Application Security
News & Commentary
Heartbleed Not Only Reason For Health Systems Breach
Sara Peters, Senior Editor at Dark ReadingNews
Community Health Systems' bad patching practices are nothing compared to its poor encryption, network monitoring, fraud detection, and data segmentation, experts say.
By Sara Peters Senior Editor at Dark Reading, 8/20/2014
Comment6 comments  |  Read  |  Post a Comment
Debugging The Myths Of Heartbleed
Steve Riley, Technical Leader, Office of the CTO, Riverbed TechnologyCommentary
Does Heartbleed really wreak havoc without a trace? The media and many technical sites seemed convinced of this, but some of us were skeptical.
By Steve Riley Technical Leader, Office of the CTO, Riverbed Technology, 8/20/2014
Comment2 comments  |  Read  |  Post a Comment
Cloud Apps & Security: When Sharing Matters
Krishna Narayanaswamy, Founder & Chief Scientist, NetskopeCommentary
Sharing documents and data is happening all over the cloud today but not all sharing activity carries equal risk.
By Krishna Narayanaswamy Founder & Chief Scientist, Netskope, 8/18/2014
Comment5 comments  |  Read  |  Post a Comment
Test Drive: GFI LanGuard 2014
John H. Sawyer, Contributing Writer, Dark ReadingCommentary
LanGuard worked well in the lab and may prove more beneficial to IT operations than security teams.
By John H. Sawyer Contributing Writer, Dark Reading, 8/15/2014
Comment1 Comment  |  Read  |  Post a Comment
Why Patching Makes My Heart Bleed
John Rostern, CRISC, QSA, VP Technology Audit & Advisory Services, CoalfireCommentary
Heartbleed was a simple mistake that was allowed to propagate through "business as usual" patching cycles and change management. It could easily happen again.
By John Rostern CRISC, QSA, VP Technology Audit & Advisory Services, Coalfire, 8/14/2014
Comment2 comments  |  Read  |  Post a Comment
CloudBot: A Free, Malwareless Alternative To Traditional Botnets
Sara Peters, Senior Editor at Dark ReadingNews
Researchers take advantage of cloud service providers' free trials and lousy anti-automation controls to use cloud instances like bots.
By Sara Peters Senior Editor at Dark Reading, 8/11/2014
Comment1 Comment  |  Read  |  Post a Comment
Closing The Skills Gap Between Hackers & Defenders: 4 Steps
W. Hord Tipton, Commentary
Improvements in security education, budgets, tools, and methods will help our industry avoid more costly and dangerous attacks and data breaches in the future.
By W. Hord Tipton , 8/11/2014
Comment17 comments  |  Read  |  Post a Comment
Automakers Openly Challenged To Bake In Security
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
An open letter sent to automobile manufacturer CEOs asks carmakers to adopt a proposed five-star cyber safety program.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 8/8/2014
Comment3 comments  |  Read  |  Post a Comment
Facebook Malware: Protect Your Profile
Kristin Burnham, Senior Editor, InformationWeek.comCommentary
Malicious "Color Change" app has resurfaced on Facebook, compromising thousands of profiles. Here's what to do if you're infected.
By Kristin Burnham Senior Editor, InformationWeek.com, 8/8/2014
Comment12 comments  |  Read  |  Post a Comment
Facebook Buys Security Startup PrivateCore
Kristin Burnham, Senior Editor, InformationWeek.comCommentary
Facebook plans to deploy PrivateCore technology into its server stack to bolster encryption and malware prevention, the social network said.
By Kristin Burnham Senior Editor, InformationWeek.com, 8/8/2014
Comment0 comments  |  Read  |  Post a Comment
Google To Factor Security In Search Results
Thomas Claburn, Editor-at-LargeCommentary
Websites that don't support HTTPS connections may soon be less prominent in Google search results.
By Thomas Claburn Editor-at-Large, 8/7/2014
Comment2 comments  |  Read  |  Post a Comment
DHS-Funded 'SWAMP' Helps Scour Code For Bugs
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
Cloud-based platform offering free secure coding tools for developers in government, enterprises, academia, gaining commercial attention as well.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 7/28/2014
Comment5 comments  |  Read  |  Post a Comment
Hidden iOS Services Bypass Security
Thomas Claburn, Editor-at-LargeCommentary
A computer researcher asks why Apple allows undocumented services to bypass encryption and access user data.
By Thomas Claburn Editor-at-Large, 7/21/2014
Comment13 comments  |  Read  |  Post a Comment
Active Directory Flaw Lets Attackers Change Passwords
Sara Peters, Senior Editor at Dark ReadingQuick Hits
Aorato finds way to compromise Active Directory and change passwords without being noticed by SIEM.
By Sara Peters Senior Editor at Dark Reading, 7/15/2014
Comment11 comments  |  Read  |  Post a Comment
Retro Macro Viruses: They're Baaack
Kevin Casey, Commentary
Malicious Virtual Basic for Applications (VBA) macros are back, this time using social engineering to trick users into opening infected attachments, says Sophos.
By Kevin Casey , 7/9/2014
Comment2 comments  |  Read  |  Post a Comment
Why Your Application Security Program May Backfire
Jeff Williams, CTO, Contrast SecurityCommentary
You have to consider the human factor when you’re designing security interventions, because the best intentions can have completely opposite consequences.
By Jeff Williams CTO, Contrast Security, 7/2/2014
Comment4 comments  |  Read  |  Post a Comment
Microsoft Expands Encryption, Opens First Transparency Center
Sara Peters, Senior Editor at Dark ReadingQuick Hits
As part of Microsoft's new privacy initiative, Outlook and OneDrive have also gotten encryption enhancements.
By Sara Peters Senior Editor at Dark Reading, 7/1/2014
Comment1 Comment  |  Read  |  Post a Comment
How Microsoft Cracks The BYOD Code: 3 Tips
Bret Arsenault, CISO, MicrosoftCommentary
Microsoft’s CISO shares best-practices for balancing employee autonomy and security in today’s bring-your-own world.
By Bret Arsenault CISO, Microsoft, 6/30/2014
Comment5 comments  |  Read  |  Post a Comment
Why A Secured Network Is Like The Human Body
Dan Ross, CEO & President, PromisecCommentary
It’s time to throw away the analogies about building fortresses and perimeter defenses and start to approach InfoSec with the same standard of care we use for public health.
By Dan Ross CEO & President, Promisec, 6/26/2014
Comment11 comments  |  Read  |  Post a Comment
Scope Of SAP Bugs Still Plagues Enterprises
Ericka Chickowski, Contributing Writer, Dark ReadingNews
As SAP closes its 3,000th security vulnerability, ERP experts expound on the dangers of these vulns and enterprises' continued head-in-the-sand attitude about them.
By Ericka Chickowski Contributing Writer, Dark Reading, 6/17/2014
Comment3 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Security Insights
DoD's Bold Initiative: Secure The User, Not The Device
DoD's Bold Initiative: Secure The User, Not The Device
Joint Information Environment effort under way to improve its ability to share information between the services, industry partners, and other government agencies
Comment1 comments
Read | Post a Comment
More Sophos Security Insights
PR Newswire
Register for Dark Reading Newsletters
White Papers
Current Issue
Cartoon
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.