Ivanti patches exploited admin command execution flaw

September 20, 2024 at 11:37AM The US Cybersecurity and Infrastructure Security Agency (CISA) has added the latest Ivanti weakness, a path traversal flaw, to its Known Exploited Vulnerability catalog. This came after a string of high-profile path traversal bugs affecting IT vendors. Ivanti has released a fix for the critical severity bug affecting its Cloud … Read more

CISA boss: Makers of insecure software are the real cyber villains

September 19, 2024 at 08:37PM Jen Easterly, head of the US government’s Cybersecurity and Infrastructure Security Agency, argues that software vendors bear responsibility for cyber attacks because they ship faulty code. She urges the industry to stop glamorizing cyber crime and demands higher-quality, secure products. Easterly calls for using procurement power to pressure … Read more

CISA, FBI Urge Organizations to Eliminate XSS Vulnerabilities

September 18, 2024 at 08:24AM CISA and the FBI issued a Secure by Design alert highlighting the prevalence of cross-site scripting (XSS) vulnerabilities. They urge organizations to eliminate XSS flaws by validating and sanitizing user input, implementing additional security measures, conducting code reviews, and using modern web frameworks. The agencies also recommend implementing secure by … Read more

CISA urges software devs to weed out XSS vulnerabilities

September 17, 2024 at 12:46PM CISA and the FBI advised technology manufacturers to review software for cross-site scripting vulnerabilities before shipping and implement secure-by-design practices to eliminate such flaws entirely. They recommended input validation, output encoding functions, code reviews, and adversarial testing to prevent XSS vulnerabilities in future software releases. This warning is part of … Read more
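The two XSS items above name the controls (input validation, output encoding) without showing them. The following is an added example, not code from the CISA/FBI alert or from any vendor: a constructed search page rendered once by string interpolation and once with context-appropriate encoding, parsed with the standard library's HTMLParser to show what a browser would see in each case. The page layout, the allowlist regex and the payloads are assumptions made for illustration.

```python
"""Cross-site scripting: string-built HTML beside its encoded form.

Added example, not code from the CISA/FBI alert or from any vendor.
The search page, the parser helper and the payloads are constructed
for illustration.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs: one benign query and two XSS payloads.
SAMPLES = {
    "benign": "running shoes",
    # Lands in a text node and becomes a script element.
    "tag_injection": "<script>alert(document.cookie)</script>",
    # Closes the value="..." attribute and adds an event handler.
    "attr_breakout": '" autofocus onfocus="alert(1)',
}


def render_vulnerable(query: str) -> str:
    """Interpolates untrusted input straight into HTML: the XSS bug."""
    return (
        f"<p>Results for: {query}</p>\n"
        f'<input type="text" name="q" value="{query}">'
    )


def render_hardened(query: str) -> str:
    """Encodes the input for the contexts it lands in.

    html.escape(quote=True) turns & < > " ' into entities, which is the
    right encoding for HTML text nodes and for quoted attribute values.
    Other contexts (JavaScript strings, URLs, CSS) need their own encoder;
    this constructed page has only these two.
    """
    encoded = html.escape(query, quote=True)
    return (
        f"<p>Results for: {encoded}</p>\n"
        f'<input type="text" name="q" value="{encoded}">'
    )


# Allowlist validation is a second layer, not a substitute for encoding:
# "Tom & Jerry" is a legitimate query that still needs encoding.
_QUERY_ALLOWED = re.compile(r"[\w .,'&-]{1,100}")


def validate_query(query: str) -> bool:
    """Rejects input that cannot be a search term (defense in depth)."""
    return _QUERY_ALLOWED.fullmatch(query) is not None


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup: str) -> list:
    """Parses rendered HTML and returns [(tag, {attr: value}), ...]."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def input_attrs(markup: str) -> dict:
    """Attributes of the <input> element in the rendered page."""
    return next(attrs for tag, attrs in parsed_tags(markup) if tag == "input")


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"--- {name}: passes validation={validate_query(payload)}")
        print("vulnerable <input> attrs:", input_attrs(render_vulnerable(payload)))
        print("hardened   <input> attrs:", input_attrs(render_hardened(payload)))
```

With the attribute-breakout payload the vulnerable render yields an `<input>` carrying an extra `onfocus` attribute, while the hardened render yields the same three attributes as the benign case, with the whole payload sitting inertly inside `value`. Validation alone would have rejected both payloads here, but it cannot be the only control: any input that legitimately contains `&`, `<` or quotes will reach the page, and only encoding decides how the browser interprets it.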

Human Nature Is Causing Our Cybersecurity Problem

August 19, 2024 at 10:07AM Cyberattacks have become the biggest threat to businesses, yet organizations keep putting off the fixes despite the significant consequences. The human tendency to undervalue future risk relative to present effort, known as temporal discounting, leads to delays in adopting modern security practices. Governments can combat this by enforcing penalties and regulations, as the automotive and food safety industries already do. Furthermore, guidance like automatic … Read more

Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal

August 2, 2024 at 07:00AM Enterprise Resource Planning (ERP) software, including the open-source Apache OFBiz framework, faces critical security vulnerabilities, as demonstrated by in-the-wild exploitation of a directory traversal flaw. The SANS Internet Storm Center reported a rise in exploit attempts, with attackers targeting OFBiz using the Mirai botnet. The vulnerabilities pose a threat to sensitive … Read more
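Both the OFBiz item here and the Ivanti item at the top of the page concern path (directory) traversal. The following is an added example, not code from OFBiz, Ivanti or the SANS ISC post: a constructed static-file handler joined naively beside a version that resolves the path and checks it is still under the base directory, exercised against traversal attempts including URL-encoded dots, an absolute path, a NUL byte and a symlink that points outside the tree. The base directory, request paths and helper names are assumptions for illustration; the separator handling is POSIX.

```python
"""Directory traversal: joining a client-supplied path safely.

Added example; it is not code from OFBiz, Ivanti or the SANS ISC post.
The static-file handler, base directory and request paths are constructed
for illustration. Separator handling assumes POSIX (on POSIX a backslash
is an ordinary filename character, not a separator).
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def serve_vulnerable(base_dir: str, request_path: str) -> str:
    """Concatenates the request path onto the base directory: the bug.

    "../" survives the join, so "../../etc/passwd" escapes base_dir, and
    os.path.join silently discards base_dir when the request is absolute.
    """
    return os.path.join(base_dir, unquote(request_path))


def safe_join(base_dir: str, request_path: str) -> Optional[str]:
    """Returns the resolved path if it stays inside base_dir, else None.

    Decode once (as the web server would), reject NUL, resolve symlinks and
    '..' with realpath on both sides, then compare with commonpath rather
    than str.startswith (which would accept "/srv/static-private" as being
    inside "/srv/static").
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:  # NUL truncates the path in C-based file APIs
        return None
    base_real = os.path.realpath(base_dir)
    # lstrip("/") keeps an absolute request relative to the base directory.
    candidate = os.path.realpath(os.path.join(base_real, decoded.lstrip("/")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


# Constructed requests: two benign, then traversal attempts of various shapes.
REQUESTS = [
    "css/site.css",
    "css/../js/app.js",            # '..' that stays inside the tree
    "../../etc/passwd",            # classic traversal
    "%2e%2e/%2e%2e/etc/passwd",    # URL-encoded dots, decoded before the check
    "/etc/passwd",                 # absolute path; treated as relative to base
    "css/site.css%00.png",         # NUL byte aimed at extension checks
]


def classify(base_dir: str) -> dict:
    """Maps each constructed request to True (served) or False (rejected)."""
    return {req: safe_join(base_dir, req) is not None for req in REQUESTS}


def symlink_escape_demo() -> tuple:
    """Shows that a symlink inside base_dir pointing outside is caught too.

    Builds a throwaway tree <tmp>/www/escape -> <tmp>/secret and returns
    (naive_path_reaches_secret_file, safe_join_result).
    """
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        secret = os.path.join(tmp, "secret")
        os.mkdir(www)
        os.mkdir(secret)
        with open(os.path.join(secret, "keys.txt"), "w") as fh:
            fh.write("constructed secret\n")
        os.symlink(secret, os.path.join(www, "escape"))
        naive = serve_vulnerable(www, "escape/keys.txt")
        return os.path.exists(naive), safe_join(www, "escape/keys.txt")


if __name__ == "__main__":
    base = "/srv/app/static"
    for req, served in classify(base).items():
        print(f"{req!r:32} naive={serve_vulnerable(base, req)!r:40} "
              f"{'served' if served else 'rejected'}")
    print("symlink escape (naive reaches file, safe_join result):",
          symlink_escape_demo())
```

Two details matter more than the `..` check itself: decoding must happen before the check and exactly once (double-encoded `%252e` decodes to a literal `%2e`, which names a harmless file rather than a parent directory), and the comparison has to be done on resolved paths so that symlinks planted or already present under the base directory cannot redirect the read.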

Alex Stamos Named CISO at SentinelOne

August 1, 2024 at 12:12PM SentinelOne has appointed Alex Stamos as its new Chief Information Security Officer (CISO). With a background at Yahoo and Facebook, Stamos aims to prioritize security over profit, referencing the dangers of upselling in the industry. The decision reflects SentinelOne’s commitment to a security-first approach in the face of increasing cyber … Read more

Google Cloud CISO Phil Venables: ‘I’m short-term pessimistic, long-term optimistic’

July 30, 2024 at 11:36AM Phil Venables, Google Cloud’s CISO, shares insights on their mission to secure cloud infrastructure, products, and services, and improve overall ecosystem security. He discusses the complexities and optimism around the state of cybersecurity, emphasizing the need for security to be built in, not bolted on, and government initiatives for secure-by-design … Read more

CISA, FBI Warn of OS Command-Injection Vulnerabilities

July 12, 2024 at 02:34PM CISA and the FBI issued a critical “Secure by Design Alert” urging software developers to address OS command-injection vulnerabilities. Recent exploits, such as the CVE-2024-20399 bug in Cisco’s NX-OS software, demonstrate the potential for system takeovers and data leaks. The agencies advocate for a secure-by-design approach and OPSEC principles to … Read more
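The alert summarized above recommends removing OS command injection by design rather than patching individual instances. The following is an added example, not code from the CISA/FBI alert or from Cisco NX-OS: a constructed reachability-check tool written three ways, as a shell string built from user input, as an argument vector with no shell, and as an argument vector behind an allowlist. `echo` stands in for `ping` so it runs anywhere with a POSIX shell; the hostname rule and the payloads are assumptions for illustration.

```python
"""OS command injection: shell string beside an argument vector.

Added example, not code from the CISA/FBI alert or from Cisco NX-OS.
The reachability-check tool, the hostname rule and the payloads are
constructed for illustration; echo stands in for ping so the example
runs anywhere with a POSIX shell and nothing leaves the host.
"""
import re
import subprocess

# Constructed inputs: a benign host and a classic injection payload.
SAMPLES = {
    "benign": "10.0.0.5",
    "injection": "10.0.0.5; echo INJECTED",
}


def check_vulnerable(host: str) -> str:
    """Builds a shell command by string formatting: the injection bug.

    shell=True hands the string to /bin/sh, so metacharacters in `host`
    (';', '|', '&&', '$(...)', backticks) become additional commands.
    """
    result = subprocess.run(
        f"echo probing {host}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def check_argv_only(host: str) -> str:
    """Runs the program directly with an argument vector; no shell parses it.

    The host is one argv element however many metacharacters it contains,
    so the injected text is printed as data rather than executed.
    """
    result = subprocess.run(["echo", "probing", host], capture_output=True, text=True)
    return result.stdout


# Hostname or IPv4 literal: letters, digits, dots and hyphens only, and never a
# leading hyphen, which an argv-based call would still pass to the tool as an
# option (argument injection, e.g. ping's own "-c").
_HOST_RE = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")


def validate_host(host: str) -> bool:
    """Allowlist check on the value before it reaches any program."""
    return _HOST_RE.fullmatch(host) is not None


def check_hardened(host: str) -> str:
    """Argument vector plus allowlist: the secure-by-design version."""
    if not validate_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return check_argv_only(host)


def demo() -> dict:
    """Runs every version on each sample; returns captured output lines."""
    out = {}
    for name, host in SAMPLES.items():
        out[(name, "vulnerable")] = check_vulnerable(host).splitlines()
        out[(name, "argv_only")] = check_argv_only(host).splitlines()
        try:
            out[(name, "hardened")] = check_hardened(host).splitlines()
        except ValueError as exc:
            out[(name, "hardened")] = [f"rejected: {exc}"]
    return out


if __name__ == "__main__":
    for key, lines in demo().items():
        print(key, lines)
```

The vulnerable version prints two lines for the injection payload because `/bin/sh` ran two commands; the argv version prints one line containing the whole payload as text. The allowlist on top of that is what closes argument injection, which argv alone does not: a value beginning with `-` is still an option to the program that receives it. If a shell is genuinely unavoidable, `shlex.quote` on each interpolated value is the fallback, but the argv form removes the problem class rather than escaping around it.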

CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth

July 11, 2024 at 10:36AM The Cybersecurity and Infrastructure Security Agency (CISA) conducted a SILENTSHIELD red team assessment against a Federal Civilian Executive Branch organization in early 2023. The red team mimicked the techniques, tradecraft, and behaviors of sophisticated threat actors to assess the organization’s security posture. The assessment revealed findings related to initial access, … Read more