HTML5 will not prevent malvertising. This has nothing to do with HTML5 as such; it follows from the nature of the adverts themselves.
Several arbitrary code execution vulnerabilities have been patched in the open-source libarchive library.
Exploit kit traffic is only a small percentage of what it used to be: it has dropped 96% since early April 2016.
A new Firefox feature, dubbed Containers, is meant to let people use separate browser tabs for different contexts, such as work, banking, shopping, or personal browsing.
Security updates for Drupal 7 and 8 patch privilege escalation and access bypass vulnerabilities.
Microsoft has released 16 security bulletins to address vulnerabilities in Windows, Internet Explorer, Edge, Office and Exchange Server.
Adobe has released patches for several of its products, but a Flash Player zero-day exploited in targeted attacks will only be addressed later this week.
Intel has revealed Control-flow Enforcement Technology (CET), a new hardware security mechanism intended to hinder Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks.
Thousands of Let's Encrypt users had their email addresses exposed when the open certificate authority (CA) sent a notification to active subscribers.
Symantec this week introduced a new IoT security solution specifically designed to protect connected vehicles from zero-day attacks and never-before-seen threats.

FEATURES, INSIGHTS // Vulnerabilities


Torsten George: Google Dorking can be used to identify vulnerable systems and trace them to a specific place on the Internet.
Emily Ratliff: Wendy Nather coined the term "security poverty line" to describe how organizations operate when they have insufficient investment in IT security.
Jim Ivers: Software that protects the crown jewels of the organization and reduces risk translates to "valuable."
Jim Ivers: Developers are not trained in security, and security is not yet an adequately integrated component of the development process. We are not applying good, or even minimal, security practices.
Emily Ratliff: Writing yet another "security" paper isn't going to do the trick. Security practitioners need to do a better job of getting our messages integrated into core developer documentation.
Jim Ivers: The Internet of Things (IoT) will result in billions of connected devices coming online in the next ten years, and the associated software will be built by industries that traditionally have not emphasized software security.
Emily Ratliff: When you run an application, how can you verify that what you are running was actually built from the code that a trusted developer wrote?
David Holmes: A determined attacker could almost certainly find another, easier (non-SSL) vulnerability much faster and cheaper than by using DROWN.
Jim Ivers: Aside from tools, there are many types of application security testing that can be used to find vulnerabilities in software. An organization must consider multiple software security testing methods to really manage its risk.
Torsten George: The benefits of automatic patching far exceed the risks, but with differing risk perceptions and tolerance levels, the decision must be made by each organization.