Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
09 Apr 2025
Exploited Windows zero-day addressed on April Patch Tuesday
Microsoft delivers fixes for 121 vulnerabilities with 11 rated critical this month. Admins will have extra mitigation work to correct three flaws. Continue Reading
-
Tip
04 Apr 2025
Generative AI security best practices to mitigate risks
When tackling AI security issues, enterprises should minimize shadow IT risks, establish an AI governance council and train employees on the proper use of AI tools. Continue Reading
- 28 Aug 2017
- 28 Aug 2017
-
News
24 Aug 2017
Google Chrome Enterprise adds management options
The Google Chrome Enterprise offering officially allows organizations to manage Google Play Store apps, extensions, Microsoft Active Directory and integrate VMware on Chromebooks. Continue Reading
-
Blog Post
23 Aug 2017
Project Treble is another attempt at faster Android updates
Google has historically had a problem with getting mobile device manufacturers to push out Android updates, which has left hundreds of millions in the Android ecosystem at risk. Google hopes that ... Continue Reading
-
News
21 Aug 2017
iPhone Secure Enclave firmware encryption key leaked
Experts and Apple say despite the leak of the iPhone Secure Enclave Processor encryption key that can be used to decrypt firmware code, user data and biometric information are still safe. Continue Reading
-
Answer
18 Aug 2017
Why is the patched Apache Struts vulnerability still being exploited?
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform still carries risk for users. Continue Reading
-
News
18 Aug 2017
Hijacked Chrome extensions infect millions of users
News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more. Continue Reading
-
Answer
18 Aug 2017
Stopping EternalBlue: Can the next Windows 10 update help?
The upcoming Windows update, Redstone 3, will patch the vulnerability that enables EternalBlue exploits. Expert Judith Myerson discusses protection methods to use until the update. Continue Reading
-
Tip
17 Aug 2017
Common web application login security weaknesses and how to fix them
Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them. Continue Reading
-
News
15 Aug 2017
Mobile data theft a risk from shared app libraries
Researchers claim malicious actors could commit mobile data theft by using shared third-party libraries and abusing elevated privileges that the permissions granted. Continue Reading
-
Tip
15 Aug 2017
Security teams must embrace DevOps practices or get left behind
DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them. Continue Reading
-
News
11 Aug 2017
Microsoft antivirus policy changes under Kaspersky pressure
Microsoft antivirus policy changes for Windows 10 Fall Creators Update in order to avoid further action in an antitrust case brought by Kaspersky. Continue Reading
-
Tip
10 Aug 2017
Applying a hacker mindset to application security
It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help. Continue Reading
-
News
09 Aug 2017
Windows 10 Linux subsystem gets first patches
Microsoft's August 2017 Patch Tuesday brought the first Windows 10 Linux subsystem patches, just as a new version of the Linux subsystem is released for Windows Server. Continue Reading
-
Answer
08 Aug 2017
How did a Moodle security vulnerability enable remote code execution?
A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited. Continue Reading
-
News
03 Aug 2017
Symantec Website Security, certificate authority business sold to DigiCert
DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates. Continue Reading
-
Answer
03 Aug 2017
How is the Samba vulnerability different from EternalBlue?
A recently discovered Samba vulnerability bears a striking resemblance to the notorious Windows exploit EternalBlue. Expert Matthew Pascucci compares the two vulnerabilities. Continue Reading
-
Answer
01 Aug 2017
How can OSS-Fuzz and other vulnerability scanners help developers?
Google's OSS-Fuzz is an open source vulnerability scanner. Expert Matthew Pascucci looks at how developers can take advantage of this tool and others like it. Continue Reading
-
News
28 Jul 2017
Adobe's Flash end of life scheduled, finally, for 2020
News roundup: Adobe announced that Flash end of life will happen by the end of 2020. Plus, Microsoft expands its bug bounty program, the 2017 Pwnie Awards winners, and more. Continue Reading
-
Answer
26 Jul 2017
How are FTP injection attacks carried out on Java and Python?
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these attacks. Continue Reading
-
Feature
25 Jul 2017
Federal Cloud Computing
In this excerpt from chapter three of Federal Cloud Computing, author Matthew Metheny discusses open source software and its use in the U.S. federal government. Continue Reading
-
News
19 Jul 2017
Symantec agrees to transfer certificate issuance to third party
Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1. Continue Reading
-
News
14 Jul 2017
Google tackles Android app privacy with machine learning
Google will use machine learning and automated peer review scans to improve Android app privacy and limit app permissions overreach. Continue Reading
-
Tip
13 Jul 2017
How to detect preinstalled malware in custom servers
Preinstalled malware was reportedly found by Apple in its custom servers. Expert Nick Lewis explains how enterprises can protect themselves from encountering similar issues. Continue Reading
-
News
12 Jul 2017
Windows NTLM vulnerabilties addressed in July 2017 Patch Tuesday
Client-side security takes the forefront in Microsoft's July 2017 Patch Tuesday, which includes a fix for legacy Windows NTLM authentication processes. Continue Reading
-
Answer
12 Jul 2017
What made iOS apps handling sensitive data vulnerable to MitM attacks?
A researcher discovered 76 iOS apps containing sensitive user data that were vulnerable to man-in-the-middle attacks. Expert Michael Cobb explains how developers can prevent this. Continue Reading
-
News
11 Jul 2017
Android Samba app from Google only uses broken SMBv1
Experts said the new Android Samba app from Google supported only unsafe SMBv1 despite susceptibility to WannaCry exploits and unclear demand from users. Continue Reading
-
Answer
10 Jul 2017
WordPress REST API flaw: How did it lead to widespread attacks?
A REST API endpoint vulnerability enabled attacks on 1.5 million sites running WordPress. Expert Michael Cobb explains how this vulnerability works and how to prevent attacks. Continue Reading
-
Answer
07 Jul 2017
How are hackers using Unicode domains for spoofing attacks?
A proof of concept showed that hackers can use Unicode domains to make phishing sites look legitimate. Expert Matthew Pascucci explains how this spoofing attack works. Continue Reading
-
Buyer's Guide
28 Jun 2017
Select the best patch management software for your company
Patch management software enables businesses to prioritize and automatically update systems so that their assets remain secure. See which best fits your infosec strategy. Continue Reading
-
News
27 Jun 2017
Windows Defender bug could allow full-system takeover
A newly disclosed Windows Defender bug, which could allow an attacker to fully take over a target system and create admin accounts, marks yet another major antivirus vulnerability. Continue Reading
-
Feature
27 Jun 2017
Patch management tool comparison: What are the best products?
With so many different vendors in the market, it isn't easy to pick the right patch management tool. Read this product comparison to see which is best for your company. Continue Reading
-
Answer
16 Jun 2017
Why do HTTPS interception tools weaken TLS security?
HTTPS interception tools help protect websites, but they can also hurt TLS security. Expert Judith Myerson explains how this works and what enterprises can do about it. Continue Reading
-
News
15 Jun 2017
Microsoft to disable SMBv1 by default in fall Windows updates
Microsoft claims recent WannaCry attacks did not influence the decision to disable SMBv1 by default in the next major Windows updates. Continue Reading
-
News
14 Jun 2017
More Windows XP fixes in June Patch Tuesday release
Microsoft's June 2017 Patch Tuesday saw another set of Windows XP fixes released in order to secure systems against leaked NSA cyberweapons. Continue Reading
-
Answer
14 Jun 2017
How can DevOps application lifecycle management protect digital keys?
Better DevOps application lifecycle management can help protect cryptographic and digital keys. Expert Judith Myerson explains the right approaches to secure DevOps. Continue Reading
-
News
14 Jun 2017
Symantec CA remediation plan faces more delays
The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community. Continue Reading
-
Tip
12 Jun 2017
To secure Office 365, take advantage of controls Microsoft offers
Securing Office 365 properly requires addressing upfront any specific risks of a particular environment and taking advantage of the many security controls Microsoft offers. Continue Reading
-
Tip
12 Jun 2017
Office 365 security features: As good as it gets?
Online and application security is never perfect, but Office 365 security features come close. Here's an overview of how Microsoft installed security in its popular suite. Continue Reading
-
Tip
12 Jun 2017
Address Office 365 security concerns while enjoying its benefits
Office 365 security concerns should worry you but not dampen your enthusiasm for the platform's potential benefits for your business. Here's what you need to consider upfront. Continue Reading
-
Feature
12 Jun 2017
Know why patch management tools are required in the IT infrastructure
Regulations, efficiency and protection are the main drivers for purchasing patch management tools. See why automated patch management is a requirement for most businesses. Continue Reading
-
News
08 Jun 2017
Researchers port EternalBlue exploit to Windows 10
The EternalBlue exploit behind the WannaCry ransomware attacks has been successfully ported to an older version of Windows 10, but newer versions of the OS are protected. Continue Reading
-
Answer
06 Jun 2017
Adobe Acrobat Chrome extension: What are the risks?
An Adobe Acrobat extension was automatically installed onto users' Chrome browsers during an update. Expert Michael Cobb explains the problems that existed with the extension. Continue Reading
-
Tip
06 Jun 2017
How mobile application assessments can boost enterprise security
Mobile application assessments can help enterprises decide which apps to allow, improving security. Christopher Crowley of the SANS Institute discusses how to use app assessments. Continue Reading
-
Answer
05 Jun 2017
Cisco WebEx extension flaw: How does the patch fall short?
Cisco's WebEx extension flaw was patched to prevent remote code execution from all but WebEx sites. Expert Michael Cobb explains how this flaw could still introduce risk to users. Continue Reading
-
Answer
31 May 2017
Why is patching telecom infrastructures such a challenge?
Patching telecom infrastructures presents many challenges. Expert Matthew Pascucci explains those challenges and what can be done to make sure the systems get patched anyway. Continue Reading
-
Answer
30 May 2017
Domain validation certificates: What are the security issues?
Let's Encrypt domain validation certificates had some security issues. Expert Matthew Pascucci explains how DV certificates work and what the issues were. Continue Reading
-
News
26 May 2017
Samba vulnerability brings WannaCry fears to Linux/Unix
A widespread Samba vulnerability has raised the possibility of attacks similar to WannaCry hitting Linux and Unix systems, but mitigation options are available. Continue Reading
-
Podcast
25 May 2017
Risk & Repeat: Microsoft slams NSA over EternalBlue
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Microsoft's sharp criticism of the NSA over the EternalBlue Windows vulnerability and WannaCry ransomware. Continue Reading
-
Podcast
23 May 2017
Risk & Repeat: WannaCry ransomware worm shakes tech industry
In this week's Risk & Repeat podcast, SearchSecurity editors look at the devastation caused by the WannaCry ransomware worm and discuss how it could have been prevented. Continue Reading
-
News
19 May 2017
Google Play Protect looks to bolster Android app security
News roundup: The new Google Play Protect system aims to improve Android app security. Plus, Google Cloud IoT Core adds layer of device security, and more. Continue Reading
-
Tip
17 May 2017
What the end of hot patching mobile apps means for enterprise security
Apple now restricts mobile app developers from using hot patching, as the technique can change app behavior after it is reviewed. Expert Kevin Beaver goes over enterprise concerns. Continue Reading
-
News
12 May 2017
Cisco vulnerability from WikiLeaks' Vault 7 dump finally patched
News roundup: A Cisco vulnerability disclosed in the Vault 7 dump finally has a patch. Plus, Google's fuzzing bot finds over 1,000 bugs in five months, Comey dismissed and more. Continue Reading
-
Podcast
11 May 2017
Risk & Repeat: Critical Windows bug triggers disclosure debate
This week's Risk & Repeat podcast looks at how a simple tweet about a Windows bug from Project Zero researcher Tavis Ormandy sparked a debate about vulnerability disclosure. Continue Reading
-
Feature
11 May 2017
Timeline: Symantec certificate authority improprieties
Timeline: Follow along as Google and Mozilla raise issues with Symantec certificate authority actions, and then attempt to return trust to the CA giant. Continue Reading
-
News
10 May 2017
Windows zero days squashed in May 2017 Patch Tuesday
Microsoft's May 2017 Patch Tuesday fixed multiple Windows zero-day vulnerabilities, two of which have reportedly been exploited by groups linked to Russia. Continue Reading
-
News
09 May 2017
Microsoft out-of-band patch hits the day before Patch Tuesday
The evening before Patch Tuesday, Microsoft released an emergency out-of-band patch for a dangerous Windows flaw teased by the Google Project Zero team just days earlier. Continue Reading
-
Tip
09 May 2017
How to identify and address overlooked web security vulnerabilities
Certain web security vulnerabilities evade detection due to oversight or carelessness. Expert Kevin Beaver discusses the top overlooked issues and how to address them. Continue Reading
-
News
05 May 2017
TLS client authentication ensures secure IoT connection
The TLS client authentication protocol has been part of the security standard for years, but it's just now coming into its own in certifying secure IoT connections. Continue Reading
-
Answer
03 May 2017
Same-origin policy: How did Adobe Flash Player's implementation fail?
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb explains how this flaw occurred. Continue Reading
-
News
25 Apr 2017
Symantec certificate authority issues, answered
Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust. Continue Reading
-
Answer
25 Apr 2017
How can enterprises stop the Flip Feng Shui exploit from hijacking VMs?
The Flip Feng Shui attack can target virtual machines. Expert Judith Myerson explains the exploit and describes how to prevent it from hijacking enterprise VMs. Continue Reading
-
News
21 Apr 2017
Stuxnet worm flaw still the most exploited after seven years
Security researchers say the vulnerability behind the infamous Stuxnet worm is still the most exploited in the world, seven years after being patched. Continue Reading
-
News
20 Apr 2017
Oracle patches Apache Struts exploits, Equation Group vulnerability
There were 299 Oracle patches in the April Critical Patch Update, including a fix for the Apache Struts exploits found in the wild and a vulnerability from the Equation Group dump. Continue Reading
-
Answer
19 Apr 2017
How does Nemucod malware get spread through Facebook Messenger?
The Nemucod downloader malware is being spread through Facebook Messenger disguised as an image file. Expert Nick Lewis explains the available protections against this attack. Continue Reading
-
News
12 Apr 2017
Symantec CA woes debated by browser community
Compliance with CA/B Forum Baseline Requirements was debated after Symantec CA posted responses to 14 issues raised by Mozilla developers. Continue Reading
-
News
12 Apr 2017
Security Update Guide brings growing pains to Patch Tuesday
Microsoft fundamentally changes how IT pros will consume Patch Tuesday releases with the Security Update Guide and brings fixes for an actively exploited Word zero-day. Continue Reading
-
Tip
07 Apr 2017
Preparing enterprise systems for the scriptless Linux exploit
The scriptless Linux exploit deviates from usual methods that security tools recognize as attacks. Expert Nick Lewis explains how the exploit works and how to prevent it. Continue Reading
-
Answer
07 Apr 2017
How have ARM TrustZone flaws affected Android encryption?
Android encryption on devices using Qualcomm chips can be broken due to two vulnerabilities. Expert Michael Cobb explains how these flaws affect encryption. Continue Reading
-
Tip
05 Apr 2017
Totally automatic: Improve DevOps and security in three key steps
Concerned about DevOps security? Learn three key steps to embedding security into the software development process, including how to improve automation. Continue Reading
-
News
31 Mar 2017
HTTPS traffic has yet to surpass HTTP traffic, Fortinet study shows
News roundup: HTTPS traffic has yet to surge, despite its security benefits, according to a report. Plus, the latest in the Apple extortion; a Mirai attack lasted 54 hours; and more. Continue Reading
-
News
30 Mar 2017
Google's Project Zero Prize uncovers zero Android remote exploits
After six months, Google's Project Zero Prize competition uncovered zero Android remote exploits: no bugs, no prizes, no entries. Continue Reading
-
News
29 Mar 2017
Potential SSL API flaw could reveal private keys
A researcher claims to have found Symantec SSL API issues with extremely dangerous consequences, but a lack of evidence causes confusion. Continue Reading
-
Answer
28 Mar 2017
How can users tell if Windows SMB v1 is on their systems?
US-CERT encouraged users to use newer versions of Windows SMB, since version one is out of date. Expert Matthew Pascucci explains how to tell if SMB v1 is on your systems. Continue Reading
-
News
24 Mar 2017
Google considers options on Symantec certificate authority 'failures'
Symantec certificate authority cries foul, as Google considers severe options following the company allegedly misissuing as many as 30,000 digital certificates. Continue Reading
-
News
23 Mar 2017
DV certificates abused, but policing may not be possible
Research shows DV certificates can be a prime target for phishing and malware operators, but experts are unsure how certificate authorities should deal with the issue. Continue Reading
-
News
17 Mar 2017
Yahoo fallout: Minted authentication cookies raise concerns
Although minting authentication cookies is not widely understood, the Yahoo hacker indictments has brought it to the forefront and shown it can be very dangerous. Continue Reading
-
News
14 Mar 2017
Nine critical Windows security bulletins in Patch Tuesday
After its cancelled February Patch Tuesday, Microsoft's March 2017 Patch Tuesday includes nine critical Windows security bulletins targeting remote code execution flaws. Continue Reading
-
News
14 Mar 2017
Android ransomware and more pre-installed on devices
Security researchers found Android ransomware and malware pre-installed on popular devices, putting users at risk for information theft, tracking and more. Continue Reading
-
Answer
08 Mar 2017
How can attacks bypass ASLR protection on Intel chips?
An Intel chip flaw lets attackers bypass ASLR protection on most operating systems. Expert Michael Cobb explains the vulnerability and how to prevent attacks. Continue Reading
-
News
06 Mar 2017
FBI chooses to protect Tor vulnerability and dismiss child porn case
The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected. Continue Reading
-
News
03 Mar 2017
Slack hack threatened to expose user account data and messages
News roundup: A researcher discovers a Slack hack through stolen tokens. Plus, another WordPress flaw puts 1 million users at risk; Necurs botnet does DDoS now; and more. Continue Reading
-
Answer
02 Mar 2017
What should enterprises know about how a stored XSS exploit works?
A stored XSS exploit can be damaging to enterprises that aren't fully protected. Expert Matthew Pascucci explains what stored XSS attacks are and how to defend against them. Continue Reading
-
News
28 Feb 2017
Edge and IE vulnerability disclosed by Project Zero
Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available. Continue Reading
-
News
24 Feb 2017
Project Zero discovers Cloudflare bug leaking sensitive customer data
The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords. Continue Reading
-
News
21 Feb 2017
Google discloses Windows vulnerability after canceled Patch Tuesday
Google Project Zero discloses a Windows vulnerability that passed the 90-day deadline. And it comes soon after Microsoft canceled its Patch Tuesday release. Continue Reading
-
News
17 Feb 2017
Microsoft Patch Tuesday February release delayed by a month
News roundup: Microsoft Patch Tuesday was canceled in February without a clear reason. Plus, APT28 is linked to new Mac malware; Lazarus targets more banks and more. Continue Reading
-
News
10 Feb 2017
Is the Ticketbleed flaw the new Heartbleed vulnerability?
News roundup: F5 virtual server flaw, dubbed Ticketbleed, is similar to Heartbleed. Plus, DHS is considering requiring social media passwords on visa applications, and more. Continue Reading
-
Podcast
08 Feb 2017
Risk & Repeat: Pentagon cybersecurity under fire
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Pentagon cybersecurity amid reports of misconfigured servers at the U.S. Department of Defense. Continue Reading
-
Tip
07 Feb 2017
How Windows hardening techniques can improve Windows 10
Windows 10 may be the most secure Windows ever, but expert Ed Tittel explains how to use Windows hardening techniques to make systems even more secure. Continue Reading
-
News
07 Feb 2017
SQL Slammer worm makes a comeback 14 years later
The SQL Slammer worm returned to take down systems that have been left unpatched for the past 14 years, but experts are unsure if the attacks will continue. Continue Reading
-
News
03 Feb 2017
Microsoft delays Windows zero-day patch; researcher drops exploit code
Microsoft decided to delay a Windows zero-day patch by two months, prompting the researcher who found it to post the proof-of-concept exploit code. Continue Reading
-
News
26 Jan 2017
More than 200 vulnerabilities found in Trend Micro security products
Researchers uncovered more than 200 vulnerabilities across Trend Micro products, but experts said the company brand won't take a hit. Continue Reading
-
Podcast
25 Jan 2017
Risk & Repeat: Windows SMB warning raises questions, concerns
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the Shadow Brokers' alleged exploit for Windows SMB and what it means for both enterprises and Microsoft. Continue Reading
-
News
25 Jan 2017
Project Zero finds Cisco WebEx vulnerability in browser extensions
A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack. Continue Reading
-
News
19 Jan 2017
Windows 10 security tackles exploits, while Windows 7 gets a warning
As Microsoft touted its Windows 10 security features defeating unpatched zero-day vulnerabilities, it also warned customers about security issues with Windows 7. Continue Reading
-
News
19 Jan 2017
US-CERT reminds users that Windows SMB v1 needs to die
Experts say US-CERT is taking advantage of a potential -- but unverified -- vulnerability in Windows SMB v1 to remind enterprise users the outdated service should be disabled. Continue Reading
-
News
10 Jan 2017
January Patch Tuesday sparse before Windows security updates change
Microsoft offers up a meager January 2017 Patch Tuesday release before bigger changes planned for Windows security update announcements, which are set to take effect in February. Continue Reading
-
News
04 Jan 2017
SSL certificate validation flaw discovered in Kaspersky AV software
Google Project Zero discovers more antivirus vulnerabilities. This time, the issues are with how Kaspersky Lab handles SSL certificate validation and CA root certificates. Continue Reading
-
Answer
04 Jan 2017
How does a Linux vulnerability allow attacks on TCP communications?
A Linux vulnerability that affects 80% of Android devices allows for attacks on TCP communications and remote code execution. Expert Michael Cobb explains how to mitigate these risks. Continue Reading
