Security Experts:

long dotted

NEWS & INDUSTRY UPDATES

CERT details the Accellion File Transfer Appliance vulnerabilities uncovered by a researcher while trying to hack a Facebook server [Read More]
Vulnerability in PL/SQL Developer allows MitM attackers to deliver malware and execute arbitrary commands [Read More]
Microsoft offering up to $15,000 for serious vulnerabilities in the Nano Server installation option of Windows Server 2016 [Read More]
Google on Thursday released an updated version of Chrome 50 for Windows, Mac, and Linux, to resolve 9 security vulnerabilities in the popular web browser. [Read More]
OpenSSL will patch high severity vulnerabilities with the release of versions 1.0.2h and 1.0.1t on May 3 [Read More]
Mozilla patches 14 vulnerabilities, including critical and high severity issues, with the release of Firefox 46 [Read More]
Facebook paid out a $5,000 bounty to a researcher who found a login flaw that could have been leveraged to impersonate users on other websites [Read More]
HP has released security updates for various HP Data Protector iterations, in an attempt to patch a series of critical vulnerabilities that could result in remote code execution or disclosure of information. [Read More]
MIT launches bug bounty program and invites affiliates to find vulnerabilities on its domains [Read More]
Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher has discovered. [Read More]

FEATURES, INSIGHTS // Vulnerabilities

rss icon

Jim Ivers's picture
Developers are not trained in security and security is not yet an adequately integrated component of the development process. We are not applying good, or even minimal, security practices.
Emily Ratliff's picture
Writing yet another “security” paper isn’t going to do the trick. Security practitioners need to do a better job of getting our messages integrated into core developer documentation.
Jim Ivers's picture
The Internet of Things (IoT) will result in billions of connected devices coming on line in the next ten years, and the associated software will be built by industries that traditionally have not emphasized software security.
Emily Ratliff's picture
When you run an application, how can you verify that what you are running was actually built from the code that a trusted developer wrote?
David Holmes's picture
A determined attacker could almost certainly find another, easier (non-SSL) vulnerability much faster and cheaper than by using DROWN.
Jim Ivers's picture
Aside from tools, there are many types of application security testing that can be used to find vulnerabilities in software. An organization must consider multiple software security testing methods to really manage its risk.
Torsten George's picture
The benefits of automatic patching far exceed the risks, but with differing risk perceptions and tolerance levels, the decision must be made by each organization.
Jim Ivers's picture
What is missing from the conversation is how large a role software plays in the IoT equation. Plugging something into the Internet does not make it work -- it just makes it vulnerable.
Simon Crosby's picture
Attackers return again and again to vulnerable components like Flash because they can keep tapping into perennial vulnerabilities.
Jim Ivers's picture
Experienced organizations learn that security is not a drag on performance, but can provide productivity gains by eliminating security vulnerabilities early in the development process.