Security News

6 Types of Applications Security Testing You Must Know About
2024-07-25 11:20

While the specifics for security testing vary for applications, web applications, and APIs, a holistic and proactive applications security strategy is essential for all three types. There are six core types of testing that every security professional should know about to secure their applications, regardless of what phase they are in, in development or deployment.

Data Wallets Using the Solid Protocol
2024-07-25 11:05

I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lee's Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture.

Meta Removes 63,000 Instagram Accounts Linked to Nigerian Sextortion Scams
2024-07-25 10:16

Meta Platforms on Wednesday said it took steps to remove around 63,000 Instagram accounts in Nigeria that were found to target people with financial sextortion scams. In cases where some of these accounts attempted to target minors, Meta said it reported them to the National Center for Missing and Exploited Children.

Webinar: Securing the Modern Workspace: What Enterprises MUST Know about Enterprise Browser Security
2024-07-25 09:58

Ironically, the browser is also one of the least protected threat surfaces of the modern enterprise. Modern cybersecurity requires a new approach based on the protection of the browser itself, which offers both security and frictionless deployment.

Learning from CrowdStrike’s quality assurance failures
2024-07-25 09:52

The PIR is a bit confusing to read and parse, because it attempts to assure readers that the company carefully and comprehensively tests their products - even though the company's failures on that front are obvious. CrowdStrike has implemented an update architecture that only rigorously tests some of the updates sent to clients.

Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform
2024-07-25 08:29

Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. "An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage, artifact registry and container registry," the exposure management company said in a statement.

Patch management still seemingly abysmal because no one wants the job
2024-07-25 07:27

Coupled with an exploding ecosystem of third-party apps, endpoint management tools that aren't really designed to handle patch management, bandwidth issues, and architectural challenges, IT teams have "An overwhelming amount of work to do," Hewitt told us. Endpoint management biz Adaptiva revealed in its 2023 state of patch handling report [PDF] that the average organization manages around 2,900 software applications, and 69 percent of IT teams believe it's impossible to get all of them patched on schedule.

BIND 9.20 released: Enhanced DNSSEC support, application infrastructure improvements
2024-07-25 06:51

BIND 9.20, a stable branch suitable for production use, has been released. In BIND 9.16, the developers introduced a new networking manager using libuv as an asynchronous event handler on top of the existing application infrastructure.

Critical Docker Engine Flaw Allows Attackers to Bypass Authorization Plugins
2024-07-25 05:47

Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins under specific circumstances. "An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory.

CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software
2024-07-25 05:30

The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that...