Randall Munroe’s XKCD ‘Mass Spec’
via the cosmic humor & dry-as-the-desert wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Mass Spec’ appeared first on Security Boulevard.
Web hosting giant GoDaddy for years has misled customers about the strength of its security program, but after a series of data breaches, the FTC is ordering the company to implement robust defenses and stop lying about its cybersecurity capabilities.
The post FTC Orders GoDaddy to Bolster its Security After Years of Attacks appeared first on Security Boulevard.
May 28, 2025 - Lina Romero - Your Mobile Apps May Not Be as Secure as You Think…
Excerpt:
Cybersecurity risks are too close for comfort. Recent data from the Global Mobile Threat Report reveals that our mobile phone applications are most likely exposing our data due to insecure practices such as API key hardcoding.
Summary:
In 2025, most of us are reliant on our mobile devices for everything from communication to transportation and commerce. But the applications that are powering these functions are leaving users open to risk…
Blog Text:
It is no secret that many of us would be helpless without our mobile devices. Similarly, our mobile devices would be helpless without APIs. APIs are what allow mobile applications to communicate with one another and to send and receive requests between platforms, such as between your phone and the mobile application's cloud platform. If these APIs aren't secure, the information you are putting into your mobile applications, which can include location data, banking details, and other PII, isn't secure either. A recent report from Zimperium revealed that mobile applications often fail to follow best practices around authentication and authorization, which leads to critical vulnerabilities for the user. A secure application should use placeholder tokens instead of direct access through a login. Best practices around authentication such as session-based authentication and header-based authentication can also help ensure that only authenticated users gain access. Session-based authentication uses sessions to track authenticated user activity and stores information about that usage, creating a unique identifier under which information about the user is kept. This identifier is stored in a cookie that is sent to each server where a request is made, and those servers can in turn check whether the session ID matches the authenticated user. Header-based authentication uses HTTP headers to authenticate the user on a separate, external server, sometimes a web gateway or proxy server. However, some developers use hard-coded API keys as a shortcut, meaning the token is the same for every user of the app. This is bad practice from a security standpoint, because it means that if one user is compromised, they effectively all are. Even AI systems will not let you hardcode API keys, as they have been programmed against it for security reasons.
As we see in the tables below (source: Zimperium), both Android and iOS applications have a whole host of vulnerabilities; however, Android seems to be significantly worse, particularly in regard to hardcoded API keys. The numbers are staggering: between 5 and 9 percent of Android applications use hardcoded API keys. This percentage is at its highest (8.7%) for lifestyle apps, which include journaling, meditation, and planning apps and some social media. For iOS applications the number is slightly lower, between 1.6% and 3.6%; however, when you consider the sheer number of applications and installations out there, this is still too high. Beyond the applications that use hardcoded API keys, the Zimperium report brings many other glaring vulnerabilities to light. For example, large percentages of Android applications, and smaller but still significant percentages of iOS applications, are still using vulnerable encryption algorithms. And on the whole, a startlingly large share of both iOS and Android applications leak sensitive data. For iOS, the biggest culprits are travel applications, of which around 59% leak sensitive data, with financial applications close behind at 54%. This is even more worrying considering the types of PII these apps handle. For Android, entertainment apps such as social media have the highest percentage of data leakage, around 42.8%, with travel and lifestyle apps close behind. Overall, our mobile applications are not nearly as secure as we would hope, especially given how reliant most of us are on them day to day. Many still use outdated practices such as hardcoded API keys, which can compromise authentication for many users at once. In 2025, it is a travesty that these applications have not addressed these critical vulnerabilities.
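The contrast the post draws, between a key that is identical in every copy of the app and a per-user session ID held in a cookie, as an added Python example that is not code from FireTail, Zimperium or the original post. The backend class names, user names, passwords and the placeholder key value are constructed for the demonstration; the two functions return what each backend still accepts after one user's credential is compromised and the server responds to the leak.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed placeholder standing in for a key baked into every shipped copy of an app.
SHARED_APP_KEY = "demo-hardcoded-key-not-real"


class SharedKeyBackend:
    """Hypothetical backend where every install presents the same hardcoded key."""

    def __init__(self, key: str) -> None:
        self._key = key

    def authorize(self, presented_key: str) -> bool:
        # Constant-time comparison; both values are ASCII strings.
        return hmac.compare_digest(presented_key, self._key)

    def rotate_after_leak(self) -> None:
        # The only remedy once the key leaks: rotate it, which locks out every installed copy.
        self._key = secrets.token_urlsafe(32)


class SessionBackend:
    """Hypothetical session-based backend: login returns a random session ID the client keeps
    in a cookie; each request is checked by mapping that ID back to the authenticated user."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, password hash)
        self._sessions: dict[str, str] = {}                 # session ID -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> str | None:
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(self._hash(password, salt), digest):
            return None
        session_id = secrets.token_urlsafe(32)  # unique per login and unguessable
        self._sessions[session_id] = username
        return session_id

    def authorize(self, cookie_session_id: str) -> str | None:
        # The user bound to the presented cookie, or None if the session is unknown or revoked.
        return self._sessions.get(cookie_session_id)

    def revoke(self, cookie_session_id: str) -> None:
        self._sessions.pop(cookie_session_id, None)


def blast_radius_of_leaked_shared_key() -> dict[str, dict[str, bool]]:
    """Two installs carry the same key; rotating it after one leak cuts off both users."""
    backend = SharedKeyBackend(SHARED_APP_KEY)
    clients = {"alice": SHARED_APP_KEY, "bob": SHARED_APP_KEY}  # constructed clients
    before = {name: backend.authorize(key) for name, key in clients.items()}
    backend.rotate_after_leak()  # alice's copy leaked; no finer-grained response exists
    after = {name: backend.authorize(key) for name, key in clients.items()}
    return {"before": before, "after": after}


def blast_radius_of_leaked_session() -> dict[str, object]:
    """Each user holds a distinct session ID; revoking alice's stolen cookie leaves bob alone."""
    backend = SessionBackend()
    backend.register("alice", "correct horse")   # constructed credentials
    backend.register("bob", "battery staple")
    alice_sid = backend.login("alice", "correct horse")
    bob_sid = backend.login("bob", "battery staple")
    bad_login = backend.login("alice", "wrong password")
    before = {"alice": backend.authorize(alice_sid), "bob": backend.authorize(bob_sid)}
    backend.revoke(alice_sid)  # only the compromised session is invalidated
    after = {"alice": backend.authorize(alice_sid), "bob": backend.authorize(bob_sid)}
    return {
        "distinct_ids": alice_sid != bob_sid,
        "bad_login": bad_login,
        "before": before,
        "after": after,
    }


if __name__ == "__main__":
    print("shared key:", blast_radius_of_leaked_shared_key())
    print("sessions:  ", blast_radius_of_leaked_session())
```

The session backend is the server-side half only; in a real deployment the cookie also needs the `Secure`, `HttpOnly` and `SameSite` attributes and an expiry, which this in-memory sketch does not model.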
Individual users have little control over their data and the average consumer is not adequately prepared for a PII breach. The best things we can do in this current cyber landscape are…
Staying vigilant
Changing passwords frequently
Installing 2-factor authentication whenever possible
Updating applications frequently to ensure you are using the most recent and secure version.
If you want to take control of your organization’s cybersecurity posture, see how FireTail can help you today. Schedule a demo or join our free tier to learn more.
The post Your Mobile Apps May Not Be as Secure as You Think… – FireTail Blog appeared first on Security Boulevard.
Launching a HealthTech startup without data governance is like building a hospital with no patient records: risky, chaotic, and destined for regulatory headaches. In an...
The post How HealthTech Startups Can Build Scalable Data Governance Frameworks from Day One appeared first on ISHIR | Software Development India.
The post How HealthTech Startups Can Build Scalable Data Governance Frameworks from Day One appeared first on Security Boulevard.
Author/Presenter: Kenton McDonough
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – PasswordsCon – Zero Downtime Credential Rotation appeared first on Security Boulevard.
Major tech companies now generate 30% of code with AI. Explore the dramatic shift from manual coding to AI orchestration—and why the next 3 years will transform who can build software.
The post The Evolution of Software Development: From Machine Code to AI Orchestration appeared first on Security Boulevard.
RDP and SSH remain top targets for attackers because they offer direct access to the systems that matter most. As covered in our earlier post (Why You Should Segment RDP & SSH), segmenting these high-risk protocols is one of the …
The post How to Segment SSH and RDP for Zero Trust Success appeared first on 12Port.
The post How to Segment SSH and RDP for Zero Trust Success appeared first on Security Boulevard.
Mental denial of service (DOS) is the manipulative content that hijacks the cognitive processing of individuals and institutions.
The post Mental Denial of Service: Narrative Malware and the Future of Resilience appeared first on Security Boulevard.
Cary, North Carolina, 28th May 2025, CyberNewsWire
The post INE Security and RedTeam Hacker Academy Announce Partnership to Advance Cybersecurity Skills in the Middle East appeared first on Security Boulevard.
The Cookie-Bite attack is an advanced evolution of Pass-the-Cookie exploits. This tactic bypasses Multi-Factor Authentication (MFA) by leveraging stolen authentication cookies—such as Azure Entra ID’s ESTSAUTH and ESTSAUTHPERSISTENT—to impersonate users.
The post Understanding the Cookie-Bite MFA Bypass Risk appeared first on Security Boulevard.
by Source Defense Even with the PCI DSS 4.0 deadline now behind us, many organizations are still exposed to costly eSkimming threats and compliance gaps. Source Defense recently hosted a webinar to explore how compliance actually drives better business outcomes – as seen through the lens of the positive bottom line impacts of implementing PCI
The post eSkimming Security – Driving Bottom Line Results through Fraud Reduction and Revenue Maximization appeared first on Source Defense.
The post eSkimming Security – Driving Bottom Line Results through Fraud Reduction and Revenue Maximization appeared first on Security Boulevard.
Author/Presenter: Dwayne McDaniel
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – PasswordsCon – Long Live Short Lived Credentials – Auto-Rotating Secrets At Scale appeared first on Security Boulevard.
via the cosmic humor & dry-as-the-desert wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Drafting’ appeared first on Security Boulevard.
PQC PDQ: Researchers find we’ll need 20 times fewer qubits to break conventional encryption than previously believed.
The post RSA and Bitcoin at BIG Risk from Quantum Compute appeared first on Security Boulevard.
At Seceon, we’re honored to announce that we have been named the “MSP Platform Provider Vendor of the Year” at the Technology Reseller Awards 2025. This recognition is a meaningful milestone that celebrates our ongoing commitment to delivering an innovative, AI-driven cybersecurity platform designed to meet the evolving needs of Managed Service Providers (MSPs) and
The post Seceon Wins “MSP Platform Provider Vendor of the Year” at Technology Reseller Awards 2025 appeared first on Seceon Inc.
The post Seceon Wins “MSP Platform Provider Vendor of the Year” at Technology Reseller Awards 2025 appeared first on Security Boulevard.
As software supply chain threats become more complex, organizations need more than just vulnerability scanning — they need complete visibility into the components that make up their applications.
The post SBOM management and generation: How Sonatype leads in software supply chain visibility appeared first on Security Boulevard.
Discover how Claroty and ColorTokens secure IoMT and prevent lateral movement in healthcare networks with agentless microsegmentation and visibility.
The post Protecting Biomedical Devices in the Large Healthcare Enterprise appeared first on ColorTokens.
The post Protecting Biomedical Devices in the Large Healthcare Enterprise appeared first on Security Boulevard.
An alert from CISA, FBI, EPA and DOE came after CISA observed attacks by “unsophisticated” cyber actors leveraging “basic and elementary intrusion techniques” against ICS/SCADA systems.
The post Unsophisticated Actors, Poor Hygiene Prompt CI Alert for Oil & Gas appeared first on Security Boulevard.
Author/Presenter: Per Thorsheim
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – PasswordsCon – Combating Phone Spoofing With STIR/SHAKEN appeared first on Security Boulevard.
Detection as code (DaC) is a powerful way for security teams to streamline rule development, automate threat detection, and respond to attacks with greater speed and precision. The DaC approach applies formal software development practices to write, manage, and deploy rules for detecting security threats.
The post Detection as code: How to enhance your real-time threat detection appeared first on Security Boulevard.