Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
28 Feb 2025
Microsoft targets AI deepfake cybercrime network in lawsuit
Microsoft alleges that defendants used stolen Azure OpenAI API keys and special software to bypass content guardrails and generate illicit AI deepfakes for payment. Continue Reading
-
Tip
28 Feb 2025
Why and how to create Azure service principals
Service principals are a convenient and secure way to protect Azure resources. Follow this step-by-step guide to create a service principal that defends vital Azure workloads. Continue Reading
-
Feature
18 Sep 2020
Security for SaaS applications starts with collaboration
Following established best practices helps enterprises facilitate collaboration and communication through SaaS applications while simultaneously ensuing secure SaaS use. Continue Reading
-
News
17 Sep 2020
Maze ransomware gang uses VMs to evade detection
A Sophos investigation into a Maze ransomware attack revealed that threat actors borrowed an attack technique pioneered by Ragnar Locker operators earlier this year. Continue Reading
-
Tip
15 Sep 2020
3 steps to secure codebase updates, prevent vulnerabilities
Codebase updates are critical, but what about when they introduce vulnerabilities? These three steps will help app developers secure codebase updates and keep their apps safe. Continue Reading
-
News
25 Aug 2020
'Meow' attacks top 25,000 exposed databases, services
One month after the notorious 'meow' attacks were first detected, the threat to misconfigured databases exposed on the internet shows little sign of slowing down. Continue Reading
-
News
18 Aug 2020
Apache Struts vulnerabilities allow remote code execution, DoS
The Apache Software Foundation issued security advisories last week for two Apache Struts vulnerabilities that were originally patched but not fully disclosed last fall. Continue Reading
-
Feature
18 Aug 2020
'Secure by Design' principles include failures, exceptions
Using design principles with built-in security, along with properly defining exceptions, can help developers not only build safe code, but do so while meeting deadlines. Continue Reading
-
Feature
18 Aug 2020
Exception handling best practices call for secure code design
Making software secure by design requires tremendous consideration about how failures are handled. Learn more from these exception handling examples. Continue Reading
-
News
12 Aug 2020
Kaspersky reveals 2 Windows zero-days from failed attack
Kaspersky prevented an attack against a South Korean company back in May that used two zero-day vulnerabilities. One, arguably the more dangerous, focused on Internet Explorer. Continue Reading
-
News
07 Aug 2020
10 years after Stuxnet, new zero-days discovered
A decade after Stuxnet, SafeBreach Labs researchers discovered new zero-day vulnerabilities connected to the threat, which they unveiled at Black Hat USA 2020. Continue Reading
-
News
07 Aug 2020
Not just politics: Disinformation campaigns hit enterprises, too
In her Black Hat USA 2020 keynote, Renée DiResta of the Stanford Internet Observatory explains how nation-state hackers have launched 'reputational attacks' against enterprises. Continue Reading
-
Opinion
03 Aug 2020
The case for cybersecurity by design in application software
Security must be part of IT from the start and then continue through the entire product lifecycle -- design, build, release and maintenance. Consumers now demand it. Continue Reading
-
Tip
03 Aug 2020
How to shift from DevOps to DevSecOps
A successful DevSecOps rollout requires software developers to be equipped with the proper security skills and tools. Learn how to transition smoothly from DevOps to DevSecOps. Continue Reading
- 03 Aug 2020
-
Tip
31 Jul 2020
How to mitigate an HTTP request smuggling vulnerability
Exploiting an HTTP request smuggling vulnerability can result in the inadvertent execution of unauthorized HTTP requests. Learn how to defend web environments from this attack. Continue Reading
-
News
30 Jul 2020
'Meow' attacks continue, thousands of databases deleted
More than one week later, the mysterious attacks on insecure databases on ElasticSearch, MongoDB and others have not only persisted but grown, with no explanation. Continue Reading
-
News
23 Jul 2020
'Meow' attacks wipe more than 1,000 exposed databases
A new threat has hit more than 1,000 unsecured databases on ElasticSearch, MongoDB and other platforms, destroying data and replacing files with a single word: meow. Continue Reading
-
News
17 Jul 2020
'SigRed' alert: Experts urge action on Windows DNS vulnerability
Experts are urging organizations to take immediate action on SigRed, a 17-year-old Windows DNS server vulnerability discovered by Check Point Research and patched by Microsoft. Continue Reading
-
News
15 Jul 2020
Attackers find new way to exploit Docker APIs
Aqua Security released research detailing a new tactic where the attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. Continue Reading
-
News
06 Jul 2020
Critical F5 Networks vulnerability under attack
A critical remote code execution vulnerability that was disclosed and patched just days ago is already being exploited by threat actors. Continue Reading
-
News
01 Jul 2020
Microsoft fixes Windows Codecs flaws with emergency patches
Microsoft addressed two vulnerabilities, one rated critical and the other rated important, after being alerted by a researcher with Trend Micro's Zero Day Initiative. Continue Reading
-
News
25 Jun 2020
Open source vulnerabilities down 20% in 2019
Snyk recently released its fourth annual 'State of Open Source Security' report, which analyzed open source statistics, vulnerability trends and security culture. Continue Reading
-
News
08 Jun 2020
CISA warns Microsoft SMB v3 vulnerability is under attack
CISA issued an alert Friday about attacks on a Microsoft Server Message Block v3 vulnerability and a proof-of-concept code that exploits the flaw in unpatched systems. Continue Reading
-
Tip
08 Jun 2020
Benefits of open source container vulnerability scanning
Containers have revolutionized app development but pose many security challenges. Uncover how container vulnerability scanning can help and why to consider open source tools. Continue Reading
-
News
02 Jun 2020
VMware vulnerability enables takeover of cloud infrastructure
A new vulnerability in VMware Cloud Director allowed any user to obtain control of any virtual machine on a public or private cloud, according to ethical hacking firm Citadelo. Continue Reading
-
News
28 May 2020
Supply chain attack hits 26 open source projects on GitHub
Threat actors conducted an unprecedented supply chain attack by using malware known as Octopus Scanner to create backdoors in open source projects, which were uploaded to GitHub. Continue Reading
-
Feature
20 May 2020
IT and security teams collide as companies work from home
The new world of remote work has given rise to IT and security teams working more closely than ever before. They need to come together to provide excellent UX and security. Continue Reading
-
Quiz
20 May 2020
Use these CCSK practice questions to prep for the exam
Virtualization and container security are key topics in the Certificate of Cloud Security Knowledge credential. Test your knowledge with these CCSK practice questions. Continue Reading
-
News
07 May 2020
Advanced Computer Software leak exposes nearly 200 law firms
Researchers at cybersecurity vendor TurgenSec discovered an exposed database owned by Advanced Computer Software that contained legal documents with data from 190 law firms. Continue Reading
-
News
06 May 2020
GitHub security features tackle data exposures, vulnerabilities
In in effort to curb accidental data exposures in repositories, GitHub unveiled a new 'secret' scanning tool that examines public and private code repositories for sensitive data. Continue Reading
-
Feature
05 May 2020
The what, why and how of the Spring Security architecture
Like any framework, Spring Security requires writing less code to implement the desired functionality. Learn how to implement the Spring Security architecture in this book excerpt. Continue Reading
-
Feature
05 May 2020
Why developers need to know the Spring Security framework
The Spring Security framework is a reliable way for Java developers to secure applications. However, proper implementation is critical to prevent the most common vulnerabilities. Continue Reading
-
Tip
29 Apr 2020
SSL certificate best practices for 2020 and beyond
SSL/TLS security is continuously improving, and there are steps site owners should take to ensure the safety of their SSL certificates, websites and users. Read on to learn more. Continue Reading
-
News
16 Apr 2020
TPG Capital combines 3 vendors to form Digital.ai
Private equity firm TPG Capital combined three acquisitions -- CollabNet VersionOne, XebiaLabs and Arxan Technologies -- to create the new DevSecOps-focused vendor. Continue Reading
-
Opinion
14 Apr 2020
Bot management drives ethical data use, curbs image scraping
Bot management tools can help enterprises combat bad bots, prevent web and image scraping, and ensure ethical data use -- all while maintaining a positive end-user experience. Continue Reading
-
Podcast
09 Apr 2020
Risk & Repeat: Are Zoom security fears overblown?
This week's Risk & Repeat podcast looks at the backlash against Zoom over security and privacy concerns and asks whether there's been an overreaction. Continue Reading
-
News
06 Apr 2020
Zoom takes new security measures to counter 'Zoombombing'
Zoom has implemented two key security and privacy measures in order to counter 'Zoombombing.' One enables passwords in meetings by default, while the second creates waiting rooms. Continue Reading
-
Podcast
02 Apr 2020
Risk & Repeat: Zoom security comes under fire
This week's Risk & Repeat podcast looks at several security issues Zoom faced over the last week, which led to questions about the company's privacy and security practices. Continue Reading
-
News
02 Apr 2020
Zoom zero-day vulnerabilities patched a day after disclosure
An ex-NSA hacker reported two zero-day vulnerabilities on his blog Wednesday. One of them can give an attacker control of a user's webcam and microphone. Zoom fixed both flaws quickly. Continue Reading
-
Tip
30 Mar 2020
Best practices for threat modeling service mesh, microservices
In microservices and service mesh environments, communications don't follow static paths. As such, security teams must update their application threat modeling methods. Continue Reading
-
Tip
25 Mar 2020
How to prevent buffer overflow attacks
Read up on types of buffer overflow attacks, and learn secure coding best practices that prevent such vulnerabilities, as well as post-deployment steps to keep apps and websites safe. Continue Reading
-
News
11 Mar 2020
Microsoft discloses wormable SMBv3 flaw without a patch
Microsoft disclosed a new remote code execution vulnerability associated with the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, but there's currently no patch available. Continue Reading
-
Tip
27 Feb 2020
How to use TODO comments for secure software development
Don't let security be a software development burden. Learn app developer tricks, such as using TODO comments, to ensure security controls make it from development to production. Continue Reading
-
Feature
27 Feb 2020
Windows IIS server hardening checklist
Use this handy Windows IIS server hardening checklist on the job to ensure your IIS server is deployed safely and stays secure in use. Continue Reading
-
Feature
26 Feb 2020
Security testing web applications and systems in the modern enterprise
Security testing web apps with little budget and poor documentation is difficult. Ric Messier discusses building a security testing lab in the DevSecOps, cloud and automation age. Continue Reading
-
Feature
26 Feb 2020
Software security testing and software stress testing basics
In this excerpt from Ric Messier's book, learn why software security testing and stress testing are critical components of an enterprise infosec program. Continue Reading
-
Opinion
26 Feb 2020
RSA 2020 day 1: Windows 10X & secured core PCs; Hysolate updates; LastPass passwordless login
Security-focused conferences are my time to shine--and geek out on the latest in security news. Continue Reading
-
Answer
06 Feb 2020
How to combat the top 5 enterprise social media risks in business
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology. Continue Reading
-
News
24 Jan 2020
Citrix patches vulnerability as ransomware attacks emerge
Citrix rolls out more patches ahead of schedule for CVE-2019-19781, a directory traversal vulnerability that affects Citrix ADC, Gateway and SD-WAN WANOP products. Continue Reading
-
Tip
21 Jan 2020
Lyft's open source asset tracking tool simplifies security
Security teams need information and context about data in order to keep it safe. Learn how Cartography, Lyft's open source asset tracking tool, creates highly comprehensive maps. Continue Reading
-
News
15 Jan 2020
NSA reports flaw in Windows cryptography core
Microsoft patched a critical vulnerability in how Windows validates cryptographic certificates that could lead to dangerous attacks, according to experts, and was originally reported by the NSA. Continue Reading
-
Feature
14 Jan 2020
5 application security threats and how to prevent them
The most widely known application security threats are sometimes the most common exploits. Here is a list of the top app threats and their appropriate security responses. Continue Reading
-
News
13 Jan 2020
Signal Sciences: Enterprises still overlooking web app security
Signal Sciences co-founder and CEO Andrew Peterson explains why web application security often gets shortchanged and what his next-gen WAF company is doing to change that. Continue Reading
-
Answer
13 Jan 2020
7 TCP/IP vulnerabilities and how to prevent them
While many TCP/IP security issues are in the protocol suite's implementation, there are some vulnerabilities in the underlying protocols to be aware of. Continue Reading
-
News
13 Dec 2019
Google expands multiple Chrome password protection features
Chrome's updated, built-in protections are intended to help users protect their passwords and data against malware, data breaches and phishing sites, according to the company. Continue Reading
-
Feature
11 Dec 2019
Ideal DevSecOps strategy requires the right staff and tools
Sometimes viewed as an obstacle to speedy software rollout, the DevSecOps model helps security teams drive innovation in development. Learn how to build a DevSecOps strategy. Continue Reading
-
News
02 Dec 2019
Exposed Firebase databases hidden by Google search
A security researcher found that Google's search engine hides results for misconfigured Firebase databases that are publicly accessible on the internet. Continue Reading
-
News
13 Nov 2019
ZombieLoad v2 disclosed, affects newest Intel chips
Researchers disclosed another variant of the ZombieLoad side-channel attack that affects the newest Intel processors, and also discovered a flaw in the original ZombieLoad patch. Continue Reading
-
Tip
12 Nov 2019
How container adoption affects container security
Scalability and efficiency make container adoption an attractive option for enterprises today. Learn how containerization has evolved and grown since the release of Docker 1.0 five years ago. Continue Reading
-
News
06 Nov 2019
Firefox bug is enabling attackers to freeze out users
A recently reported bug in Firefox allows spammed authentication dialogs to lock users out of their browsers and it is under attack in the wild, despite previous efforts to patch. Continue Reading
-
News
01 Nov 2019
Threat Stack Application Security Monitoring adds Python support
Now supporting both Python and Node.js, Application Security Monitoring can identify risk throughout the software development lifecycle for both third-party and native code. Continue Reading
-
News
31 Oct 2019
Adsterra still connected to malvertising campaign, despite denials
Despite a pledge of "zero tolerance" for malicious activity, ad network Adsterra was found to be once again connecting with the Master134 malvertising campaign. Continue Reading
-
Feature
18 Oct 2019
DevSecOps model requires security get out of its comfort zone
Shifting from DevOps to DevSecOps isn't always easy, with the transition requiring changes to culture, processes and people. Here's how security can help lead the charge. Continue Reading
-
News
11 Oct 2019
Palo Alto Networks launches new version of Demisto SOAR platform
New features to the Demisto platform include a customizable user interface, threat intelligence, database scaling and a mobile app providing chat support and updates for users. Continue Reading
-
News
09 Oct 2019
Twitter 2FA data 'inadvertently' used for advertising
Twitter used two-factor authentication information, including email addresses and phone numbers, to target ads for an unknown number of people over an unknown period of time. Continue Reading
-
Feature
07 Oct 2019
To secure DevOps, break culture and tooling barriers
The importance of secure DevOps initiatives can't be denied, but building security into DevOps isn't easy. Explore what needs to change and how those changes can be achieved. Continue Reading
-
Feature
07 Oct 2019
The 3 pillars of a DevSecOps model
In this excerpt from Chapter 1 of Securing DevOps: Security in the Cloud, author Julien Vehent describes three principles critical to the DevSecOps model. Continue Reading
-
Tip
04 Oct 2019
Virtual network security measures to thwart access threats
Virtual networks add a layer of complexity to the real networks below them. Follow these three virtual network security measures to prevent complexity from creating issues. Continue Reading
-
News
24 Sep 2019
Cloudflare battles malicious bots with 'fight mode'
Cloudflare takes its first steps in keeping malicious bots from attacking customers by using complex challenges to waste a bot's CPU resources in an attempt to disincentivize more bots. Continue Reading
-
Tip
19 Sep 2019
How to encrypt and secure a website using HTTPS
The web is moving to HTTPS. Find out how to encrypt websites using HTTPS to stop eavesdroppers from snooping around sensitive and restricted web data. Continue Reading
-
Tip
12 Sep 2019
What it takes to be a DevSecOps engineer
To address security early in the application development process, DevSecOps requires a litany of skills and technology literacy. Learn what it takes to be a DevSecOps engineer. Continue Reading
-
News
10 Sep 2019
Gigamon launches platform to improve application visibility
Application Metadata Intelligence identifies network performance, application performance, operational technology communications and security and threat detection. Continue Reading
-
Tip
27 Aug 2019
Complexity requires new cloud-based patch management strategies
Patch management for cloud creates new challenges than traditional in-house programs. Expert Dave Shackleford presents patch management best practices for providers and consumers alike. Continue Reading
-
News
23 Aug 2019
DARPA unveils first SSITH prototype to mitigate hardware flaws
DARPA is still in the early prototype stages of its SSITH program, but the aim is to develop an open source chip able to block hardware attacks and reduce the need for software patches. Continue Reading
-
Answer
23 Aug 2019
What's the best way to prevent XSS attacks?
To prevent cross-site scripting attacks, software developers must validate user input and encode output. Review characters to filter out, as well as sources and sinks to avoid. Continue Reading
-
Answer
20 Aug 2019
Why is patch management important?
Borderless networks present new challenges for security pros. Andrew Froehlich explains how this trend makes patch management even more important. Continue Reading
-
Opinion
20 Aug 2019
How does Menlo Security’s remote browser compare in an ever more crowded space?
There are now many remote browser isolation options available, from both desktop virtualization vendors and security vendors. Menlo just got a $75 million round of funding—so, how does it compare? Continue Reading
-
Tip
16 Aug 2019
DevOps security checklist requires proper integration
There are a lot of moving parts to adding security into a DevOps environment. Using application testing DevOps security tools are key to the equation. Continue Reading
-
Feature
08 Aug 2019
CEO on collaboration tool security, insider threats, skills gap
Michael Coates, CEO and co-founder of cloud collaboration security platform Altitude Networks, speaks to industry trends and his transition from CISO to CEO. Continue Reading
-
News
07 Aug 2019
Black Hat 2019 keynote: Software teams must own security
In the keynote for Black Hat 2019, Square's Dino Dai Zovi emphasizes security as a collaborative effort by all software teams that relies on communication, automation and feedback. Continue Reading
-
Tip
05 Aug 2019
How to start building a DevSecOps model
To help transition to a DevSecOps model to protect enterprises, security teams need to identify key stakeholders, provide examples of specific company security events and work toward creating crossover teams. Continue Reading
-
News
17 Jul 2019
BlueKeep blues: More than 800,000 systems still unpatched
Despite alerts from Microsoft and the U.S. government, more than 800,000 online systems have yet to patch the Windows RDP vulnerability two months after it was disclosed. Continue Reading
-
News
17 Jul 2019
E-commerce platforms used for domain spoofing against Best Buy
Despite efforts to flag spoofed domains imitating Best Buy, the sites are still active on e-commerce platforms like Shopify and GearLaunch, which have not taken them down. Continue Reading
-
News
12 Jul 2019
Zoom vulnerability reveals privacy issues for users
Companies and users around the world were impacted by a Zoom conferencing software flaw that could allow threat actors to forcibly join a video call without interaction. Continue Reading
-
News
20 Jun 2019
Gartner: Application security programs coming up short
At the 2019 Gartner Security and Risk Management Summit, experts discussed how enterprise application security efforts are falling short and what can be done about it. Continue Reading
-
News
19 Jun 2019
BlueKeep warnings having little effect on Windows patching
DHS issued the latest security advisory for BlueKeep, but it's unclear whether the repeated warnings are being heeded by organizations that have vulnerable systems on the internet. Continue Reading
-
Answer
19 Jun 2019
How can developers avoid a Git repository security risk?
Learn how managing web development content with the popular version control system can be risky without taking action to avoid these basic Git repository security risks. Continue Reading
-
News
31 May 2019
Docker vulnerability with no patch could allow root access
A security researcher disclosed a Docker bug that could allow an attacker to gain root-level access to a system. Docker signed off on the disclosure, despite a fix not yet being available. Continue Reading
-
News
29 May 2019
Hackers scan for MySQL ransomware targets
A security researcher found that malicious actors have been scanning database servers for MySQL ransomware targets running on Windows, but mitigation should be relatively easy. Continue Reading
-
Report
24 May 2019
Using virtual appliances for offload is a key encryption strategy
Using a virtual appliance to process traffic is a key encryption strategy enterprises can use to improve throughput. The results are striking Continue Reading
-
News
24 May 2019
Barracuda Advanced Bot Protection safeguards web applications
Advanced Bot Protection is a cloud-hosted platform that defends against automated threats using AI. It is available as both a web application firewall (WAF) and WAF as a service. Continue Reading
-
News
15 May 2019
WannaCry infections continue to spread 2 years later
Two years after the initial wave of WannaCry attacks, security researchers said the ransomware continues to spread to vulnerable devices even though it's not encrypting data. Continue Reading
-
Blog Post
09 May 2019
Google focuses more on steering the Android ship than righting it
Google's security and privacy upgrades to Android are mostly forward-thinking changes, readying for a future that is inevitable but unclear, rather than ways to improve security today. Continue Reading
-
News
06 May 2019
Cisco SSH vulnerability sparks debate over backdoors
Cisco released a patch for a critical vulnerability in Nexus 9000 switches that could allow a remote attacker to gain root access because of the use of a default SSH key pair. Continue Reading
-
Guide
03 May 2019
How to manage application security best practices and risks
The reality of application security risks requires software developers to be mindful of testing, tools and best practices to improve user experience and information security. Continue Reading
-
News
01 May 2019
DHS patching directive brings shorter deadlines
A new DHS directive placed new deadlines on patching critical vulnerabilities for federal agencies and experts are divided on whether the timelines are reasonable and realistic. Continue Reading
-
News
30 Apr 2019
A recent history of Facebook security and privacy issues
Since the start of 2018, Facebook has had a seemingly constant cascade of security issues and privacy scandals. Here's a look back at the social media giant's most serious issues. Continue Reading
-
Tip
26 Apr 2019
How to improve application security testing when it falls short
Application security testing is a critical component of enterprise security. Find out what steps you can take to make sure your testing procedures fit the bill. Continue Reading
-
News
16 Apr 2019
Microsoft disputes Outlook data breach report
Microsoft warned Outlook users who may have had data compromised in an attack using customer support login credentials to access account information over the course of months. Continue Reading
-
News
04 Apr 2019
Pipdig WordPress plugin accused of DDoS attacks and backdoors
Pipdig, a blog theme and plugin company, was accused of using obfuscated code to gain backdoor access to customer blogs and launch low-scale DDoS attacks on rivals. Continue Reading
-
News
03 Apr 2019
Proof-of-concept Magento exploit used in attacks
Experts are urging users to patch after a proof-of-concept Magento exploit was picked up by malicious actors and used in attempted attacks on e-commerce websites. Continue Reading
