Protecting from BioMetric Security Flaws

Suprema Security Breach: Protecting Apps from BioMetric Security Flaws. Courtesy: MedGadget. Welcome to the world of biometric authentication, where your eyes, ears, and fingerprints are the access code to prove individual identity. Biometric technology will soon become the default identification standard. Biometric identification is a technology that identifies and authenticates individuals based ...
Capital One breach crime board — case of speculative sleuthing

Capital One Breach: A Crime Board & A Case of Speculative Sleuthing. Background: Capital One is not only one of the most well-respected financial institutions in the world for their business success, but they’ve also been a leader in driving software modernization in financial services. Circa 2015, Capital One unveiled its cloud ...
Deconstructing Data Leak incident of Signet Jewelers (parent company of Kay and Jared jewelers)

Protecting the Crown Jewels: Deconstructing Data Leakage in Exotic Environments (Inspiration from Signet — Kay/Jared Jewelers Breach). Credits: Micheal Hill. Note: The following series of deconstruction/post-mortem is indicative of security issues similar to the one found in Signet Jewelers’ infrastructure and first reported by KrebsOnSecurity (https://krebsonsecurity.com/2018/12/jared-kay-jewelers-parent-fixes-data-leak/). While they follow similar patterns, ...
Directory traversal (dubbed ZipSlip) vulnerability discovered in DeepLearning4j (ArchiveUtils)…

Directory traversal (dubbed ZipSlip) vulnerability discovered in DeepLearning4j (ArchiveUtils) library. Recently, we’ve identified a number of our customers who are susceptible to a directory traversal vulnerability. The exploit chain (the circumstances required to exploit the vulnerability) is triggered by the customer application’s dependency on the DeepLearning4j ArchiveUtils utility. This vulnerability is particularly tricky ...
Connected feedback loops in Application Security — Understand offense to inform defense

I recently read this fascinating post by Jeremiah Grossman titled “All these vulnerabilities, rarely matter”. I’d highly encourage everyone to read it. There has been rampant adoption of, and agreement with, the idea that security awareness needs to be shifted to the left. The shift-left (verb) paradigm requires measuring the security posture of application ...
Java Deserialization Vulnerability Found to be Widespread Across SaaS Vendor SDKs

Courtesy (http://gallerycartoon.blogspot.com). Recently, we’ve identified a number of our customers who are susceptible to a deserialization-based remote code execution (RCE) vulnerability. In the majority of cases, a subset of the gadget chain (the circumstances required to exploit the deserialization vulnerability) is triggered by the customer application’s dependency on one or more 3rd ...
Do not meme to shame Twitter’s password leak incident

Twitter’s password security breach raised panic among social media users when they announced that they had discovered a bug that “inadvertently stored passwords unmasked in an internal log”. We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a ...
A language to speak Dev[Sec]Ops

From SecOps to DevSecOps and SecDevOps, there seems to be an unending stream of new buzzwords in systems technology. With all this jargon, stories increasingly read more like inside baseball than like an intentional strategy. To understand the insertion of “Security” into “DevOps”, we need to reminisce about the origins of ...
Detecting and Preventing Data Loss Using Semantic Code Property Graphs and Security Profiles

Detecting and preventing data loss is one of the top security concerns today. It’s a concern that has significantly amplified as companies move to trust third parties with their data, especially with increased reliance on cloud computing. To prevent and mitigate data loss, companies must ensure that their data is ...