CyberSecurity Dive
CISA, FBI urge software companies to eliminate directory traversal vulnerabilities
The software defects are linked to recent exploitation campaigns against critical infrastructure providers, including healthcare and schools.
SecurityWeek
Cybersecurity M&A Roundup: 33 Deals Announced in April 2024
Thirty-three cybersecurity-related merger and acquisition (M&A) transactions were announced by companies in April 2024.
SecurityWeek
IBM Acquiring HashiCorp for $6.4 Billion
IBM is acquiring HashiCorp for $6.4 billion for its infrastructure lifecycle management and security lifecycle management capabilities.
SecurityWeek
Armis Acquires Silk Security for $150 Million
Armis has acquired cyber risk prioritization and remediation company Silk Security for $150 million.
SecurityWeek
Veracode Buys Longbow Security for Automated Root Cause Analysis Tech
Veracode announces a deal to acquire Låç≈ongbow Security, a seed-stage startup working on automated root cause analysis technology.
CSO
Software security debt piles up for organizations even as critical flaws drop
Software security debt, defined in the research as any flaw that persisted unremediated for over a year, was found in 42% of all applications.
DarkReading
China Infiltrates US Critical Infrastructure in Ramp-up to Conflict
Threat actors linked to the People's Republic of China, such as Volt Typhoon, continue to "pre-position" themselves within the critical infrastructure of the United States, according to military and law enforcement officials.
SC Magazine
Feds untether hundreds of routers from Volt Typhoon botnet
The Justice Department and FBI confirmed they had disrupted the botnet run by a Chinese APT group targeting U.S. critical infrastructure.
DarkReading
Will Putting a Dollar Value on Vulnerabilities Help Prioritize Them?
Zoom's Vulnerability Impact Scoring System calculates the impact of a vulnerability to assign a cash payouts for bugs, leading hackers to prioritize more severe flaws. Can it do the same for companies?
CSO
Cloudflare report: Log4j remains top target for attacks in 2023
The company warns that HTTP/2 Rapid Reset is emerging as significant new vulnerability.
The Hacker News
Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans
Lazarus Group launched a new global campaign involves exploiting security flaws in Log4j to deploy previously undocumented RAT on compromised hosts.
Infosecurity News
Two-Fifths of Log4j Apps Use Vulnerable Versions
Two years after a critical vulnerability was found in utility Log4j, 38% of apps still use buggy versions
The Record
North Korean hackers using Log4J vulnerability in global campaign
Hackers connected to North Korea’s Lazarus Group have been exploiting the Log4j vulnerability in a campaign of attacks targeting companies in the manufacturing, agriculture and physical security sectors.
Bleeping Computer
Over 30% of Log4J apps use a vulnerable version of the library
Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.
CyberSecurity Dive
2 years on, Log4j still haunts the security community
Research from Veracode shows nearly 2 in 5 applications are still running vulnerable versions.
SecurityWeek
Hacker Conversations: Chris Wysopal, AKA Weld Pond
Chris Wysopal (AKA Weld Pond) founder and CTO of Veracode and member of the hacker collective L0pht Heavy Industries.
-1-1.webp)
Cyber Security News
Top 10 Best SaaS Security Tools
Top 10 Best SaaS Security Tools. 1. DoControl, 2. Splunk, 3. Zscaler, 4. Qualys, 5. Proofpoint, 6. Veracode, 7. Okta, 8. Trend Micro.
Cyber Security News
Top 10 Best DevOps Tools to Shift Your Security
DevOps refers to a collection of processes and technologies used in software development and IT operations that reduce the system development life cycle and enable continuous delivery.
The Record
Vulnerability in popular ‘libwebp’ code more widespread than expected
Initial alerts about a bug in the obscure but widely used libwebp library have expanded into concerns that it affects not only web browsers like Chrome, but also many other common pieces of software.
SecurityWeek
Hacker Conversations: Cris Thomas (AKA Space Rogue) From Lopht Heavy Industries
Conversation with Cris Thomas, also known as Space Rogue, who was a founding member of the Lopht Heavy Industries hacker collective.
The Record
White House, CISA call for help with security of open source software
The White House and a handful of government agencies on Thursday called for experts to help them create policies around the cybersecurity of open source software and promote the use of more security programming languages.
Cyber Security News
50 World's Best Penetration Testing Companies - 2023
Best Penetration Testing Companies: 1. Crowdstrike 2. Secureworks 3. Rapid7 4. Acunetix 5. Trellix 6. Invicti 7. Cobalt 8. Intruder.
CyberSecurity Dive
Software industry leaders debate real costs and benefits of CISA security push
The global effort to promote secure by design is seen as a potential game changer for software security, but may require substantial investments and considerable cultural changes.
CSO
Hard-coded secrets up 67% as secrets sprawl threatens software supply chain
2022 was a particularly leaky year in relation to secrets, GitGuardian’s latest State of Secrets Sprawl report finds.
DarkReading
Half of Apps Have High-Risk Vulnerabilities Due to Open Source
Open source software dependencies are affecting the software security of different industries in different ways, with mature industries becoming more selective in their open source usage.
DarkReading
Window Snyder's Start-up Launches Security Platform for IoT Device Makers
Thistle's technology will give device makers a way to easily integrate features for secure updates, memory management, and communications into their products, Snyder says.
CyberSecurity Dive
GitHub resets code signing certificates following breach
The incident closely follows a series of indirect source code repository breaches impacting Slack and Okta.
DarkReading
Java, .NET Developers Prone to More Frequent Vulnerabilities
About three-quarters of Java and .NET applications have vulnerabilities from the OWASP Top 10 list, while only 55% of JavaScript codebases have such flaws, according to testing data.
CyberSecurity Dive
Open-source repository risk amplified on GitHub
Inconsistent or delayed code commits create risk as repositories age, Veracode research found.
Infosecurity News
Applications Five Years or Older Likely to have Security Flaws
Veracode’s 2023 State of Software Security Report is focused on flaw introduction
SecurityWeek
Cybersecurity M&A Roundup: 16 Deals Announced in December 2022
Sixteen cybersecurity-related merger and acquisition (M&A) deals were announced in December 2022.
SecurityWeek
Cybersecurity M&A Roundup for December 1-15, 2022
A dozen cybersecurity-related merger and acquisition (M&A) deals were announced in the first half of December 2022.
Computerworld
Apple sets a security challenge for 2023
With its decision to introduce powerful new data protection tools for iMessage and to enable users to encrypt more of their information in iCloud, Apple has set the scene for security to be the big trend in tech in the year ahead.
CyberSecurity Dive
Three-quarters of retail, hospitality applications have security flaws
Nearly 1 in 5 vulnerabilities in the retail and hospitality industry are considered high severity, Veracode found, creating considerable risks to the organization.
CSO
US OMB releases guidance on federal agency software security requirements
The guidance aims to improve the security of software federal agencies use, but expects self-attestation for compliance.
CyberSecurity Dive
The same old problems nag cybersecurity professionals
Technical complexities abound as the perceived level of risk rises in an unrelenting fashion.
SecurityWeek
Black Hat USA 2022 - Announcements Summary
SecurityWeek is publishing a digest summarizing some of the announcements made by vendors at Black Hat USA 2022.
Computerworld
Google’s open-source security move may be pointless. In a perfect world, it should be.
Given that one of the uglier threats to enterprise cybersecurity involves re-purposed third-party code and open-source code, you might think that Google addressing the issue would be a big help. Think again.
CSO
A year later, Biden’s cybersecurity executive order driving positive change
Notable experts say the cybersecurity executive order has improved the nation's security posture, but more work is to be done.
SecurityWeek
The VC View: The DevSecOps Evolution and Getting "Shift Left" Right
For providers of DevSecOps services and solutions, the focus should be on removing friction from integrating security and helping teams come together to make security everyone’s responsibility.
SecurityWeek
Code Security Firm SonarSource Raises $412 Million at $4.7 Billion Valuation
Code quality software firm SonarSource announced a $412 million funding round at a $4.7 billion valuation, as investors continue to pour money into startups tackling software supply chain security.
CyberSecurity Dive
IT leaders remain bullish on open source despite security hiccups
Enterprise adoption of open source has not cooled, but flaws have highlighted the need for a better understanding of dependencies.
Cyber Security News
10 Best Free Penetration Testing Tools 2022 - Cyber Security News
When we talk about the penetration Testing tools, that the first thing that comes up to our mind is the threat. Here the Top 10 best Pentestinng tools.
Infosecurity News
82% of Public Sector Applications Contain Security Flaws
The researchers also found the public sector takes twice as long to fix flaws once detected compared to other industries
CSO
NIST releases software, IoT, and consumer cybersecurity labeling guidance
The new guidance aims to tighten security requirements for federally purchased software and give consumers better insight into the security of software and devices they buy.
ThreatPost
Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack
The Log4Shell vulnerability critically threatens anybody using the popular open-source Apache Struts framework and could lead to a “Mini internet meltdown soonish.”
ZDNet
Too many bosses are reluctant to spend money on cybersecurity. Then they get hacked | ZDNet
Preventing a cyberattack is more cost effective than reacting to one - but many boardrooms still aren't willing to free up budget.