Towards the end of 2020, a new vulnerability in MongoDB was found and published. The vulnerability affected almost all versions of MongoDB, up to v4.5.0, but was discussed and patched appropriately. The vulnerability, CVE-2020-7928, abuses a well-known component of MongoDB, known as the Handler, to carry out buffer overflow attacks by way of null-byte injections.
Electrical grid security has been getting a lot of attention recently. It started fairly quietly, and then when it was a featured story on a news program, it rose to the top of the collective consciousness. However, the news stories that followed were focused entirely on the physical vulnerabilities of the US power grids. Few, if any stories covered the cybersecurity angle of securing the grids.
Microsoft’s security advisory on Mercury and DEV-1084 and a report linking Russian hackers to attacks against NATO and the EU.
Microsoft 365 (formerly Office 365) is a Software-as-a-Service (SaaS) that offers a cloud-based version of its popular software productivity suite, including MS Word, Excel, PowerPoint, Outlook, and OneNote. In contrast, Azure Active Directory (Azure AD) is an Infrastructure-as-a-Service (IaaS) that offers a cloud-based version of Active Directory to control identity management and access to virtual resources across an organization.
Starting with Teleport 12.1, Teleport Enterprise teams can now use Teleport as a SAML SSO identity provider. This feature allows teams to use Teleport to authenticate to external services, thereby letting teams use SAML SSO to login to external SaaS apps and internal applications that support SAML. Let’s look at a few examples.
Organizations spend billions of dollars on cybersecurity tools and consultants each year. Beyond traditional tools like firewalls, antivirus software, and System Information and Event Management (SIEM), it is easy to get caught up in sophisticated threat detection using artificial intelligence, machine learning, user behavior and analytics.
If there’s one thing we learned in our years of building AppSec technology, it’s that the best tools in the world are useless if they don’t get used. We know from speaking with our customers and industry research that developers won’t use AppSec tools that make their lives harder. Forcing them into cumbersome processes, or making them switch tools and learn a new user interface, will likely lead to AppSec neglect in favor of hitting development deadlines.
