
Vulnerability

Get Management Buy-in with AppSec Metrics

Getting management to back your application security plans can be a tough sell. Metrics are vital because they show how effective your existing security measures actually are and turn that effectiveness into measurable data that everyone can understand. This article explores how to use metrics to win the support you need and make your application security program more effective.

Navigating the Unknown: Zero-Days in the Supply Chain

Zero-days are out there, lurking just under the surface and waiting for the right moment to strike. A security team can do everything right and still suffer a zero-day attack through its supply chain. And with innumerable configurations, devices, and platforms that can be exploited, zero-day exploits are becoming more common than ever.

CISA KEV Ransomware Interactive Visualization

When we first built the CISA KEV enrichment dashboard at Nucleus, our goal was to gain new insights into the vulnerabilities that had been confirmed by CISA as being exploited. Recently, CISA expanded the Known Exploited Vulnerabilities Catalog with vulnerabilities “known to be used in ransomware campaigns”. We find this data valuable in helping organizations identify which vulnerabilities on the KEV pose greater risk.

CVE-2023-22515: Critical Privilege Escalation Vulnerability in Confluence Data Center and Server

On October 4, 2023, Atlassian issued a security advisory revealing potential active exploitation of a previously unknown vulnerability (CVE-2023-22515, CVSS: 10) affecting on-premises Confluence Data Center and Server instances. The vulnerability lets an unauthenticated, anonymous remote threat actor escalate privileges by creating unauthorized Confluence administrator accounts and using them to access the instance; multiple versions of Confluence Data Center and Server are affected.

CVE-2023-20101: Critical Authentication Bypass Vulnerability in Cisco Emergency Responder

On October 4, 2023, Cisco published a security advisory disclosing a critical authentication bypass vulnerability (CVE-2023-20101, CVSS: 9.8) in Cisco Emergency Responder. CVE-2023-20101 allows an unauthenticated remote threat actor to log in to an affected device using the root account, which ships with static, hard-coded credentials that an administrator cannot change.

2023 OWASP Top-10 Series: Wrap Up

Over the past several months, we've taken a journey through the new 2023 OWASP API Security Top-10 list. In the previous 12 weekly posts, we've delved into each category, discussed what it is, how it's exploited, why it matters, and suggested effective protections for each. Now, as we conclude this series, it's time to summarize and offer some practical guidance for security practitioners looking to bolster API security in their organizations.

HTTP/2 Rapid Reset

A vulnerability in the HTTP/2 protocol tracked as Rapid Reset (CVE-2023-44487) was recently disclosed by researchers and vendors; it had been exploited in the wild from August 2023 to October 2023. The issue arises from HTTP/2's ability to cancel a stream with an RST_STREAM frame: a client can open streams and cancel them immediately, so the server does work for every request while the number of streams counted against its concurrent-stream limit stays small, which circumvents that limit.
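As an added example (not code from the original post or from any vendor's patch), the following Python builds and parses HTTP/2 frames, replays a constructed Rapid Reset burst next to constructed normal traffic, and shows why the per-connection concurrent-stream limit never fires while a reset-to-request ratio check does. Frame layout and type codes follow RFC 9113; the helper names, the thresholds and the sample traffic are illustrative assumptions.

```python
import struct

# HTTP/2 frame types, flags and error codes (RFC 9113)
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one HTTP/2 frame: 9-byte header (24-bit length, type, flags,
    1 reserved bit + 31-bit stream id) followed by the payload."""
    if len(payload) > 0xFFFFFF:
        raise ValueError("payload too large for a 24-bit length field")
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data: bytes):
    """Split a byte stream into (type, flags, stream_id, payload) tuples."""
    frames = []
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def inspect_connection(data: bytes, max_concurrent: int = 100,
                       min_requests: int = 20, reset_ratio: float = 0.5) -> dict:
    """Replay client-to-server frames of one connection and judge it.

    Tracks the peak number of simultaneously open streams (what
    SETTINGS_MAX_CONCURRENT_STREAMS polices) and the number of client
    cancellations. A Rapid Reset burst keeps the former tiny while the latter
    climbs, so the verdict also looks at the reset-to-request ratio.
    The thresholds are illustrative assumptions, not values from any vendor.
    """
    open_streams = set()
    requests = resets = peak_open = 0
    for ftype, flags, sid, payload in parse_frames(data):
        if sid == 0:
            continue  # SETTINGS, PING, GOAWAY live on stream 0
        if ftype == HEADERS:
            requests += 1
            open_streams.add(sid)
            peak_open = max(peak_open, len(open_streams))
        elif ftype == RST_STREAM and sid in open_streams:
            open_streams.discard(sid)
            resets += 1
    concurrency_exceeded = peak_open > max_concurrent
    ratio = resets / requests if requests else 0.0
    abusive = concurrency_exceeded or (requests >= min_requests and ratio > reset_ratio)
    return {"requests": requests, "resets": resets, "peak_open": peak_open,
            "concurrency_exceeded": concurrency_exceeded, "abusive": abusive}


# Constructed sample traffic, not a capture. The HEADERS payload is a one-byte
# HPACK block (indexed ":method GET"); its contents do not matter here.
HPACK_GET = b"\x82"


def rapid_reset_burst(n: int) -> bytes:
    """n streams, each opened and cancelled immediately: the attack pattern."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out += build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, HPACK_GET)
        out += build_frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


def normal_traffic(n: int, cancelled: int) -> bytes:
    """n requests left open, plus a handful of legitimate cancellations."""
    out = bytearray()
    for i in range(n):
        out += build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 2 * i + 1, HPACK_GET)
    for i in range(cancelled):
        out += build_frame(RST_STREAM, 0, 2 * i + 1, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


if __name__ == "__main__":
    print(inspect_connection(rapid_reset_burst(1000)))
    print(inspect_connection(normal_traffic(30, 2)))
```

The burst of 1000 open-and-cancel pairs never has more than one stream open at a time, so a concurrency limit of 100 is never exceeded; only the cancellation ratio reveals it. The same counting is what a proxy or server would use to decide to send GOAWAY and close the connection.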

Cato's Analysis and Protection for cURL SOCKS5 Heap Buffer Overflow (CVE-2023-38545)

TL;DR: This vulnerability appears to be less severe than initially anticipated, and Cato customers and infrastructure are secure. Last week Daniel Stenberg, the original author and long-time lead developer of cURL, published a “teaser” for a HIGH-severity vulnerability in the ubiquitous libcurl library and the curl command-line utility. A week of anticipation, multiple heinous crimes against humanity and a declaration of war later, the vulnerability was disclosed publicly.