Aggregator

2024年第三季度，网络安全行业毛利率同比下滑4.2%至57.2%，反映出行业供需失衡的严峻局面。然而，尽管整体营业利润率仍处于负值，但有12/21家公司实现了经营利润的同比改善。随着落后产能加速出清，领先厂商明年或将迎来利润增长拐点。

This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.

这是一个好迹象，说明已经开始关注开源组件的安全性。不过估计是在开源治理的初期。从建设阶段来说更重要的是看是否有预算投入，有充足预算肯定建议是用商用，没有预算则引入开源工具也尚可。无论是自研还是外购，有几条经验可以分享： 1、尽可能的要嵌入研发流程，自动化触发扫描，以及漏洞推送； 2、刚开始推广时，可能会在漏洞修复方面遇到困难，所以可以先要求风险非常高的组件及漏洞，再慢慢扩展开来； 3、对于开源组件，除了漏洞之外，还要关注许可证协议、后门，在一些行业许可证的合规性优先级可能更高，后门是深水区、有必要做但真正做得好的还不多。 更多软件安全内容，可以访问： 1、SDL100问：我与SDL的故事 SDL与DevSecOps有何异同？ 如何在不同企业实施SDL？ SAST误报太高，如何解决？ SDL需要哪些人参与？ 在devops中做开发安全，会遇到哪些问题？ 如何实施安全需求？ 安全需求，有哪些来源？ 安全需求怎么实现自动化？ 实施安全需求，会遇到哪些难题？ 安全需求和安全设计有何异同及关联？ 设计阶段应开展哪些安全活动？ 有哪些不错的安全设计参考资料？ 安全设计要求怎么做才能落地？ 有哪些威胁建模方法论？ 有哪些威胁建模工具？ 如何开始或实施威胁建模？ 威胁建模和架构安全评审，有何异同？ 编码阶段，开展哪些安全活动？ 如何选择静态代码扫描(SAST)工具？ 如何选择开源组件安全扫描(SCA)工具？ SCA工具扫描出很多漏洞，如何处理？ SCA工具识别出高风险协议，如何处理？ 如何制定一份有用的开发安全规范？ 如何做到开发安全规范的有效实施？ 应该如何选型代码安全扫描工具？ 代码安全扫描应该设置哪些指标？ 如何提升开发人员的安全意识？ 在编码阶段加入安全检查后，如何处理带来的时间压力？ SDL 29/100问：白盒检测工具存在局限性，如何进行补偿？ 2、SDL最初实践系列 开篇 安全需求 安全设计 安全开发 安全测试 安全审核 安全响应 3、SDL创新实践系列 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点

Is Your Cloud Security Compliant? With increasing reliance on cloud systems across industries, it’s time to ask hard-hitting questions. Is your cloud security up to par? Are your Non-Human Identities (NHIs) effectively managed? As businesses continue to innovate and adapt, prioritizing cybersecurity and cloud compliance becomes a critical determinant of success. Understanding the Importance of […]

The post Compliance in Cloud Security appeared first on Entro.

The post Compliance in Cloud Security appeared first on Security Boulevard.

Are You on the Safe Side with Your Secrets Scanning? In the realm of cybersecurity, there’s a formidable challenge to be tackled: the management of Non-Human Identities (NHIs) and Secrets. This entails not only securing these machine identities and the permissions granted to them but also monitoring their behavior within the system. With so many […]

The post Ensuring Calm with Effective Secrets Scanning Techniques appeared first on Entro.

The post Ensuring Calm with Effective Secrets Scanning Techniques appeared first on Security Boulevard.

How Does Compliance Impact Cloud Security? Are we fully conscious of the significant correlation between compliance and cloud security? With the increasing reliance on cloud-based solutions, the challenge of maintaining security compliance in the cloud environment has become a pivotal concern for organizations across multiple sectors. Achieving and maintaining cloud compliance isn’t a one-time event […]

The post Why Compliance in Cloud Security Can’t Be Ignored appeared first on Entro.

The post Why Compliance in Cloud Security Can’t Be Ignored appeared first on Security Boulevard.

IoT Vulnerability Wiki 物联网设备漏洞库

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 23

A vulnerability was found in code-projects Online Class and Exam Scheduling System 1.0. It has been rated as critical. This issue affects some unknown processing of the file class_update.php. The manipulation of the argument id leads to sql injection. The identification of this vulnerability is CVE-2024-12360. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in code-projects Admin Dashboard 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /vendor_management.php. The manipulation of the argument username leads to cross site scripting. This vulnerability was named CVE-2024-12359. The attack can be initiated remotely. Furthermore, there is an exploit available. The initial researcher advisory mentions contradicting product names.

A Blind Reverse Engineering/Exploration of Tom Clancy's Splinter Cell

Submit #458891 / VDB-287279

A vulnerability was found in WeiYe-Jing datax-web 2.1.1. It has been classified as critical. This affects an unknown part of the file /api/job/add/. The manipulation of the argument glueSource leads to os command injection. This vulnerability is uniquely identified as CVE-2024-12358. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Submit #458634 / VDB-287278

A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument page leads to file inclusion. This vulnerability is handled as CVE-2024-12357. The attack may be launched remotely. Furthermore, there is an exploit available.

Transform IAM from a burden to a business advantage. Discover how strategic IAM enables agility, reduces risk, and drives digital transformation success.

The post Transform IAM From Technology Burden To Business Advantage first appeared on Identient.

The post Transform IAM From Technology Burden To Business Advantage appeared first on Security Boulevard.

Submit #457865 / VDB-287277

Submit #457505 / VDB-287276

Help with recovering unsaved word document

Security Affairs newsletter Round 501 by Pierluigi Paganini – INTERNATIONAL EDITION