Application Security
News & Commentary
SQL Injection Cleanup Takes Two Months or More
Kelly Jackson Higgins, Senior Editor, Dark ReadingQuick Hits
A new report highlights the prevalence and persistence of SQL injection attacks.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/17/2014
Comment0 comments  |  Read  |  Post a Comment
How A Little Obscurity Can Bolster Security
Corey Nachreiner, Director, Security Strategy & Research, WatchGuard TechnologiesCommentary
Most security professionals deride the idea of "security by obscurity." Is it time to re-evaluate the conventional wisdom?
By Corey Nachreiner Director, Security Strategy & Research, WatchGuard Technologies, 4/17/2014
Comment14 comments  |  Read  |  Post a Comment
Mobility: Who Bears The Brunt Of Data Security & Privacy
Grayson Milbourne, Director, Security Intelligence, WebrootCommentary
OS manufacturers, app developers, and consumers all have a role to play in smartphone data security. But not everyone is equally responsible.
By Grayson Milbourne Director, Security Intelligence, Webroot, 4/16/2014
Comment3 comments  |  Read  |  Post a Comment
Akamai Withdraws Proposed Heartbleed Patch
Mathew J. Schwartz, News
As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it.
By Mathew J. Schwartz , 4/14/2014
Comment2 comments  |  Read  |  Post a Comment
Windows XP Alive & Well in ICS/SCADA Networks
Kelly Jackson Higgins, Senior Editor, Dark ReadingNews
End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.
By Kelly Jackson Higgins Senior Editor, Dark Reading, 4/10/2014
Comment1 Comment  |  Read  |  Post a Comment
Heartbleed: Examining The Impact
Tim Sapio, Security Analyst, Bishop FoxCommentary
With Heartbleed, there’s little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here’s how to defend against future attacks.
By Tim Sapio Security Analyst, Bishop Fox, 4/10/2014
Comment5 comments  |  Read  |  Post a Comment
We Are the Perimeter
Malcolm Harkins, Vice President and Chief Security and Privacy Officer, Intel CorporationCommentary
End users, not technology, define the boundaries of the enterprise. Security strategies must protect this new perimeter.
By Malcolm Harkins Vice President and Chief Security and Privacy Officer, Intel Corporation, 4/7/2014
Comment1 Comment  |  Read  |  Post a Comment
Tech Insight: Making Data Classification Work
John H. Sawyer, Contributing Writer, Dark ReadingCommentary
Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts.
By John H. Sawyer Contributing Writer, Dark Reading, 4/4/2014
Comment7 comments  |  Read  |  Post a Comment
API-First: 3 Steps For Building Secure Cloud Apps
Ravi Ithal, Chief Architect, NetskopeCommentary
When it comes to protecting data traveling to and from the cloud, today's choices are daunting. Here are three steps for making the application programming interface your new best friend.
By Ravi Ithal Chief Architect, Netskope, 4/3/2014
Comment4 comments  |  Read  |  Post a Comment
What Is The FIDO Alliance?
Dark Reading, CommentaryVideo
Phillip Dunkelberger of Nok Nok Labs explains why its proposed specifications will transform computing.
By Dark Reading , 4/2/2014
Comment0 comments  |  Read  |  Post a Comment
Flying Naked: Why Most Web Apps Leave You Defenseless
Jeff Williams, CTO, Contrast SecurityCommentary
Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
By Jeff Williams CTO, Contrast Security, 3/28/2014
Comment13 comments  |  Read  |  Post a Comment
Android Apps Hide Crypto-Currency Mining Malware
Mathew J. Schwartz, News
Apps downloaded by millions from Google Play and Spanish software forums include hidden altcoin-mining software. But criminals aren't getting rich quickly.
By Mathew J. Schwartz , 3/27/2014
Comment1 Comment  |  Read  |  Post a Comment
Finally, Plug & Play Authentication!
Phil Dunkelberger, President & CEO, Nok Nok LabsCommentaryVideo
FIDO Alliance technology will allow enterprises to replace passwords with plug-and-play multifactor authentication.
By Phil Dunkelberger President & CEO, Nok Nok Labs, 3/26/2014
Comment1 Comment  |  Read  |  Post a Comment
Outlook Users Face Zero-Day Attack
Mathew J. Schwartz, News
Simply previewing maliciously crafted RTF documents in Outlook triggers exploit of bug present in Windows and Mac versions of Word, Microsoft warns.
By Mathew J. Schwartz , 3/25/2014
Comment7 comments  |  Read  |  Post a Comment
Symantec Fires CEO In Surprise Move
Mathew J. Schwartz, News
Analysts question security and storage giant's turnaround after the board fires its second CEO in two years.
By Mathew J. Schwartz , 3/21/2014
Comment10 comments  |  Read  |  Post a Comment
Windows XP Holdouts: 6 Top Excuses
Michael Endler, Associate Editor, InformationWeek.comNews
Microsoft cuts support for Windows XP in less than a month, but millions still use the OS. Are these rationales worth the risk?
By Michael Endler Associate Editor, InformationWeek.com, 3/17/2014
Comment0 comments  |  Read  |  Post a Comment
DDoS Attacks Hit NATO, Ukrainian Media Outlets
Mathew J. Schwartz, News
As pro-Russia hackers continue DDoS campaigns, Anonymous-branded propaganda reports "imminent US invasion of the Ukraine"
By Mathew J. Schwartz , 3/17/2014
Comment0 comments  |  Read  |  Post a Comment
Safe Harbor, Lavabit & The Future Of Cloud Security
Elad Yoran, Commentary
For cloud computing to grow, we need a balance between individual privacy and control of data, and the government's ability to fight crime and terrorism. Persistent encryption may be the answer.
By Elad Yoran , 3/14/2014
Comment1 Comment  |  Read  |  Post a Comment
7 Behaviors That Could Indicate A Security Breach
Becca Lipman, News
Breaches create outliers. Identifying anomalous activity can help keep firms in compliance and out of the headlines.
By Becca Lipman , 3/14/2014
Comment1 Comment  |  Read  |  Post a Comment
Defense Department Adopts NIST Security Standards
Leonard T. Marzigliano, CISSP-ISSMP, Information Assurance Architect, Defense Logistics AgencyNews
DOD replaces longstanding information assurance process with NIST's holistic "built-in, not bolt-on," risk-focused security approach
By Leonard T. Marzigliano CISSP-ISSMP, Information Assurance Architect, Defense Logistics Agency, 3/14/2014
Comment0 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Security Insights
DoD's Bold Initiative: Secure The User, Not The Device
DoD's Bold Initiative: Secure The User, Not The Device
Joint Information Environment effort under way to improve its ability to share information between the services, industry partners, and other government agencies
Comment1 comments
Read | Post a Comment
More Sophos Security Insights
PR Newswire
Register for Dark Reading Newsletters
White Papers
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web