
Vulnerability Management

News & Commentary
The Human Factor in Social Media Risk
Dr. Sam Small, Chief Security Officer at ZeroFOX | Commentary
Your employees need help recognizing the warning signs and understanding how to protect themselves online.
By Dr. Sam Small Chief Security Officer at ZeroFOX, 9/25/2018
Hacking Back: Simply a Bad Idea
Carolyn Crandall, Chief Deception Officer at Attivo Networks | Commentary
While the concept may sound appealing, it's rife with drawbacks and dangers.
By Carolyn Crandall Chief Deception Officer at Attivo Networks, 9/24/2018
Data Manipulation: How Security Pros Can Respond to an Emerging Threat
PJ Kirner, CTO & Founder, Illumio | Commentary
Industry leaders are scrambling to address the issue, which will take new thinking to overcome.
By PJ Kirner CTO & Founder, Illumio, 9/21/2018
Overhauling the 3 Pillars of Security Operations
Dave Frampton, Vice President of Security Solutions at Sumo Logic | Commentary
Modern apps and the cloud mean that organizations must now rethink older security practices.
By Dave Frampton Vice President of Security Solutions at Sumo Logic, 9/18/2018
The 7 Habits of Highly Effective Security Teams
Gary Golomb, Co-Founder & Chief Research Officer at Awake Security | Commentary
Security requires smart people, processes, and technology. Too often, the "people" portion of the PPT equation is neglected.
By Gary Golomb Co-Founder & Chief Research Officer at Awake Security, 9/17/2018
The Increasingly Vulnerable Software Supply Chain
Thomas Etheridge, Vice President of Services, CrowdStrike | Commentary
Nation-state adversaries from Iran to Russia have leveraged the supply chain as a vehicle to compromise infrastructure and disrupt businesses.
By Thomas Etheridge Vice President of Services, CrowdStrike, 9/13/2018
DevOps Demystified: A Primer for Security Practitioners
John B. Dickson, CISSP, Principal, Denim Group | Commentary
Key starting points for those still struggling to understand the concept.
By John B. Dickson CISSP, Principal, Denim Group, 9/10/2018
The Weakest Security Links in the (Block)Chain
Drew Peck & Tim Butler, Executive Director and CEO & Founder of Tego | Commentary
Despite the technology's promise to transform how business is done, there are significant limitations and potential risks at the intersection of the digital and physical worlds.
By Drew Peck & Tim Butler Executive Director and CEO & Founder of Tego, 9/5/2018
Thoughts on the Latest Apache Struts Vulnerability
Tim Mackey, Technical Evangelist, Black Duck by Synopsys | Commentary
CVE-2018-11776 operates at a far deeper level within the code than all prior Struts vulnerabilities. This requires a greater understanding of the Struts code itself as well as the various libraries used by Struts.
By Tim Mackey Technical Evangelist, Black Duck by Synopsys, 9/5/2018
Lean, Mean & Agile Hacking Machine
Derek Manky, Global Security Strategist, Fortinet | Commentary
Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.
By Derek Manky Global Security Strategist, Fortinet, 9/4/2018
Proof-of-Concept Released for Apache Struts Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading | News
A Python script that makes exploiting the flaw easier is now also available on GitHub.
By Curtis Franklin Jr. Senior Editor at Dark Reading, 8/27/2018
A False Sense of Security
Steve Durbin, Managing Director of the Information Security Forum | Commentary
Emerging threats over the next two years stem from biometrics, regulations, and insiders.
By Steve Durbin Managing Director of the Information Security Forum, 8/24/2018
Embedding Security into the DevOps Toolchain
Dave Meltzer, Chief Technology Officer at Tripwire | Commentary
Security teams need to let go of the traditional security stack, stop fighting DevOps teams, and instead jump in right beside them.
By Dave Meltzer Chief Technology Officer at Tripwire, 8/23/2018
Building Security into the DevOps Pipeline
Dark Reading Staff | Commentary | Video
As companies pump more code into production at a faster pace, CA Veracode VP of Security Research Chris Eng stresses the importance of avoiding vulnerabilities by building security directly into the DevOps pipeline.
By Dark Reading Staff, 8/17/2018
Simplifying Defense Across the MITRE ATT&CK Matrix
Dark Reading Staff | Commentary | Video
Endgame's Mark Dufresne says SOCs can achieve better results within their existing staff and budget constraints with AI- and visualization-empowered, unified defense across the MITRE ATT&CK matrix.
By Dark Reading Staff, 8/17/2018
New PHP Exploit Chain Highlights Dangers of Deserialization
Ericka Chickowski, Contributing Writer, Dark Reading | News
PHP unserialization can be triggered by other vulnerabilities previously considered low-risk.
By Ericka Chickowski Contributing Writer, Dark Reading, 8/15/2018
Open Source Software Poses a Real Security Threat
Jeff Williams, CTO, Contrast Security | Commentary
It's true that open source software has many benefits, but it also has weak points. These four practical steps can help your company stay safer.
By Jeff Williams CTO, Contrast Security, 8/15/2018
The Data Security Landscape Is Shifting: Is Your Company Prepared?
Francis Dinha, CEO & Co-Founder of OpenVPN | Commentary
New ways to steal your data (and profits) keep cropping up. These best practices can help keep your organization safer.
By Francis Dinha CEO & Co-Founder of OpenVPN, 8/13/2018
10 Threats Lurking on the Dark Web
Steve Zurier, Freelance Writer
Despite some high-profile takedowns last year, the Dark Web remains alive and well. Here's a compilation of some of the more prolific threats that loom.
By Steve Zurier Freelance Writer, 8/8/2018
US-CERT Warns of New Linux Kernel Vulnerability
Dark Reading Staff, Quick Hits
Patches now available to prevent DoS attack on Linux systems.
By Dark Reading Staff, 8/7/2018
Current Conversations
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico, 9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems, 9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading, 9/19/2018
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Dark Reading - Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...
CVE-2018-1664
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 echoing of AMP management interface authorization headers exposes login credentials in browser cache. ...
CVE-2018-1669
PUBLISHED: 2018-09-25
IBM DataPower Gateway 7.1.0.0 - 7.1.0.23, 7.2.0.0 - 7.2.0.21, 7.5.0.0 - 7.5.0.16, 7.5.1.0 - 7.5.1.15, 7.5.2.0 - 7.5.2.15, and 7.6.0.0 - 7.6.0.8 as well as IBM DataPower Gateway CD 7.7.0.0 - 7.7.1.2 are vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote atta...
CVE-2018-1539
PUBLISHED: 2018-09-25
IBM Rational Engineering Lifecycle Manager 5.0 through 5.02 and 6.0 through 6.0.6 could allow remote attackers to bypass authentication via a direct request or forced browsing to a page other than URL intended. IBM X-Force ID: 142561.