Security News
Let's face it: AppSec and developers often feel like they're on opposing teams. Ever wish they proactively cared about security? The answer lies in a proven, but often overlooked, strategy: Security Champion Programs - a way to turn developers from adversaries into security advocates?
Cyber security workers only review major updates to software applications only 54 percent of the time, according to a poll of tech managers. Twenty-two percent of respondents confessed they did a security review under half of the time, and the same percentage claim to have reviewed code 50 to 74 percent of the time.
It's becoming evident that the legacy practice of signature-based threat detection needs to be improved for cloud security challenges. In this Help Net Security video, Jimmy Mesta, CTO at RAD Security, discusses a new proposed standard for creating behavioral fingerprints of open-source image behavior at runtime.
Microsoft is rolling out inbound SMTP DANE with DNSSEC for Exchange Online in public preview, a new capability to boost email integrity and security. The SMTP DANE security protocol utilizes a TLS Authentication DNS record to verify the identity of destination mail servers and the authenticity of the certificates used for securing email communication.
The financially motivated threat actor known as FIN7 has been observed using multiple pseudonyms across several underground forums to likely advertise a tool known to be used by ransomware groups like Black Basta. "AvNeutralizer, a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups," cybersecurity company SentinelOne said in a report shared with The Hacker News.
In this Help Net Security, Ankita Gupta, CEO at Akto, discusses API security best practices, advocating for authentication protocols like OAuth 2.0 and OpenID Connect, strict HTTPS encryption, and the use of JWTs for stateless authentication. Use shift left tools to catch authentication and authorization issues early in the development process, ensuring that security is a foundational aspect of your API. What metrics or indicators should organizations focus on to detect and respond to API security threats?
Kaspersky is offering free security products for six months and tips for staying safe as a parting gift to consumers in the United States. [...]
The first step to managing data security risks is to identify and understand what data you have. Without this level of data visibility, managing data security risks is impossible, because data has no rules.
Censys warns that over 1.5 million Exim mail transfer agent instances are unpatched against a critical vulnerability that lets threat actors bypass security filters. Tracked as CVE-2024-39929 and patched by Exim developers on Wednesday, the security flaw impacts Exim releases up to and including version 4.97.1.
Webinar Threat actors are always looking for that easy way in by testing weak spots, and user identities are one of their favourite targets. While additional security layers can ward off these attacks, what's the cost to the end user experience?