Snyk Security Horror Story with Andrew Betts
Andrew Betts shares his security horror story of how the Financial Times was hacked by the Syrian Electronic Army.
Security | Threat Detection | Cyberattacks | DevSecOps | Compliance
The Latest Cybersecurity News & Insights From Around The World
Elbow Taps, Airhugs and 5,000 KubeCon Friends
A recap of my time at the CNCF’s signature conference, KubeCon + CloudNativeCon NA 2021. What an amazing week at the first in-person KubeCon + CloudNativeCon since the pandemic started. This KubeCon set a precedent as one of the first major conferences to bring back an in-person component! The theme this time around was Resilience Realized, and they put this on display at the top of the convention hall.
Secure Python Development and Package Management
How do you become a secure python developer? Following best practices, and learning about application security from experts! In this session we will explore and explain explain how Python manages dependencies, the requirements.txt file, and other aspects of 3rd-party open source software. We will gently touch upon an intro to the different package managers, such as pipenv, and poetry.
Windows 10 most critical vulnerabilities for 2021
Windows 10 is probably the most used Operating System (OS) in organizations these days. The fact that every level of user in the organization, from IT experts to entities that has little knowledge in cybersecurity use it, it is prone to be targeted by attackers as a gate to the entire network. A lot of attention is invested in users’ behavior and phishing campaigns, while many risks hide in the OS itself.
CVE-2021-37136 & CVE-2021-37137 - Denial of Service (DoS) in Netty's Decompressors
The JFrog Security research team has recently disclosed two denial of service issues (CVE-2021-37136, CVE-2021-37137) in Netty, a popular client/server framework which enables quick and easy development of network applications such as protocol servers and clients. In this post we will elaborate on one of the issues – CVE-2021-37136.
Snyk Security Horror Story with Jim Manico
In honor of 31 Days of Security and Halloween, Jim Manico shares his security horror story.
Security Horror Story: Accidentally exposing PII data
Nothing beats a good horror story… especially not when you talk about software development and security. I mean, what could possibly go wrong when you develop software???
Popular JavaScript Library ua-parser-js Compromised via Account Takeover
A few hours ago, an npm package with more than 7 million weekly downloads was compromised. It appears an ATO (account takeover) occurred in which the author’s account was hijacked either due to a password leakage or a brute force attempt (GitHub discussion).
New Kubernetes high severity vulnerability alert: CVE-2021-25742
On Oct 21st, the Kubernetes Security Response Committee issued an alert that a new high severity vulnerability was discovered in Kubernetes with respect to the ingress-nginx - CVE-2021-25742. The issue was reported by Mitch Hulscher. Through this vulnerability, a user who can create or update ingress objects, can use the custom snippets feature to obtain all secrets in the cluster.
CISOs to Developers: Changing the Way Organizations Look at Authorization Policy
In today’s cloud-native, app-first and remote-first world, it has become a considerably more complicated task to verify the identity of a user or a service, and determine policies that say what they are and aren’t allowed to do. Yet, the first half of that problem, authentication, for the most part, is already solved because of standards like Security Assertion Markup Language (SAML), OAuth and Secure Production Identity Framework for Everyone (SPIFFE).