Security News
The growing number of secrets in simultaneous use across the development cycle makes it all too easy to lose control of sound security measures and "leak" them. Critically, if a developer hardcodes secrets into their code or configuration files and the code is pushed to a GitHub repository, those secrets are pushed with it.
How? APIs, of course! More formally known as application programming interfaces, API calls are growing twice as fast as HTML traffic, making APIs an ideal candidate for new security solutions aimed at protecting customer data, according to Cloudflare. According to the "Quantifying the Cost of API Insecurity" report, US businesses incurred upwards of $23 billion in losses from API-related breaches in 2022.
Office Open XML Signatures, an Ecma/ISO standard used in Microsoft Office applications and open source OnlyOffice, have several security flaws and can be easily spoofed. Microsoft refers to the format simply as Open XML. The boffins say they found discrepancies in the structure of office documents and the way signatures get verified.
In this Help Net Security video, Denis Mandich, CTO at Qrypt, talks about quantum computing. If we thought AI turned security and privacy on their head, quantum computing will break how we encrypt data today and risk revealing sensitive data of citizens, governments, hospitals, banks, and more.
Security leaders are recognizing that cloud and the way cloud security teams work today are becoming increasingly critical to business and IT operations, according to Trend Micro. As a result, cloud security and the foundational practices of their teams will be absorbed into the SOC to increase efficiencies in the coming years.
During the Google I/O event last month, the global tech giant showed off new elements of ChromeOS, focused on security, ecosystem and user experience, as well as benefits of the Chrome Enterprise Connectors Framework. The framework lets organizations integrate vendors, including security providers, with the Chrome browser and ChromeOS using APIs and "Connectors" - with the goal of making it easier for organizations to control who has access to data.
Microsoft stands accused by cyber intelligence firm Hold Security of violating an agreement between the pair by misusing Hold's database of more than 360 million sets of credentials culled from the dark web. In a lawsuit filed in King County Superior Court in Washington, Hold said it had an agreement with Microsoft going back to 2014 to grant the Windows giant access to its database of compromised accounts with the expectation that Microsoft would limit use to matching Hold's records against Microsoft customer accounts.
In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?
Organizations are still grappling with identity-related incidents, with an alarming 90% reporting one in the last 12 months, a 6% increase from last year, according to The Identity Defined Security Alliance. As the number of identities continues to grow significantly, identity stakeholders face an increasing number of barriers without the needed support from leadership.
Progress Software warned customers today of newly found critical SQL injection vulnerabilities in its MOVEit Transfer managed file transfer solution that can let attackers steal information from customers' databases. "An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content," Progress says in an advisory published today.