Firms skip security reviews of major app updates about half the time

July 18, 2024 at 03:36AM
According to a CrowdStrike report, only 54 percent of cybersecurity workers review major software updates. The process is time-consuming and costly, with an average annual expenditure of nearly $1.2 million for code reviews. Security managers face challenges such as misaligned tools and prioritizing issues. Strengthening application security is critical …

CISA, FBI Warn of OS Command-Injection Vulnerabilities

July 12, 2024 at 02:34PM
CISA and the FBI issued a critical “Secure by Design Alert” urging software developers to address OS command-injection vulnerabilities. Recent exploits, such as the CVE-2024-20399 bug in Cisco’s NX-OS software, demonstrate the potential for system takeovers and data leaks. The agencies advocate for a secure-by-design approach and OPSEC principles to …

Spies Among Us: Insider Threats in Open Source Environments

May 7, 2024 at 10:51AM
A critical vulnerability in XZ Utils raised comparisons to the SolarWinds hack and highlighted the power of the open source community in averting a disaster. However, it also raised questions about security and trust within the ecosystem. The incident suggests the need for stricter security measures and consideration of internal …

Uncle Sam’s had it up to here with ‘unforgivable’ SQL injection flaws

March 26, 2024 at 12:52PM
The FBI and CISA issued a warning to software vendors about the prevalence of SQL injection vulnerabilities. They emphasized the need for formal code reviews and secure-by-design programming practices to eradicate these vulnerabilities from the development process. They also urged vendors to use parameterized queries and be transparent in disclosing …

No Security Scrutiny for Half of Major Code Changes: AppSec Survey

February 15, 2024 at 09:51AM
A recent AppSec survey found that costly code reviews, limited security scrutiny, and manual cataloging of applications and APIs are common issues. Only 54% of major code changes undergo full security reviews, and organizations face challenges with the time and cost of the review process. The survey also highlights the …

After Critical Bug Disclosures, TETRA Emergency Comms Code Goes Public

November 15, 2023 at 11:11AM
The encryption algorithms used to secure emergency radio communications will be released to the public domain, after vulnerabilities were found in TETRA. The decision to go public is a complete reversal by ETSI, which initially denied the vulnerabilities. The algorithms will be open to academic research for independent review. No date …

CI/CD Pipeline: How to Overcome Set-Up Challenges

October 19, 2023 at 01:03PM
Setting up a CI/CD pipeline comes with several challenges, but there are strategies to overcome them. These include implementing strong authentication practices, ensuring robust networking, conducting code reviews, selecting the right branching strategy, managing secrets securely, practicing effective change management, validating the pipeline through automation and monitoring, and effectively communicating …

Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

October 13, 2023 at 06:18AM
Dozens of vulnerabilities in the Squid caching and forwarding web proxy, discovered in 2021 by researcher Joshua Rogers, remain unpatched. Only a few flaws have been addressed, while 35 vulnerabilities still exist. The Squid Team lacks the resources to address the issues, and the researcher suggests reassessing the use of Squid …