Application Security
News & Commentary
DHS-Funded 'SWAMP' Helps Scour Code For Bugs
News
Cloud-based platform offering free secure coding tools for developers in government, enterprises, academia, gaining commercial attention as well.
By Kelly Jackson Higgins, Senior Editor, Dark Reading, 7/28/2014
Hidden iOS Services Bypass Security
Commentary
A computer researcher asks why Apple allows undocumented services to bypass encryption and access user data.
By Thomas Claburn, Editor-at-Large, 7/21/2014
Active Directory Flaw Lets Attackers Change Passwords
Quick Hits
Aorato finds way to compromise Active Directory and change passwords without being noticed by SIEM.
By Sara Peters, 7/15/2014
Retro Macro Viruses: They're Baaack
Commentary
Malicious Visual Basic for Applications (VBA) macros are back, this time using social engineering to trick users into opening infected attachments, says Sophos.
By Kevin Casey, 7/9/2014
Why Your Application Security Program May Backfire
Commentary
You have to consider the human factor when you’re designing security interventions, because the best intentions can have completely opposite consequences.
By Jeff Williams, CTO, Contrast Security, 7/2/2014
Microsoft Expands Encryption, Opens First Transparency Center
Quick Hits
As part of Microsoft's new privacy initiative, Outlook and OneDrive have also gotten encryption enhancements.
By Sara Peters, 7/1/2014
How Microsoft Cracks The BYOD Code: 3 Tips
Commentary
Microsoft’s CISO shares best practices for balancing employee autonomy and security in today’s bring-your-own world.
By Bret Arsenault, CISO, Microsoft, 6/30/2014
Why A Secured Network Is Like The Human Body
Commentary
It’s time to throw away the analogies about building fortresses and perimeter defenses and start to approach InfoSec with the same standard of care we use for public health.
By Dan Ross, CEO & President, Promisec, 6/26/2014
Scope Of SAP Bugs Still Plagues Enterprises
News
As SAP closes its 3,000th security vulnerability, ERP experts expound on the dangers of these vulns and enterprises' continued head-in-the-sand attitude about them.
By Ericka Chickowski, Contributing Writer, Dark Reading, 6/17/2014
Heartbleed & The Long Tail Of Vulnerabilities
Commentary
To this day there are still unpatched systems, still hackers scanning for vulnerable systems, and still cyber criminals using Heartbleed every day to break into companies.
By Martin McKeay, Senior Security Advocate, Akamai, 6/13/2014
Twitter Rules Trustworthy Websites
Commentary
Social networks scored high in a new report on website privacy and security, while news companies scored the lowest.
By Kristin Burnham, Senior Editor, InformationWeek.com, 6/13/2014
XSS Flaw In TweetDeck Leads To Spread Of Potential Exploits
Quick Hits
Twitter unit fixes cross-site scripting problem, but not before many users spread vulnerable scripts with their tweets.
By Tim Wilson, Editor in Chief, Dark Reading, 6/12/2014
SQL Injection Attacks Haunt Retailers
News
Only about a third of companies have the ability to detect SQL injection attacks, a new Ponemon report finds.
By Kelly Jackson Higgins, Senior Editor, Dark Reading, 6/10/2014
TweetDeck Scammers Steal Twitter IDs Via OAuth
News
Users who give up their TweetDeck ID are promised 20 followers for free or 100 to 5,000 new followers a day for five days.
By Brian Prince, Contributing Writer, Dark Reading, 6/6/2014
If HTML5 Is The Future, What Happens To Access Control?
Commentary
The solution for multi-device deployment is HTML5. The challenge, for the enterprise, is deploying it correctly. Here are seven tools you will need.
By Garret Grajek, CTO & COO, SecureAuth, 6/5/2014
DARPA Announces Teams For First Cyber Grand Challenge
Quick Hits
DEF CON 2016 will host the final competition for DARPA's first-of-its-kind tournament for developing automated security systems that can fight against cyber attacks as fast as they are launched.
By Sara Peters, 6/3/2014
Researchers: Mobile Applications Pose Rapidly Growing Threat To Enterprises
Quick Hits
The average user has about 200 apps running on his smartphone -- and they're not all safe, Mojave Networks study says.
By Tim Wilson, Editor in Chief, Dark Reading, 6/3/2014
SSL: Security's Best Friend Or Worst Enemy?
News
A new report shows that applications using SSL are on the rise in enterprises, putting them at greater risk of attacks that hide in plain sight or use vulnerabilities like Heartbleed.
By Ericka Chickowski, Contributing Writer, Dark Reading, 6/2/2014
Government Cloud Use Hits Inflection Point
Commentary
New standards, security, and architectures mean the CloudFirst stars are finally coming into alignment.
By Michael Biddick, CEO, Fusion PPT, 5/30/2014
Microsoft: Ignore Unofficial XP Update Workaround
News
A small change to the Windows XP Registry allows users to receive security updates for another five years. Yet the tweak could create other security and functionality issues for XP holdouts.
By Sara Peters, 5/28/2014
Security Insights
DoD's Bold Initiative: Secure The User, Not The Device
Joint Information Environment effort under way to improve its ability to share information between the services, industry partners, and other government agencies.
Current Issue
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...
