Unlocking sustainable security practices with secure coding education

Despite stringent regulations and calls for ‘security by design’, organizations are still failing to equip teams with the knowledge to secure code, according to Security Journey. In fact, only 20% of respondents were confident in their ability to detec… Continue reading Unlocking sustainable security practices with secure coding education

The effect of omission bias on vulnerability management

Whether we’d like to admit it to ourselves or not, all humans harbor subconscious biases that powerfully influence our behavior. One of these is the omission bias, which has interesting ramifications in the world of cyber security, specifically vulnera… Continue reading The effect of omission bias on vulnerability management

Friday Squid Blogging: Unpatched Vulnerabilities in the Squid Caching Proxy

In a rare squid/security post, here’s an article about unpatched vulnerabilities in the Squid caching proxy.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting gu… Continue reading Friday Squid Blogging: Unpatched Vulnerabilities in the Squid Caching Proxy

November 2023 Patch Tuesday forecast: Year 21 begins

The October forecast for large numbers of CVEs addressed in Windows 10 and 11 and the recent record on the number fixed in Windows Server 2012 was spot on! Microsoft addressed 75 CVEs in Windows 11, 80 in Windows 10, and 61 in Server 2012 R2. While Ser… Continue reading November 2023 Patch Tuesday forecast: Year 21 begins

Organizations lack the skills and headcount to manage Kubernetes

The Kubernetes industry is undergoing rapid change and evolution due to the growth of edge computing, the acceleration of AI, and the pressing need to modernize Kubernetes management in response to increasing technology scale and complexity, according … Continue reading Organizations lack the skills and headcount to manage Kubernetes

Curl project squashes high-severity bug in omnipresent libcurl library (CVE-2023-38545)

Curl v8.4.0 is out, and fixes – among other things – a high-severity SOCKS5 heap buffer overflow vulnerability (CVE-2023-38545). Appropriate patches for some older curl versions have been released, too. Preparation for the security updates … Continue reading Curl project squashes high-severity bug in omnipresent libcurl library (CVE-2023-38545)

Be prepared to patch high-severity vulnerability in curl and libcurl

Details about two vulnerabilities (CVE-2023-38545, CVE-2023-38546) in curl, a foundational and widely used open-source software for data transfer via URLs, are to be released on Wednesday, October 11. Daniel Stenberg, the original author and lead devel… Continue reading Be prepared to patch high-severity vulnerability in curl and libcurl

Google “confirms” that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129)

The Chrome zero-day exploited in the wild and patched by Google a few weeks ago has a new ID (CVE-2023-5129) and a description that tells the whole story: the vulnerability is not in Chrome, but the libwebp library, which is used by many popular applic… Continue reading Google “confirms” that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129)

Baseline standards for BYOD access requirements

49% of enterprises across Europe currently have no formal Bring-Your-Own-Device (BYOD) policy in place, meaning they have no visibility into or control over if and how employees are connecting personal devices to corporate resources, according to a Jam… Continue reading Baseline standards for BYOD access requirements

Old vulnerabilities are still a big problem

A recently flagged phishing campaign aimed at delivering the Agent Tesla RAT to unsuspecting users takes advantage of old vulnerabilities in Microsoft Office that allow remote code execution. “Despite fixes for CVE-2017-11882/CVE-2018-0802 being … Continue reading Old vulnerabilities are still a big problem