As part of our efforts to improve the security of open-source software, we continuously test open-source projects with our JVM fuzzing engine Jazzer in Google’s OSS-Fuzz. One of our tests yielded a Denial of Service vulnerability in the Spring Framework (CVE-2023-20861). Spring is one of the most widely used frameworks for developing web applications in Java. As a result, vulnerabilities have an amplified impact on all applications that rely on the vulnerable version.

In this episode of SaaSTrana, Venky and Raghu, Co-Founder of Sprinto, discusses why SaaS companies should pay close attention to security measures to become SOC 2 compliant.

A now fixed zero-day elevation of privilege (EoP) vulnerability in Microsoft Outlook (CVE-2023-23397) allows attackers to send craft emails to exploit Outlook. The vulnerability does not require user interaction to be exploited and runs even before the email is visualized in the preview pane of Outlook, which makes this vulnerability even more dangerous.

The more technology your organization adopts, the more exposed it becomes to third-party risks. Consider these statistics: Organizations have responded to these risks by implementing robust third-party risk assessment procedures. However, a common mistake is to view vendor risk management as a one-time activity, typically conducted prior to onboarding a new vendor. Since third-party risks are constantly evolving, it's crucial to evaluate vendor security at every phase of the vendor lifecycle.

The business impact of critical open source vulnerabilities such as Spring4Shell and Log4j illustrate the crucial importance of detecting remediating such vulnerabilities as fast as possible, This is particularly important for the financial technology, which handles vast volumes of sensitive financial data for investors. That was certainly the case for MSCI, who deployed Mend to speedily thwart any potential threats posed by Spring4Shell.

Trustwave’s MailMarshal received a major update this month with the addition of PageML to the Blended Threat Module. The BTM enables the email security solution to conduct in-depth, real-time scans when a URL in an email is clicked to determine if the URL is malicious. PageML boosts the BTM’s ability to detect malicious URLs by one-third by applying machine learning techniques to page content in real time. The new scanning feature is named PageML, short for Page Machine Learning.

Late last year, the EU Parliament formally adopted a new Directive, NIS2, updating and superseding the existing NIS Directive which helped the organisations responsible for Europe’s critical national infrastructure to better understand, manage, and reduce their cybersecurity risk.

The not-so-distant memories of security events like Log4Shell and the SolarWinds attack keep software supply chain attacks front of mind for developers. There are things organizations can do to detect and deter malicious supply chain attacks, including the recently mandated (as per the U.S. federal government) software bill of materials (SBOM).