On October 16, 2023, Kroll Cyber Threat Intelligence (CTI) analysts were made aware of an ongoing exploitation of a recently discovered vulnerability within the web user interface (UI) functionality of Cisco IOS XE (CVE-2023-20198). This security flaw is critical with a CVSS score of 10.

Whether internally developed or purchased, your applications can be exposed to a host of vulnerabilities, especially via open source components that are widely used in today’s software. A recent survey found that 60% of data breach victims were compromised due to a known but unpatched vulnerability. Effective prevention and risk management requires being able to understand the vulnerability risk profile for each component of your Software Supply Chain.

In today's dynamic tech ecosystem, the need to manage AppSec programs at scale is paramount. As codebases expand and threats become more sophisticated, the emphasis is transitioning from addressing singular vulnerabilities to building cohesive security postures throughout all development teams.

On October 27, 2023, Apache published a security advisory addressing that a critical remote code execution (RCE) vulnerability has been fixed in the latest updates for Apache ActiveMQ products, CVE-2023-46604. This vulnerability was rated with a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, as it can be exploited remotely by an unauthenticated threat actor in low complexity attacks.

This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community, and we may provide updates in the near future once more details become available in our research.

Broken access control, the vulnerability category consistently ranking on the OWASP Top 10 Web Application Security Risks list, poses the most significant challenge for application security right now. Over-reliance on automated solutions to tackle these challenges creates a false sense of security and could have severe implications for application owners.

The financial sector is constantly adapting to emerging threats and regulatory changes. The New York Department of Financial Services (NYDFS) is at the forefront of cybersecurity regulation, ensuring that covered entities within the state maintain robust cybersecurity programs. In this blog post, we’ll dive into the recent changes to NYDFS regulations, specifically focusing on vulnerability management and an updated definition of risk assessment.

Containers offer a streamlined application deployment and management approach. Thanks to their efficiency and portability, platforms like Docker and Kubernetes have become household names in the tech industry. However, a misconception lurks in the shadows as containers gain popularity - the belief that active vulnerability scanning becomes redundant once containers are implemented.

This blog post series offers a gentle introduction to Rego, the policy language from the creators of the Open Policy Agent (OPA) engine. If you’re a beginner and want to get started with writing Rego policy as code, you’re in the right place. In this three-part series, we’ll go over the following.

On October 30, U.S. President Joseph Biden issued a sweeping Executive Order (“EO”) focused on making AI safer and more accountable.