Security Boulevard

Authors/Presenters:Seunghoon Woo, Eunjin Choi, Heejo Lee, Hakjoo Oh

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – V1SCAN: Discovering 1-day Vulnerabilities in Reused C/C++ Open-Source Software Components Using Code Classification Techniques appeared first on Security Boulevard.

We’ve written extensively before about FedRAMP’s impact levels. As a brief refresher, there are four: Li-SaaS, the lowest of the low-security levels, is made for non-critical cloud applications that handle no tangible CUI. Low Impact, which can handle some CUI, but is largely focused solely on very basic and public information like the basic information […]

The post Move From FedRAMP to DoD with Impact Level Assessment appeared first on Security Boulevard.

The post Cyber attacks 2024: The biggest attacks of the first half of 2024 appeared first on Click Armor.

The post Cyber attacks 2024: The biggest attacks of the first half of 2024 appeared first on Security Boulevard.

Sonatype kicked off its Summer of Software Regulations & Compliance webinar series this week with a broad look at some of the key regulations on improving cybersecurity. Jen Ellis, one of the hosts of the Distilling Cyber Policy podcast, moderated a discussion with Alex Botting, her co-host and EU Engagement Officer at the Center for Cybersecurity Policy, and Sonatype's Ilkka Turunen.

The post Sonatype’s summer webinar series: Future cybersecurity requirements appeared first on Security Boulevard.

Authors/Presenters:Santiago Cuéllar, Bill Harris, James Parker, Stuart Pernsteiner, Eran Tromer

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – Cheesecloth: Zero-Knowledge Proofs of Real World Vulnerabilities appeared first on Security Boulevard.

The post Behind the Scenes at Black Hat 2024 appeared first on AI-enhanced Security Automation.

The post Behind the Scenes at Black Hat 2024 appeared first on Security Boulevard.

Hewlett Packard Enterprise (HPE) this week at the Black Hat USA 2024 conference extended its network detection and response (NDR) capabilities that make use of artificial intelligence (AI) models to enable behavioral analytics.

The post HPE Infuses AI Into Network Detection and Response Platform appeared first on Security Boulevard.

Aqua Security this week at the Black Hat USA 2024 conference revealed that it has discovered six vulnerabilities in the cloud services provided by Amazon Web Services (AWS).

The post Aqua Security Researchers Disclose Series of AWS Flaws appeared first on Security Boulevard.

via the comic & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘University Age’ appeared first on Security Boulevard.

Understand the security status of GitHub Actions workflows and how to mitigate the risk.

The post Preview of State of GitHub Actions Security Report: Security of GH Workflows Building Blocks appeared first on Security Boulevard.

Authors/Presenters:Nicholas Boucher, Ross Anderson

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – Trojan Source: Invisible Vulnerabilities appeared first on Security Boulevard.

Optimizing Kubernetes security and efficiency of through granular control Kubernetes stands out as a powerful and versatile platform amongst application systems, allowing organizations to efficiently manage containers. However, enterprises face security challenges as they adopt Kubernetes in the context of network segmentation. Microsegmentation, a strategic approach to network security, plays a pivotal role in this...

The post The Role of Microsegmentation in Kubernetes Environments appeared first on TrueFort.

The post The Role of Microsegmentation in Kubernetes Environments appeared first on Security Boulevard.

Insight #1  

As I watch the sea of news out of Black Hat, from CrowdStrike fallout to the ever-present-flow of AI tools (both threat and savior?), one announcement stands out. Software now powers the world, but it's also the simplest way for attackers to breach an organization. Despite this, we've lacked visibility into the inner workings of applications beyond passive log analysis. Application Detection and Responseis the solution we've been missing! 

The post Cybersecurity Insights with Contrast CISO David Lindner | 8/9/24 appeared first on Security Boulevard.

Hello, My name is Chen, and I work as a threat intelligence analyst at Salt Security.

Every day, I dive into the complex world of cybersecurity, uncovering the hidden threats that hide in our digital lives. Today, I'd like to take you on a journey through the evolving landscape of API threats.

APIs are the quiet helpers of the digital world, allowing software applications to communicate easily with each other. They bring convenience and functionality to our digital interactions but also open doors to various vulnerabilities and risks.

Imagine APIs as bridges connecting islands of data and services. These bridges are essential for the smooth flow of information, but if not properly secured, they can allow unwanted people in or expose private information.

So now that we all agree that APIs, while super helpful, can also involve many risks, the question to be asked is, what are those risks, and how can we effectively map them?

Since API security is a relatively new domain, there is no standard methodology for achieving it. In this blog post, I want to share some standard techniques I use in my day-to-day job.

CVEs - Vulnerabilities By Type

Our first destination is the world of Common Vulnerabilities and Exposures (CVEs). Consider CVEs a lighthouse, highlighting hidden security flaws that we must recognize and understand to navigate the cybersecurity field safely.

One great resource for better understanding CVEs is CVEdetails. This site is a collection of detailed visualizations and valuable insights. It includes many interesting details, including this table:

The table summarizes all the CVEs found over the past decade, revealing the rise of various types of vulnerabilities. Web vulnerabilities like SQL injection and XSS truly stand out with their remarkable growth over the years.

In 2020, SQL injection-related CVEs were at 466. Fast forward to 2023, and this number has soared to 2,159—a staggering increase of 363.30% in just three years. Similarly, XSS has seen an impressive climb, with CVEs jumping from 2,203 in 2020 to 5,179 in 2023, marking a substantial 135.08% rise.

But our story doesn’t end there. As we delve deeper, we encounter CSRF, which saw its CVEs grow from 416 in 2020 to an astounding 1,398 in 2023, marking an increase of 236.05%. SSRF, too, has its tale of growth, with CVEs rising from 132 in 2020 to 248 in 2023, reflecting an 87.87% increase.

While this table provides great insights, as always in our domain, one source of information is rarely enough.

Take, for example, OAuth vulnerabilities. Salt-Labs' previous publications indicate that OAuth is a popular and rising attack vector. However, this table does not seem to reflect this.

When looking at the raw CVE data from this website, it seems this information is available. I gathered all the CVEs related to OAuth over the past few years and calculated their numbers for each year. Here are the results of my investigation:

I’ve observed a significant increase in OAuth vulnerabilities. In 2012, there was just one CVE, whereas in 2023, there were 42 CVEs. This significant rise had a notable impact on our product, influencing its detection. For further details about our OAuth Protection Package, you can find more information right here.

Bug Bounty Reports

The second destination for better understanding the threat landscape is Bug Bounty reports. The bug bounty community has grown substantially over the past few years, and looking into the public reports and available information from them can yield fascinating insights.

If you inspect all of the categories related to web vulnerabilities and count the number of reports from 2014 to 2022. It's important to note that I excluded 2023 from my analysis due to incomplete data.

You can quickly notice a clear rise in SSRF reports when delving into the data. In 2022, there was a significant increase, fitting well with the broader trends in the OWASP API 2023.

On the other hand, there's been a sharp decline in reports of CSRF vulnerabilities. Once a significant concern, CSRF saw a substantial drop of 79.27% in reports from 2017 to 2022. This downward trend contrasts with the results from our CVE research. However, given that bug bounty data is typically more accurate, I suggest that CSRF might no longer be a focal point in the threat landscape in 2024.

Internal DB of Salt Security

So now that we have a better understanding of the API threat landscape from several different sources, we must ask ourselves how this correlates with the internal telemetry data we collect at Salt-Labs.

Focusing on categories such as 'SQL injection',  'Code Injection',  'XSS', and 'Path Traversal', based on 2023, we saw an increase in web vulnerabilities every month. At the beginning of 2024, the numbers within these key categories were 1.5 times higher than those recorded in 2023.

Our journey ends here, and what we've learned is alarming: web vulnerabilities are escalating and remain a significant threat in the security landscape. As we move into 2024, these issues will persist and potentially affect more companies.

How Salt Can Help

From day one, Salt Security could detect OAuth vulnerabilities and code injections. Recently, we extended these capabilities, launching a new, multi-layered OAuth protection package that can detect attempts to exploit OAuth and proactively fix vulnerabilities. We have enhanced our API protection platform with a comprehensive suite of new OAuth threat detections and posture rules to address the growing challenge of OAuth exploitation. The first API security vendor to launch deep OAuth threat detection capabilities. These innovations will empower organizations to identify and mitigate malicious attempts to exploit OAuth flows, ultimately safeguarding sensitive data and user accounts.

If you would like to learn more about Salt and how we can help you on your API Security journey through discovery, posture management, and run-time threat protection, please contact us, schedule a demo, or check out our website.

Action Items

• Keep Software Updated: Regularly update your operating system, browsers, and applications to protect against security vulnerabilities.
• Educate Yourself and Others: Stay informed about common cyber threats and educate friends and family about safe internet practices.
• Beware of Suspicious Links: Avoid clicking links or opening attachments from unknown sources, as these may lead to malicious sites that exploit these vulnerabilities.
• Boost Your Cybersecurity with Expert Partners: To enhance your protection against cyber threats, consider partnering with third-party companies specializing in cybersecurity. These experts can offer tailored solutions, continuous monitoring, and advanced threat detection, ensuring your systems stay secure and resilient.

The post Exploring the dynamic landscape of cybersecurity threats appeared first on Security Boulevard.

Penetration testing plays a key role in evaluating a company’s infrastructure security, and this blog focuses on web penetration testing. The process has an impact on four main steps: gathering information, researching and exploiting vulnerabilities, writing reports with suggestions, and fixing issues while providing ongoing support. These tests are vital to ensure secure software development […]

The post Automated vs Manual: Web Penetration Testing appeared first on Kratikal Blogs.

The post Automated vs Manual: Web Penetration Testing appeared first on Security Boulevard.

Entrust, a once-trusted Certificate Authority (CA), has faced a significant setback as Google and Mozilla have announced they will no longer trust Entrust's SSL/TLS certificates due to security concerns. This move leaves current Entrust customers scrambling to find alternative CAs to ensure secure digital connections. The article emphasizes the urgency of transitioning to a new, reliable CA, such as Sectigo, to avoid potential cybersecurity risks and ensure continued protection. It also outlines steps for migrating certificates, stressing the importance of active management and automation in maintaining digital security.

The post Entrust distrust: How to move to a new Certificate Authority appeared first on Security Boulevard.

Reading Time: 5 min PowerDMARC now integrates with SecLytics to deliver advanced threat intelligence. Strengthen your email security with our powerful combination.

The post PowerDMARC Integrates with SecLytics for Predictive Threat Intelligence Analysis appeared first on Security Boulevard.

Embracing a just-in-time and just-enough privilege approach that harnesses context and automation can remove the tension between security and productivity, enabling teams to run faster without compromising on security standards.

The post Overcoming the 5 Biggest Challenges to Implementing Just-in-Time, Just Enough Privilege appeared first on Security Boulevard.

Situational awareness means what is happening around you, making educated judgments, and responding appropriately to any given scenario. It can be helpful on an individual level and also to organizations for making better decisions.

The post  How Situational Awareness Enhances the Security of Your Facility appeared first on Security Boulevard.

As summer ends and the back-to-school season begins, K-12 tech leaders face many cybersecurity and safety challenges. To help smooth the transition to a secure start to the 2024-2025 school year, we recently hosted a webinar featuring Samuel Hoch, Technology Director at Catoosa Public Schools, and Robert Batson, Technology Director at Tahlequah Public Schools. In ...

The post Phishing and Malware Detection: Top Tips from K-12 Technology Leaders appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Phishing and Malware Detection: Top Tips from K-12 Technology Leaders appeared first on Security Boulevard.