Application and platform security
Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about applications attacks, secure software development, patch management, OS security, virtualization, open source security, API security, web app and server security and more.
Top Stories
-
News
28 Feb 2025
Microsoft targets AI deepfake cybercrime network in lawsuit
Microsoft alleges that defendants used stolen Azure OpenAI API keys and special software to bypass content guardrails and generate illicit AI deepfakes for payment. Continue Reading
-
Tip
28 Feb 2025
Why and how to create Azure service principals
Service principals are a convenient and secure way to protect Azure resources. Follow this step-by-step guide to create a service principal that defends vital Azure workloads. Continue Reading
-
Tip
28 Mar 2019
4 steps to ensure virtual machine security in cloud computing
Enterprises are now operating in a cloud-virtual world. Understanding four steps to ensure virtual machine security in cloud computing environments is crucial. Continue Reading
-
Feature
28 Mar 2019
Symantec Web Security Service vs. Zscaler Internet Access
Learn how cloud-based secure web gateway products Symantec Web Security Service and Zscaler Internet Access compare when it comes to features, benefits, pricing and support. Continue Reading
-
News
28 Mar 2019
Ghidra update squashes serious bugs in NSA reverse-engineering tool
The NSA answered lingering questions around what kind of support it would provide for Ghidra after releasing the tool as open source with a patch that fixed serious bugs. Continue Reading
-
Feature
27 Mar 2019
6 questions to ask before evaluating secure web gateways
Learn which six questions can help an organization identify its web security and business needs and its readiness to implement a secure web gateway. Continue Reading
-
News
19 Mar 2019
Critical WinRAR bug exploited in targeted attacks
A critical WinRAR bug that was exposed after 19 years is already being exploited in targeted attacks in the Middle East and United States, despite the availability of patch. Continue Reading
-
Tip
19 Mar 2019
5 common web application vulnerabilities and how to avoid them
Common web application vulnerabilities continue to confound enterprises. Here's how to defend against them and stop enabling exploits. Continue Reading
-
News
15 Mar 2019
Despite reservations about NSA's Ghidra, experts see value
The NSA's reverse-engineering tool, Ghidra, was released to the public and despite some initial concerns experts are generally bullish on the prospects for the free software. Continue Reading
-
News
08 Mar 2019
Battling misinformation focus of Facebook, Twitter execs' talk
Facebook and Twitter executives say finding a pattern of malicious activity is more effective in identifying bad actors on sites than looking at the misleading information itself. Continue Reading
-
News
06 Mar 2019
NSA releases Ghidra open source reverse-engineering tool
The National Security Agency launched its highly anticipated reverse-engineering tool, Ghidra. The free software offers features found in high-end commercial products. Continue Reading
-
Tip
04 Mar 2019
The developer's role in application security strategy
Developers often pay lip service about being integral to application security, but they usually don't consider vulnerabilities until much too late in the dev process. Continue Reading
-
News
01 Mar 2019
Coinhive shutdown imminent after troubled cryptomining past
The Coinhive cryptominer is scheduled to be shut down following a troubled history and experts don't think the company gave the full story as to why the shutdown is happening. Continue Reading
-
Tutorial
01 Mar 2019
Mimikatz tutorial: How it hacks Windows passwords, credentials
In this Mimikatz tutorial, learn about the password and credential dumping program, where you can acquire it and how easy it makes it to compromise system passwords. Continue Reading
-
News
28 Feb 2019
Cisco patches persistent Webex vulnerability for a third time
After two previous attempts, Cisco has issued a third patch for a persistent flaw in its Webex platform, which allows privilege escalation attacks on systems running the software. Continue Reading
-
News
27 Feb 2019
MarioNet attack exploits HTML5 to create botnets
Researchers created a new browser-based attack, called MarioNet, that exploits an HTML5 API and can create botnets even after a browser tab is closed or a target navigates away. Continue Reading
-
News
25 Feb 2019
WinRAR bug found and patched after 19 years
A WinRAR bug that affects every version of the app over the past 19 years was discovered and patched. But it's unclear if the millions of the app's users will get the needed fix. Continue Reading
-
Tip
21 Feb 2019
Weighing the cost of mitigating Spectre variant 2
Fixes for the Spectre variant 2 vulnerability affect system performance, so some in the tech sector wonder whether they're worth it. Expert Michael Cobb examines that question. Continue Reading
-
Answer
18 Feb 2019
Should I use GitHub's new private repositories?
Is GitHub's new private repositories service robust enough to serve the needs of enterprises? Nick Lewis examines what works -- and what doesn't. Continue Reading
-
News
15 Feb 2019
Google Play security improved by targeting repeat offenders
Google this week attributed security improvements in Google Play to both automated processes and human reviewers. The improvements include stopping bad apps from being published. Continue Reading
-
Answer
15 Feb 2019
How do trusted app stores release and disclose patches?
A flaw was found in the Android installer for Fortnite and was patched within 24 hours. Learn how such a quick turnaround affects mobile app security with expert Nick Lewis. Continue Reading
-
Answer
14 Feb 2019
How can credential stuffing attacks be detected?
Credential stuffing attacks can put companies that offer online membership programs, as well as their customers, at risk. Find out how to proactively manage the threat. Continue Reading
-
News
13 Feb 2019
Dunkin' security alert warns of new credential-stuffing attacks
Dunkin' sent a security alert to customers warning of potentially malicious access of accounts due to the second credential stuffing attack in less than three months. Continue Reading
-
Answer
13 Feb 2019
How did Browser Reaper cause browsers to crash?
A Mozilla vulnerability duplicated in the Browser Reaper set of DoS proofs of concept caused Chrome, Firefox and Safari to crash. Learn why and how this occurred. Continue Reading
-
News
12 Feb 2019
MongoDB security head addresses database exposures
Davi Ottenheimer, MongoDB's head of product security, discusses his company's efforts to prevent accidental database exposures and why so many misconfigurations occur. Continue Reading
-
Tip
12 Feb 2019
Vet third-party apps to reduce supply chain threats
Enterprises are more vulnerable than ever before to supply chain threats from third-party apps and modules. Last fall's compromised NPM package is one cautionary tale. Continue Reading
-
Tip
11 Feb 2019
5-step checklist for web application security testing
This five-step approach to web application security testing with documented results will help keep your organization's applications free of flaws. Continue Reading
-
News
08 Feb 2019
Apple releases FaceTime patch and iOS zero-day fixes
New bug fix releases for both iOS and macOS include the anticipated FaceTime patch for the serious eavesdropping flaw in group chats as well as fixes for two iOS zero-days. Continue Reading
-
Tip
07 Feb 2019
More Ghostscript vulnerabilities, more PostScript problems
Researchers keep finding PostScript interpreter bugs. Find out how a new Ghostscript vulnerability enables remote code execution against web services and Linux desktop users. Continue Reading
-
Tip
07 Feb 2019
The security implications of serverless cloud computing
Cloudflare Workers is new for serverless cloud computing and introduces benefits and drawbacks for security professionals. Expert Ed Moyle discusses the security side of serverless. Continue Reading
-
Tip
06 Feb 2019
How to create a more effective application security program
To mitigate software-related security risks, fine-tune your application security program to get the right people involved, document your standards and manage your weak points. Continue Reading
-
News
01 Feb 2019
Google planning warnings for lookalike URLs in Chrome
Google is planning to add warnings on lookalike URLs in an ongoing effort to ensure internet users experience useful and clear warnings while using the Chrome browser. Continue Reading
-
News
31 Jan 2019
Facebook and Google exploit Enterprise Certificate loophole on iOS
Both Facebook and Google were found to be exploiting a loophole in Apple's Developer Enterprise Program for iOS with apps used to gather data on users who installed them. Continue Reading
-
Tip
31 Jan 2019
Steps to improve an application environment and fix flaws
Eliminating application security flaws from an enterprise's server can be a complex task. Learn steps to take in order to improve application security with expert Kevin Beaver. Continue Reading
-
Answer
25 Jan 2019
What are the best ways to prevent a SIM swapping attack?
SIM swapping is on the rise as the use of mobile devices increases. Discover what SIM swaps are, how they work and how they can be mitigated. Continue Reading
-
Answer
23 Jan 2019
How does cross-site tracking increase security risks?
Mozilla's Firefox 63 automatically blocks tracking cookies and other site data from cross-site tracking. Learn what this is and what the benefits of blocking it are with Nick Lewis. Continue Reading
-
Answer
22 Jan 2019
How can attacks bypass Windows Driver Signature Enforcement?
Security researchers demonstrated how a new fileless attack technique can bypass a Windows kernel protection feature at Black Hat 2018. Find out how the technique works. Continue Reading
-
News
10 Jan 2019
UnCAPTCHA attack updated to bypass spoken phrases
Researchers updated their unCAPTCHA proof of concept to be more efficient in bypassing audio CAPTCHAs and be able to handle spoken phrases and not just strings of numbers. Continue Reading
-
News
08 Jan 2019
NSA to release GHIDRA open source reverse engineering tool
The National Security Agency plans to release an open source version of its GHIDRA reverse engineering tool during RSA Conference in March, but details about the tool are scarce. Continue Reading
-
Tip
02 Jan 2019
The pros and cons of proxy-based security in the cloud
Is proxy-based security in the cloud right for you? Expert Ed Moyle looks at the benefits and drawbacks of using proxies for Office 365 and other cloud platforms. Continue Reading
-
News
27 Dec 2018
NPM security to use automated tools to boost community alerts
Adam Baldwin, director of security for NPM, talks chains of trust and new NPM security initiatives that will bring automated alerts to help highlight potentially malicious activity. Continue Reading
-
News
21 Dec 2018
Microsoft patches Internet Explorer zero-day bug under attack
News roundup: Microsoft issues an emergency patch for an Internet Explorer bug exploited in the wild. Plus, authorities indict three individuals for 'stresser' services, and more. Continue Reading
-
News
20 Dec 2018
Twitter bugs expose user data and direct messages
Two Twitter bugs led to questions about the platform's user privacy and security, while the company said one of the bugs opened the door to possible state-sponsored attacks. Continue Reading
-
Answer
18 Dec 2018
How Big Star Labs was able to use data collecting apps
The ad-blocking vendor AdGuard found browser extensions and apps from Big Star Labs collecting browser history data. Discover how this was accomplished with Nick Lewis. Continue Reading
-
Tip
18 Dec 2018
How to ensure your enterprise doesn't have compromised hardware
Enterprise protections are crucial in order to guarantee the safety of your hardware. Discover best practices to guard your enterprise's hardware with Nick Lewis. Continue Reading
-
News
13 Dec 2018
Project Zero finds Logitech Options app critically flawed
Tavis Ormandy of Google's Project Zero discovered a serious authentication vulnerability in Logitech's Options application, but the peripheral device maker has yet to address the flaw. Continue Reading
-
Answer
13 Dec 2018
Why is preloading HTTP Strict Transport Security risky?
Despite being designed to improve security, infosec experts have warned against preloading the HSTS protocol. Learn about the risks of preloaded HSTS with Judith Myerson. Continue Reading
-
Answer
12 Dec 2018
Faxploit: How can sending a fax compromise a network?
Check Point researchers found a fax machine attack allowing attackers to access scanned documents. Discover how this is possible and how users can avoid falling victim. Continue Reading
-
News
11 Dec 2018
Second Google+ data exposure leads to earlier service shutdown
Another Google Plus data exposure -- this time potentially affecting more than 52 million users -- will cause the service to be shut down four months earlier than scheduled. Continue Reading
-
Tip
11 Dec 2018
How the SHA-3 competition declared a winning hash function
NIST tested competing hash functions over a period of five years for the SHA-3 algorithm competition. Learn the details of what they discovered from Judith Myerson. Continue Reading
-
News
07 Dec 2018
Facebook app permissions skirted rules to gather call logs
New email messages revealed that Facebook app permissions were carefully implemented to avoid alerting users to the fact that the Android app was gathering call log and SMS data. Continue Reading
-
Answer
07 Dec 2018
How did WhatsApp vulnerabilities get around encryption?
WhatsApp vulnerabilities can enable hackers to bypass end-to-end encryption and spoof messages. Expert Michael Cobb explains how these attacks work and how to prevent them. Continue Reading
-
Answer
06 Dec 2018
How can users remove Google location tracking completely?
Disabling Google location tracking involves more than turning off Location History. Learn how to manage your account settings to stop tracking entirely with expert Michael Cobb. Continue Reading
-
Answer
05 Dec 2018
How does TLS 1.3 differ from TLS 1.2?
Compared to TLS 1.2, TLS 1.3 saw improvements in security, performance and privacy. Learn how TLS 1.3 eliminated vulnerabilities using cryptographic algorithms. Continue Reading
-
Answer
04 Dec 2018
How do L1TF vulnerabilities compare to Spectre?
Foreshadow, a set of newly discovered L1TF vulnerabilities, exploits Intel processors via side-channel attacks. Learn about L1TF and its variations from expert Michael Cobb. Continue Reading
-
Tip
04 Dec 2018
Testing applications in production vs. non-production benefits
To ensure proper application security testing, production and non-production systems should both be tested. In this tip, expert Kevin Beaver weighs the pros and cons. Continue Reading
-
Opinion
03 Dec 2018
Marcus Ranum: Systems administration is in the 'crosshairs'
After years of spirited debates and top-notch interviews, columnist Marcus Ranum is signing (sounding?) off with some final thoughts on the future of security. Continue Reading
- 03 Dec 2018
-
News
28 Nov 2018
Compromised NPM package highlights open source trouble
A compromised NPM package targeted a popular bitcoin wallet with cryptocurrency-stealing code and experts say the issue highlights the lack of a chain of trust in open source software. Continue Reading
-
Answer
20 Nov 2018
How container security tools affect overall system security
Container security continues to be a pressing issue as containers and hosts are being used more frequently. Learn how to keep your enterprise safe with Matt Pascucci. Continue Reading
-
News
16 Nov 2018
Firefox Monitor offers breach alerts on visited websites
The promised integration with Have I Been Pwned is expanding in Firefox Monitor with new breach alerts when a user visits a recently compromised website. Continue Reading
-
Tip
15 Nov 2018
How to configure browsers to avoid web cache poisoning
Web cache poisoning poses a serious threat to web browser security. Learn how hackers can exploit unkeyed inputs for malicious use with expert Michael Cobb. Continue Reading
-
Answer
12 Nov 2018
How does new MacOS malware target users through chat?
New malware targets cryptocurrency investors through MacOS and chat platforms were recently discovered. Learn how OSX.Dummy malware works and what users can do to spot the attack. Continue Reading
-
Tip
08 Nov 2018
Why entropy sources should be added to mobile application vetting
NIST's 'Vetting the Security of Mobile Applications' draft discusses four key areas of general requirements. Learn how further improvements to the vetting process could be made. Continue Reading
-
Answer
06 Nov 2018
How does the public Venmo API pose a threat for users?
The public Venmo API setting puts users at risk by providing detailed insight into their transactions and personal lives. Expert Michael Cobb discusses the risks of public APIs. Continue Reading
-
Tip
06 Nov 2018
How testing perspectives helps find application security flaws
Application security testing requires users to test from all the right perspectives. Discover testing techniques that help find application security flaws with expert Kevin Beaver. Continue Reading
-
News
05 Nov 2018
As PHP v5 nears its end, enterprises face serious threats
The majority of websites still use the outdated PHP v5, according to recent data, causing concern over the fact that it will stop receiving security support at the end of the year. Continue Reading
-
Tip
31 Oct 2018
What Microsoft's InPrivate Desktop feature could mean for enterprises
Microsoft's secretive, potential new feature InPrivate Desktop could give security teams access to disposable sandboxes. Expert Ed Moyle explains how the feature could work. Continue Reading
-
Blog Post
26 Oct 2018
Google sets Android security updates rules but enforcement is unclear
The vendor requirements for Android are a strange and mysterious thing but a new leak claims Google has added language to force manufacturers to push more regular Android security updates. ... Continue Reading
-
News
26 Oct 2018
WebExec vulnerability leaves Webex open to insider attacks
A remote code execution flaw in Cisco Webex -- called WebExec -- could be an easy vector for insider attacks, and the researchers who found it say it's easier to exploit than detect. Continue Reading
-
Answer
26 Oct 2018
How was Kea DHCP v1.4.0 affected by a security advisory?
Kea, an open source DHCP server, was issued a medium security advisory for a flaw that causes memory leakage in version 1.4.0. Discover the workarounds with Judith Myerson. Continue Reading
-
Answer
25 Oct 2018
Does pcAnywhere put election management systems at risk?
ES&S admitted it installed the insecure remote access program pcAnywhere on election management systems. Learn what pcAnywhere is and what this risk means for election systems. Continue Reading
-
Answer
24 Oct 2018
Siemens Siclock: How do threat actors exploit these devices?
Siemens disclosed six Siclock flaws that were found within its central plant clocks. Discover why three flaws have been rated critical and how threat actors can exploit devices. Continue Reading
-
Answer
23 Oct 2018
How do newly found flaws affect robot controllers?
Several vulnerabilities were found in controllers made by Universal Robots. Discover what these controllers are used for and how threat actors can exploit these vulnerabilities. Continue Reading
-
News
22 Oct 2018
Zero-day jQuery plugin vulnerability exploited for 3 years
A zero-day in jQuery File Upload could affect thousands of projects because the jQuery plugin vulnerability has existed for eight years and actively exploited for at least three years. Continue Reading
-
Answer
19 Oct 2018
Removable storage devices: Why are companies banning them?
IBM banned removable storage devices to encourage employees to use the company's internal file-sharing system. Learn how a ban like this can improve enterprise security. Continue Reading
-
Answer
16 Oct 2018
How does the APT attack Double Kill work in Office documents?
The Qihoo 360 Core Security team found a Microsoft vulnerability -- named Double Kill -- that affects applications via Office documents. Learn how this is possible with Nick Lewis. Continue Reading
-
Blog Post
15 Oct 2018
Mystery around Trend Micro apps still lingers one month later
The mystery around the Trend Micro apps that were removed from the Mac App Store continues despite Trend Micro's numerous updates on the matter. Continue Reading
-
News
12 Oct 2018
Mozilla delays distrust of Symantec TLS certificates, Google doesn't
Mozilla delays plans to distrust Symantec TLS certificates in Firefox because despite more than one year's notice, approximately 13,000 websites still use the insecure certificates. Continue Reading
-
Answer
12 Oct 2018
How does Apple's Quick Look endanger user privacy?
Apple's Quick Look feature previews thumbnails that are not encrypted. Learn how this poses a security threat to enterprises from expert Michael Cobb. Continue Reading
-
News
11 Oct 2018
Paul Vixie wants to stop malicious domains before they're created
Farsight Security's Paul Vixie says his company's new research into domain name lifespans and causes of death shows the need for new policies and action to curb malicious domains. Continue Reading
-
Tip
10 Oct 2018
The time to consider SIEM as a service has arrived
Now even your SIEM comes in the as-a-service model. Assess whether it's time to consider outsourcing this fundamental tool in your defense lineup. Continue Reading
-
News
10 Oct 2018
Google security audit begets product changes, German probe
A Google security audit uncovered a glitch in Google Plus that exposed data from nearly 500,000 accounts, causing the company to shutter the social network and spur a German data protection probe. Continue Reading
-
Tip
09 Oct 2018
Picking the right focus for web application security testing
Deciding which web applications on which to focus application security testing is a challenging task. Read this list of considerations to ensure you're addressing the right areas. Continue Reading
-
Answer
08 Oct 2018
How does TLBleed abuse the Hyper-Threading feature in Intel chips?
TLBleed exploits Intel's HTT feature to leak data via side-channel attacks. Learn about how TLBleed obtains sensitive memory information from expert Michael Cobb. Continue Reading
-
Answer
05 Oct 2018
How does FacexWorm malware use Facebook Messenger to spread?
Researchers at Trend Micro found a new strain of malware -- dubbed FacexWorm -- that targets users via a malicious Chrome extension. Discover how this attack works with Nick Lewis. Continue Reading
-
Answer
01 Oct 2018
SamSam ransomware: How is this version different from others?
Sophos recently discovered a SamSam extortion code that performs company-wide attacks using a range of vulnerability exploits. Discover how this version differs from past variants. Continue Reading
-
News
28 Sep 2018
UN exposes sensitive data on public Trello boards
News roundup: The U.N. accidentally exposed credentials on public Trello boards. Plus, Uber is set to pay $148 million settlement following its 2016 data breach cover-up, and more. Continue Reading
-
Answer
28 Sep 2018
How can live chat widgets leak personal employee data?
Project Insecurity researchers found live chat software leaking personal employee data. Learn how attackers can use this leaked information and data to hurt organizations. Continue Reading
-
News
27 Sep 2018
Congressional websites need to work on TLS
Congressional websites may not always have the best security, according to Joshua Franklin. Although, senators may be better at website security than House representatives. Continue Reading
-
News
27 Sep 2018
Election website security a mess for states and candidates alike
Joshua Franklin has been researching election website security for congressional candidates, and he found a lot of misconfigurations on official pages and other sites meant to confuse voters. Continue Reading
-
Tip
27 Sep 2018
Why communication is critical for web security management
Conveying the importance of web security to management can be difficult for many security professionals. Kevin Beaver explains how to best communicate with the enterprise. Continue Reading
-
News
26 Sep 2018
Controversial Chrome login feature to be partially rolled back
Google will modify the next version of Chrome in an attempt to appease critics of the browser's cookie retention functionality and automatic Chrome login feature. Continue Reading
-
News
26 Sep 2018
Browser Reaper POC exploit crashes Mozilla Firefox
A security researcher developed a proof-of-concept attack on Firefox, called Browser Reaper, which can crash or freeze the browser. But he gave Mozilla short notice of the flaw. Continue Reading
-
News
25 Sep 2018
Google Chrome sign-in changes cause confusion and concern
Google Chrome sign-in changes are being criticized by experts, and poor communication from Google has led to more confusion about user privacy and consent. Continue Reading
-
News
25 Sep 2018
Hardcoded credentials continue to bedevil Cisco
Cisco hit by yet another new hardcoded credentials flaw, the latest in a long line of such flaws since last year, this time in its video surveillance manager appliance. Continue Reading
-
Answer
24 Sep 2018
GoScanSSH: How does this malware work and differ from others?
A group of malware was discovered targeting public SSH servers. However, it avoided certain IP addresses. Discover how this is possible and how the malware works with Nick Lewis. Continue Reading
-
Podcast
20 Sep 2018
Risk & Repeat: Trend Micro apps land in hot water
In this week's Risk & Repeat podcast, SearchSecurity editors discuss Trend Micro's Mac apps, which have come under fire for questionable data collection features. Continue Reading
-
Answer
20 Sep 2018
Secure encrypted virtualization: How is this technology exploited?
Researchers claim to have found a new attack against VMs that affects SEV technology. Expert Judith Myerson explains what this attack is and how it can be exploited. Continue Reading
-
News
18 Sep 2018
WannaMine cryptojacker targets unpatched EternalBlue flaw
Unpatched systems are still being targeted by the WannaMine cryptojacker, despite warnings and global cyberattacks using the EternalBlue exploit leaked from the NSA. Continue Reading
-
Answer
13 Sep 2018
How does Telegram malware bypass end-to-end encryption?
A Telegram malware called Telegrab targets Telegram's desktop instant messaging service to collect and exfiltrate cache data. Expert Michael Cobb explains how Telegrab works. Continue Reading
-
News
12 Sep 2018
Microsoft patches Windows ALPC flaw exploited in the wild
Microsoft's September 2018 Patch Tuesday release included a fix for the Windows ALPC vulnerability that was exploited in the wild for about two weeks before being patched. Continue Reading
