Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

November 27, 2024 at 11:30AM A critical security flaw (CVE-2024-11680) in the ProjectSend application, linked to improper authorization, has been actively exploited since September 2024. Despite a patch released in August 2024, only 1% of servers are updated. Users are urged to apply the latest patches to mitigate risks. CVSS score: 9.8. …

CyCognito Report Highlights Rising Cybersecurity Risks in Holiday E-Commerce

November 26, 2024 at 11:24AM CyCognito released a report highlighting security risks for e-commerce platforms during the holiday shopping season, noting increased threats to customer data. With vulnerabilities in web applications, retailers must prioritize security checks to avoid potential data breaches and disruptions. Key issues include lack of HTTPS, WAF protections, and trust certificate validity. …

Cloud Ransomware Flexes Fresh Scripts Against Web Apps

November 14, 2024 at 12:48PM Cloud-targeting ransomware is shifting focus to unprotected web applications, particularly PHP, exploiting vulnerabilities to encrypt data. New scripts, like “Pandora,” use advanced tactics for attack and data exfiltration. Protecting against these threats requires assessing cloud environments, managing permissions, and enforcing strong identity management practices, including MFA. …

Guide: The Ultimate Pentest Checklist for Full-Stack Security

October 21, 2024 at 08:24AM Pentest checklists are crucial for thorough security assessments as they help identify vulnerabilities systematically across various assets. Tailored for specific characteristics, these checklists enhance penetration testing efficiency and effectiveness, ensuring comprehensive coverage. BreachLock offers guides covering checklists for networks, applications, APIs, mobile, wireless, and social engineering. …

CISA, FBI Urge Organizations to Eliminate XSS Vulnerabilities

September 18, 2024 at 08:24AM CISA and the FBI issued a Secure by Design alert highlighting the prevalence of cross-site scripting (XSS) vulnerabilities. They urge organizations to eliminate XSS flaws by validating and sanitizing user input, implementing additional security measures, conducting code reviews, and using modern web frameworks. The agencies also recommend implementing secure by …

Security Testing Market Worth $43.9B by 2029

September 12, 2024 at 02:42PM The global Security Testing Market is projected to grow from USD 14.5 billion in 2024 to USD 43.9 billion by 2029, with a CAGR of 24.7%, driven by the increasing incidence of cyberattacks. The adoption of Static Application Security Testing (SAST) and web application security testing is on the rise, …

DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe

September 11, 2024 at 12:00PM A new campaign known as DragonRank, linked to a Chinese-speaking actor, is orchestrating black hat SEO attacks across Asia and Europe. Exploiting web applications, the group deploys malware to manipulate search engine algorithms, boosting the ranking of targeted websites. The attacks span various industry sectors and deploy methods to drive …

Mirai Botnet Targeting OFBiz Servers Vulnerable to Directory Traversal

August 2, 2024 at 07:00AM Enterprise Resource Planning (ERP) software, including the open-source framework OFBiz, faces critical security vulnerabilities, as demonstrated by the exploitation of a directory traversal flaw. The SANS Internet Storm Center reported an increase in exploit attempts, with attackers targeting OFBiz using the Mirai botnet. The vulnerabilities pose a threat to sensitive …

OWASP Data Breach Caused by Server Misconfiguration

April 2, 2024 at 07:09AM The OWASP Foundation announced a data breach revealing personal information of aspiring members from over a decade ago. The breach exposed names, addresses, phone numbers, and emails of members, prompting the organization to take security measures, notify impacted individuals, and caution the public. While the exposed data is old, caution …

Years-Old, Unpatched GWT Vuln Leaves Apps Open to Server-Side RCE

December 18, 2023 at 05:43PM An unpatched Java deserialization vulnerability in the Google Web Toolkit (GWT) open source application framework remains unresolved after over eight years. This flaw, which enables remote code execution, could potentially require significant framework fixes for vulnerable applications. According to research by Bishop Fox, addressing this issue may necessitate architectural changes …