Application and platform security
Application and platform security is the basis for preventing vulnerabilities and attacks. Learn the latest about application attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
26 Nov 2024
Russian hackers exploit Firefox, Windows zero-days in wild
RomCom threat actors chain two Firefox and Windows zero-day vulnerabilities together in order to execute arbitrary code in vulnerable Mozilla browsers. Continue Reading
By- Alexander Culafi, Senior News Writer
-
News
22 Nov 2024
Volexity details Russia's novel 'Nearest Neighbor Attack'
The security company warned that the new attack style highlights the importance of securing Wi-Fi networks, implementing MFA and patching known vulnerabilities. Continue Reading
By- Arielle Waldman, News Writer
-
News
10 May 2017
Windows zero days squashed in May 2017 Patch Tuesday
Microsoft's May 2017 Patch Tuesday fixed multiple Windows zero-day vulnerabilities, two of which have reportedly been exploited by groups linked to Russia. Continue Reading
By- Michael Heller, TechTarget
-
News
09 May 2017
Microsoft out-of-band patch hits the day before Patch Tuesday
The evening before Patch Tuesday, Microsoft released an emergency out-of-band patch for a dangerous Windows flaw teased by the Google Project Zero team just days earlier. Continue Reading
By- Michael Heller, TechTarget
-
Tip
09 May 2017
How to identify and address overlooked web security vulnerabilities
Certain web security vulnerabilities evade detection due to oversight or carelessness. Expert Kevin Beaver discusses the top overlooked issues and how to address them. Continue Reading
By- Kevin Beaver, Principle Logic, LLC
-
News
05 May 2017
TLS client authentication ensures secure IoT connection
The TLS client authentication protocol has been part of the security standard for years, but it's just now coming into its own in certifying secure IoT connections. Continue Reading
By- Michael Heller, TechTarget
-
Answer
03 May 2017
Same-origin policy: How did Adobe Flash Player's implementation fail?
The same-origin security feature in Adobe Flash Player was implemented incorrectly, allowing local attackers to spy on users. Expert Michael Cobb explains how this flaw occurred. Continue Reading
-
Feature
27 Apr 2017
Introduction to Social Media Investigation: A Hands-on Approach
In this excerpt from chapter four of Introduction to Social Media Investigation: A Hands-on Approach, author Jennifer Golbeck discusses privacy controls on social media. Continue Reading
By- SearchSecurity and Syngress
-
News
25 Apr 2017
Symantec certificate authority issues, answered
Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Answer
25 Apr 2017
How can enterprises stop the Flip Feng Shui exploit from hijacking VMs?
The Flip Feng Shui attack can target virtual machines. Expert Judith Myerson explains the exploit and describes how to prevent it from hijacking enterprise VMs. Continue Reading
-
News
21 Apr 2017
Stuxnet worm flaw still the most exploited after seven years
Security researchers say the vulnerability behind the infamous Stuxnet worm is still the most exploited in the world, seven years after being patched. Continue Reading
By- Michael Heller, TechTarget
-
News
20 Apr 2017
Oracle patches Apache Struts exploits, Equation Group vulnerability
There were 299 Oracle patches in the April Critical Patch Update, including a fix for the Apache Struts exploits found in the wild and a vulnerability from the Equation Group dump. Continue Reading
By- Michael Heller, TechTarget
-
Answer
19 Apr 2017
How does Nemucod malware get spread through Facebook Messenger?
The Nemucod downloader malware is being spread through Facebook Messenger disguised as an image file. Expert Nick Lewis explains the available protections against this attack. Continue Reading
-
News
12 Apr 2017
Symantec CA woes debated by browser community
Compliance with CA/B Forum Baseline Requirements was debated after Symantec CA posted responses to 14 issues raised by Mozilla developers. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
12 Apr 2017
Security Update Guide brings growing pains to Patch Tuesday
Microsoft fundamentally changes how IT pros will consume Patch Tuesday releases with the Security Update Guide and brings fixes for an actively exploited Word zero-day. Continue Reading
By- Michael Heller, TechTarget
-
Tip
07 Apr 2017
Preparing enterprise systems for the scriptless Linux exploit
The scriptless Linux exploit deviates from usual methods that security tools recognize as attacks. Expert Nick Lewis explains how the exploit works and how to prevent it. Continue Reading
-
Answer
07 Apr 2017
How have ARM TrustZone flaws affected Android encryption?
Android encryption on devices using Qualcomm chips can be broken due to two vulnerabilities. Expert Michael Cobb explains how these flaws affect encryption. Continue Reading
-
Tip
05 Apr 2017
Totally automatic: Improve DevOps and security in three key steps
Concerned about DevOps security? Learn three key steps to embedding security into the software development process, including how to improve automation. Continue Reading
By- Johna Till Johnson, Nemertes Research
-
News
31 Mar 2017
HTTPS traffic has yet to surpass HTTP traffic, Fortinet study shows
News roundup: HTTPS traffic has yet to surge, despite its security benefits, according to a report. Plus, the latest in the Apple extortion; a Mirai attack lasted 54 hours; and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
News
30 Mar 2017
Google's Project Zero Prize uncovers zero Android remote exploits
After six months, Google's Project Zero Prize competition uncovered zero Android remote exploits: no bugs, no prizes, no entries. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
29 Mar 2017
Potential SSL API flaw could reveal private keys
A researcher claims to have found Symantec SSL API issues with extremely dangerous consequences, but a lack of evidence causes confusion. Continue Reading
By- Michael Heller, TechTarget
-
Answer
28 Mar 2017
How can users tell if Windows SMB v1 is on their systems?
US-CERT encouraged users to use newer versions of Windows SMB, since version one is out of date. Expert Matthew Pascucci explains how to tell if SMB v1 is on your systems. Continue Reading
-
News
24 Mar 2017
Google considers options on Symantec certificate authority 'failures'
Symantec certificate authority cries foul, as Google considers severe options following the company allegedly misissuing as many as 30,000 digital certificates. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
23 Mar 2017
DV certificates abused, but policing may not be possible
Research shows DV certificates can be a prime target for phishing and malware operators, but experts are unsure how certificate authorities should deal with the issue. Continue Reading
By- Michael Heller, TechTarget
-
News
17 Mar 2017
Yahoo fallout: Minted authentication cookies raise concerns
Although minting authentication cookies is not widely understood, the Yahoo hacker indictments have brought it to the forefront and shown it can be very dangerous. Continue Reading
By- Michael Heller, TechTarget
-
News
14 Mar 2017
Nine critical Windows security bulletins in Patch Tuesday
After its cancelled February Patch Tuesday, Microsoft's March 2017 Patch Tuesday includes nine critical Windows security bulletins targeting remote code execution flaws. Continue Reading
By- Michael Heller, TechTarget
-
News
14 Mar 2017
Android ransomware and more pre-installed on devices
Security researchers found Android ransomware and malware pre-installed on popular devices, putting users at risk for information theft, tracking and more. Continue Reading
By- Michael Heller, TechTarget
-
Answer
08 Mar 2017
How can attacks bypass ASLR protection on Intel chips?
An Intel chip flaw lets attackers bypass ASLR protection on most operating systems. Expert Michael Cobb explains the vulnerability and how to prevent attacks. Continue Reading
-
News
06 Mar 2017
FBI chooses to protect Tor vulnerability and dismiss child porn case
The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected. Continue Reading
By- Michael Heller, TechTarget
-
News
03 Mar 2017
Slack hack threatened to expose user account data and messages
News roundup: A researcher discovers a Slack hack through stolen tokens. Plus, another WordPress flaw puts 1 million users at risk; Necurs botnet does DDoS now; and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
Answer
02 Mar 2017
What should enterprises know about how a stored XSS exploit works?
A stored XSS exploit can be damaging to enterprises that aren't fully protected. Expert Matthew Pascucci explains what stored XSS attacks are and how to defend against them. Continue Reading
-
News
28 Feb 2017
Edge and IE vulnerability disclosed by Project Zero
Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available. Continue Reading
By- Michael Heller, TechTarget
-
News
24 Feb 2017
Project Zero discovers Cloudflare bug leaking sensitive customer data
The Cloudflare bug in CDN is fixed after causing sensitive customer data to leak. Google Project Zero discovered the flaw, and users were warned to change passwords. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
21 Feb 2017
Google discloses Windows vulnerability after canceled Patch Tuesday
Google Project Zero discloses a Windows vulnerability that passed the 90-day deadline. And it comes soon after Microsoft canceled its Patch Tuesday release. Continue Reading
By- Michael Heller, TechTarget
-
News
17 Feb 2017
Microsoft Patch Tuesday February release delayed by a month
News roundup: Microsoft Patch Tuesday was canceled in February without a clear reason. Plus, APT28 is linked to new Mac malware; Lazarus targets more banks and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
News
10 Feb 2017
Is the Ticketbleed flaw the new Heartbleed vulnerability?
News roundup: F5 virtual server flaw, dubbed Ticketbleed, is similar to Heartbleed. Plus, DHS is considering requiring social media passwords on visa applications, and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
Podcast
08 Feb 2017
Risk & Repeat: Pentagon cybersecurity under fire
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Pentagon cybersecurity amid reports of misconfigured servers at the U.S. Department of Defense. Continue Reading
By- Rob Wright, Senior News Director
-
Tip
07 Feb 2017
How Windows hardening techniques can improve Windows 10
Windows 10 may be the most secure Windows ever, but expert Ed Tittel explains how to use Windows hardening techniques to make systems even more secure. Continue Reading
-
News
07 Feb 2017
SQL Slammer worm makes a comeback 14 years later
The SQL Slammer worm returned to take down systems that have been left unpatched for the past 14 years, but experts are unsure if the attacks will continue. Continue Reading
By- Michael Heller, TechTarget
-
News
03 Feb 2017
Microsoft delays Windows zero-day patch; researcher drops exploit code
Microsoft decided to delay a Windows zero-day patch by two months, prompting the researcher who found it to post the proof-of-concept exploit code. Continue Reading
By- Michael Heller, TechTarget
-
News
26 Jan 2017
More than 200 vulnerabilities found in Trend Micro security products
Researchers uncovered more than 200 vulnerabilities across Trend Micro products, but experts said the company brand won't take a hit. Continue Reading
By- Michael Heller, TechTarget
-
Podcast
25 Jan 2017
Risk & Repeat: Windows SMB warning raises questions, concerns
In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the Shadow Brokers' alleged exploit for Windows SMB and what it means for both enterprises and Microsoft. Continue Reading
By- Rob Wright, Senior News Director
-
News
25 Jan 2017
Project Zero finds Cisco WebEx vulnerability in browser extensions
A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
19 Jan 2017
Windows 10 security tackles exploits, while Windows 7 gets a warning
As Microsoft touted its Windows 10 security features defeating unpatched zero-day vulnerabilities, it also warned customers about security issues with Windows 7. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
19 Jan 2017
US-CERT reminds users that Windows SMB v1 needs to die
Experts say US-CERT is taking advantage of a potential -- but unverified -- vulnerability in Windows SMB v1 to remind enterprise users the outdated service should be disabled. Continue Reading
By- Michael Heller, TechTarget
-
News
10 Jan 2017
January Patch Tuesday sparse before Windows security updates change
Microsoft offers up a meager January 2017 Patch Tuesday release before bigger changes planned for Windows security update announcements, which are set to take effect in February. Continue Reading
By- Michael Heller, TechTarget
-
News
04 Jan 2017
SSL certificate validation flaw discovered in Kaspersky AV software
Google Project Zero discovers more antivirus vulnerabilities. This time, the issues are with how Kaspersky Lab handles SSL certificate validation and CA root certificates. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Answer
04 Jan 2017
How does a Linux vulnerability allow attacks on TCP communications?
A Linux vulnerability that affects 80% of Android devices allows for attacks on TCP communications and remote code execution. Expert Michael Cobb explains how to mitigate these risks. Continue Reading
-
News
03 Jan 2017
Decades-old bug in the libpng open source graphics library patched
A low-severity vulnerability dating back to 1995 in libpng, the official reference library implementation for PNG, may have enabled remote DoS attacks. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Feature
30 Dec 2016
Hacking Web Intelligence
In this excerpt from chapter 8 of Hacking Web Intelligence, authors Sudhanshu Chauhan and Nutan Panda discuss how to be anonymous on the internet using proxy. Continue Reading
By- SearchSecurity and Syngress
-
News
16 Dec 2016
Vulnerable websites make up half of the internet's top sites
News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more. Continue Reading
By- Madelyn Bacon, TechTarget
-
Feature
29 Nov 2016
DNS Security: Defending the Domain Name System
In this excerpt from chapter two of DNS Security: Defending the Domain Name System, authors Allan Liska and Geoffrey Stowe discuss why DNS security is important. Continue Reading
By- Syngress and SearchSecurity
-
Tip
02 Sep 2016
Planning for an IPv6 attack: DDoS, neighbor discovery threats and more
IPv6 DDoS attacks are imminent, and your network security tools may not be configured for them. Expert Michael Cobb explains how enterprises can prepare their defenses. Continue Reading
-
Feature
25 Jul 2016
How to start building an enterprise application security program
Building an effective application security program can be daunting. Sean Martin talks with experts about the best first steps enterprises should take. Continue Reading
-
Blog Post
21 Jul 2016
Environment variables: Should they be considered harmful?
In the wake of the httpoxy vulnerability, should environment variables be considered harmful? Perhaps, but they are just so useful. Continue Reading
By- Peter Loshin
-
News
26 May 2016
Retiring obsolete SHA-1 and RC4 cryptographic algorithms, SSLv3 protocol
Microsoft speeds deprecation of SHA-1, Google dropping support for RC4, SSLv3, as web software publishers approach end of life for obsolete cryptographic algorithms and protocols. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
News
06 May 2016
Commercial code riddled with open source vulnerabilities
Roundup: Customers, vendors both unaware of unpatched open source vulnerabilities in commercial software. Plus OpenSSL patches, warrantless wiretaps and more. Continue Reading
By- Peter Loshin, Former Senior Technology Editor
-
Answer
21 Apr 2016
How does the banking Trojan Dyreza exploit Windows 10?
A variant of banking Trojan Dyreza has begun to target Windows 10. Expert Nick Lewis explains the new attack functionalities, and Windows 10 and user vulnerabilities. Continue Reading
-
Tip
21 Apr 2016
Breaking down the DROWN attack and SSLv2 vulnerability
A DROWN attack can occur through more than a third of all HTTPS connections. Expert Michael Cobb explains how DROWN enables man-in-the-middle attacks and mitigation steps to take. Continue Reading
-
Answer
01 Mar 2016
Outdated apps: What are the best ways to address them?
Dead and outdated apps can pose serious security risks for enterprises. Expert Nick Lewis explains how to find and remove dead apps before they become a problem. Continue Reading
-
News
29 Jan 2016
OpenSSL patch fixes encryption flaw and strengthens Logjam defense
A new OpenSSL patch fixes a severe encryption flaw and strengthens the protocol against the Logjam vulnerability. Continue Reading
By- Michael Heller, TechTarget
-
News
28 Jan 2016
Oracle closing an attack vector by deprecating the Java browser plug-in
Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own. Continue Reading
By- Michael Heller, TechTarget
-
Tip
11 Jan 2016
Microsoft Device Guard tackles Windows 10 malware
A new Microsoft security feature takes aim at Windows 10 malware. Expert Michael Cobb explains what enterprises should know about Device Guard. Continue Reading
-
Answer
30 Dec 2015
Should the RC4 cipher still be used in enterprises?
A newly discovered attack can break the RC4 cipher and decrypt user cookies. Expert Michael Cobb explains the attack and the relevance of RC4 in enterprises today. Continue Reading
-
Answer
28 Dec 2015
How can software transplants fix bad code?
Copying and pasting bad code into an application is a big problem for developers, but software transplants can help. Expert Michael Cobb explains the technology. Continue Reading
-
Answer
16 Nov 2015
Can Google's Chrome extension policy improve Web security?
The updated Chrome extension policy allows users and developers to only install extensions from the Chrome Web Store. Learn how this affects security and enterprise apps. Continue Reading
-
Feature
04 Nov 2015
Comparing the top Web fraud detection systems
Expert Ed Tittel explores the features of the top Web fraud detection systems and compares critical purchasing criteria. Continue Reading
-
Answer
14 Oct 2015
How should enterprises manage social media compliance incidents?
Social media compliance incidents in financial institutions are on the rise. Here are the most common violations and how to avoid them in the future. Continue Reading
By- Mike Chapple, University of Notre Dame
-
Tip
06 Oct 2015
How to perform a forensic acquisition of a virtual machine disk
Virtualization expert Paul Henry provides a step-by-step guide to imaging a virtual machine disk (*flat.vmdk) in a forensically sound manner. Continue Reading
By- Paul Henry, SANS Institute
-
Opinion
05 Oct 2015
Can white-box cryptography save your apps?
With the Internet of Things, software-based secure elements could hold the key. Continue Reading
-
Opinion
01 Oct 2015
McGraw: Seven myths of software security best practices
According to expert Gary McGraw, you're not helping yourself by believing the things -- all seven of them -- you've heard about secure software development. Continue Reading
By- Gary McGraw, Synopsys
-
Feature
15 Sep 2015
Comparing the best Web application firewalls in the industry
Expert Brad Causey compares the best Web application firewalls on the market across three product types: cloud, integrated and appliance. Continue Reading
-
Answer
09 Sep 2015
Should the Netdump flaw deter enterprise ODL SDN use?
The benefits of the ODL SDN platform are promising, but what about the recent Netdump flaw it experienced? Expert Kevin Beaver discusses why you may not want to pass on OpenDaylight just yet. Continue Reading
By- Kevin Beaver, Principle Logic, LLC
-
Feature
20 Aug 2015
Introduction to Web fraud detection systems
Expert Ed Tittel explores the purpose of Web fraud detection systems and services, which are designed to reduce the risks inherent in electronic payments and e-commerce. Continue Reading
-
News
20 May 2015
Google changes Chrome extension policy amid security concerns
Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store. Continue Reading
-
News
07 May 2015
Malware detection tool tackles medical device security
WattsUpDoc, an embedded system security tool used to detect malware in medical devices, is now in beta testing at two major U.S. hospitals. Continue Reading
-
Feature
17 Mar 2015
Four questions to ask before buying a Web application firewall
Web application firewalls are complex products. Expert Brad Causey explains the key criteria enterprises need to consider before investing in a WAF product. Continue Reading
-
Feature
19 Feb 2015
Business-use scenarios for a Web application firewall deployment
Web application firewalls can be a critical security layer for many companies. Expert Brad Causey explains when and how to deploy a WAF in the enterprise. Continue Reading
-
Feature
17 Feb 2015
Introduction to Web application firewalls in the enterprise
Expert Brad Causey takes a close look at Web application firewalls, explains how WAF technology can prevent Internet-based attacks from known and unknown application threats, and offers advice on WAF management and deployment. Continue Reading
-
Feature
15 Dec 2014
The Basics of Information Security
In this excerpt of The Basics of Information Security, author Jason Andress outlines methods for improving operating systems security. Continue Reading
By- SearchSecurity and Syngress
-
Answer
01 Dec 2014
Can setting a cache-control header improve application data security?
Application security expert Michael Cobb reviews the cache-control header codes that can help prevent a Web application from storing sensitive data. Continue Reading
-
Answer
01 Dec 2014
Are LibreSSL and BoringSSL safe OpenSSL alternatives?
Since the revelation of the Heartbleed flaw, OpenSSL security has been put into question. Expert Michael Cobb discusses whether LibreSSL and BoringSSL could serve as OpenSSL alternatives. Continue Reading
-
Answer
19 Nov 2014
How can vishing attacks be prevented?
Enterprise threats expert Nick Lewis explains what vishing attacks are and offers best practices for defending against them. Continue Reading
-
Feature
29 Sep 2014
Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides
In this excerpt of Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides, the authors explain how to discover and extract malware from a Linux system. Continue Reading
By- SearchSecurity and Syngress
-
Definition
23 Jun 2014
address space layout randomization (ASLR)
Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory. Continue Reading
By- Sharon Shea, Executive Editor
-
Feature
21 Apr 2014
Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace
This is an excerpt from the book Investigating Internet Crimes: An Introduction to Solving Crimes in Cyberspace by Todd G. Shipley and Art Bowker. Continue Reading
By- SearchSecurity.com and Syngress
-
Feature
31 Mar 2014
Linux Malware Incident Response
In this excerpt from Linux Malware Incident Response, authors Cameron Malin, Eoghan Casey and James Aquilina discuss volatile data collection methodology, steps and preservation. Continue Reading
By- SearchSecurity and Syngress
-
Feature
17 Mar 2014
Social Media Security
In this excerpt from Social Media Security, author Michael Cross offers a number of strategies to help ensure social media security. Continue Reading
By- SearchSecurity and Syngress
-
Feature
03 Feb 2014
Tor networks: Stop employees from touring the deep Web
Are employees using Tor to view blocked Web sites, or mining Bitcoins on corporate resources? Sinister or not, it needs to stop. Continue Reading
-
Answer
12 Mar 2013
Bing security: Is search engine poisoning a problem for Bing users?
Is Microsoft's Bing search engine more susceptible to search engine poisoning than Google? Expert Michael Cobb discusses Bing security. Continue Reading
-
Quiz
18 Jan 2013
Quiz: Why SSL certificate security matters
In this five-question quiz, evaluate your knowledge of our Security School lesson on why SSL certificate security is important. Continue Reading
-
Opinion
17 Jan 2013
Thirteen principles to ensure enterprise system security
Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades. Continue Reading
By- Gary McGraw, Synopsys
-
News
07 Dec 2012
Twelve common software security activities to lift your program
Software security expert Gary McGraw explains the processes commonly found in highly successful software security programs. Continue Reading
By- Gary McGraw, Synopsys
-
Opinion
09 Apr 2012
Gary McGraw on software security assurance: Build it in, build it right
If the field of computer security is to be fixed, the only hope we have is building security in, says software security expert Gary McGraw. Continue Reading
By- Gary McGraw, Synopsys
-
Answer
31 Aug 2011
How to mitigate the risk of a TOCTTOU attack
Are TOCTTOU attacks, exploiting time-of-check-to-time-of-use race conditions, a threat to your enterprise file systems? Expert Michael Cobb discusses the dangers and how to mitigate them. Continue Reading
-
Tip
11 Mar 2011
Securing a multi-tenant environment
Learn some of the key elements for secure multi-tenancy. Continue Reading
-
Definition
11 Feb 2011
BIOS rootkit attack
A BIOS-level rootkit attack, also known as a persistent BIOS attack, is an exploit in which the BIOS is flashed (updated) with malicious code. A BIOS rootkit is programming that enables remote administration. Continue Reading
-
Definition
10 Feb 2011
BIOS rootkit
A BIOS-level rootkit is programming that exists in a system's memory hardware to enable remote administration. Because the rootkit lives in the computer’s BIOS (basic input/output system), it persists not only through attempts to reflash the BIOS but also through hard drive erasure or replacement. Continue Reading
-
Tip
03 Feb 2011
The hypervisor security patch management process
Enterprises using virtualization must include hypervisor patching in their patch management process. Robbie Higgins explains why. Continue Reading
-
Definition
24 Sep 2010
alternate data stream (ADS)
An alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that contains metadata for locating a specific file by author or title. Continue Reading
-
Tip
30 Jul 2010
How to avoid attacks that exploit a Web browser vulnerability
Beyond patching, Tom Chmielarski explains what you'll need to do to avoid application exploits caused by Web browser vulnerabilities. Continue Reading
By- Tom Chmielarski, Contributor
-
Answer
05 Jul 2010
Why it's important to turn on DEP and ASLR Windows security features
In the quest for application security, many developers are disabling or incorrectly implementing two important Windows security features. In this expert response, Michael Cobb explains why ASLR and DEP should always be turned on. Continue Reading