%term

How to Protect Cloud Workloads from Zero-day Vulnerabilities

Feb 4, 2022 By John Walker In CrowdStrike

Protecting cloud workloads from zero-day vulnerabilities like Log4Shell is a challenge that every organization faces. When a vulnerability is published, organizations can try to identify impacted artifacts through software composition analysis, but even if they’re able to identify all impacted areas, the patching process can be cumbersome and time-consuming. As we saw with Log4Shell, this can become even more complicated when the vulnerability is nearly ubiquitous.

Read Post

CrowdStrike

Read more about How to Protect Cloud Workloads from Zero-day Vulnerabilities

Log4Shell remediation with Snyk by the numbers

Feb 4, 2022 By Jason Lane In Snyk

We’re almost two months from the disclosure of Log4Shell, and we here at Snyk couldn’t be more excited with the role we’ve gotten to play in finding and fixing this critical vulnerability that’s impacted so many Java shops. For starters, we’ve been able to help our customers remediate Log4Shell 100x faster than the industry average! How have we been able to achieve that?

Read Post

Snyk

Read more about Log4Shell remediation with Snyk by the numbers

ServiceNow - Username Enumeration Vulnerability (CVE-2021-45901)

Feb 4, 2022 By Trustwave In Trustwave

During a recent engagement Trustwave SpiderLabs discovered a vulnerability (CVE-2021-45901) within ServiceNow (Orlando) which allows for a successful username enumeration by using a wordlist. By using an unauthenticated session and navigating to the password reset form, it is possible to infer a valid username. This is achieved through examination of the HTTP POST response data initially triggered by the password reset web form. This response differs depending on a username's existence.

Read Post

Trustwave

Read more about ServiceNow - Username Enumeration Vulnerability (CVE-2021-45901)

Pentest 101: How to Dodge the Directory Traversal Vulnerability

Feb 4, 2022 By Astra In Astra

Directory Traversal might not be considered as a high-impact vulnerability but it can be a stepping stone to information leak and shell upload vulnerability. The lack of directory traversal security can allow an attacker to manipulate the file path to gain unauthorized access to different files in the directory. You need penetration testing to detect the directory traversal vulnerability. This video is a short explanation of how the file traversal vulnerability can be exploited, and how you can avoid it.

View Video

Astra

Read more about Pentest 101: How to Dodge the Directory Traversal Vulnerability

Vulns Unleashed: Pwnkit

Feb 3, 2022 By Snyk In Snyk

Dive in to the Pwnkit privilege escalation vulnerability with Kyle and Brian!

View Video

Snyk

Read more about Vulns Unleashed: Pwnkit

Fun with ciphers in copycat Wordles

Feb 2, 2022 By Micah Silverman In Snyk

Here at Snyk, we spend a lot of time researching vulnerabilities. We do that because there are a lot of other folks out there researching new ways to break into apps and systems. We’re often putting on our “grey hats” to think like a malicious hacker. I regularly view-source, look at network traffic and eyeball query strings. One such delicious little query string caught my attention this week on one of the many copycat Wordle sites.

Read Post

Snyk

Read more about Fun with ciphers in copycat Wordles

Log4Shell Live Hack: A Hands-on, Actionable Fix Guide

Feb 2, 2022 By Snyk In Snyk

In this live hack webinar on the Log4Shell exploit we give a brief overview of the vulnerability and dive right into some examples of the exploit in action. We then show several real-world remediation approaches as well as other fixes outside of code. We feature a final round of fun demos, including container and IaC hacks and Java-based game hacks. We wrap up with a great list of takeaway resources and answer your questions.

View Video

Snyk

Read more about Log4Shell Live Hack: A Hands-on, Actionable Fix Guide

Top 10 Uses of Website Vulnerability Scanner Tools

Feb 2, 2022 By Indusface In Indusface

The average cost of data breaches in 2021 was USD 4.24 million, the highest figure in at least 17 years. So, proactive, accurate, and effective identification of security vulnerabilities is non-negotiable and offers a solid basis for adequate security. By proactively identifying these vulnerabilities, weaknesses, and flaws in the application, website vulnerability scanner tools bring accuracy and efficiency in web application security.

View Video

Indusface

Read more about Top 10 Uses of Website Vulnerability Scanner Tools

The Impact of CVE-2022-0185 Linux Kernel Vulnerability on Popular Kubernetes Engines

Feb 1, 2022 By Itay Vaknin and Jonathan Sar Shalom In JFrog

Last week, a critical vulnerability identified as CVE-2022-0185 was disclosed, affecting Linux kernel versions 5.1 to 5.16.1. The security vulnerability is an integer underflow in the Filesystem Context module that allows a local attacker to run arbitrary code in the context of the kernel, thus leading to privilege escalation, container environment escape, or denial of service.

Read Post

JFrog

Read more about The Impact of CVE-2022-0185 Linux Kernel Vulnerability on Popular Kubernetes Engines

Snyk integrates with AWS CloudTrail Lake to simplify security audits

Feb 1, 2022 By David Lugo, David Schott In Snyk

Since organizations around the globe began investing more aggressively in their digital transformation by migrating and modernizing applications within the cloud, the value of audit logging has shifted. It has expanded from industries like finance and healthcare to nearly any company with a digital strategy.

Read Post