Security News

Check in here for all the late-breaking AppSec news, including details about new vulnerabilities and recent breaches.

To Weak Authentication, A Thief Looks Exactly Like A Cop

By Evan Schuman August 3, 2016 | Security News

Here's an uncomfortable truth for IT to internalize: enabling access for a friend facilitates access for an enemy. This is what was behind the anti-backdoor argument that Apple aggressively made, albeit for non-altruistic sell-more-hardware reasons. In effect, if you provide an easy way for government investigators to access data, there's no reason to believe that bad guys won't use a...

Vulnerable Method detection now available for Python projects

By Darius Foo August 1, 2016

SourceClear now supports Vulnerable Method detection for both Java and Python projects. In addition to notifying you of the vulnerable libraries you're using, we will now let you know exactly where you are using the vulnerable code. Of course, if it turns out you're not actually vulnerable, we'll let you know that too. More signal, less noise. How does it work? To support Vulnerable Methods in...

Keeping Your Breach a Secret and Other Self-Destructive Decisions

By Evan Schuman July 21, 2016 | Security News

Here's a delightful bit of survey happiness out of Ireland: a vendor survey found that "almost half of Irish businesses wouldn't disclose a data security breach to impacted third parties, including customers and suppliers." Even worse, these results likely underestimate how many execs agree with that thinking, but are shrewd enough to not share that with someone taking a...

How Do You Avoid Paying a Ransom?

By Sue Poremba July 18, 2016 | Security News

Take Steps to Protect the Data before the Ransomware Attack Happens. In a recent study conducted by Radware, C-level executives revealed that they had no interest in paying up if their network was hit by ransomware, but that response came before they were locked out from their data. Once they were actually attacked, nearly half of those executives admitted they have, indeed, paid the ransom. The...

Ubuntu Forums Hacked – How Secure Is Your Community?

By John Zorabedian July 18, 2016 | Security News

Your web communities are an important way to engage your customers and solicit their feedback, but web forums are yet another website to secure, another potential entry point for attackers. A recent data breach shows just what can happen when community forums are left vulnerable. Canonical, the developer of the open-source Ubuntu operating system, announced last Friday that a database for its...

App Encryption Soaring, But How It's Being Done Is Where Things Get Interesting

By Evan Schuman July 14, 2016 | Security News

There's a very interesting new Ponemon Institute report on app encryption, which concludes that app encryption usage is sharply increasing, as it has consistently for years. The report found 37 percent of the companies examined this year embrace enterprise encryption, up from 15 percent in 2005. The report sees this as a good thing and the upward trend is certainly encouraging. But to find...

Think Your Data Leaks Are Limited To Your Databases? Think Again

By Evan Schuman July 7, 2016 | Security News

Security professionals spend an awful lot of time trying to protect sensitive corporate information, locking it away in virtual vaults, as they should. But they often neglect to protect the people who have the keys/combinations to those virtual vaults, in some cases protecting those key-holders from themselves. This comes to mind as a recent story in The Intercept reminded us of how easy we often...

Obscured Data Can Be A Psychological Security Trap

By Evan Schuman July 5, 2016 | Security News

Encryption and tokenization are great security tools, when executed properly, as they sidestep protecting data and instead attempt to make the data worthless to thieves. It's a great strategy. But when it's executed improperly, it can insidiously weaken security. This happens when IT gets cocky and overconfident that the data would indeed be worthless to attackers and starts to...

How Can Enterprises Still Be Victimized By Attacks That We've Known About For Decades?

By Evan Schuman June 16, 2016 | Security News

As has become almost a weekly tradition, another major security hole was reported last week (June 8). This report, from Talos, is about a hole that allows malicious files to be launched when anyone clicks on a PDF from within the Google Chrome browser. The attack leverages "an exploitable heap buffer overflow vulnerability in the Pdfium PDF reader. By simply viewing a PDF document that...

The Peril Of Confusing A Security Researcher With A Cyberthief

By Evan Schuman June 9, 2016 | Security News

The security researcher's lot is not an easy one. This player is an essential part of the security ecosystem, an experienced security person who tries to find security holes in systems so that they can be flagged and fixed. The problem is that the good guy security researcher, at a glance, looks and acts an awful lot like a bad guy cyberthief. From the CISO's desk, how is one...
