It’s no secret: the number of security vulnerabilities organizations must contend with is overwhelming. According to a 2019 Risk Based Security report, there were 22,316 newly-discovered vulnerabilities last year. One Patch Tuesday disclosed a record number of 327 vulnerabilities in a single day. Just keeping up is becoming a monumental task. But knowing where and how your organization may be vulnerable is critical to maintaining a healthy security posture.

Three WPA authentication bypass vulnerabilities were found in wireless routers using the Defensics fuzz testing tool. WPA3 will become a mandate for all new wireless devices, which can only be a good thing considering the number of vulnerabilities found in WPA2 implementations. Learn about the basic concepts (and common weaknesses) of WPA authentication, how these vulnerabilities work, and how proactive fuzz testing can identify and address similar issues in WPA implementations.

While auditing the Kubernetes source code, I recently discovered an issue (CVE-2020-8566) in Kubernetes that may cause sensitive data leakage. You would be affected by CVE-2020-8566 if you created a Kubernetes cluster using ceph cluster as storage class, with logging level set to four or above in kube-controller-manager. In that case, your ceph user credentials will be leaked in the cloud-controller-manager‘s log.

In our previous blog we covered the first 10 of the NSA vulnerabilities currently targeted by Chinese hackers, here the remaining ones, again demonstrating the predictive power of our risk based vulnerability management tool Farsight

This week NSA published a list of the top 25 vulnerabilities that Chinese hackers are actively exploiting, and unsurprisingly the list included some of the most prominent CVEs that we’ve covered in our previous risk based vulnerability management blogs.

Using open source code makes it easier to build applications, but the freely available nature of open source code introduces the risk of pulling potential security vulnerabilities into your environment. Knowing whether or not customers are actually accessing the vulnerable parts of your application is key to triaging security threats without spending hours fixing an issue that doesn’t affect end users.

Out of all the cat videos you could watch, how do you decide which one to view first? The beauty of social media is its real-time, democratic operation. Everyone gets to vote and the content with the most shares is the People’s Choice, rightfully ‘The Best’. But we now know this Facebook-era notion of ‘most popular equals best’ is open to abuse. It turns out that a significant proportion of social media interaction is in fact, manufactured.

Common Vulnerability Scoring System (CVSS) scores have been viewed as the de facto measure to prioritize vulnerabilities. Vulnerabilities are assigned CVSS scores ranging from one to 10, with 10 being the most severe. However, they were never intended as a means of risk prioritization. If you’ve relied on CVSS scores alone to safeguard your organization, here’s why you’re probably using them incorrectly.

Full stack development is all the rage these days, and for good reason: developers with both front-end web development skills and back-end/server coding prowess clearly offer substantially more value to their respective organizations. The ability to traverse the entire stack competently also makes interacting and cooperating with operations and security an easier affair—a key tenet of DevOps culture.