First things first, let’s be clear that this is NOT a new Log4Shell or Spring4Shell vulnerability. Although it is a remote code execution issue, the impact is neither as severe nor as easily exploitable as the issue in Log4j from December 2021. Similar to the Log4j issue, the essence of the problem is that you can perform a lookup that can then be misused. However, the Log4shell vulnerability was very easy to exploit — which is not necessarily the case this time.

There are many types of security research, from digging into malware to discovering the latest DDoS attack vectors. At Mend, vulnerability research is a primary focus for our research team, but even that area has many different avenues to pursue. For example, we tend to focus on open source vulnerabilities, so it is quite unlikely that you’ll see us doing reverse engineering and trying to understand assembly code.

One of the most important parts of a solid security program involves testing to see where your weaknesses lie. Continual improvement cannot be achieved without continual review. However, many people confuse the importance of vulnerability scanning with penetration testing. As a means of protecting an enterprise, one can never take precedence over, or replace the other. Both are equally important, and in some cases, they are suggested, if not outright directed by many standards and regulations.

Meet Guacamaya – a hacktivist group advocating for the indigenous people of Central America

With most of us working from anywhere, smartphones and tablets have become a big part of how we stay productive. At the same time, the average cost of data breaches continues to rise, averaging $4.35 million in 2022. While there are numerous threat vectors organizations have to juggle, this got me thinking about how applications and device vulnerabilities are currently managed.

Imagine you are developing an application – no matter if it’s a web, mobile, or desktop app – and your IDE informs you of security vulnerabilities as you code. The release of Code Sight 2022.9.0 for VS Code and IntelliJ makes that a reality. With Synopsys’ industry-leading static application security testing (SAST) engine powering Code Sight’s Rapid Scan Static, there is no configuration or tuning. It’s actual sophisticated taint flow and not just lint.

When developers need to handle URLs in different forms for different purposes — such as browser history navigation, anchored targets, query parameters, and so on — we often turn to Java. However, its frequent use motivates attackers to exploit its vulnerabilities. This risk of exploitation is why we must implement URL validation in our JavaScript applications.

Nowadays, we do virtually everything online: book flights, pay for goods, transfer bank funds, message friends, store documents, and so on. Many things we do require giving out sensitive information like our credit card details and banking information. If a website uses an unsecured network, a malicious hacker can easily steal user information. This is why encryption is so important.

On Tuesday, October 11th, 2022, Aruba disclosed three critical vulnerabilities impacting EdgeConnect Enterprise Orchestrator. The vulnerabilities, CVE-2022-37913, CVE-2022-37914, CVE-2022-37915, are remote code execution and authentication bypass vulnerabilities that could enable remote threat actors to compromise a host. In order for a threat actor to exploit these vulnerabilities, WAN access would need to be available for the CLI and/or web-based management interfaces.