Penetration testing, pen testing or ethical hacking, is the practice of testing a computer system, network or web application's cybersecurity by looking for exploitable security vulnerabilities. Penetration testing can be automated with penetration testing tools or manually by penetration testers.
An investigation claims that the UK’s National Health Service, which was hit hard by the notorious WannaCry worm in 2017, has seen a marked fall in ransomware attacks since. A report published by Comparitech, based upon Freedom of Information requests, reveals the somewhat surprising news that since WannaCry there have only been six recorded ransomware attacks against the NHS.
Circuit breakers were originally designed to protect electrical circuits from damage. Software development has adopted the concept as a type of resiliency pattern and it can now be found commonly in the cloud-native and microservices stacks. They can also be valuable in any codebase that needs to offer more flexibility, especially when relying on third-party APIs. Welcome to Part 1 of this two part series on building a circuit breaker in Node.js.
Back in the early 2010s, a Forrester researcher, John Kindervag, noticed that corporations had a binary view of trust and privilege. Once new employees have completed training, they are given full access to all the tools and VPNs needed to get their job done. Once they are logged on, they are trusted completely. Kindervag noticed that “trust” is a vulnerability that can be exploited. Since then, awareness of Zero Trust implementations has grown, in particular Google’s BeyondCorp.
Engaging third-party vendors for the provision of goods and services is not a new concept, so why has vendor risk management become so important? Vendor risk management is important because managing vendor risk is foundational to cybersecurity, ensuring business continuity and maintaining regulatory compliance. A robust vendor risk management (VRM) program can help organizations under their vendor risk profile and mitigate third-party and fourth-party risk rather than relying on incident response.
There are dozens of implementations of authorization mechanisms. When there are complex requirements dictated by business processes, authorization mechanisms may often be implemented incorrectly or, at least, not optimally. The reason for that, in my opinion, is the low attention of both the customer and developers to this aspect in the initial stages of the project and, at the same time, insufficient assessment of the impact of necessary requirements.
The need for a mature cybersecurity process in today’s corporate environment is becoming ever more critical. As hackers are becoming more and more sophisticated, so our management and defense systems should also be strengthened accordingly. While there are many components that make up a solid security program within an organization, today, we will shed a light on one essential of these components, which is a vulnerability management maturity model.
I’ve seen Tweets and heard many discussions about certifications, like CISSP, CEH, OSCP and so on, in InfoSec. No doubt certifications have value – in many situations hiring managers are quickly going through resumes and certifications are symbolic of at least book-learning, and some degree of dedication to InfoSec. Certifications can be expensive and time consuming so having them clears the bar of at least slightly dedicated.
Barely a week after Patch Tuesday, internet security company Qihoo 360 has discovered yet another vulnerability in Internet Explorer (IE), this time due to a remote code execution vulnerability in the jscript.dll scripting engine. The vulnerability, identified as CVE-2020-0674, is considered Critical for IE 11, and Moderate for IE 9 and IE 10.