Authors/Presenters:Nicholas Boucher, Ross Anderson
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – Trojan Source: Invisible Vulnerabilities appeared first on Security Boulevard.
Optimizing Kubernetes security and efficiency of through granular control Kubernetes stands out as a powerful and versatile platform amongst application systems, allowing organizations to efficiently manage containers. However, enterprises face security challenges as they adopt Kubernetes in the context of network segmentation. Microsegmentation, a strategic approach to network security, plays a pivotal role in this...
The post The Role of Microsegmentation in Kubernetes Environments appeared first on TrueFort.
The post The Role of Microsegmentation in Kubernetes Environments appeared first on Security Boulevard.
As I watch the sea of news out of Black Hat, from CrowdStrike fallout to the ever-present-flow of AI tools (both threat and savior?), one announcement stands out. Software now powers the world, but it's also the simplest way for attackers to breach an organization. Despite this, we've lacked visibility into the inner workings of applications beyond passive log analysis. Application Detection and Responseis the solution we've been missing!
The post Cybersecurity Insights with Contrast CISO David Lindner | 8/9/24 appeared first on Security Boulevard.
Hello, My name is Chen, and I work as a threat intelligence analyst at Salt Security.
Every day, I dive into the complex world of cybersecurity, uncovering the hidden threats that hide in our digital lives. Today, I'd like to take you on a journey through the evolving landscape of API threats.
APIs are the quiet helpers of the digital world, allowing software applications to communicate easily with each other. They bring convenience and functionality to our digital interactions but also open doors to various vulnerabilities and risks.
Imagine APIs as bridges connecting islands of data and services. These bridges are essential for the smooth flow of information, but if not properly secured, they can allow unwanted people in or expose private information.
So now that we all agree that APIs, while super helpful, can also involve many risks, the question to be asked is, what are those risks, and how can we effectively map them?
Since API security is a relatively new domain, there is no standard methodology for achieving it. In this blog post, I want to share some standard techniques I use in my day-to-day job.
CVEs - Vulnerabilities By TypeOur first destination is the world of Common Vulnerabilities and Exposures (CVEs). Consider CVEs a lighthouse, highlighting hidden security flaws that we must recognize and understand to navigate the cybersecurity field safely.
One great resource for better understanding CVEs is CVEdetails. This site is a collection of detailed visualizations and valuable insights. It includes many interesting details, including this table:
The table summarizes all the CVEs found over the past decade, revealing the rise of various types of vulnerabilities. Web vulnerabilities like SQL injection and XSS truly stand out with their remarkable growth over the years.
In 2020, SQL injection-related CVEs were at 466. Fast forward to 2023, and this number has soared to 2,159—a staggering increase of 363.30% in just three years. Similarly, XSS has seen an impressive climb, with CVEs jumping from 2,203 in 2020 to 5,179 in 2023, marking a substantial 135.08% rise.
But our story doesn’t end there. As we delve deeper, we encounter CSRF, which saw its CVEs grow from 416 in 2020 to an astounding 1,398 in 2023, marking an increase of 236.05%. SSRF, too, has its tale of growth, with CVEs rising from 132 in 2020 to 248 in 2023, reflecting an 87.87% increase.
While this table provides great insights, as always in our domain, one source of information is rarely enough.
Take, for example, OAuth vulnerabilities. Salt-Labs' previous publications indicate that OAuth is a popular and rising attack vector. However, this table does not seem to reflect this.
When looking at the raw CVE data from this website, it seems this information is available. I gathered all the CVEs related to OAuth over the past few years and calculated their numbers for each year. Here are the results of my investigation:
I’ve observed a significant increase in OAuth vulnerabilities. In 2012, there was just one CVE, whereas in 2023, there were 42 CVEs. This significant rise had a notable impact on our product, influencing its detection. For further details about our OAuth Protection Package, you can find more information right here.
Bug Bounty ReportsThe second destination for better understanding the threat landscape is Bug Bounty reports. The bug bounty community has grown substantially over the past few years, and looking into the public reports and available information from them can yield fascinating insights.
If you inspect all of the categories related to web vulnerabilities and count the number of reports from 2014 to 2022. It's important to note that I excluded 2023 from my analysis due to incomplete data.
You can quickly notice a clear rise in SSRF reports when delving into the data. In 2022, there was a significant increase, fitting well with the broader trends in the OWASP API 2023.
On the other hand, there's been a sharp decline in reports of CSRF vulnerabilities. Once a significant concern, CSRF saw a substantial drop of 79.27% in reports from 2017 to 2022. This downward trend contrasts with the results from our CVE research. However, given that bug bounty data is typically more accurate, I suggest that CSRF might no longer be a focal point in the threat landscape in 2024.
Internal DB of Salt SecuritySo now that we have a better understanding of the API threat landscape from several different sources, we must ask ourselves how this correlates with the internal telemetry data we collect at Salt-Labs.
Focusing on categories such as 'SQL injection', 'Code Injection', 'XSS', and 'Path Traversal', based on 2023, we saw an increase in web vulnerabilities every month. At the beginning of 2024, the numbers within these key categories were 1.5 times higher than those recorded in 2023.
Our journey ends here, and what we've learned is alarming: web vulnerabilities are escalating and remain a significant threat in the security landscape. As we move into 2024, these issues will persist and potentially affect more companies.
How Salt Can HelpFrom day one, Salt Security could detect OAuth vulnerabilities and code injections. Recently, we extended these capabilities, launching a new, multi-layered OAuth protection package that can detect attempts to exploit OAuth and proactively fix vulnerabilities. We have enhanced our API protection platform with a comprehensive suite of new OAuth threat detections and posture rules to address the growing challenge of OAuth exploitation. The first API security vendor to launch deep OAuth threat detection capabilities. These innovations will empower organizations to identify and mitigate malicious attempts to exploit OAuth flows, ultimately safeguarding sensitive data and user accounts.
If you would like to learn more about Salt and how we can help you on your API Security journey through discovery, posture management, and run-time threat protection, please contact us, schedule a demo, or check out our website.
Action ItemsThe post Exploring the dynamic landscape of cybersecurity threats appeared first on Security Boulevard.
Penetration testing plays a key role in evaluating a company’s infrastructure security, and this blog focuses on web penetration testing. The process has an impact on four main steps: gathering information, researching and exploiting vulnerabilities, writing reports with suggestions, and fixing issues while providing ongoing support. These tests are vital to ensure secure software development […]
The post Automated vs Manual: Web Penetration Testing appeared first on Kratikal Blogs.
The post Automated vs Manual: Web Penetration Testing appeared first on Security Boulevard.
Entrust, a once-trusted Certificate Authority (CA), has faced a significant setback as Google and Mozilla have announced they will no longer trust Entrust's SSL/TLS certificates due to security concerns. This move leaves current Entrust customers scrambling to find alternative CAs to ensure secure digital connections. The article emphasizes the urgency of transitioning to a new, reliable CA, such as Sectigo, to avoid potential cybersecurity risks and ensure continued protection. It also outlines steps for migrating certificates, stressing the importance of active management and automation in maintaining digital security.
The post Entrust distrust: How to move to a new Certificate Authority appeared first on Security Boulevard.
Reading Time: 5 min PowerDMARC now integrates with SecLytics to deliver advanced threat intelligence. Strengthen your email security with our powerful combination.
The post PowerDMARC Integrates with SecLytics for Predictive Threat Intelligence Analysis appeared first on Security Boulevard.
Embracing a just-in-time and just-enough privilege approach that harnesses context and automation can remove the tension between security and productivity, enabling teams to run faster without compromising on security standards.
The post Overcoming the 5 Biggest Challenges to Implementing Just-in-Time, Just Enough Privilege appeared first on Security Boulevard.
Situational awareness means what is happening around you, making educated judgments, and responding appropriately to any given scenario. It can be helpful on an individual level and also to organizations for making better decisions.
The post How Situational Awareness Enhances the Security of Your Facility appeared first on Security Boulevard.
As summer ends and the back-to-school season begins, K-12 tech leaders face many cybersecurity and safety challenges. To help smooth the transition to a secure start to the 2024-2025 school year, we recently hosted a webinar featuring Samuel Hoch, Technology Director at Catoosa Public Schools, and Robert Batson, Technology Director at Tahlequah Public Schools. In ...
The post Phishing and Malware Detection: Top Tips from K-12 Technology Leaders appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.
The post Phishing and Malware Detection: Top Tips from K-12 Technology Leaders appeared first on Security Boulevard.
Reading Time: 8 min Data security is critical in email marketing to protect against threats like phishing and data leaks. Learn how to stay safe and maintain customer trust.
The post Why Data Security is Crucial to Email Marketing appeared first on Security Boulevard.
A study by the CSA found that the human element continues to play a key role in the top threats facing cloud computing environments, including misconfigurations, IAM, and insecurity interfaces and APIs.
The post Humans are Top Factor in Cloud Security: CSA Study appeared first on Security Boulevard.
Our comprehensive guide ranks the top 10 DMARC ...
The post Top 10 DMARC Solutions in 2024 appeared first on EasyDMARC.
The post Top 10 DMARC Solutions in 2024 appeared first on Security Boulevard.
Valimail is a leading DMARC provider, but it ...
The post Top 10 Valimail Alternatives and Competitors in 2024 appeared first on EasyDMARC.
The post Top 10 Valimail Alternatives and Competitors in 2024 appeared first on Security Boulevard.
BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware.
The post Updated SafeBreach Coverage for AA23-061A – BlackSuit (Royal) Ransomware appeared first on SafeBreach.
The post Updated SafeBreach Coverage for AA23-061A – BlackSuit (Royal) Ransomware appeared first on Security Boulevard.
Authors/Presenters:Daniel Reijsbergen, Aung Maw, Zheng Yang, Tien Tuan Anh Dinh, Jianying Zhou
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – TAP: Transparent and Privacy-Preserving Data Services appeared first on Security Boulevard.
5 min read See how we're helping you enhance serverless security with dynamic tokens, policy enforcement, and no-code support for non-human identities
The post Introducing Secretless Identity and Access for Serverless with AWS Lambda appeared first on Aembit.
The post Introducing Secretless Identity and Access for Serverless with AWS Lambda appeared first on Security Boulevard.
Yesterday at the Black Hat conference, Microsoft announced the public preview of Entra FIDO2 provisioning APIs. HYPR worked closely with Microsoft on these critical enhancements, which make it easier for Entra customers to provision passkeys for their users. Like the EAM integration unveiled a few months ago, collaborative development of such features is essential to fuel adoption of secure, phishing-resistant authentication methods. We are honored that Microsoft named HYPR as a fully-tested vendor to help Entra customers on their FIDO2 provisioning journey.
The post HYPR and Microsoft Partner on Entra FIDO2 Provisioning APIs appeared first on Security Boulevard.
Salt Security this week extended its core platform to make it easier to discover and govern application programming interfaces (APIs).
The post Salt Security Extends Scope of API Security Platform appeared first on Security Boulevard.
There’s so much to keep up with in the world of cybercrime…especially for security practitioners. Leaky Weekly is a bi-weekly podcast hosted by security researcher Nick Ascoli as he dives into the most pressing stories on data leaks, cybercrime, and the dark web in the last week or so. Tune in for current events every […]
The post Launching Leaky Weekly with Flare, Cybercrime Current Events Podcast appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.
The post Launching Leaky Weekly with Flare, Cybercrime Current Events Podcast appeared first on Security Boulevard.
