Security Boulevard

We are excited to announce a significant Salt Security API Protection Platform upgrade. We have recently introduced a new detection feature targeting a prevalent yet often neglected vulnerability: open redirect attacks. This issue is so severe that it is highlighted in the OWASP Top 10 API Security Risks!

What Makes Open Redirects So Dangerous?

Consider this: you receive a link in an email that appears to be from your bank. Instead of reaching your account page, you are led to a convincing fraudulent site designed to steal your login information. This is the deceptive nature of an open redirect attack.

Such attacks occur when an application uncritically accepts user-provided URLs and redirects users based on this unreliable input. Attackers take advantage of this by inserting harmful URLs, which can result in:

• Phishing attacks: Users are diverted to fake websites that resemble legitimate ones, tricking them into revealing sensitive information.
• Malware distribution: Users are sent to sites that host malware, endangering their devices and potentially the entire network.
• Data theft: Attackers can create URLs that extract sensitive information from the application during the redirect process.

Open redirects often serve as an initial step in a more extensive attack sequence. Think of the redirect as a way for attackers to gain initial access, leading to more harmful activities.

Why Are They So Common?

Although it seems straightforward to avoid, open redirects are alarmingly widespread. Developers frequently find it challenging to validate every URL that comes from user input. This task is tedious; updating validation as the application changes can be a significant burden.

This vulnerability is so common that it features in the OWASP API Top 10 2023 under API10:2023 Unsafe Consumption of APIs, underscoring its importance in the realm of API security. The category spotlights the risks associated with integrating with external APIs that may have poor security, potentially exposing your application by association. Open redirects directly fall into this category, as they exploit trust relationships between applications.

Salt Security Shuts Down the Threat

With our upcoming detection capability, Salt Security is elevating standards for API protection. Our platform employs advanced AI and machine learning to examine URL patterns and detect suspicious redirection attempts. This allows us to:

• Identify open redirect attacks in real-time: Stopping malicious redirects before they can affect your users or business.
• Provide comprehensive insights into attack attempts: Equipping your security team with essential information to understand the attack and respond appropriately.
• Mitigate your overall risk: We help you secure your APIs and protect sensitive data by neutralizing this frequent attack vector.

A Competitive Edge in API Security

We are confident that this new detection feature distinguishes us in the market. Many security solutions fail to address open redirects with the same level of precision and sophistication. By directly confronting this often-ignored vulnerability, Salt Security delivers a truly holistic API security solution.

You can use this new detection and all our other detection capabilities that make our intent engine industry-leading. This is just one more instance of how Salt Security continually innovates to remain ahead of the curve and ensure that our customers receive the best API protection possible.

If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture governance, and run-time threat protection, please contact us, schedule a demo, or check out our website.

The post Open Redirect? Game Over! Salt Security Neutralizes a Sneaky API Attack Vector appeared first on Security Boulevard.

3 min readWhen a single API key compromise spiraled into a broader attack, it exposed how overlooked non-human identities can become gateways for escalating threats.

The post BeyondTrust Breach Exposes API Key Abuse Risks appeared first on Aembit.

The post BeyondTrust Breach Exposes API Key Abuse Risks appeared first on Security Boulevard.

Textual's Pipeline workflow preps your data for AI, Structural's sensitivity scan is now customizable, and Ephemeral can be deployed on Azure or Google Cloud!

The post Tonic.ai product updates: July 2024 appeared first on Security Boulevard.

SQL Server support on Tonic Ephemeral, Db2 LUW on Tonic Structural, LLM synthesis in Tonic Textual, and expanded LLM access in Tonic Validate! Learn more about all the latest releases from Tonic.ai.

The post Tonic.ai product updates: April 2024 appeared first on Security Boulevard.

Tonic is now Tonic Structural and can output directly to Tonic Ephemeral, subsetting arrives for Snowflake, + Tonic Cloud is HIPAA certified!

The post Tonic.ai product updates: March 2024 appeared first on Security Boulevard.

Author/Presenter: Josh Pyorre

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Signature-Based Detection Using Network Timing appeared first on Security Boulevard.

via the comic humor & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Radon’ appeared first on Security Boulevard.

Get details on this new cybersecurity Executive Order and its implications. 

The post White House Executive Order: Strengthening and Promoting Innovation in the Nation’s Cybersecurity appeared first on Security Boulevard.

Discover why relying on on premise software hinders innovation and explore how shifting employee behavior is driving modern SaaS adoption and usage trends.

The post Debunking the “On Premise Software” Myth | Grip Security appeared first on Security Boulevard.

We are thrilled to announce that Veriti has been mentioned in the 2025 Gartner Emerging Tech: Tech Innovators in Preemptive Cybersecurity as a Tech Innovator in the Preemptive Cybersecurity category. We hold the view that this mention underscores our role as a leader in enabling organizations to proactively address security exposures and reduce risk in […]

The post Veriti mentioned as a Tech Innovator in the 2025 Gartner® Emerging Tech: Tech Innovators in Preemptive Cybersecurity Report in the Preemptive Cybersecuirty Category.  appeared first on VERITI.

The post Veriti mentioned as a Tech Innovator in the 2025 Gartner® Emerging Tech: Tech Innovators in Preemptive Cybersecurity Report in the Preemptive Cybersecuirty Category.  appeared first on Security Boulevard.

Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape
andrew.gertz@t…
Thu, 01/16/2025 - 16:30

Compliance

Thales | Cloud Protection & Licensing Solutions
More About This Author >

If you work in compliance for a financial services organization, chances are you have been focused on the March 31st deadline for the implementation of the Payment Card Industry Data Security Standard version (PCI DSS 4.0). However, as important as PCI may be, United States financial services organizations operate in one of the world’s most stringent and complex compliance landscapes. Financial institutions must navigate a maze of requirements on the road to compliance and it is important to understand how to simplify and streamline compliance efforts across multiple regulations to achieve a faster time to compliance.

Understanding the US FinServ Compliance Landscape

The US financial services industry is subject to a vast number of laws and regulations. Some of the most important are Gramm-Leach-Bliley Act (GLBA), the National Association of Insurance Commissioners (NAIC) Data Security Model Law, the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, and the National Credit Union Administration (NCUA) cybersecurity guidance. Here is a quick summary of the most relevant regulations:

Gramm-Leach-Bliley Act (GLBA)

The GLBA mandates that a broad range of financial institutions based or operating in the United States, from banks and brokerage firms to payday and tax preparers, protect consumers’ personal financial information. It emphasizes the need for encryption, data governance, and secure information-sharing practices to prevent and mitigate cyber threats.

The most important components of the GBLA include the Federal Trade Commission (FTC) Safeguards Rule, which requires the development of a written information security plan, and the Financial Privacy Rule, which governs how financial data is collected and shared.

Compliance with the GBLA requires prioritizing data encryption and robust access controls to protect sensitive consumer information throughout its lifecycle.

NAIC Data Security Model Law

Designed to secure non-public information (NPI) within the insurance industry, the NAIC Data Security Model Law’s requirements closely resemble the GLBA requirements. It includes expectations for implementing comprehensive security programs, including risk assessments, incident response plans, periodic reporting, and controls like governance frameworks and application security protocols.

The NAIC, which applies to all insurance providers in the United States, is a perfect example of the value a unified approach to compliance can provide because its requirements overlap significantly with broader, well-established cybersecurity best practices, such as those found in the NIST Cybersecurity Framework.

NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is arduous. While it is a state regulation, because it applies to any financial organization that operates in the state of New York, it ends up applying to most organizations in the United States. The regulation is incredibly stringent and sets an unusually—albeit necessarily—high bar for cybersecurity practices. More than any other FinServ regulation, it includes unique components, such as the requirement for a Chief Information Security Officer (CISO) and an annual compliance certification.

That said, many of the requirements – establishing a risk-based cybersecurity program, maintaining secure access controls, and conducting regular penetration testing, for example – are either strongly recommended or mandated by the other regulations. Moreover, other compliance requirements included in the NYFDS, such as encryption, cloud security, and governance, are ubiquitous across US FinServ frameworks.

National Credit Union Administration (NCUA) Guidance

The NCUA guidance applies to credit unions and focuses heavily on data protection, vendor risk management, and incident response planning. Like other regulations, the NCUA calls for encryption to safeguard member data, governance policies to ensure accountability, and application security measures to protect against cyber threats. Access to resources can be a genuine concern for credit unions. As such, implementing a simplified, consolidated compliance strategy that addresses multiple frameworks at once is especially important.

Bringing it All Together

Now that you have a broad understanding of the US financial services regulatory landscape, you might notice that many of these regulations have significant overlaps. Every single one of the US financial services regulations mandates that organizations implement:

• Risk Assessment: Identifying data and systems at risk.
• Encryption: Protecting data at rest and in transit.
• Governance: Establishing accountability and enforcing policies.
• Cloud Security: Securing cloud environments against vulnerabilities.
• Access Control: Limiting access based on roles and responsibilities.
• Multi-Factor Authentication: Asserting the identity of people or systems.
• Application Security: Ensuring software is resilient to cyber threats.

Therefore, most requirements can be addressed with the same core technologies, without the need to duplicate efforts and dramatically reducing the time, effort, and resources necessary to achieve compliance. Differences between regulations can be addressed on a case-by-case basis.

Thales: Forging a Simplified Path to Compliance

As a leader in data security and cloud protection, Thales offers a comprehensive suite of solutions tailored to address financial institutions’ unique challenges. Partnering with Thales will help address the vast majority of requirements included in PCI DSS 4.0, GLBA, NAIC, NYDFS, and NCUA regulations – including risk assessment, encryption, governance, cloud security, access controls, and application security – and simplify the path to compliance so you can focus on the essentials: innovation, growth, and offering the best possible service to your customers.

I hope you will take the opportunity to review our new eBook to learn more about how Thales helps Financial Institutions operating in the United States to meet compliance requirements. It contains a detailed mapping of our cyber security capabilities to specific regulation requirements in the United States.

Schema {
"@context": "https://schema.org",
"@type": "BlogPosting",
"headline": "Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape",
"description": "Explore how financial institutions can navigate stringent U.S. FinServ regulations with simplified compliance strategies. Learn how Thales supports compliance with PCI DSS 4.0, GLBA, NAIC, NYDFS, and NCUA.",
"url": "https://cpl.thalesgroup.com/blog/data-security/simplifying-compliance-us-finserv-regulations",
"datePublished": "2025-01-16",
"author": {
"@type": "Person",
"name": "Tom Fusco",
"url": "https://www.linkedin.com/in/thomas-j-fusco-jr-68192b1/"
},
"publisher": {
"@type": "Organization",
"name": "Thales Group",
"description": "The world relies on Thales to protect and secure access to your most sensitive data and software wherever it is created, shared, or stored. Whether building an encryption strategy, licensing software, providing trusted access to the cloud, or meeting compliance mandates, you can rely on Thales to secure your digital transformation.",
"url": "https://cpl.thalesgroup.com",
"logo": "https://cpl.thalesgroup.com/sites/default/files/content/footer/thaleslogo-white.png",
"sameAs": [
"https://www.facebook.com/ThalesCloudSec",
"https://www.twitter.com/ThalesCloudSec",
"https://www.linkedin.com/company/thalescloudsec",
"https://www.youtube.com/ThalesCloudSec"
]
}
} studio THALES BLOG Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape

January 16, 2025

The post Simplifying Compliance in the Complex U.S. FinServ Regulatory Landscape appeared first on Security Boulevard.

Learn how one of Europe's largest healthcare tech leaders transformed their Secrets Security with GitGuardian, cutting incidents by half without compromising developer productivity.

The post How a Large Healthcare Company Slashed Their Secrets Incidents by Half appeared first on Security Boulevard.

Author/Presenter: Kyle Murbach

Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Small Satellite Modeling and Defender Software appeared first on Security Boulevard.

This strategic partnership combines Smart Spatial's innovative digital twin platform with Hyperview's expertise in data center optimization, enabling businesses to achieve sustainability, operational efficiency, and proactive management Vancouver, British Columbia – January 16, 2025: Smart Spatial is excited to announce its partnership with Hyperview, the leading cloud-based DCIM platform. This collaboration represents a major ...

The post Smart Spatial and Hyperview Unite to Take Data Centers to the Next Level appeared first on Hyperview.

The post Smart Spatial and Hyperview Unite to Take Data Centers to the Next Level appeared first on Security Boulevard.

How does the mind react when people interact with technology? A question often asked but seldom answered. It was a Monday afternoon, the last day of our sales quarter, and amidst the tense air, a message popped up on the screen. It was a Purchase Order (P.O.) from a known organization with which we had […]

The post Cyberpsychology: The Mind Behind the Screen appeared first on ColorTokens.

The post Cyberpsychology: The Mind Behind the Screen appeared first on Security Boulevard.

With an NDR in place, your IT administrators can quickly detect anomalies on the network, from cyberattacks to malfunctioning application servers or network equipment.

The post Network Detection and Response (NDR) Done Right from the Ground Up appeared first on Security Boulevard.

While the power and potential of GenAI is evident for IT and security, the use cases in the security field are surprisingly immature largely due to censorship and guardrails that hamper many models’ utility for cybersecurity use cases.   

The post What is an Uncensored Model and Why Do I Need It appeared first on Security Boulevard.

Digital tools are reshaping the traditional K-12 learning experience, unleashing a wave of benefits in the process. This guide explores the significance of digital tools for the classroom and how they can support your school district in creating a dynamic, tech-enabled learning environment.  The power of digital classroom technology Education technology tools are software applications, ...

The post Top Digital Tools for the Classroom appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Top Digital Tools for the Classroom appeared first on Security Boulevard.

Discover top AutoSPF alternatives for dynamic SPF flattening and better email deliverability with advanced features and pricing.

The post Best AutoSPF Alternatives: Detailed Feature Comparison appeared first on Security Boulevard.

Policy management is the sturdy scaffolding that supports governance, risk, and compliance (GRC) objectives while shaping corporate culture and ensuring adherence to regulatory obligations. Yet, many organizations grapple with a fragmented approach—policies scattered across departments, processes misaligned, and technology underutilized. The result? A disjointed strategy that hampers visibility, agility, and, ultimately, effectiveness. Why Policy Management […]

The post 10 Essential GRC Policy Management Best Practices appeared first on Centraleyes.

The post 10 Essential GRC Policy Management Best Practices appeared first on Security Boulevard.