Aggregator

Best 7 Compliance Risk Assessment Tools for 2024

Security Boulevard
1 year 7 months ago

Organizations devote significant resources to their compliance risk assessments each year. Yet many compliance leads and senior executives feel stuck in a cycle of repetition and question whether these efforts yield meaningful benefits.  Do you find that your risk assessment process helps you tackle risk effectively? Does it offer a clear view of your top […]

The post Best 7 Compliance Risk Assessment Tools for 2024 appeared first on Centraleyes.

The post Best 7 Compliance Risk Assessment Tools for 2024 appeared first on Security Boulevard.

Rebecca Kappel

Bluesky 用户突破 1500 万

Solidot
1 year 7 months ago
Bluesky 用户突破 1500 万达到 1560 万,在美国总统大选结束一周内它增加了 100 万新用户,它现在是 iOS 上最受欢迎的社媒应用。Bluesky 基于去中心化的 AT 协议,首席运营官 Rose Wang 表示大部分新用户来自美国。其竞争对手、Meta 的微博客应用 Threads 报告有 2.75 亿月活跃用户,每天新增注册用户逾 100 万。Threads 和 Bluesky 目前都没有广告,Meta 已经表示 Threads 将在明年初引入广告。另一则相关消息是,因马斯克(Elon Musk)操纵 X/Twitter 的方式,英国《卫报》公开声明停止更新其 X 官方账号。

梆梆安全成为中国网络空间安全协会智能网联安全专业委员会首批成员单位

嘶吼
1 year 7 months ago

近日,中国网络空间安全协会智能网联安全专业委员会成立大会在湖北武汉召开,该委员会由华中科技大学、国家互联网应急中心、东风汽车、华为以及梆梆安全在内的53家会员单位联合发起,旨在发挥桥梁纽带作用,组织动员会员单位开展智能网联安全政策法规研讨、标准开发、技术创新、产业协作、智库建设、人才培养、国际交流等工作。

协会理事长指出,专委会要着眼新技术、新应用带来的挑战开展研究,及时向主管部门反馈研究成果及发展中面临的问题,积极支撑政策制定,助力行业形成广泛共识;要充分发挥专家智库作用,加速推动智能网联汽车、无人机、工业控制等领域网络与数据安全能力提升。

梆梆安全作为国内早期投身于车联网安全研究的企业,在汽车信息安全测试、车联网应用安全、信息安全能力建设等方向积累了丰富的经验,梆梆安全以车联网应用的安全风险管控为核心目标,构建涵盖事前检测、事中防护、事后监测的车联网应用安全体系,在关键环节落实好相应安全措施,确保车联网应用的软件安全和数据安全。

基于多年来在车联网安全方面的研究基础和检测评估实践,梆梆安全推出汽车信息安全测试平台,内置整车、零部件、通信协议、等多方面的常用测试用例和主流安全测试工具,可对整车机零部件进行信息安全测试和管理,快速满足车联网相关企业安全合规、风险发现及安全防护能力提升等需求。

梆梆安全作为专委会发起单位之一,将积极发挥车联网安全研究优势,通过技术创新推进我国智能网联安全产业发展,同时为专委会各项工作提供全方位支持,为我国的智能网联安全事业贡献力量。

梆梆安全

CVE-2024-45809 | Envoy up to 1.29.8/1.30.5/1.31.1 Routing Table memory corruption (GHSA-wqr5-qmq7-3qw3 / Nessus ID 210925)

Vuldb Updates
1 year 7 months ago
A vulnerability was found in Envoy up to 1.29.8/1.30.5/1.31.1 and classified as critical. Affected by this issue is some unknown functionality of the component Routing Table Handler. The manipulation leads to memory corruption. This vulnerability is handled as CVE-2024-45809. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2022-46751 | Oracle Business Intelligence Enterprise Edition 6.4.0.0.0 Visual Analyzer xml injection (Nessus ID 210929)

Vuldb Updates
1 year 7 months ago
A vulnerability classified as critical was found in Oracle Business Intelligence Enterprise Edition 6.4.0.0.0. This vulnerability affects unknown code of the component Visual Analyzer. The manipulation leads to xml injection. This vulnerability was named CVE-2022-46751. The attack can be initiated remotely. There is no exploit available.
vuldb.com

CVE-2024-45808 | Envoy up to 1.28.6/1.29.4/1.30.0 REQUESTED_SERVER_NAME neutralization for logs (GHSA-p222-xhp9-39rc / Nessus ID 210925)

Vuldb Updates
1 year 7 months ago
A vulnerability, which was classified as critical, was found in Envoy up to 1.28.6/1.29.4/1.30.0. This affects an unknown part. The manipulation of the argument REQUESTED_SERVER_NAME leads to improper output neutralization for logs. This vulnerability is uniquely identified as CVE-2024-45808. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-45806 | Envoy up to 1.28.6/1.29.4/1.30.0 internal_address_config authorization (GHSA-ffhv-fvxq-r6mf / Nessus ID 210925)

Vuldb Updates
1 year 7 months ago
A vulnerability has been found in Envoy up to 1.28.6/1.29.4/1.30.0 and classified as critical. This vulnerability affects unknown code. The manipulation of the argument internal_address_config leads to authorization bypass. This vulnerability was named CVE-2024-45806. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-52553 | Jenkins OpenId Connect Authentication Plugin up to 4.418.vccc7061f5b_6d improper authentication (Nessus ID 210929)

Vuldb Updates
1 year 7 months ago
A vulnerability was found in Jenkins OpenId Connect Authentication Plugin up to 4.418.vccc7061f5b_6d. It has been classified as critical. Affected is an unknown function. The manipulation leads to improper authentication. This vulnerability is traded as CVE-2024-52553. Access to the local network is required for this attack. There is no exploit available.
vuldb.com

CVE-2022-46751 | Apache Ivy up to 2.5.1 xml external entity reference (Nessus ID 210929)

Vuldb Updates
1 year 7 months ago
A vulnerability was found in Apache Ivy up to 2.5.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to xml external entity reference. This vulnerability is known as CVE-2022-46751. The attack can only be initiated within the local network. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2022-46751 | Oracle Communications Cloud Native Core Automated Test Suite ATS Framework xml injection (Nessus ID 210929)

Vuldb Updates
1 year 7 months ago
A vulnerability, which was classified as critical, has been found in Oracle Communications Cloud Native Core Automated Test Suite 23.1.3/23.2.1/23.3.0. Affected by this issue is some unknown functionality of the component ATS Framework. The manipulation leads to xml injection. This vulnerability is handled as CVE-2022-46751. The attack may be launched remotely. There is no exploit available.
vuldb.com

CVE-2024-45086 | IBM WebSphere Application Server 8.5/9.0 xml external entity reference (Nessus ID 210932)

Vuldb Updates
1 year 7 months ago
A vulnerability classified as problematic has been found in IBM WebSphere Application Server 8.5/9.0. Affected is an unknown function. The manipulation leads to xml external entity reference. This vulnerability is traded as CVE-2024-45086. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

第六届数字发展论坛丨梆梆安全获国家级特色案例

嘶吼
1 year 7 months ago

2024年11月8日,以“数据要素驱动高质量发展”为主题的第六届数字发展论坛在北京成功召开,论坛由中国互联网协会主办,中国互联网协会数字化转型与发展工作委员会、伏羲智库承办,中国科学院计算技术研究所、清华大学公共管理学院、清华大学互联网治理研究中心提供学术支持。

围绕服务经济、工业转型、数字政务、数字社会、数字文明、智能城市、基础设施、数字农业等八个主题召开分论坛,分论坛邀请到政产学研等各个领域的近三十位资深专家,梆梆安全资深安全专家张裕受邀出席并发表《政务服务移动应用安全体系建设》主题演讲,共同探讨政务服务应用安全体系建设与实践应用。

政务服务移动应用安全体系建设

梆梆安全资深安全专家张裕表示,随着政务移动互联网应用的快速发展,移动端应用的数量和业务丰富度爆发式增长。与此同时,移动终端面临的安全威胁种类和数量也在不断增多,手机操作系统漏洞,不可预知的业务逻辑缺陷,运行时的动态攻击,虚假设备,地下黑产等各类攻击手段,严重影响用户数据安全及合法权益。

同时,国家出台各项政策法规要求政务服务平台应加强移动端安全防护工作。2023年6月,国家信息中心牵头编制的GB/T 35282—2023《信息安全技术 电子政务移动办公系统安全技术规范》对政务服务移动应用管理和安全监测两个方面提出要求,应支持对政务APP进行安全防护、加固、安全检测和签名,防止受到恶意程序的破坏、破解和篡改;应支持对移动终端的网络攻击行为进行监测和告警。

政务移动应用“端到端” 安全建设

梆梆安全政务服务移动应用安全体系建设方案采用动静结合实时防御的安全防御策略,动态安全防御机制与现有的静态防御机制进行联动及协同防御。通过政务服务移动应用安全保障体系建设,实现以下效果:

1.实时感知客户端风险,包括移动应用加固破解、动态攻击等;将前端风险感知与后端流量感知相结合,实现端到端的安全协同;

2.前端风险感知能力亦需要纳入当前的静态保护范围,防止被逆向分析;

3.针对前端风险的防御机制做到实时防御,同时覆盖不同业务渠道,不同渠道安全防御做到联防联控;

助力经济社会数字化转型特色案例

在“互联网助力经济社会数字化转型”案例征集发布环节,根据专家评审结果,中国互联网协会副理事长,伏羲智库创始人、主任李晓东教授公布了2024“互联网助力经济社会数字化转型”中国互联网协会特别推荐案例与特色案例,梆梆安全“政务服务移动应用安全体系建设”入选中国互联网协会2024年度互联网助力经济社会数字化转型特色案例。

该案例为某省级政务移动应用“某事办”,作为某省全省各部门政务服务的“一站式直达”应用,承载政务服务移动端平台的全部功能,承建单位应提供针对客户端的安全检测、安全防护、安全监测能力,确保移动应用客户端的应用安全、数据安全、通信安全、身份认证安全、个人信息安全;某事办”安全管理监控能力较弱,缺少自动化的移动应用安全监控、预警能力。

梆梆安全为“某事办”提出“事前提高安全等级+事中实时监测响应+事后违规事件溯源”的移动应用全生命周期解决方案,从终端、应用、业务、数据等方面,全面构建政务服务应用应用的安全体系。

对移动应用上线前进行合规检测、安全检测及安全加固,“某事办”移动应用内禁止截屏、录屏等权限控制功能,实现防止数据通过截屏/录屏泄漏;进行账号与手机设备进行绑定,防止重要账号被盗用,防止泄露数据。

移动应用上线后,通过移动应用威胁感知平台,发现移动应用运行过程中遭受到的攻击与威胁;检测到风险后,进行定位、阻断、溯源,全方位保护移动应用安全。

前三个月服务期间,根据平台策略安全配置规则(威胁程度、监测范围)对攻击数据进行处理后,总共监测到威胁总数共510019次,影响设备数为156510台,影响设备率6.85%;针对于此次巡检分析,筛选出典型设备攻击示例,分别为人脸绕过攻击和渗透测试攻击。

携手共进 共创未来

在创建“数字中国”的远大目标下,我国法律法规以及监管执法的落地技术手段将不断完善。作为政务服务应用的开发者、运营者,应以长远目光结合体系化建设思路看待政务服务移动应用安全建设。未来,梆梆安全将在政务服务移动应用安全的路上,打造移动应用安全盾牌,不断完善移动安全体系,为政务应用的安全运转和顺利运行提供安全防御支撑,为我国电子政务服务业务发展保驾护航。

梆梆安全

Managed ad