In December 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) identified exploits against vulnerable public-facing applications as the most common initial attack vector for cybercriminals, followed by attacks on external remote services such as VPNs. According to a study by CrowdStrike, exploit activity targeting cloud apps and assets grew 95% from 2021 to 2022, and instances of threat actors directly targeting cloud apps exploded by 288% during that period.
One of the top security concerns we hear from technology leaders is about the security of open source software (OSS) and cloud software development. An open source vulnerability scanner (for scanning OSS) helps you discover risk in the third-party code you use. However, just because a solution scans open source does not mean you are ultimately reducing security risk with it.
On December 20, 2023, NIST updated a CVE to reflect a new path traversal vulnerability in struts-core. This is CVE-2023-50164, also listed on the Snyk Vulnerability database, with 9.8 critical severity CVSS. If you’ve been doing cybersecurity long enough, you remember the 2017 Equifax breach, which also took place due to an unpatched Struts vulnerability. In this post, I outline the issue, discuss its severity, walk you through a proof-of-concept exploit, and provide remediation advice.
Recently, Snyk hosted a wine tasting & customer discussion featuring David Imhoff, Product Security Leader at Kroger. The discussion focused on tackling the challenges of securing digital supply chains. Kroger is a retail giant with 2,700 stores and 400,000 employees. The organization faces unique challenges because it operates on such a massive scale, adding complexity to its software supply chain and security.
Googling your organization’s name will bring up all sorts of information. However, there’s more to the internet than the surface web that’s accessed through regular search engines: the deep web and the dark web. To stay ahead of potential threats and maximize incident response performance, security teams need a complete view of their organization’s presence across all areas of the internet.
Coming into 2023, we predicted that the economic downturn would fuel sophisticated fraud, the growth of serverless workloads will increase the attack surface, and there would be more MFA bombing attacks. As we look to 2024, Outpost24’s team of security experts have predicted the emerging threats that will shape the cybersecurity landscape. Dark AI tools, and a shift in security priorities are some of the challenges that organizations will face.