Search results for: vulnerability

security platform

Nucleus Security CISA KEV Enrichment Dashboard provides insights into vulnerability prioritization

Nucleus Security has launched the CISA KEV Enrichment Dashboard, a free tool that enables vulnerability researchers to observe known and exploitable vulnerabilities identified by CISA and layer additional enrichment intelligence onto their vulnerability prioritization. The CISA KEV Vulnerability Enrichment Dashboard provides a list of the CISA Known Exploitable Vulnerabilities (KEV) Catalog, which is then enriched with CVSS, EPSS and GreyNoise Threat Intelligence. There are approximately 198,000 known critical vulnerabilities and exposures (CVE), of which only … More

security platform

Tanium Software Bill of Materials identifies software supply-chain vulnerabilities

Tanium launched the Tanium Software Bill of Materials (SBOM) to help organizations protect digital assets against external threats stemming from open-source software including OpenSSL v3. Tanium is a solution that empowers IT and security teams with granular visibility and real-time remediation of software packages for every application on every endpoint at runtime. The modern digital economy is powered by open-source software, but the average application-development project contains nearly 50 vulnerabilities spanning 80 direct dependencies. While … More

security platform

Cisco enhances its security portfolio to protect organizations against the wide array of adversaries

Cisco announced new capabilities across its security portfolio so teams can be more productive and protected wherever they are working from. The end-to-end platform will safeguard users, devices and applications across public clouds and private data centers, without public cloud lock-in. “Security is no longer optional. It is critical to every major initiative an organization may have,” said Jeetu Patel, Executive Vice President and General Manager of Security and Collaboration at Cisco. “We are committed … More

security platform

Qualys TotalCloud with FlexScan helps enterprises strengthen cloud-native security

Qualys announced TotalCloud with FlexScan delivering cloud-native VMDR with Six Sigma Accuracy via agent and agent-less scanning for comprehensive coverage of cloud-native posture management and workload security across multi-cloud and hybrid environments. As business applications and on-premises infrastructure migrate to the cloud, security teams struggle with managing cyber risk across cloud workloads, services, resources, users, and applications. Additionally, teams must deal with a plethora of industry acronym-driven point solutions that provide a fragmented view of … More

OpenSSL

High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786)

Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes (i.e., denial of service) or potentially remote code execution. CVE-2022-3602, whose existence was preannounced by the OpenSSL Project team a week ago, has luckily turned out to be less dangerous than initially thought. So the much feared *Critical* #OpenSSL turns out to be "just" a … More

open source security

Following Log4j: Supporting the developer community to secure IT

How bad was the Log4j vulnerability for open source’s reputation? One of the most high-profile exploits in recent years, it even led to a government advisory from the UK’s National Cyber Security Center being issued after Iranian state hackers took advantage of it. It’s hard to say just how much impact this incident had, but a recent report from VMware found that one in ten companies say they will no longer use open-source software. This … More

You can up software supply chain security by implementing these measures

The COVID-19 pandemic has been a driving force in digital acceleration, and it continues to wield its influence in how organizations and their staff embrace work. In the push to accommodate remote and hybrid work models, enterprises have ramped up their use of cloud-based services to maintain connectivity and continuity within their workforce. As the number of commercial relationships has ballooned, so have the attack surfaces and risks of compromise for companies. Recent cyberthreats have … More

Infosec products of the month: October 2022

Here’s a look at the most interesting products from the past month, featuring releases from: ABBYY, ARMO, Array, AuditBoard, AwareGO, Code42, Corelight, Digi International, EnigmaSoft, Exabeam, HashiCorp, Illusive, Kasten by Veeam, Legit Security, LiveAction, LogRhythm, Mandiant, Pentest People, Portnox, Prove, RSA, SkyKick, Socure, Stytch, Thales, and Verica. AuditBoard ESG enables users to centralize and manage their ESG programs AuditBoard ESG centralizes data in a single system of record; simplifying evidence collection and reporting; and enabling … More

security platform

Trustwave Enterprise Pen Testing allows enterprises to proactively identify known and unknown threats

Trustwave announced its new Enterprise Pen Testing (EPT) offering, designed to meet the complex testing needs of large organizations with an extensive breadth and depth of vulnerability identification, ability to deliver scaled programs of work, and extremely competitive pricing. The expert Trustwave SpiderLabs team supports EPT clients with a mix of onshore, nearshore, and offshore pentesters, testing within a CREST-endorsed methodology, providing high-quality testing in a flexible and cost-effective manner. The EPT service is augmented … More

security platform

Synack’s API pentesting capability empowers users to verify exploitable API vulnerabilities

Synack launched an API pentesting capability powered by its global community of elite security researchers. Organizations can now rely on the Synack platform for continuous pentesting coverage across “headless” API endpoints that lack a user interface and are increasingly exposed to attackers. “Synack’s human-led, adversarial approach is ideal for testing APIs that form the backbone of society’s digital transformation,” said Synack CTO and co-founder Mark Kuhr, a former National Security Agency cybersecurity expert. “We are … More

ConnectWise backup solutions open to RCE, patch ASAP!

ConnectWise has fixed a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager that could allow attackers to achieve remote code execution (RCE) or access confidential data. The company advises users to patch as soon as possible, as the vulnerability is “either being targeted or have a higher risk of being targeted by exploits in the wild.” An RCE flaw in two ConnectWise backup solutions ConnectWise Recover is a backup solution for small businesses, … More

week in review

Week in review: OpenSSL critical fix, Medibank data breach, Apple fixes zero-day vulnerability

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Incoming OpenSSL critical fix: Organizations, users, get ready! The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library (but does not affect OpenSSL versions before 3.0). Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827) For the ninth time this year, Apple has … More