Aggregator

不同的安全测试工程师，在面对相同系统时，会有不同的测试思路与习惯，以至于发现的漏洞不一样，导致业务方会有一些怨言。在此背景下，就安全测试标准化进行了讨论。 安全测试很难像功能测试一样，有完善的测试用例然后逐一执行。因为安全本身就是意料之外的事情，虽然标准化之后还会出现遗漏，但带来的安全效果肯定会比单兵作战要好，所以这事儿是有必要做的。回顾我们的做法： 1、资深安全测试工程师牵头编写安全测试用例集，结合历史漏洞、主营业务功能来做； 2、其他安全测试工程师学习安全测试用例集，并补充自己的思路，这是一个持续过程； 3、参照安全测试用例集，尝试开发一些小工具用于提升效率； 4、将测试集分享给业务线学习，鼓励业务线的测试、开发进行自测。 至此，作为集团级的应用安全团队就没啥招了，从效果来看仅对扩展测试思路有用、开发的小工具效果也一般。后来，就没再维护安全测试用例集，取而代之的是建设“纵深”的安全测试工具链：（安全需求、安全设计）－ SAST、SCA、人工审计 － IAST、DAST、人工测试 － SRC收洞，并通过对外部发现的漏洞复盘、不断优化整个安全测试体系（规范-流程-工具-人员）。 更多软件安全内容，可以访问： 1、SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 设计阶段应开展哪些安全活动？ 如何选择开源组件安全扫描(SCA)工具？ SCA工具扫描出很多漏洞，如何处理？ SCA工具识别出高风险协议，如何处理？ 应该如何选型代码安全扫描工具？ 如何推进有问题的jar包更新？ SCA工具的误报率怎样？ 如何说服业务完成checklist自检？ sdl会对项目变更代码做review吗？ 怎么解决源代码两张皮导致安全失效？ 开发安全培训是否有效？ 安全组件如何在SDL中落地？ 如何安全管理研发提交代码到GitHub进行开源？ 安全组件(SDK)能够否覆盖Owasp Top 10? SDL建设是难中难，该如何做？ SDL 47/100问：如何定位及落地威胁建模？ 2、SDL创新实践系列 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点

US authorities have arrested soldier Cameron John Wagenius for his alleged involvement in leaking presidential phone records. US authorities arrested Cameron John Wagenius (20), a US Army soldier, suspected of involvement in leaking presidential call logs. The soldier was arrested in Fort Hood, Texas, he is suspected to be the hacker who using the moniker […]

Suspect Crew Members of the Eagle S Cannot Leave the Ship
Finnish police say they've identified as suspects eight crew members of an oil tanker linked to a Russian "shadow fleet" of sanctions busting ships in an investigation into an incident that broke submarine cables in the Baltic Sea. Authorities escorted the tanker into Finnish waters on Dec. 25.

Experts: New Mandates Could Be Difficult, Costly for Many Entities
The U.S. Department of Health and Human Services' proposed overhaul of the 20-plus-year-old HIPAA Security Rule aims to drastically improve the state of healthcare sector cybersecurity, but the potential new requirements could mean difficult and expensive heavy lifting for many regulated entities.

Hackers Reportedly Target Treasury Department Offices Overseeing Economic Sanctions
A Chinese hack of the U.S. Department of Treasury targeted offices tasked with overseeing economic sanctions and financial investigations, as experts warn Beijing is increasingly escalating attacks on American critical infrastructure while preparing for potential future conflict.

Flaw Bypasses Clickjacking Defenses, Enables Account Takeovers
Hackers are exploiting the split-second delay between two mouse clicks to carry out sophisticated clickjacking attacks, tricking victims into authorizing transactions or granting access they never intended. "DoubleClickjacking" manipulates users into granting OAuth and API permissions

Are Your Security Practices Up to the Challenge? As organizations continue to invest more heavily in cybersecurity measures, one question often arises. How can businesses justify these increased security investments, particularly when it comes to managing Non-Human Identities (NHIs) and Secrets Security? This conundrum brings to light the critical role of adopting smart NHIDR practices […]

The post Justify Your Security Investment with Smart NHIDR Practices appeared first on Entro.

The post Justify Your Security Investment with Smart NHIDR Practices appeared first on Security Boulevard.

What Does Secrets Vaulting Hold for your Business? In a world where data is the new gold, organizations are under increasing pressure to protect their resources from potential thieves. With the rise of cloud services, secrets vaulting has become a critical aspect in ensuring a secure environment. It provides the peace of mind every business […]

The post Achieve Peace of Mind with Secure Secrets Vaulting appeared first on Entro.

The post Achieve Peace of Mind with Secure Secrets Vaulting appeared first on Security Boulevard.

Changes to the healthcare privacy regulation, including technical controls for network segmentation, multifactor authentication, and encryption, would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.

The post PCI DSS 4.0.1: A Comprehensive Guide to Successfully Meeting Requirements 6.4.3 and 11.6.1 appeared first on Feroot Security.

The post PCI DSS 4.0.1: A Comprehensive Guide to Successfully Meeting Requirements 6.4.3 and 11.6.1 appeared first on Security Boulevard.

Windows servers are vulnerable to a dangerous LDAP vulnerability that could be used to crash multiple servers at once and should be patched immediately.

A vulnerability classified as critical was found in WP Job Portal Plugin up to 2.2.4 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper control of resource identifiers. This vulnerability is known as CVE-2024-12132. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in AudioCodes MP-202b 4.4.3. Affected is an unknown function of the component Web Interface. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2024-48197. It is possible to launch the attack remotely. There is no exploit available.

Following the publication of our in-depth analysis on the National Public Data (NPD) breach last week, Constella Intelligence received several inquiries about how to safeguard against identity attacks using the exposed SSNs.  The recent National Public Data (NPD) breach stands as the largest social security number (SSN) exposures in history. With 292 million individuals exposed, …

The post Best of 2024: National Public Data (NPD) Breach: Essential Guide to Protecting Your Identity appeared first on Security Boulevard.

A vulnerability, which was classified as critical, was found in Microsoft Windows 10 20H2/10 21H1/10 21H2/Server 20H2. Affected is an unknown function of the component Hyper-V. The manipulation leads to denial of service. This vulnerability is traded as CVE-2022-22713. It is possible to launch the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability has been found in Microsoft Visual Studio, .NET and .NET Core and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to denial of service. This vulnerability is known as CVE-2022-23267. The attack can be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows and classified as critical. Affected by this issue is some unknown functionality of the component Point-to-Point Tunneling Protocol. The manipulation leads to Remote Code Execution. This vulnerability is handled as CVE-2022-23270. The attack may be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows up to Server 2022. It has been classified as critical. This affects an unknown part of the component ALPC. The manipulation leads to Privilege Escalation. This vulnerability is uniquely identified as CVE-2022-23279. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.