Problem solve

Web application and API security best practices

• How to prevent buffer overflow attacks

  Read up on types of buffer overflow attacks, and learn secure coding best practices that prevent such vulnerabilities, as well as post-deployment steps to keep apps and websites safe. Continue Reading

• Who wins the security vs. privacy debate in the age of AI?

  When trying to maintain balance between security and privacy in an AI-enabled world, who decides which side should tip and when? So continues the security vs. privacy debate. Continue Reading

• How to mitigate 5 persistent application security threats

  The most widely known application security threats are sometimes the most common exploits. Here is a list of the top app threats and their appropriate security responses. Continue Reading

• How to prevent software piracy

  Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading

• 7 TCP/IP vulnerabilities and how to prevent them

  While many TCP/IP security issues are in the protocol suite's implementation, there are some vulnerabilities in the underlying protocols to be aware of. Continue Reading

• How to encrypt and secure a website using HTTPS

  The web is moving to HTTPS. Find out how to encrypt websites using HTTPS to stop eavesdroppers from snooping around sensitive and restricted web data.Continue Reading

• How can developers avoid a Git repository security risk?

  Learn how managing web development content with the popular version control system can be risky without taking action to avoid these basic Git repository security risks.Continue Reading

• 5 common web application vulnerabilities and how to avoid them

  Common web application vulnerabilities continue to confound enterprises. Here's how to defend against them and stop enabling exploits.Continue Reading

• How can credential stuffing attacks be detected?

  Credential stuffing attacks can put companies that offer online membership programs, as well as their customers, at risk. Find out how to proactively manage the threat.Continue Reading

• How did an Electron framework flaw put Slack at risk?

  An Electron framework flaw put users of Slack, Skype and other big apps at risk. Expert Michael Cobb explains how this remote code execution flaw works and how to prevent it.Continue Reading

• Addressing vulnerable web systems that are often overlooked

  Web security vulnerability scanners often focus on large applications within the enterprise. However, there are plenty of overlooked web systems that contain hidden flaws.Continue Reading

• How can the Jenkins vulnerabilities in plug-ins be mitigated?

  A wave of Jenkins vulnerabilities related to plug-ins were recently discovered. Expert Judith Myerson explains the flaws and how enterprises should mitigate them.Continue Reading

• Common web application login security weaknesses and how to fix them

  Flawed web application login security can leave an enterprise vulnerable to attacks. Expert Kevin Beaver reviews the most common mistakes and how to fix them.Continue Reading

• What tools can bypass Google's CAPTCHA challenges?

  The ReBreakCaptcha exploit can bypass Google's reCAPTCHA verification system using flaws in Google's own API. Expert Michael Cobb explains how the attack works.Continue Reading

• How did a Moodle security vulnerability enable remote code execution?

  A series of logic flaws in Moodle enabled attackers to remotely execute code on servers. Expert Michael Cobb explains how the Moodle security vulnerability can be exploited.Continue Reading

• WordPress REST API flaw: How did it lead to widespread attacks?

  A REST API endpoint vulnerability enabled attacks on 1.5 million sites running WordPress. Expert Michael Cobb explains how this vulnerability works and how to prevent attacks.Continue Reading

• How to identify and address overlooked web security vulnerabilities

  Certain web security vulnerabilities evade detection due to oversight or carelessness. Expert Kevin Beaver discusses the top overlooked issues and how to address them.Continue Reading

• How are hackers using Twitter as C&C servers for malware?

  C&C servers have been replaced with Twitter accounts, which spread the Android Trojan Twitoor to user devices. Expert Michael Cobb explains how to stop this attack.Continue Reading

• DevOps and security promises better apps, infrastructures

  DevOps is a process aimed at creating and updating applications quickly and, traditionally, it has lacked effective security controls. The software that was created too often contained vulnerabilities right from the start. Combining DevOps and ...Continue Reading

• How to resolve a Web application security vulnerability

  Web application security vulnerabilities can exist from browser to SSL/TLS. Expert Brad Causey explains how application security testing and Web application firewalls can address this.Continue Reading

• How can enterprises prevent ASLR bypass flaws?

  Microsoft won't patch certain ASLR bypass flaws, but enterprises still need to protect against them. Expert Nick Lewis explains the threat and how to avoid it.Continue Reading

• How does a new malware obfuscation technique use HTML5?

  A new malware obfuscation technique uses HTML5 to prevent detection of drive-by downloads. Expert Nick Lewis explains the technique and what enterprises can do about it.Continue Reading

• How can address bar spoofing vulnerabilities be prevented?

  Address bar spoofing attacks can be detrimental to an organization. Expert Michael Cobb details several vulnerabilities and explains how to defend against the threat.Continue Reading

• Does analyzing motion for mobile malware detection work?

  Motion and gestures are being used for mobile malware detection on smartphones. Learn how this method works and whether it is a worthy addition to an enterprise security strategy.Continue Reading

• XSS vs. XSSI: What is cross-site script inclusion?

  Expert Michael Cobb explains the difference between cross-site scripting and cross-site scripting inclusion (XSSI) flaws.Continue Reading

• Can a subscription ease SSL certificate management?

  SSL subscription services are emerging to help enterprises handle the daunting task of SSL certificate management. Expert Michael Cobb discusses the benefits of such a service.Continue Reading

• How can enterprises prevent same-origin policy XSS vulnerabilities?

  Researchers warned about the rise of a new cross-site scripting flaw involving same-origin policy. Expert Nick Lewis explains the vulnerability and how to prevent falling victim.Continue Reading

• How can malicious software wrapping be avoided?

  Malware authors are adopting software wrapping to hide malicious code and avoid detection. Expert Nick Lewis explains how to defend against the threat.Continue Reading

• How can enterprises defend against digitally signed malware?

  Malicious software using legitimate digital certificates is reportedly on the rise. Expert Nick Lewis explains how to mitigate the risks of digitally signed malware.Continue Reading

• How can power consumption-tracking malware be avoided?

  Malware authors are using power consumption tracking-malware to eavesdrop on and attack mobile devices. Expert Nick Lewis explains the threat and how to defend against it.Continue Reading

• What is domain shadowing and how can enterprises defend against it?

  Exploit kits and malware attacks have adopted a technique called domain shadowing to stay ahead of the game. Learn what domain shadowing is and how to defend against attacks using it.Continue Reading

• Bloom cookies: Privacy without prohibiting Web personalization?

  While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help enhance privacy while maintaining personalization.Continue Reading

• WordPress security: How can the SoakSoak malware be stopped?

  Enterprise threats expert Nick Lewis offers advice on how to defend against the SoakSoak malware targeting insecure WordPress sites.Continue Reading

• How can we detect and uninstall bloatware?

  Unwanted preinstalled software -- also known as bloatware -- has made its way onto PCs and mobile devices alike. Expert Nick Lewis explains how to detect and uninstall the potential threat.Continue Reading

• Are HTML5 mobile apps an enterprise security concern?

  Gartner predicts more than half of all mobile apps will use HTML5 by 2016, but what threats will this cause the enterprise? Expert Michael Cobb discusses.Continue Reading

• Can public key pinning improve Mozilla Firefox security?

  Public key pinning aims to reduce the lack of trust associated with digital certificates and certificate authorities. Expert Michael Cobb explains how it works and its benefits.Continue Reading

• Are one-day wonders enterprise Web security risks?

  One-day wonders are websites that persist for 24 hour or less. Should these phenomena be an enterprise security concern? Expert Michael Cobb explains.Continue Reading

• Are mobile persistent cookies a threat to enterprise data security?

  While cookies can be helpful, mobile persistent cookies can pose a serious threat to users and enterprises. Expert Michael Cobb explains how to mitigate the risk and eliminate the threat.Continue Reading

• How does public key pinning improve website security?

  Certificate authority confidence is waning, but the emergence of public key pinning can help keep websites secure. Expert Michael Cobb explains how.Continue Reading

• In the API economy, API security moves to center stage

  Integrating systems and data could pay off big. But publishing an API requires a lifetime commitment to monitoring its use.Continue Reading

• Enterprises call on API management for better API security

  Poor API hygiene can put your organization’s health at risk.Continue Reading

• Malvertising: How can enterprises defend against malicious ads?

  Malicious ads are becoming an increasing threat vector. Expert Nick Lewis explains how to defend your enterprise against the risks of malvertising.Continue Reading

• Four questions to ask before buying a Web application firewall

  Web application firewalls are complex products. Expert Brad Causey explains the key criteria enterprises need to consider before investing in a WAF product.Continue Reading

• How can shortened URLs carrying malicious links be detected?

  While shortened URLs are convenient and space-saving, they can potentially lead users to malicious websites. Enterprise threats expert Nick Lewis explains how to avoid the threat.Continue Reading

• How can outdated ActiveX controls be blocked?

  Outdated ActiveX controls can pose serious security risks. Enterprise threats expert Nick Lewis discusses how to block them in the enterprise.Continue Reading

• How can e-commerce website security be ensured?

  While the fundamentals of securing an e-commerce website haven't changed in a few years, there are new threat vectors and security risks to be aware of. Expert Michael Cobb explains.Continue Reading

• July 2014 Oracle CPU: Java security problems persist

  With another round of patches for several serious Java flaws, Oracle's quarterly CPU showed that Java security problems are not receding.Continue Reading

• Web security issues (and how a secure Web gateway can solve them)

  Did you know a secure Web gateway can combat Web security issues such as malware, unapproved application use and social media threats?Continue Reading

• Mobile email security: Mitigating JavaScript risks, data loss

  Mitigating JavaScript risks is essential to ensuring mobile email security. Discover how to keep your enterprise safe.Continue Reading

• HealthCare.gov security issues: Lessons learned for enterprises

  Researchers have warned of numerous HealthCare.gov security issues. Michael Cobb reviews the website security lessons learned for enterprises.Continue Reading

• Detect and mitigate Java backdoors that enable botnet communication

  Nick Lewis offers advice on detecting a particular strand of malware that utilizes a Java backdoor to enable botnet communication.Continue Reading

• API security: How to ensure secure API use in the enterprise

  API security is a growing enterprise concern. In the wake of recent high-profile breaches, discover how to alleviate the issues of insecure APIs.Continue Reading

• Web browser protection for users: Adapting to new Web security threats

  Expert Nick Lewis explains how to provide a secure Web browsing experience for users when threats are no longer contained to certain parts of the Web.Continue Reading

• Java patching: Lost cause, or an enterprise security necessity?

  After a plethora of Java and JRE security flaws, threats expert Nick Lewis weighs in on whether Java patching is now an exercise in futility.Continue Reading

• HSTS: How HTTP Strict Transport Security enhances application security

  Many websites are using HTTP Strict Transport Security (HSTS) to enhance application security, but is it really more effective than HTTPS?Continue Reading

• How Google Chrome Canary improves malware defense, prevents infection

  The forthcoming Google Chrome Canary browser boasts the ability to boost malware defense and prevent malware infection. Michael Cobb explains how.Continue Reading

• With its new security features, is Dropbox safe for enterprise use?

  Do Dropbox's new 'enterprise-grade' security features make it safe enough to leverage in the enterprise? Expert Michael Cobb offers his analysis.Continue Reading

• How ISP services can improve enterprise cybersecurity

  Uncover which ISP services enterprises should seek from their providers to improve cybersecurity and mitigate cyberattacks.Continue Reading

• Preventing plaintext password problems in Google Chrome

  Plaintext passwords are risky business. Michael Cobb discusses what Google says about the Chrome password vulnerability and potential exploits.Continue Reading

• Countdown of the top seven bad habits victims of malware attacks share

  Learn the seven bad habits that leave you vulnerable to Web-borne malware attacks, and the changes you can make to secure your online life in 2014.Continue Reading

• Separate but equal: Mitigating the risk of Web-borne malware infections

  The potential damage from Web-borne malware can be effectively limited through a process of separation.Continue Reading

• How to defend against a DOM-based XSS attack

  Learn how DOM-based XSS attacks differ from typical cross-site scripting attacks, and learn best practices for defending against them.Continue Reading

• Using the Google Transparency Report to enhance website blacklisting

  Threats expert Nick Lewis explores whether Google's Transparency Report can be used to enhance blacklisting of malicious websites in the enterprise.Continue Reading

• W3af tutorial: How to use w3af for a Web application security scan

  In this screencast video, Keith Barker of CBT Nuggets offers a tutorial on how to perform a thorough Web application security scan using w3af.Continue Reading

• What to look for in a website security service provider

  When evaluating website security service providers, expert Michael Cobb says be sure to ask for qualifications, references and past work examples.Continue Reading

• Inside the BREACH attack: How to avoid HTTPS traffic exploits

  Enterprise threats expert Nick Lewis examines how the BREACH attack exploits HTTPS traffic and what enterprises can do to mitigate the attack risk.Continue Reading

• CMS security recommendations for Drupal and WordPress

  Application security expert Michael Cobb offers advice on how to secure content management systems like WordPress and Drupal.Continue Reading

• The value of 2,048-bit encryption: Why encryption key length matters

  Leading browsers are required to use 2,048-bit length keys by the end of the year, but what effect does this have on security?Continue Reading

• How certificate pinning improves certificate authority security

  Certificate pinning reduces reliance on trusting certificates authorities and improves digital certificate trustworthiness. Michael Cobb explains how.Continue Reading

• Malware defense revisited: How to improve Web-based malware detection

  Signature-based AV doesn't stop Web-based malware, but what does? Spyro Malaspinas points out what's next in enterprise malware detection technology.Continue Reading

• Identifying and locking down known Java security vulnerabilities

  Expert Michael Cobb discusses why known Java security vulnerabilities are on so many endpoints and how to contain them -- without updating Java.Continue Reading

• Using free Web application security scanning tools to secure Web apps

  Expert Michael Cobb explains how free Web application security scanning tools can help secure Web apps for budget-strapped organizations.Continue Reading

• How to avoid security problems with Java outside the browser

  Another Java zero-day vulnerability has a security pro asking threats expert Nick Lewis how Java can safely be used with enterprise applications.Continue Reading

• Google Chrome clickjacking vulnerability: Time to switch browsers?

  Expert Nick Lewis explains the Google Chrome clickjacking vulnerability, including why avoiding the issue isn't as simple as switching browsers.Continue Reading

• Gauging the security risk posed by the WordPress pingback vulnerability

  Security expert Nick Lewis details the WordPress pingback vulnerability and advises whether it is time to update custom WordPress implementations.Continue Reading

• Zed Attack Proxy tutorial: Uncover Web app vulnerabilities using ZAP

  Video: Keith Barker of CBT Nuggets offers a OWASP Zed Attack Proxy tutorial. Learn how to find and nullify Web application vulnerabilities using ZAP.Continue Reading

• Web application security testing: Is a pen test or code review better?

  For Web application security testing, if cash is tight, should a penetration test top an application code review? Michael Cobb explains his choice.Continue Reading

• Antimalware software introduction: Business benefits and drawbacks

  Mike Rothman discusses how antimalware software has evolved to develop various business and technology issues, but also still holds many benefits.Continue Reading

• Adjusting third-party patch management after Flash updates move

  Expert Michael Cobb details whether third-party patch management program changes are necessary after the Adobe Flash marriage to Patch Tuesday.Continue Reading

• Remediation planning for Ruby on Rails security vulnerabilities

  The recent Ruby on Rails security vulnerabilities can be patched. Expert Michael Cobb discusses the fallout and offers help with remediation planning.Continue Reading

• Defending against watering hole attacks: Consider using a secure VM

  Expert Nick Lewis analyzes the techniques employed by watering hole attacks and discusses how to use a secure VM to defend enterprises against them.Continue Reading

• How to negate business logic attack risk: Improve security in the SDLC

  Expert Nick Lewis details the threat posed by business logic attacks and how stressing the importance of security in the SDLC can reduce that threat.Continue Reading

• SSL certificate management: Avoiding common mistakes

  Errors are bound to occur when SSL certificate management is handled manually. Learn how to avoid these common mistakes.Continue Reading

• Avoiding the invisible: How to defend against iFrame attacks

  How can enterprises and users protect themselves from malicious content embedded in iFrames? Expert Nick Lewis explores iFrame attack mitigations.Continue Reading

• How to secure Java amid growing Java security vulnerabilities

  Constant Java security vulnerabilities plague Oracle and enterprises alike. Expert Nick Lewis offers tips on how to use Java and the JRE securely.Continue Reading

• Secure Web gateway overview: Implementation best practices

  In this secure Web gateway overview, learn how to implement, configure and maintain a Web security gateway to support other security devices.Continue Reading

• Consider disabling Java as malware targets JRE vulnerabilities

  Expert Nick Lewis advises enterprises to disable Java to defend against cross-platform malware that targets JRE vulnerabilities.Continue Reading

• Web 2.0 security threats and how to defend against them

  Continue Reading

• Web application firewalls: Patching, SDLC key for security, compliance

  Mike Chapple on improving defense-in-depth security with Web application firewalls (WAFs) and a strong software development lifecycle (SDLC) process.Continue Reading

• The SSL handshake process: Public and privates keys explained

  Expert Michael Cobb details the SSL handshake and the role of public and private keys in a C2B transaction.Continue Reading

• Revisiting JRE security policy amid new ways to exploit Java

  Expert Nick Lewis analyzes the increasing ability by hackers to exploit Java and the need to perform a JRE security policy analysis in response.Continue Reading

• Can XML encryption thwart XML attacks?

  Expert Nick Lewis discusses proof-of-concept XML attacks and possible steps for defending data protected by XML encryption.Continue Reading

• Securely implement and configure SSL to ward off SSL vulnerabilities

  Recent SSL vulnerabilities have renewed questions about the protocol's security. Expert Nick Lewis covers how to implement and configure SSL securely.Continue Reading

• HTML5 security: Will HTML5 replace Flash and increase Web security?

  Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure.Continue Reading

• The switch to HTTPS: Understanding the benefits and limitations

  Expert Mike Cobb explains the value and limitations of HTTPS, and why making the switch to HTTPS may be easier than it seems.Continue Reading

• Inside the W3C Web security standards to prevent cross-site scripting

  Expert Mike Cobb details the W3C Web security standards designed to foster a content security policy and help prevent cross-site scripting attacks.Continue Reading

• Web-facing applications: Mitigating likely Web application threats

  New, interactive Web-facing applications are popping up all the time, but expert Nick Lewis advises enterprises on how to be vigilant against Web application threats.Continue Reading

• Submit your questions about application security

  Michael Cobb is standing by to give you free, unbiased advice on application security.Continue Reading

• Dangerous applications: Time to ban Internet Explorer, Adobe in the enterprise?

  CSIS says five dangerous applications are to blame for 99% of malware. Is it time to ban Internet Explorer, Flash and the others in the enterprise?Continue Reading

• Enabling secure Web development means treating vulnerabilities as bugs

  Gil Danieli explains why secure Web development depends on treating vulnerabilities like any other software bugs, and how to get Web developers to buy in.Continue Reading