Addressing the challenges of vulnerability coordination

The FIRST Vulnerability Coordination Special Interest Group (SIG) made available for public comment through January 31, 2017 the draft Guidelines and Practices for Multi-party Vulnerability Coordination.
Stakeholder roles and communication paths
While ISO standards provide basic guidance on the handling of potential vulnerabilities in products, the guidelines document is geared to consider more complex and typical real-life scenarios. Case studies start with products in the design stage with no affected users and scale to vulnerability …

Joomla vulnerability can be exploited to hijack sites, so patch now!

If you’re running a website on Joomla, you should update to the newly released 3.6.5 version as soon as possible, or risk your site being hijacked. The newest version of the popular CMS was released on Tuesday (December 13), and it fixes three vulnerabilities and several bugs, and includes a number of new security hardening mechanisms. Among the fixed vulnerabilities is one (CVE-2016-9838) that is especially dangerous, as it could allow attackers to take …

Components of an effective vulnerability management process

Vulnerabilities continue to grab headlines. Whether it is a zero-day that affects “tens of millions” of servers around the globe or an old unpatched flaw that leads to a data compromise, we will keep reading about them. The modern security landscape demands a process to manage and keep on top of the ever-evolving threats and vulnerabilities. This process is known as a vulnerability management program, and it is designed to identify, classify and proactively prevent …

Top trends in security testing and vulnerability management

Many businesses fail to conduct frequent security testing despite believing that it’s critically important to securing their systems and data. One in five businesses surveyed admitted they don’t do any security testing, despite the fact that 95 percent of survey respondents reported encountering one of the dozen common security issues associated with security vulnerabilities. The findings are based on an Osterman Research survey of 126 security professionals who have knowledge about or responsibility for …

Key elements for successfully prioritizing vulnerability remediation

New vulnerabilities are disclosed every day, amounting to thousands per year. Naturally, not all vulnerabilities are created equal. In this podcast recorded at Black Hat USA 2016, Tim White, Director of Product Management at Qualys, talks about Qualys ThreatPROTECT, a cloud-based solution that helps IT professionals automatically prioritize the vulnerabilities that pose the greatest risk to their organization. How? By correlating active threats against your vulnerabilities.
Live Threat Intelligence Feed
ThreatPROTECT also includes a Live …

ThreadFix: Software vulnerability aggregation and management system

ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.
A view of the application portfolio
Application security programs tend to involve a number of technologies and activities, and application security teams struggle managing these testing activities and all the data they are generating. “We built ThreadFix so that application security teams can create a consolidated view of their applications …

Faraday: Collaborative pen test and vulnerability management platform

Faraday is an integrated multi-user penetration testing environment that maps and leverages all the knowledge you generate in real time. It gives CISOs a better overview of their team’s job, tools and results. You can run it on Windows, Linux and OS X. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multi-user way. Faraday supports more than 50 tools, including Burp Suite, …

Chrome vulnerability lets attackers steal movies from streaming services

A significant security vulnerability in Google technology that is supposed to protect videos streamed via Google Chrome has been discovered by researchers from the Ben-Gurion University of the Negev Cyber Security Research Center (CSRC) in collaboration with a security researcher from Telekom Innovation Laboratories in Berlin, Germany. The researchers published a video showing how easily content can be stolen from a protected video. The vulnerability in the encryption technology, Widevine EME/CDM, opens an easy way for attackers …

Week in review: Docker security, SWIFT warns of new attacks, SAP vulnerability exploited

Here’s an overview of some of last week’s most interesting news and articles:
SWIFT warns of new attacks, Bangladesh Bank heist linked to Sony hack
They believe that its customers are facing “a highly adaptive campaign targeting banks’ payment endpoints.”
Internet of Fail: How modern devices expose our lives
During the past few years we’ve seen examples of all sorts of IoT devices exhibiting glitches, getting hacked, manipulated, and the information they hold exfiltrated.
CryptXXX …

Vulnerability management trends in Asia Pacific

A new study conducted by Forrester Consulting evaluated perceived challenges, drivers and benefits of various vulnerability management strategies and investments based on responses from information security professionals in Australia, China, Japan, New Zealand and Singapore. According to survey results, one of the top security priorities of companies is protecting customer data, with a focus on application security, data security and protection of customers’ personal information. Despite their customer focus, only 22 percent of security decision …