News & Commentary

Latest Content tagged with Application Security
Cryptomining Malware Continues Rapid Growth: Report
Quick Hits  |  9/25/2018  | 
Cryptomining malware is the fastest-growing category of malicious software, according to a new report.
Fault-Tolerant Method Used for Security Purposes in New Framework
News  |  9/24/2018  | 
A young company has a new patent for using fault tolerance techniques to protect against malware infection in applications.
Microsoft Deletes Passwords for Azure Active Directory Applications
News  |  9/24/2018  | 
At Ignite 2018, security took center stage as Microsoft rolled out new security services and promised an end to passwords for online apps.
6 Dark Web Pricing Trends
Slideshows  |  9/24/2018  | 
For cybercriminals, the Dark Web grows more profitable every day.
Executive Branch Makes Significant Progress As DMARC Deadline Nears
News  |  9/21/2018  | 
The DHS directive on email security has an approaching deadline that most departments in the executive branch might actually meet.
Retail Sector Second-Worst Performer on Application Security
News  |  9/20/2018  | 
A "point-in-time" approach to PCI compliance could be one reason why so many retailers appear to be having a hard time.
Cryptojackers Grow Dramatically on Enterprise Networks
News  |  9/19/2018  | 
A new report shows that illicit cryptomining malware is growing by leaps and bounds on the networks of unsuspecting victims.
As Tech Drives the Business, So Do CISOs
News  |  9/19/2018  | 
Security leaders are evolving from technicians to business executives as tech drives enterprise projects, applications, and goals.
5 Steps to Success for New CISOs
Commentary  |  9/19/2018  | 
You've been hired to make an impact. These tips can help set you up for continued success.
8 Keys to a Successful Penetration Test
Slideshows  |  9/19/2018  | 
Pen tests are expensive, but there are key factors that can make them worth the investment.
The Security Costs of Cloud-Native Applications
News  |  9/18/2018  | 
More than 60% of organizations report the bulk of new applications are built in the cloud. What does this mean for security?
Websites Attack Attempts Rose in Q2
News  |  9/18/2018  | 
New data shows hackers hit websites, on average, every 25 minutes.
Bomgar Buys BeyondTrust
Quick Hits  |  9/13/2018  | 
The companies join forces to broaden their privileged access management portfolio and will take on the BeyondTrust name.
The Increasingly Vulnerable Software Supply Chain
Commentary  |  9/13/2018  | 
Nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses.
Modular Malware Brings Stealthy Attacks to Former Soviet States
News  |  9/12/2018  | 
A new malware technique is making phishing attacks harder to spot when they succeed.
New Study Details Business Benefits of Biometrics
Quick Hits  |  9/12/2018  | 
Biometric authentication can be good for security and for business, according to a new study from Goode Intelligence.
Mobile Attack Rates Up 24% Globally, 44% in US
Quick Hits  |  9/12/2018  | 
One-third of all fraud targets are mobile, a growing source of all digital transactions.
Foreshadow, SGX & the Failure of Trusted Execution
Commentary  |  9/12/2018  | 
Trusted execution environments are said to provide a hardware-protected enclave that runs software and cannot be accessed externally, but recent developments show they fall far short.
New 'Fallout' EK Brings Return of Old Ransomware
News  |  9/10/2018  | 
The Fallout exploit kit carries GandCrab into the Middle East in a new campaign.
Three Trend Micro Apps Caught Collecting MacOS User Data
News  |  9/10/2018  | 
After researchers found the security apps collecting and uploading users' browser histories, Apple removed the apps from its macOS app store and Trend Micro removed the apps' browser history collection capability.
GAO Says Equifax Missed Flaws, Intrusion in Massive Breach
Quick Hits  |  9/10/2018  | 
A report from the Government Accountability Office details the issues found and opportunities missed in the huge 2017 Equifax data breach.
DevOps Demystified: A Primer for Security Practitioners
Commentary  |  9/10/2018  | 
Key starting points for those still struggling to understand the concept.
TLS 1.3 Won't Break Everything
Commentary  |  9/7/2018  | 
The newest version of TLS won't break everything in your security infrastructure, but you do need to be prepared for the changes it brings.
8 Attack Vectors Puncturing Cloud Environments
Slideshows  |  9/7/2018  | 
These methods may not yet be on your security team's radar, but given their impact, they should be.
The Best Way To Secure US Elections? Paper Ballots
News  |  9/6/2018  | 
Voting machines that do not provide a paper trail or cannot be independently audited should immediately be removed, concludes a new report from the National Academies of Sciences, Engineering, and Medicine.
7 Ways Blockchain is Being Used for Security
Slideshows  |  9/5/2018  | 
Blockchain is being used as a security tool. If you haven't thought about adopting it, you might want to reconsider your take.
PowerPool Malware Uses Windows Zero-Day Posted on Twitter
News  |  9/5/2018  | 
Researchers detected the vulnerability in an attack campaign two days after it was posted on social media.
The Weakest Security Links in the (Block)Chain
Commentary  |  9/5/2018  | 
Despite the technology's promise to transform how business is done, there are significant limitations and potential risks at the intersection of the digital and physical worlds.
Thoughts on the Latest Apache Struts Vulnerability
Commentary  |  9/5/2018  | 
CVE-2018-11776 operates at a far deeper level within the code than all prior Struts vulnerabilities. This requires a greater understanding of the Struts code itself as well as the various libraries used by Struts.
Authentication Grows Up
News  |  9/4/2018  | 
Which forms of multi-factor authentication (MFA) are working, which are not, and where industry watchers think the market is headed.
Investor Sues AT&T for Cryptocurrency Theft Losses
Quick Hits  |  9/4/2018  | 
The victim of cybercurrency theft blames the carrier for failing its security obligations.
Lean, Mean & Agile Hacking Machine
Commentary  |  9/4/2018  | 
Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.
Machine Identities Need Protection, Too
Quick Hits  |  8/31/2018  | 
A new study shows that device identities need a level of protection that they're not getting from most organizations.
'Celebgate' Hacker Heading to Prison
Quick Hits  |  8/30/2018  | 
Connecticut man gets eight months for role in attack involving leak of personal celebrity photos, including those of actress Jennifer Lawrence.
IT Professionals Think They're Better Than Their Security
Quick Hits  |  8/29/2018  | 
More than half of professionals think they have a good shot at a successful insider attack.
Overestimating WebAssembly's Security Benefits Is Risky for Developers
Dark Reading Videos  |  8/29/2018  | 
Although WebAssembly technology promises both better performance and better security to developers, it also creates a new risk for native exploits in the browser.
Telecommunications Industry in the Bullseye
News  |  8/29/2018  | 
New report cites higher volume and increased sophistication of threats to the sector.
Instagram Debuts New Security Tools
Quick Hits  |  8/29/2018  | 
Updates include a new feature to verify the authenticity of popular accounts and a means of integrating two-factor authentication.
Free Cybersecurity Services Offer a First Step to Securing US Elections
News  |  8/28/2018  | 
Some key security vendors - including Microsoft, Google, Cloudflare - are offering pro bono services and tools for election jurisdictions and campaigns this election season. But will it help?
PCI SSC Releases New Security Tools for Small Businesses
Quick Hits  |  8/28/2018  | 
Tool intended to help small businesses understand their risks and how well they're being addressed.
Polish Parliament Enacts National Cybersecurity System
Quick Hits  |  8/28/2018  | 
The system classifies security incidents and splits national incident response into three separate teams.
Why CISOs Should Make Friends With Their CMOs
Slideshows  |  8/27/2018  | 
A partnership between IT security and marketing could offer many benefits to each group and to the entire enterprise.
Proof-of-Concept Released for Apache Struts Vulnerability
News  |  8/27/2018  | 
Python script for easier exploitation of the flaw is now available as well on GitHub.
T-Mobile Hit With Customer Information Hack
Quick Hits  |  8/24/2018  | 
Approximately 2 million users said to be affected.
Half of Small Businesses Believe They're Not Cybercrime Targets
News  |  8/24/2018  | 
New SMB version of the NIST Cybersecurity Framework could help these organizations properly assess and respond to their security risks.
Modular Downloaders Could Pose New Threat for Enterprises
News  |  8/24/2018  | 
Proofpoint says it has recently discovered two downloaders that let attackers modify malware after it has been installed on a system.
New Apache Struts Vulnerability Leaves Major Websites Exposed
News  |  8/23/2018  | 
The vulnerability, found in Struts' core functionality, could be more critical than the one involved in last year's Equifax breach.
6 Reasons Security Awareness Programs Go Wrong
Slideshows  |  8/23/2018  | 
While plenty of progress has been made on the training front, there's still some work ahead in getting the word out and doing so effectively.
Embedding Security into the DevOps Toolchain
Commentary  |  8/23/2018  | 
Security teams need to let go of the traditional security stack, stop fighting DevOps teams, and instead jump in right beside them.
Turla Threat Group Uses Email PDF Attachments to Control Stealthy Backdoor
News  |  8/23/2018  | 
The Russian-speaking group's latest tactic is the only known case of malware that's completely controllable via email, researchers at ESET say.


WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.