Yahoo paid out over $1.6 million through its bug bounty program for 2,200 eligible vulnerability reports.
VMware releases updates for several of its products to address a couple of security issues rated critical and important.
Apple releases security updates for OS X, iOS, Safari, iTunes, watchOS and tvOS.
An update for the open source file archiver 7-Zip patches serious vulnerabilities discovered by Cisco researchers.
In a legal brief, Mozilla warns that “the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of the vulnerability.”
Adobe has patched 25 Flash Player vulnerabilities, including a zero-day exploited in the wild.
Google on Wednesday released yet another set of security patches for Chrome 50, resolving five vulnerabilities in the popular web browser.
Yahoo rewarded a researcher after he exploited the ImageTragick flaw to get RCE on the Polyvore website.
Onapsis warns that there are indicators of exploitation against 36 large-scale global enterprises around the world.
SAP on May 10 issued a new round of monthly security updates for its products, patching a total of 10 vulnerabilities, including critical flaws in ASE XPServer, Crystal Report for Enterprise, and Predictive Analytics.

FEATURES, INSIGHTS // Vulnerabilities

Emily Ratliff: Wendy Nather coined the term “security poverty line” to describe how organizations operate when they have insufficient investment in IT security.

Jim Ivers: Software that protects the crown jewels of the organization and reduces risk translates to “valuable.”

Jim Ivers: Developers are not trained in security, and security is not yet an adequately integrated component of the development process. We are not applying good, or even minimal, security practices.

Emily Ratliff: Writing yet another “security” paper isn’t going to do the trick. Security practitioners need to do a better job of getting our messages integrated into core developer documentation.

Jim Ivers: The Internet of Things (IoT) will result in billions of connected devices coming online in the next ten years, and the associated software will be built by industries that traditionally have not emphasized software security.

Emily Ratliff: When you run an application, how can you verify that what you are running was actually built from the code that a trusted developer wrote?

David Holmes: A determined attacker could almost certainly find another, easier (non-SSL) vulnerability much faster and cheaper than by using DROWN.

Jim Ivers: Aside from tools, there are many types of application security testing that can be used to find vulnerabilities in software. An organization must consider multiple software security testing methods to really manage its risk.

Torsten George: The benefits of automatic patching far exceed the risks, but with differing risk perceptions and tolerance levels, the decision must be made by each organization.

Jim Ivers: What is missing from the conversation is how large a role software plays in the IoT equation. Plugging something into the Internet does not make it work; it just makes it vulnerable.