%term

Microsoft Exchange On-Prem Zero-Day Vulnerabilities Exploited in the Wild

Sep 30, 2022 By Sule Tatar In Arctic Wolf

On Thursday, September 29th, 2022, GTSC–a Vietnam-based cybersecurity company–published a blog detailing intrusion they investigated that chained together two exploits for Microsoft Exchange zero-day vulnerabilities to achieve remote code execution (RCE). Technical details around how to exploit these vulnerabilities were not provided.

Read Post

Arctic Wolf

Read more about Microsoft Exchange On-Prem Zero-Day Vulnerabilities Exploited in the Wild

CVE-2022-37461: Two Reflected XSS Vulnerabilities in Canon Medical's Vitrea View

Sep 29, 2022 By Trustwave In Trustwave

Vitrea View is a tool that uses the DICOM standard to view medical images. If exploited an attacker could access patient information and obtain additional access to various services associated with Vitrea View..

Read Post

Trustwave

Read more about CVE-2022-37461: Two Reflected XSS Vulnerabilities in Canon Medical's Vitrea View

Choosing the best Node.js Docker image

Sep 29, 2022 By Liran Tal In Snyk

Choosing a Node.js Docker image may seem like a small thing, but image sizes and potential vulnerabilities can have dramatic effects on your CI/CD pipeline and security posture. So, how do you choose the best Node.js Docker image? It can be easy to miss the potential risks of using FROM node:latest, or just FROM node(which is an alias for the former). This is even more true if you’re unaware of the overall security risks and sheer file size they introduce to a CI/CD pipeline.

Read Post

Snyk

Read more about Choosing the best Node.js Docker image

Snyk IaC for Terraform Enterprise: Expanding Snyk compatibility with HashiCorp Terraform

Sep 28, 2022 By Sarah Conway In Snyk

Even the most precise and regimented DevOps teams can be plagued by numerous post-deployment security issues, causing potentially damaging production delays and engineering rework. Building on Snyk’s successful acceleration of DevSecOps, Snyk IaC empowers developers to treat Terraform like any other form of code and proactively test IaC early as well as continuously monitor infrastructure post-deployment.

Read Post

Snyk

Read more about Snyk IaC for Terraform Enterprise: Expanding Snyk compatibility with HashiCorp Terraform

Introducing the new Snyk UI

Sep 28, 2022 By Steve Winton In Snyk

Starting October 12th, 2022 we’ll be rolling out some exciting new user interface changes for the Snyk application, at app.snyk.io. These changes make use of the Snyk design system by incorporating standardized UI components, an updated color palette, and other elements to help you get even more from Snyk. In this blog post, we’ll walk through the most important changes.

Read Post

Snyk

Read more about Introducing the new Snyk UI

Introduction to OWASP's Vulnerable Node.js Apps: Part 1 | Snyk

Sep 28, 2022 By Snyk In Snyk

Introduction to OWASP's Vulnerable Node.js Apps During this livestream we give an introduction to a vulnerable Node.js application created by the OWASP organization. We also show how some of the OWASP Top 10 security risks apply to web applications, and also how to mitigate these concerns. Didn't catch the live stream? Ask all of your Snyk questions and we’ll do our very best to answer them in the comment section.

View Video

Snyk

Read more about Introduction to OWASP's Vulnerable Node.js Apps: Part 1 | Snyk

Stranger Danger: Your Java Attack Surface Just Got Bigger

Sep 28, 2022 By Snyk In Snyk

Building Java applications today means that we take a step further from writing code. We use open-source dependencies, create a Dockerfile to deploy containers to the cloud, and orchestrate this infrastructure with Kubernetes. Welcome, you're a cloud native application developer! As developers, our responsibility broadened, and more software means more software security concerns for us to address.

View Video

Snyk

Read more about Stranger Danger: Your Java Attack Surface Just Got Bigger

Supply chain security and Executive Order M-21-30

Sep 28, 2022 By Vandana Verma In Snyk

On September 14, the White House released Executive Order M-21-30, emphasizing and reminding us that there are NIST guidelines for securing any software being sold to the US Government. According to the Executive Order (EO), self-attestation is a requirement for software vendors or agencies and acts as a “conformance statement” outlined by the NIST Guidance.

Read Post

Snyk

Read more about Supply chain security and Executive Order M-21-30

Unlock the Power of Automation: Vulnerability Management

Sep 27, 2022 By Dave Krasik In ThreatQuotient

We’ve spoken extensively about the importance of taking a data-driven approach to Vulnerability Management. In short the efficiency and effectiveness of vulnerability management processes depend heavily on inclusion of threat intelligence for both prioritization and response activities. At any given time, only a small fraction of existing vulnerabilities are actively exploited or exploitable.

Read Post

ThreatQuotient

Read more about Unlock the Power of Automation: Vulnerability Management

3 Best Practices to Save Yourself Zero-Day Exploits

Sep 26, 2022 By SecurityScorecard In SecurityScorecard

52% of attacks in 2021 began with a zero-day exploit. Here are 4 things you can do to make sure your organization is safe: Understand your attack surfaces from the outside. You need to understand how your external attack surface looks because that's how attackers break in. Have a patching program on hand. When a patch comes out from a software vendor, apply it as soon as possible. Then, rescan your entire attack surface to confirm that it’s applied properly. Build your network with resilience in mind.

View Video