F5 Labs

This episode in The Hunt for IoT Volume 6 series focuses on the threat actors building IoT botnets, how easy IoT devices are to exploit, recent thingbot discoveries, and the status of Mirai infections worldwide.

Kazakhstan is now asking its citizens to install digital certificates so that it can decrypt all online communications. Their methods, however, may leave the population vulnerable to cyber attacks for many years to come.

Similar to April and May, threat actors in June continued targeting the deserialization vulnerabilities found in Oracle WebLogic to mine cryptocurrency.

A vast majority of organisations have no visibility into encrypted traffic, nor do they have protection against automated attackers. F5 Labs' Preston Hogue writes for CSO Australia, discussing the integrity of encryption.

Attackers use the Domain Name System (DNS) as a weapon against unsuspecting victims to bring down their websites.

Find out why we care so much about application security, how applications have grown into the weird beasts that they are today, and how our work fits into the bigger picture of securing and running an application.

Lori Mac Vittie writes for Network Computing, describing why serverless security doesn't have to be a struggle if you pay attention to the apps and focus on securing them.

In this companion podcast, the researchers who created the F5 Labs Application Protection Report discuss their findings, and share the details and backstories that helped shape the final report.

We’re still thinking of Internet of Things devices as low risk when reality tells us exactly the opposite.

F5 Labs' Preston Hogue writes for SecurityWeek, explaining how you as a security professional are a source of friction - and therefore risk - and what to do about it.

Understanding the significance of the three foundational information security principles: confidentiality, integrity, and availability.

In the final part of our mobile app series, we cover the DevSecOps components related to mobile app security: rolling out requirements, training, testing, and operational practices.

A newcomer to the malware scene, Golang-based malware has been seen installing cryptominers specifically targeting Moreno cryptocurrency.

Similar to April, threat actors in May continued targeting the deserialization vulnerabilities found in Oracle WebLogic to mine cryptocurrency.

Access attacks that circumvent user authentication, such as phishing or credential stuffing, are the types that most commonly lead to a breach.

It looked like a simple XSS in the Outlook Android app, but the app developers couldn’t reproduce it so they didn’t fix it. Then things got interesting. Here’s the story of how I discovered CVE-2019-1105.

The Gootkit banking trojan is still active and protecting itself in Italy using a dedicated redirection defense.

In part 2 of our mobile app strategy, we lay out the mobile security requirements including specifics on authentication, storage, communication, operations and cryptography.

Lots of organizations are spinning up mobile applications to either directly or indirectly support their mission. We in the security field know that this is fraught with peril, but what do we do and where do we begin to manage the risk?

Welcome to the newly revamped CISO to CISO page!