/CD
Nothing is set in stone when an organization follows a DevOps methodology -- a DevOps security model pushes developers and ops to constantly retune, slow down and speed up. Continue Reading
-
Tip
16 Nov 2017
How security controls affect web security assessment results
Network security controls are a blessing and a curse as they help an organization's IT environment, yet hinder web security assessment results. Kevin Beaver explains how they work. Continue Reading
-
Answer
14 Nov 2017
HTTP Strict Transport Security: What are the security benefits?
Google's use of HTTP Strict Transport Security aims to improve web browsing security. Expert Judith Myerson explains how HSTS can make the internet more secure. Continue Reading
-
Tip
14 Nov 2017
How social engineering attacks have embraced online personas
Discover the extent to which attackers will go to plan social engineering attacks. Nick Lewis explains how the progression of threats is changing how we monitor social media. Continue Reading
-
Answer
10 Nov 2017
VMware AppDefense: How will it address endpoint security?
VMware announced AppDefense, its latest effort to help improve endpoint security. Matt Pascucci explains how AppDefense addresses applications in vSphere environments. Continue Reading
-
Tip
09 Nov 2017
Why threat models are crucial for secure software development
Threat modeling is an important component of the secure software development process. Steve Lipner of SafeCode explains how threat models benefit software security. Continue Reading
-
Answer
09 Nov 2017
Killer discovery: What does a new Intel kill switch mean for users?
Cybersecurity company Positive Technologies recently discovered an Intel kill switch in the vendor's Management Engine. Learn more about this kill switch with expert Matt Pascucci. Continue Reading
-
News
08 Nov 2017
Android KRACK flaw patched in latest security update
The latest security release from Google patched the Android KRACK vulnerability affecting Wi-Fi's WPA2 protocol, but update confusion leaves users unsure if they are safe. Continue Reading
-
News
07 Nov 2017
Fake WhatsApp app downloaded 1 million times
A fake WhatsApp app bypassed Google's Play Store checks and was downloaded 1 million times, but one expert said Google's store is still the safest place to get apps. Continue Reading
-
Tip
26 Oct 2017
Windows XP patches: Did Microsoft make the right decision?
Microsoft had to make several tradeoffs when developing patches for Windows XP. Expert Nick Lewis explains what these tradeoffs were and how enterprises should respond. Continue Reading
-
News
20 Oct 2017
Google Play bug bounty hunts RCE vulnerabilities
A Google Play bug bounty program, run by Google and HackerOne, asks testers to hunt for remote code execution vulnerabilities in some of the top Android apps. Continue Reading
-
Tip
19 Oct 2017
How app libraries share user data, even without permission
A new study shows how app libraries can share data among apps, even without permission. Michael Cobb explains how library collusion works and what users can do about it. Continue Reading
-
Answer
17 Oct 2017
How did an ImageMagick vulnerability endanger Yahoo servers?
An ImageMagick vulnerability known as Yahoobleed could give hackers access to Yahoo servers. Expert Michael Cobb explains the flaw and how Yahoo handled the situation. Continue Reading
-
Tip
17 Oct 2017
Analyzing the flaws of Adobe's HTTP security headers
A recent patching issue with Flash drew attention to shortcomings with Adobe's HTTP security headers. Judith Myerson discusses the importance of HTTP header security. Continue Reading
-
News
13 Oct 2017
Equifax website hack blamed on drive-by download attack
Security researchers find drive-by download attacks affecting both Equifax and TransUnion, but Equifax claims systems were not compromised in the website hack. Continue Reading
-
Answer
12 Oct 2017
How can hackers use subtitle files to control endpoint devices?
New media player vulnerabilities have been exposed that enable hackers to use subtitle files to control devices. Expert Judith Myerson explains how this happens. Continue Reading
-
News
11 Oct 2017
October 2017 Patch Tuesday includes Windows zero-day fix
The top priority for Microsoft's October 2017 Patch Tuesday goes to a Windows zero-day vulnerability, but IT should also beware of two publicly disclosed flaws. Continue Reading
-
Answer
11 Oct 2017
Foxit Reader vulnerabilities: What can be done to mitigate them?
Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the vulnerabilities and how to mitigate them. Continue Reading
-
Tip
11 Oct 2017
Addressing web server vulnerabilities below the application layer
Web application security is crucial, but enterprises also need to look below that layer for weaknesses. Kevin Beaver explains how to look for common web server vulnerabilities. Continue Reading
-
News
11 Oct 2017
Windows 10 patching could make older systems vulnerable
Microsoft's practice of automatic Windows 10 patching could be uncovering vulnerabilities in older systems that can be exploited by attackers, Google researchers said. Continue Reading
-
Answer
05 Oct 2017
Flash's end of life: How should security teams prepare?
Adobe Flash's end of life is coming, and it includes an incremental removal method, allotting security teams enough time to adjust. Matt Pascucci explains how changes can be made. Continue Reading
-
News
05 Oct 2017
Yahoo data breach found to affect all 3 billion users
Newly uncovered information indicated that all 3 billion users were affected by the 2013 Yahoo data breach, but Oath claimed passwords and credit card info was safe. Continue Reading
-
Tip
05 Oct 2017
How the Docker REST API can be turned against enterprises
Security researchers discovered how threat actors can use the Docker REST API for remote code execution attacks. Michael Cobb explains this threat to Docker containers. Continue Reading
-
Opinion
02 Oct 2017
Building a secure operating system with Roger R. Schell
The 'father' of the Orange Book has first-hand knowledge of the standards required for classified computer systems and the issues with subversion. Continue Reading
-
Answer
02 Oct 2017
How can peer group analysis address malicious apps?
Google is using machine learning and peer group analysis to protect against malicious Android apps in the Google Play Store. Matt Pascucci explains how this works. Continue Reading
- 28 Sep 2017
-
Answer
25 Sep 2017
How does a Magento Community Edition flaw allow remote attacks?
As the Magento Community Edition suffers a new zero-day vulnerability, expert Nick Lewis explains how it's being exploited and how to mitigate the cross-site request forgery flaw. Continue Reading
-
Answer
22 Sep 2017
Application containers: What are the major risks?
NIST recently issued guidance on mitigating the security risks of application containers. Expert Judith Myerson outlines some of the risks and fixes highlighted in the guide. Continue Reading
-
Answer
20 Sep 2017
How can the Jenkins vulnerabilities in plug-ins be mitigated?
A wave of Jenkins vulnerabilities related to plug-ins were recently discovered. Expert Judith Myerson explains the flaws and how enterprises should mitigate them. Continue Reading
-
Answer
18 Sep 2017
Are long URLs better for security than short URLs?
Shortened URLs are weak on security and easy for attackers to inject with malware. Expert Judith Myerson discusses how long URLs are more secure, despite the inconvenience. Continue Reading
-
News
15 Sep 2017
Apache Struts vulnerability blamed for Equifax data breach
Equifax has confirmed an unpatched critical Apache Struts vulnerability was exploited in the breach that compromised the personal data of 143 million U.S. citizens. Continue Reading
-
Answer
14 Sep 2017
How can users detect dangerous open ports in mobile apps?
Some malicious apps can hijack smartphones and expose those devices with open ports. Expert Michael Cobb explains how this happens and how users can protect themselves. Continue Reading
-
Tip
14 Sep 2017
The HTML5 vulnerabilities enterprises need to know
Adobe Flash's end of life is coming, but there are some HTML5 vulnerabilities enterprises should be aware of before making the switch. Expert Judith Myerson outlines the risks. Continue Reading
-
Tip
11 Sep 2017
After Stuxnet: Windows Shell flaw still most abused years later
A Windows Shell flaw used by the Stuxnet worm continues to pose problems years after it was patched. Nick Lewis explains how the flaw exposes enterprise security shortcomings. Continue Reading
-
Tip
05 Sep 2017
Why DevOps security must be on infosecs' priority list
In the rush to implement DevOps, security is too often overlooked. But DevSecOps is essential in these hack-filled days. Learn how to add security to software development. Continue Reading
-
Feature
01 Sep 2017
HTTPS interception gets a bad rap; now what?
Should products intercept Transport Layer Security connections to gain visibility into network traffic? A new study by researchers and U.S.-CERT warn against it. Continue Reading
-
Opinion
01 Sep 2017
A damaging spring of internet worms and poor performance
Security is a hot topic for media outlets that report on stock markets as companies founder on corporate earnings. The financial fallout of global malware is a call to action. Continue Reading
-
Guide
30 Aug 2017
How to craft an application security strategy that's airtight
A solid application security strategy today must include varieties like cloud apps and mobile. Learn how to set application security policies and practices that keep hackers out. Continue Reading
- 28 Aug 2017
- 28 Aug 2017
-
News
24 Aug 2017
Google Chrome Enterprise adds management options
The Google Chrome Enterprise offering officially allows organizations to manage Google Play Store apps, extensions, Microsoft Active Directory and integrate VMware on Chromebooks. Continue Reading
-
Blog Post
23 Aug 2017
Project Treble is another attempt at faster Android updates
Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ... Continue Reading
-
News
21 Aug 2017
iPhone Secure Enclave firmware encryption key leaked
Experts and Apple say despite the leak of the iPhone Secure Enclave Processor encryption key that can be used to decrypt firmware code, user data and biometric information are still safe. Continue Reading
-
Answer
18 Aug 2017
Why is the patched Apache Struts vulnerability still being exploited?
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform still carries risk for users. Continue Reading
-
News
18 Aug 2017
Hijacked Chrome extensions infect millions of users
News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more. Continue Reading
-
Answer
18 Aug 2017
Stopping EternalBlue: Can the next Windows 10 update help?
The upcoming Windows update, Redstone 3, will patch the vulnerability that enables EternalBlue exploits. Expert Judith Myerson discusses protection methods to use until the update. Continue Reading
-
Tip
17 Aug 2017
Common web application login security weaknesses and how to fix them
Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them. Continue Reading
-
News
15 Aug 2017
Mobile data theft a risk from shared app libraries
Researchers claim malicious actors could commit mobile data theft by using shared third-party libraries and abusing elevated privileges that the permissions granted. Continue Reading
-
Tip
15 Aug 2017
Security teams must embrace DevOps practices or get left behind
DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them. Continue Reading
-
News
11 Aug 2017
Microsoft antivirus policy changes under Kaspersky pressure
Microsoft antivirus policy changes for Windows 10 Fall Creators Update in order to avoid further action in an antitrust case brought by Kaspersky. Continue Reading
-
News
11 Aug 2017
How threat actors weaponized Mia Ash for a social media attack
Dell SecureWorks researchers detected suspicious activity on social media accounts of Mia Ash. When they dug deeper, they discovered a new, complex social engineering attack. Continue Reading
-
Tip
10 Aug 2017
Applying a hacker mindset to application security
It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help. Continue Reading
-
News
09 Aug 2017
Windows 10 Linux subsystem gets first patches
Microsoft's August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server. Continue Reading
-
Answer
08 Aug 2017
How did a Moodle security vulnerability enable remote code execution?
A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited. Continue Reading
-
News
03 Aug 2017
Symantec Website Security, certificate authority business sold to DigiCert
DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates. Continue Reading
-
Answer
03 Aug 2017
How is the Samba vulnerability different from EternalBlue?
A recently discovered Samba vulnerability bears a striking resemblance to the notorious Windows exploit EternalBlue. Expert Matthew Pascucci compares the two vulnerabilities. Continue Reading
-
Answer
01 Aug 2017
How can OSS-Fuzz and other vulnerability scanners help developers?
Google's OSS-Fuzz is an open source vulnerability scanner. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it. Continue Reading
-
News
28 Jul 2017
Adobe's Flash end of life scheduled, finally, for 2020
News roundup: Adobe announced that Flash end of life will happen by the end of 2020. Plus, Microsoft expands its bug bounty program, the 2017 Pwnie Awards winners, and more. Continue Reading
-
Answer
26 Jul 2017
How are FTP injection attacks carried out on Java and Python?
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these attacks. Continue Reading
-
Feature
25 Jul 2017
Federal Cloud Computing
In this excerpt from chapter three of Federal Cloud Computing, author Matthew Metheny discusses open source software and its use in the U.S. federal government. Continue Reading
-
News
19 Jul 2017
Symantec agrees to transfer certificate issuance to third party
Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1. Continue Reading
-
News
14 Jul 2017
Google tackles Android app privacy with machine learning
Google will use machine learning and automated peer review scans to improve Android app privacy and limit app permissions overreach. Continue Reading
-
Tip
13 Jul 2017
How to detect preinstalled malware in custom servers
Preinstalled malware was reportedly found by Apple in its custom servers. Expert Nick Lewis explains how enterprises can protect themselves from encountering similar issues. Continue Reading
-
News
12 Jul 2017
Windows NTLM vulnerabilties addressed in July 2017 Patch Tuesday
Client-side security takes the forefront in Microsoft's July 2017 Patch Tuesday, which includes a fix for legacy Windows NTLM authentication processes. Continue Reading
-
Answer
12 Jul 2017
What made iOS apps handling sensitive data vulnerable to MitM attacks?
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains how developers can prevent this. Continue Reading
-
Answer
11 Jul 2017
Ticketbleed flaw: How can SSL session identities be protected?
The Ticketbleed flaw in F5 Networks' BIG-IP appliances leaks uninitialized memory and SSL session identities. Expert Michael Cobb explains how enterprises can mitigate it. Continue Reading
-
News
11 Jul 2017
Android Samba app from Google only uses broken SMBv1
Experts said the new Android Samba app from Google supported only unsafe SMBv1 despite susceptibility to WannaCry exploits and unclear demand from users. Continue Reading
-
Answer
10 Jul 2017
WordPress REST API flaw: How did it lead to widespread attacks?
A REST API endpoint vulnerability enabled attacks on 1.5 million sites running WordPress. Expert Michael Cobb explains how this vulnerability works and how to prevent attacks. Continue Reading
-
Answer
07 Jul 2017
How are hackers using Unicode domains for spoofing attacks?
A proof of concept showed that hackers can use Unicode domains to make phishing sites look legitimate. Expert Matthew Pascucci explains how this spoofing attack works. Continue Reading
-
Answer
05 Jul 2017
What are the challenges of migrating to HTTPS from HTTP?
Migrating to HTTPS from HTTP is a good idea for security, but the process can be a challenge. Expert Matthew Pascucci explains how to make it easier for enterprises. Continue Reading
-
Buyer's Guide
28 Jun 2017
Select the best patch management software for your company
Patch management software enables businesses to prioritize and automatically update systems so that their assets remain secure. See which best fits your infosec strategy. Continue Reading
-
News
27 Jun 2017
Windows Defender bug could allow full-system takeover
A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability. Continue Reading
-
Feature
27 Jun 2017
Patch management tool comparison: What are the best products?
With so many different vendors in the market, it isn't easy to pick the right patch management tool. Read this product comparison to see which is best for your company. Continue Reading
-
Answer
16 Jun 2017
Why do HTTPS interception tools weaken TLS security?
HTTPS interception tools help protect websites, but they can also hurt TLS security. Expert Judith Myerson explains how this works and what enterprises can do about it. Continue Reading
-
News
15 Jun 2017
Microsoft to disable SMBv1 by default in fall Windows updates
Microsoft claims recent WannaCry attacks did not influence the decision to disable SMBv1 by default in the next major Windows updates. Continue Reading
-
News
14 Jun 2017
More Windows XP fixes in June Patch Tuesday release
Microsoft's June 2017 Patch Tuesday saw another set of Windows XP fixes released in order to secure systems against leaked NSA cyberweapons. Continue Reading
-
Answer
14 Jun 2017
How can DevOps application lifecycle management protect digital keys?
Better DevOps application lifecycle management can help protect cryptographic and digital keys. Expert Judith Myerson explains the right approaches to secure DevOps. Continue Reading
-
News
14 Jun 2017
Symantec CA remediation plan faces more delays
The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community. Continue Reading
-
Tip
12 Jun 2017
To secure Office 365, take advantage of controls Microsoft offers
Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers. Continue Reading
-
Tip
12 Jun 2017
Office 365 security features: As good as it gets?
Online and application security is never perfect, but Office 365 security features come close. Here's an overview of how Microsoft installed security in its popular suite. Continue Reading
-
Tip
12 Jun 2017
Address Office 365 security concerns while enjoying its benefits
Office 365 security concerns should worry you but not dampen your enthusiasm for the platform's potential benefits for your business. Here's what you need to consider upfront. Continue Reading
-
Feature
12 Jun 2017
Know why patch management tools are required in the IT infrastructure
Regulations, efficiency and protection are the main drivers for purchasing patch management tools. See why automated patch management is a requirement for most businesses. Continue Reading
-
News
08 Jun 2017
Researchers port EternalBlue exploit to Windows 10
The EternalBlue exploit behind the WannaCry ransomware attacks has been successfully ported to an older version of Windows 10, but newer versions of the OS are protected. Continue Reading
-
Answer
06 Jun 2017
Adobe Acrobat Chrome extension: What are the risks?
An Adobe Acrobat extension was automatically installed onto users' Chrome browsers during an update. Expert Michael Cobb explains the problems that existed with the extension. Continue Reading
-
Tip
06 Jun 2017
How mobile application assessments can boost enterprise security
Mobile application assessments can help enterprises decide which apps to allow, improving security. Christopher Crowley of the SANS Institute discusses how to use app assessments. Continue Reading
-
Answer
05 Jun 2017
Cisco WebEx extension flaw: How does the patch fall short?
Cisco's WebEx extension flaw was patched to prevent remote code execution from all but WebEx sites. Expert Michael Cobb explains how this flaw could still introduce risk to users. Continue Reading
-
Answer
31 May 2017
Why is patching telecom infrastructures such a challenge?
Patching telecom infrastructures presents many challenges. Expert Matthew Pascucci explains those challenges and what can be done to make sure the systems get patched anyway. Continue Reading
