Newer OpenSSL vulnerabilities are identified regularly by genuine security researchers or come to light as zero-day vulnerabilities when exploited by threat actors. While patching the bugs and OpenSSL vulnerabilities are important, organizations cannot wait for and rely just on patches to protect their websites. They need to be proactive in identifying and securing these vulnerabilities before attackers can find and exploit them.
On September 11th, 2022, Snyk published a vulnerability report for the popular CSRF token management csurf npm package. The vulnerability impacts all known versions, which are currently yielding more than 400,000 downloads per week. The vulnerability report is based on the public disclosure by security consultant Adrian Tiron and their write-up on the Fortbridge blog.
For the past few days, I’ve been getting a lot of messages asking about my experience at this year’s Black Hat USA. So in this post, I’ll be recapping the conference to give you an inside look at what was presented and provide some helpful perspective. Black Hat is one of the largest — and most talked about — cybersecurity conferences. Its inception dates back to 1997.
As enterprises adopt containers, microservices, and Kubernetes for cloud-native applications, vulnerability management is crucial to improve the security posture of containerized workloads throughout build, deploy, and runtime. Securing your build artifacts and deployment pipeline, especially when it comes to images, is extremely important.
In cybersecurity, the things to consider are endless. Before we get ahead of ourselves, let’s make sure we fully understand three fundamental concepts of security: In this article, we’ll look at these security concepts in depth and hear from industry experts. (For the latest and greatest in all things security, check out the Splunk Security Blog & these Cybersecurity and InfoSec Events & Conferences.)
In the middle of March 2022, Zenity research team discovered a sandbox-escape vulnerability in Code by Zapier, a service used by Zapier to execute custom code as part of a Zap. Exploiting this vulnerability, any user could take full control over the execution environment of their entire account allowing them to manipulate results and steal sensitive data. For example, a Zapier user could take control over the admin’s custom code execution environment.
On 28th of August fortbridge.co.uk reported a vulnerability in csurf middleware – expressjs supporting library that enables CSRF protection in expressjs. As of 13th of September csurf library has been deprecated with no plans to fix the vulnerabilities. There is no viable alternative for csurf middleware now.
