
5 posts tagged with "appsec"


· 6 min read
Chris Thompson
Yiannis Pavlosoglou

Would you rather have a boat with a scratch or a boat with a hole?

Are you drowning in vulnerabilities?

Talking about vulnerabilities is too terse, so let's talk about boats instead. If your boat had a hole in it, you would probably patch that hole as fast as you could. You definitely wouldn't want your boat to take on water and sink. On the other hand, if your boat had a scratch on it and not a hole, you would want to assess the level of damage, perform the minimum fixes required, and get back to steering your boat.

· 2 min read
Yiannis Pavlosoglou
Free Wortley

The CISA Known Exploited Vulnerabilities Catalog

The US Cybersecurity & Infrastructure Security Agency (CISA) maintains a catalog of vulnerabilities which are known to be actively exploited in the wild.

As of January 2023, this list contains 871 vulnerabilities ranging from multiple product remote code execution vulnerabilities to vulnerabilities on frameworks such as Apache Struts, Log4Shell and similar.

· 6 min read
Forrest Allison
Alex Vanderpot
Free Wortley

Vulnerability Severity Scoring

Most security folks are already familiar with CVSS as the framework used by NVD to assign a quantifiable severity score to vulnerabilities. They also know never to take CVSS scores at face value and to always view them with a grain of salt.

Why can't we trust CVSS alone? Simply put: because CVSS doesn't include how likely a vulnerability is to be exploited in reality. It's just a formula that lives in a vacuum and lacks the context necessary to help organizations accurately assess the risk of a breach if the vulnerability is left unpatched.

That's where an exciting new effort, called EPSS, comes in.

What is EPSS?

· 6 min read
Free Wortley

What is Text4Shell?

Text4Shell is a vulnerability in the Java library Apache Commons Text. This vulnerability, in specific conditions, allows an attacker to execute arbitrary code on the victim's machine (Remote Code Execution or "RCE"). The vulnerability was discovered by Alvaro Muñoz (aka pwntester) and announced publicly on October 13th

Text4Shell was officially assigned the CVE-2022-42889 identifier.

· 19 min read
Chris Thompson
Free Wortley

Security is Everything

If you're thinking about security for your company but don't know where to start, then you've come to the right place.

Security spans the entirety of your company, all the way from how you onboard employees to the dependencies you import, but adding security comes at a cost: more secure systems are often more complicated to use.

Given that tradeoff, which areas of security should you focus on first?

We'll be answering that question today, based on our conversations with hundreds of companies, and we'll be offering our advice about how you can balance between security and usability as you grow.