Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Content by planetlevel

planetlevel
Member Since: April 1, 2014
Author
Blog Posts: 22
Posts: 32

Most Recently Posted

All (60)           Blogs (22)           Comments (38)          
All
It's High Time for a Security Scoring System for Applications and Open Source Libraries
Commentary  |  7/6/2021  | 
A benchmarking system would help buyers choose more secure software products and, more importantly, light a fire underneath software producers to make products secure.
Tough Love: Debunking Myths about DevOps & Security
Commentary  |  8/19/2019  | 
It's time to move past trivial 'shift left' conceptions of DevSecOps and take a hard look at how security work actually gets accomplished.
Open Source Software Poses a Real Security Threat
Commentary  |  8/15/2018  | 
It's true that open source software has many benefits, but it also has weak points. These four practical steps can help your company stay safer.
How Code Vulnerabilities Can Lead to Bad Accidents
Commentary  |  7/10/2017  | 
The software supply chain is broken. To prevent hackers from exploiting vulnerabilities, organizations need to know where their applications are, and whether they are built using trustworthy components.
New OWASP Top 10 Reveals Critical Weakness in Application Defenses
Commentary  |  4/27/2017  | 
It's time to move from a dependence on the flawed process of vulnerability identification and remediation to a two-pronged approach that also protects organizations from attacks.
Comment: Bad strategy? - planetlevel - 4/14/2016
Why Its Insane To Trust Static Analysis
Commentary  |  9/22/2015  | 
If you care about achieving application security at scale, then your highest priority should be to move to tools that empower everyone, not just security experts.
Comment: Re: Testing - planetlevel - 8/19/2015
Comment: Re: Testing - planetlevel - 8/18/2015
What Do You Mean My Security Tools Dont Work on APIs?!!
Commentary  |  6/25/2015  | 
SAST and DAST scanners havent advanced much in 15 years. But the bigger problem is that they were designed for web apps, not to test the security of an API.
Why We Can't Afford To Give Up On Cybersecurity Defense
Commentary  |  5/18/2015  | 
There is no quick fix, but organizations can massively reduce the complexity of building secure applications by empowering developers with four basic practices.
Which Apps Should You Secure First? Wrong Question.
Commentary  |  3/5/2015  | 
Instead, develop security instrumentation capability and stop wasting time on '4 terrible tactics' that focus on the trivial.
What Government Can (And Cant) Do About Cybersecurity
Commentary  |  1/22/2015  | 
In his 2015 State of the Union address, President Obama introduced a number of interesting, if not terribly novel, proposals. Here are six that will have minimal impact.
The New Target for State-Sponsored Cyber Attacks: Applications
Commentary  |  12/17/2014  | 
Skilled hackers are now using simple web application vulnerabilities like SQL Injection to take over database servers. Are you prepared to defend against this new type of threat actor?
The Staggering Complexity of Application Security
Commentary  |  11/10/2014  | 
During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built.
In AppSec, Fast Is Everything
Commentary  |  10/13/2014  | 
The world has shifted. The SAST and DAST tools that were invented over a decade ago are no longer viable approaches to application security.
An AppSec Report Card: Developers Barely Passing
Commentary  |  9/19/2014  | 
A new study reveals that application developers are getting failing grades when it comes to their knowledge of critical security such as how to protect sensitive data, Web services, and threat modeling.
Why Your Application Security Program May Backfire
Commentary  |  7/2/2014  | 
You have to consider the human factor when youre designing security interventions, because the best intentions can have completely opposite consequences.
The Only 2 Things Every Developer Needs To Know About Injection
Commentary  |  5/22/2014  | 
Theres no simple solution for preventing injection attacks. There are effective strategies that can stop them in their tracks.
The Real Wakeup Call From Heartbleed
Commentary  |  4/16/2014  | 
There's nothing special about Heartbleed. Its another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.
Flying Naked: Why Most Web Apps Leave You Defenseless
Commentary  |  3/28/2014  | 
Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.
The 7 Deadly Sins of Application Security
Commentary  |  2/6/2014  | 
How can two organizations with the exact same app security program have such wildly different outcomes over time? The reason is corporate culture.
What Healthcare Can Teach Us About App Security
Commentary  |  1/15/2014  | 
The Centers for Disease Control protects people from health threats and increases the health security of our nation. Its a mission thats not so different from InfoSec.
Secure Code Starts With Measuring What Developers Know
Commentary  |  12/19/2013  | 
I recently discovered Ive been teaching blindly about application security. I assumed that I know what students need to learn. Nothing could be further from the truth.
Application Security: We Still Have A Long Way To Go
Commentary  |  11/21/2013  | 
The past decade shows only trivial progress in improving web app security, according to new vulnerability guidelines in the OWASP Top Ten 2013.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-23463
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes suc...
CVE-2022-23464
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information...
CVE-2022-23461
PUBLISHED: 2022-09-24
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.
CVE-2022-36025
PUBLISHED: 2022-09-24
Besu is a Java-based Ethereum client. In versions newer than 22.1.3 and prior to 22.7.1, Besu is subject to an Incorrect Conversion between Numeric Types. An error in 32 bit signed and unsigned types in the calculation of available gas in the CALL operations (including DELEGATECALL) results in incor...
CVE-2022-39240
PUBLISHED: 2022-09-24
MyGraph is a permission management system. Versions prior to 1.0.4 are vulnerable to a storage XSS vulnerability leading to Remote Code Execution. This issue is patched in version 1.0.4. There is no known workaround.